cer28/removeDefaultOwnerPermissions.groovy

## removeDefaultOwnerPermissions.groovy
/****
 *
 * removeDefaultOwnerPermissions.groovy
 *
 * In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin
 * if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically
 * have admin access even without the permission. This script performs a cleanup of these permissions, looping through
 * a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems.
 * This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.
 *
 * After completion, the number of groups and stems where specific users have direct admin privileges should be very
 * low. These remaining privileges should be looked at. Normally you would want to put users into policy groups instead,
 * instead of giving direct access.
 *
 * TODO get the count and add a countdown
 * TODO revoke from attribute privileges
 *
 * Chad Redman <chad_redman@unc.edu>, 2018-10-03, Free for any use
 ****/

subjects = ["GrouperSystem", "other-ids-or-identifiers", "for-current-and-past-wheel-members", ]

gs = GrouperSession.startRootSession()
//me = SubjectFinder.findByIdentifierAndSource("myUid", "mySource", true)
//gs = GrouperSession.start(me)

import edu.internet2.middleware.grouper.cfg.GrouperConfig
import edu.internet2.middleware.grouper.internal.dao.QueryOptions
import edu.internet2.middleware.grouper.membership.MembershipType

GrouperConfig.retrieveConfig().propertiesOverrideMap().put("ws.getMemberships.maxResultSize", "300000")

subjects.each { subject ->
    try {

        theUser=SubjectFinder.findByIdOrIdentifier(subject, true)
        println "Revoking admin privs for ${subject} (${theUser.name})"

        // QueryOptions has side effects! Can't reuse between group/subject queries because the sort option sticks to it
        queryOptions = new QueryOptions()
        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

        while (true) {
            x = new MembershipFinder().
              addSubject(theUser).
              assignFieldType(FieldType.ACCESS).
              assignEnabled(true).
              assignHasFieldForGroup(true).
              assignHasMembershipTypeForGroup(true).
              addField("admins").
              assignMembershipType(MembershipType.IMMEDIATE).
              assignQueryOptionsForGroup(queryOptions).
              findMembershipResult().
              getMembershipSubjectContainers()

            if (x.size() == 0) {
                break
            }
            println "\t${x.size()}"

            x.each { member ->
                println "\tRevoke " + subject + " from group " + member.groupOwner.name
                member.groupOwner.revokePriv(theUser, AccessPrivilege.ADMIN, false)
            }
        }


        queryOptions = new QueryOptions()
        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

        while (true) {
            x = new MembershipFinder().
              addSubject(theUser).
              assignFieldType(FieldType.NAMING).
              assignEnabled(true).
              assignHasFieldForStem(true).
              assignHasMembershipTypeForStem(true).
              addField("stemAdmins").
              assignMembershipType(MembershipType.IMMEDIATE).
              assignQueryOptionsForStem(queryOptions).
              findMembershipResult().
              getMembershipSubjectContainers()

            if (x.size() == 0) {
                break
            }
            println "\t${x.size()}"

            x.each { member ->
                println "\tRevoke " + subject + " from stem " + member.stemOwner.name
                member.stemOwner.revokePriv(theUser, NamingPrivilege.STEM_ADMIN, false)
            }
        }
    } catch (Exception e) {
        println "*** Failed to revoke from user ${subject}: ${e}"
        e.printStackTrace()
    }
}


/**** Alternative to MembershipFinder?
 * import edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO
 * H = new Hib3MembershipDAO().findAllImmediateByMemberAndField(gs.member.uuid, FieldFinder.find("admins", true), true)
 *
 * H.each { membership ->
 *     member.groupOwner.revokePriv(me, AccessPrivilege.ADMIN, false)
 * }
 ****/


/**** Now that the direct admin list is much smaller, at some point you should look at subjects
      that have direct access, instead of indirect by policy group. This query will show counts and Subject Ids

select count(*) as num_objects, subject_id, subject_source
from grouper_memberships_v
where     list_type = 'access'
    and   list_name = 'admins'
    and   membership_type = 'immediate'
    and   subject_source != 'g:gsa'
group by subject_id, subject_source
order by count(*) desc;

select count(*), v.subject_id, v.subject_source, m.sort_string0, m.name
from grouper_memberships_v v
join grouper_members m on v.member_id = m.id
where     v.list_type = 'naming'
    and   v.list_name like 'stemAdmins'
    and   v.membership_type = 'immediate'
    and   v.subject_source != 'g:gsa'
group by v.subject_id, v.subject_source, m.sort_string0, m.name
order by 1 desc;

*/
	/****
	*
	* removeDefaultOwnerPermissions.groovy
	*
	* In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin
	* if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically
	* have admin access even without the permission. This script performs a cleanup of these permissions, looping through
	* a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems.
	* This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.
	*
	* After completion, the number of groups and stems where specific users have direct admin privileges should be very
	* low. These remaining privileges should be looked at. Normally you would want to put users into policy groups instead,
	* instead of giving direct access.
	*
	* TODO get the count and add a countdown
	* TODO revoke from attribute privileges
	*
	* Chad Redman <chad_redman@unc.edu>, 2018-10-03, Free for any use
	****/

	subjects = ["GrouperSystem", "other-ids-or-identifiers", "for-current-and-past-wheel-members", ]

	gs = GrouperSession.startRootSession()
	//me = SubjectFinder.findByIdentifierAndSource("myUid", "mySource", true)
	//gs = GrouperSession.start(me)

	import edu.internet2.middleware.grouper.cfg.GrouperConfig
	import edu.internet2.middleware.grouper.internal.dao.QueryOptions
	import edu.internet2.middleware.grouper.membership.MembershipType

	GrouperConfig.retrieveConfig().propertiesOverrideMap().put("ws.getMemberships.maxResultSize", "300000")

	subjects.each { subject ->
	try {

	theUser=SubjectFinder.findByIdOrIdentifier(subject, true)
	println "Revoking admin privs for ${subject} (${theUser.name})"

	// QueryOptions has side effects! Can't reuse between group/subject queries because the sort option sticks to it
	queryOptions = new QueryOptions()
	queryOptions.paging(500, 1, false) // 500 is the max allowed?

	while (true) {
	x = new MembershipFinder().
	addSubject(theUser).
	assignFieldType(FieldType.ACCESS).
	assignEnabled(true).
	assignHasFieldForGroup(true).
	assignHasMembershipTypeForGroup(true).
	addField("admins").
	assignMembershipType(MembershipType.IMMEDIATE).
	assignQueryOptionsForGroup(queryOptions).
	findMembershipResult().
	getMembershipSubjectContainers()

	if (x.size() == 0) {
	break
	}
	println "\t${x.size()}"

	x.each { member ->
	println "\tRevoke " + subject + " from group " + member.groupOwner.name
	member.groupOwner.revokePriv(theUser, AccessPrivilege.ADMIN, false)
	}
	}


	queryOptions = new QueryOptions()
	queryOptions.paging(500, 1, false) // 500 is the max allowed?

	while (true) {
	x = new MembershipFinder().
	addSubject(theUser).
	assignFieldType(FieldType.NAMING).
	assignEnabled(true).
	assignHasFieldForStem(true).
	assignHasMembershipTypeForStem(true).
	addField("stemAdmins").
	assignMembershipType(MembershipType.IMMEDIATE).
	assignQueryOptionsForStem(queryOptions).
	findMembershipResult().
	getMembershipSubjectContainers()

	if (x.size() == 0) {
	break
	}
	println "\t${x.size()}"

	x.each { member ->
	println "\tRevoke " + subject + " from stem " + member.stemOwner.name
	member.stemOwner.revokePriv(theUser, NamingPrivilege.STEM_ADMIN, false)
	}
	}
	} catch (Exception e) {
	println "*** Failed to revoke from user ${subject}: ${e}"
	e.printStackTrace()
	}
	}



	/**** Alternative to MembershipFinder?
	* import edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO
	* H = new Hib3MembershipDAO().findAllImmediateByMemberAndField(gs.member.uuid, FieldFinder.find("admins", true), true)
	*
	* H.each { membership ->
	* member.groupOwner.revokePriv(me, AccessPrivilege.ADMIN, false)
	* }
	****/



	/**** Now that the direct admin list is much smaller, at some point you should look at subjects
	that have direct access, instead of indirect by policy group. This query will show counts and Subject Ids

	select count(*) as num_objects, subject_id, subject_source
	from grouper_memberships_v
	where list_type = 'access'
	and list_name = 'admins'
	and membership_type = 'immediate'
	and subject_source != 'g:gsa'
	group by subject_id, subject_source
	order by count(*) desc;

	select count(*), v.subject_id, v.subject_source, m.sort_string0, m.name
	from grouper_memberships_v v
	join grouper_members m on v.member_id = m.id
	where v.list_type = 'naming'
	and v.list_name like 'stemAdmins'
	and v.membership_type = 'immediate'
	and v.subject_source != 'g:gsa'
	group by v.subject_id, v.subject_source, m.sort_string0, m.name
	order by 1 desc;

	*/