airavata-commits mailing list archives

From scnakand...@apache.org
Subject [4/7] airavata git commit: adding grouper client code to airavata
Date Thu, 07 Jul 2016 03:47:54 GMT
http://git-wip-us.apache.org/repos/asf/airavata/blob/4766b37c/modules/group-manager/src/main/resources/grouper-loader.base.properties
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/resources/grouper-loader.base.properties b/modules/group-manager/src/main/resources/grouper-loader.base.properties
new file mode 100755
index 0000000..6379f03
--- /dev/null
+++ b/modules/group-manager/src/main/resources/grouper-loader.base.properties
@@ -0,0 +1,351 @@
+#
+# Copyright 2014 Internet2
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Grouper loader uses Grouper Configuration Overlays (documented on wiki)
+# By default the configuration is read from grouper-loader.base.properties
+# (which should not be edited), and the grouper-loader.properties overlays
+# the base settings.  See the grouper-loader.base.properties for the possible
+# settings that can be applied to the grouper.properties
+
+
+########################################
+## Config chaining hierarchy
+########################################
+
+# comma separated config files that override each other (files on the right override the left)
+# each should start with file: or classpath:
+# e.g. classpath:grouper-loader.example.properties, file:c:/something/myconfig.properties
+loader.config.hierarchy = classpath:grouper-loader.base.properties, classpath:grouper-loader.properties
+
+# seconds between checking to see if the config files are updated
+loader.config.secondsBetweenUpdateChecks = 60
+
+
+########################################
+## General settings
+########################################
+
+
+# auto-add grouper loader types and attributes when grouper starts up if they are not there
+loader.autoadd.typesAttributes = true
+
+# if a transaction should be used when loading groups.  If not, then
+# commits will happen as the group is loaded (and memory usage might be
+# less intensive, and caching settings need to be set right)
+loader.use.transactions = false
+
+# number of threads in the loader threadpool.  Only this number of jobs can run at once
+# jobs which are on deck will block, or will fail if the blocking timeout occurs
+# a job is running if it is loading (not just scheduled)
+loader.thread.pool.size=10
+
+# if should use threads in the loader for add/remove member
+loader.use.membershipThreads=true
+
+# number of threads to use for each group job (not shared among jobs)
+loader.membershipThreadPoolSize=10
+
+# if should use threads in the loader for each group in a group of groups
+loader.use.groupThreads=true
+
+# number of threads to use for each list of groups job (not shared among jobs)
+loader.groupThreadPoolSize=20
+
+# number of days to retain db logs in table grouperloader_log.  -1 is forever.  default is 7
+loader.retain.db.logs.days=7
+
+# number of days to retain db rows in grouper_change_log_entry.  -1 is forever.  default is 14
+loader.retain.db.change_log_entry.days=14
+
+# if you want queries which do not specify subject source to come from a certain
+# source, specify here (improves performance so it doesnt search through all sources)
+default.subject.source.id = 
+
+#if using a sql table, and specifying the name like string, then should the group (in addition to memberships)
+# be removed if not used anywhere else?
+loader.sqlTable.likeString.removeGroupIfNotUsed = true
+
+# if using a sql table, and specifying the name like string, then should the group be removed even when the group is member of some other group. 
+# loader.sqlTable.likeString.removeGroupIfNotUsed has to be true for this to work
+# https://bugs.internet2.edu/jira/browse/GRP-1132
+loader.sqlTable.likeString.removeGroupIfMemberOfAnotherGroup = false
+
+# by default the top folder for an ldap group of groups is the folder where the config group lives.
+# set to false if you want to be able to provision groups to anywhere
+loader.ldap.requireTopStemAsStemFromConfigGroup = true
+
+# if you dont specify a groupNameExpression, groups will be loaded into this folder
+# if this property doesnt exist, it will be groups:    if it is blank, then there is no top level folder
+# e.g. loader:groups
+loader.ldap.defaultGroupFolder = groups:
+
+# if the loader should check to see too many users were removed, if so, then error out and
+# wait for manual intervention
+loader.failsafe.use = false
+
+# if a group has a size less than this (default 200), then make changes including blanking it out 
+loader.failsafe.minGroupSize = 200
+
+# if a group with more members than the loader.failsafe.minGroupSize have more than this percent (default 30)  
+# removed, then log it as error, fail the job, and don't actually remove the members 
+# In order to run the job, an admin would need to change this param in the config, 
+# and run the job manually, then change this config back 
+loader.failsafe.maxPercentRemove = 30
+
+# Comma separated list of stems under which the display name changes in stems are allowed.
+# eg: loader.allowStemDisplayNameChangesUnderStems=school:courses:english, school:faculty
+loader.allowStemDisplayNameChangesUnderStems =
+
+#################################
+## Performance enhancements
+#################################
+
+# if you want to bulk retrieve subjects to add/remove
+loader.bulkLookupSubjects = true
+
+#################################
+## DB connections
+#################################
+# specify the db connection with user, pass, url, and driver class
+# the string after "db." is the name of the connection, and it should not have
+# spaces or other special chars in it
+#db.warehouse.user = mylogin
+#note the password can be stored encrypted in an external file
+#db.warehouse.pass = secret
+#db.warehouse.url = jdbc:mysql://localhost:3306/grouper
+
+## note: you probably dont have to enter a driver, it will detect from URL.  If it
+## cant detect, then specify it here
+#db.warehouse.driver = 
+
+#################################
+## LDAP connections
+#################################
+# specify the ldap connection with user, pass, url
+# the string after "ldap." is the ID of the connection, and it should not have
+# spaces or other special chars in it.  In this case is it "personLdap"
+
+#note the URL should start with ldap: or ldaps: if it is SSL.  
+#It should contain the server and port (optional if not default), and baseDn, 
+#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
+#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu
+
+# load this vt-ldap config file before the configs here.  load from classpath
+#ldap.personLdap.configFileFromClasspath = ldap.personLdap.properties
+
+#optional, if authenticated
+#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu
+
+#optional, if authenticated, note the password can be stored encrypted in an external file
+#ldap.personLdap.pass = secret
+
+#optional, if you are using tls, set this to true.  Generally you will not be using an SSL URL to use TLS...
+#ldap.personLdap.tls = false
+
+#optional, if using sasl
+#ldap.personLdap.saslAuthorizationId = 
+#ldap.personLdap.saslRealm = 
+
+#optional (note, time limit is for search operations, timeout is for connection timeouts), 
+#most of these default to vt-ldap defaults.  times are in millis
+#validateOnCheckout defaults to true if all other validate methods are false
+#ldap.personLdap.batchSize = 
+#ldap.personLdap.countLimit = 
+#ldap.personLdap.timeLimit = 
+#ldap.personLdap.timeout = 
+#ldap.personLdap.minPoolSize = 
+#ldap.personLdap.maxPoolSize = 
+#ldap.personLdap.validateOnCheckIn = 
+#ldap.personLdap.validateOnCheckOut = 
+#ldap.personLdap.validatePeriodically = 
+#ldap.personLdap.validateTimerPeriod = 
+#ldap.personLdap.pruneTimerPeriod = 
+# if there is a max size limit on ldap server, then this will retrieve results in pages
+#ldap.personLdap.pagedResultsSize = 
+# set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldnt)
+#ldap.personLdap.referral = 
+
+
+##################################
+## LDAP loader settings
+##################################
+
+# el classes to add to the el context for the EL to calculate subejct ids or group names etc.  
+# Comma-separated fully qualified classnamesm will be registered by the non-fully qualified
+# uncapitalized classname.  So you register a.b.SomeClass, it will be available by variable: someClass
+loader.ldap.el.classes = 
+
+
+##################################
+## Daily report
+##################################
+#quartz cron-like schedule for daily grouper report, the default is 7am every day: 0 0 7 * * ? 
+#leave blank to disable this
+daily.report.quartz.cron = 
+
+#comma separated email addresses to email the daily report, e.g. a@b.c, b@c.d
+daily.report.emailTo = 
+
+#days on which usdu should run with daily report (comma separated)
+#blank means run never.   e.g. to run on all days: monday, tuesday, wednesday, thursday, friday, saturday, sunday
+daily.report.usdu.daysToRun = monday, tuesday, wednesday, thursday, friday, saturday, sunday
+
+#days on which bad membership finder should run with daily report (comma separated)
+#blank means run never.   e.g. to run on all days: monday, tuesday, wednesday, thursday, friday, saturday, sunday
+daily.report.badMembership.daysToRun = monday, tuesday, wednesday, thursday, friday, saturday, sunday
+
+#if you put a directory here, the daily reports will be saved there, and you can
+#link up to a web service or store them or whatever.  e.g. /home/grouper/reports/
+daily.report.saveInDirectory =
+
+##################################
+## enabled / disabled cron
+##################################
+
+#quartz cron-like schedule for enabled/disabled daemon.  Note, this has nothing to do with the changelog
+#leave blank to disable this, the default is 12:01am, 11:01am, 3:01pm every day: 0 1 0,11,15 * * ? 
+changeLog.enabledDisabled.quartz.cron = 0 1 0,11,15 * * ?
+
+##################################
+## Change log
+##################################
+
+# should the change log temp to change log daemon run?  Note, this should be true
+changeLog.changeLogTempToChangeLog.enable = true
+
+#quartz cron-like schedule for change log temp to change log daemon, the default is 50 seconds after every minute: 50 * * * * ?
+changeLog.changeLogTempToChangeLog.quartz.cron = 
+
+# Should the change log include flattened memberships?  
+changeLog.includeFlattenedMemberships = true
+
+# Should the change log include flattened privileges?  
+changeLog.includeFlattenedPrivileges = true
+
+# Should the change log include roles that have had permission changes?  
+changeLog.includeRolesWithPermissionChanges = false
+
+# Should the change log include non-flattened (immediate and composite only) memberships?
+changeLog.includeNonFlattenedMemberships = false
+
+# Should the change log include non-flattened (immediate only) privileges?
+changeLog.includeNonFlattenedPrivileges = false
+
+
+#specify the consumers here.  specify the consumer name after the changeLog.consumer. part.  This example is "psp"
+#but it could be changeLog.consumer.myConsumerName.class
+#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase
+# changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
+
+#the quartz cron is a cron-like string.  it defaults to every minute on the minute (since the temp to change log job runs
+#at 10 seconds to each minute).  it defaults to this: 0 * * * * ?
+#though it will stagger each one by 2 seconds
+# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger
+# changeLog.consumer.psp.quartzCron = 0 * * * * ?
+
+# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false.
+# changeLog.consumer.psp.retryOnError = false
+
+# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method.
+# changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
+
+# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?.
+# changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
+
+# Run a full synchronization job at startup. Defaults to false.
+# changeLog.psp.fullSync.runAtStartup = false
+
+# Omit diff responses from bulk response to conserve memory.
+# changeLog.psp.fullSync.omitDiffResponses = true
+
+# Omit sync responses from bulk response to conserve memory.
+# changeLog.psp.fullSync.omitSyncResponses = true
+
+
+#changeLog.consumer.printTest.class = edu.internet2.middleware.grouper.changeLog.consumer.PrintTest
+#changeLog.consumer.printTest.quartzCron = 
+
+#rules consumer, needed for some of the Grouper rule types to run (e.g. flattenedMembershipRemove, flattenedMembershipAdd)
+changeLog.consumer.grouperRules.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.RuleConsumer
+changeLog.consumer.grouperRules.quartzCron =
+
+#consumer for syncing groups to other groupers
+changeLog.consumer.syncGroups.class = edu.internet2.middleware.grouper.client.GroupSyncConsumer
+changeLog.consumer.syncGroups.quartzCron =
+
+
+
+###################################
+## XMPP notifications 
+## (note, uncomment the consumer class and cron above)
+## this will get grouper ws getMembers rest lite xmp: 
+## http://anonsvn.internet2.edu/cgi-bin/viewvc.cgi/i2mi/trunk/grouper-ws/grouper-ws/doc/samples/getMembers/WsSampleGetMembersRestLite_xml.txt?view=log
+###################################
+
+## general xmpp configuration
+xmpp.server.host = jabber.school.edu
+xmpp.server.port = 5222
+xmpp.user = username
+# note, pass can be in an external file with morphstring
+xmpp.pass = 
+xmpp.resource = grouperServer
+
+###################################
+## Rules config
+###################################
+
+# when the rules validations and daemons run.  Leave blank to not run
+rules.quartz.cron = 0 0 7 * * ?
+
+#####################################
+## ESB integration
+#####################################
+
+#changeLog.consumer.awsJira.quartzCron = 0/15 * * * * ?
+#changeLog.consumer.awsJira.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer
+#changeLog.consumer.awsJira.elfilter = event.eventType eq 'MEMBERSHIP_ADD' || event.eventType eq 'MEMBERSHIP_ADD'
+#changeLog.consumer.awsJira.noSensitiveData = true
+## if you want to encrypt messages, set this to an implementation of edu.internet2.middleware.grouperClient.encryption.GcEncryptionInterface
+#changeLog.consumer.awsJira.encryptionImplementation = edu.internet2.middleware.grouperClient.encryption.GcSymmetricEncryptAesCbcPkcs5Padding
+## this is a key or could be encrypted in a file as well like other passwords
+## generate a key with: java -cp grouperClient.jar edu.internet2.middleware.grouperClient.encryption.GcGenerateKey 
+#changeLog.consumer.awsJira.encryptionKey = abc123
+## if you dont want to send the first 4 of the sha hash base 64 of the secret
+#changeLog.consumer.awsJira.dontSendShaBase64secretFirst4 = abc123
+#changeLog.consumer.awsJira.publisher.class = edu.internet2.middleware.grouperAwsChangelog.GrouperAwsEsbPublisher
+#changeLog.consumer.awsJira.publisher.awsAccessKey = ABCXYZ
+#changeLog.consumer.awsJira.publisher.awsSecretKey = 123REWQ
+#changeLog.consumer.awsJira.publisher.awsRegion = US_EAST_1
+#changeLog.consumer.awsJira.publisher.awsSnsTopicArn = arn:aws:sns:us-east-1:123:name
+
+#changeLog.consumer.xmppTest.quartzCron = 
+#changeLog.consumer.xmppTest.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer
+#changeLog.consumer.xmppTest.elfilter = event.eventType eq 'GROUP_DELETE' || event.eventType eq 'GROUP_ADD' || event.eventType eq 'MEMBERSHIP_DELETE' || event.eventType eq 'MEMBERSHIP_ADD'
+#changeLog.consumer.xmppTest.publisher.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbXmppPublisher
+#changeLog.consumer.xmppTest.publisher.server = jabber.school.edu
+#changeLog.consumer.xmppTest.publisher.port = 5222
+#changeLog.consumer.xmppTest.publisher.username = jabberuser
+#changeLog.consumer.xmppTest.publisher.password = /home/whatever/pass/jabberuserEncrypted.pass
+#changeLog.consumer.xmppTest.publisher.recipient = system1@school.edu
+#changeLog.consumer.xmppTest.publisher.addSubjectAttributes = NETID
+##note, on the content type header, activemq might need: application/x-www-form-urlencoded
+#changeLog.consumer.xmppTest.publisher.contentTypeHeader = application/json; charset=utf-8
+##note, on the stringRequestEntityPrefix, activemq might need: data=
+#changeLog.consumer.xmppTest.publisher.stringRequestEntityPrefix = 
+##note, on the stringRequestEntityContentType, activemq might need: application/x-www-form-urlencoded
+#changeLog.consumer.xmppTest.publisher.stringRequestEntityContentType = application/json
+
+
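Review bot: `loader.failsafe.use = false` leaves the mass-removal guard off, and the `grouper-loader.properties` overlay added in this commit does not turn it on, so a source query that returns an empty or truncated result would presumably strip members from loader-managed groups instead of failing the job. Because this base file is documented as not to be edited, the override belongs in the overlay as `loader.failsafe.use = true`, with `loader.failsafe.minGroupSize` and `loader.failsafe.maxPercentRemove` left at the values shown here unless the deployment needs others. Separately, the commented `changeLog.consumer.awsJira.elfilter` example tests `MEMBERSHIP_ADD` twice; the second term was presumably meant to be `MEMBERSHIP_DELETE`, as in the `xmppTest` example below it.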

http://git-wip-us.apache.org/repos/asf/airavata/blob/4766b37c/modules/group-manager/src/main/resources/grouper-loader.properties
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/resources/grouper-loader.properties b/modules/group-manager/src/main/resources/grouper-loader.properties
new file mode 100755
index 0000000..0f63983
--- /dev/null
+++ b/modules/group-manager/src/main/resources/grouper-loader.properties
@@ -0,0 +1,25 @@
+#
+# Copyright 2014 Internet2
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Grouper loader uses Grouper Configuration Overlays (documented on wiki)
+# By default the configuration is read from grouper-loader.base.properties
+# (which should not be edited), and the grouper-loader.properties overlays
+# the base settings.  See the grouper-loader.base.properties for the possible
+# settings that can be applied to the grouper.properties
+
+db.warehouse.user=root
+db.warehourse.pass=
+db.warehouse.url=jdbc:mysql://localhost:3306/loader_grouper
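Review bot: The password key is misspelled as `db.warehourse.pass=`, so it does not belong to the `warehouse` connection that `db.warehouse.user` and `db.warehouse.url` define, and any password later set on that line would presumably be ignored. The overlay also commits `db.warehouse.user=root` with an empty password, which makes a passwordless superuser account the checked-in default for the loader database. I would correct the key to `db.warehouse.pass` and point the connection at a dedicated account limited to the `loader_grouper` schema, with the password kept out of the repository. The base file in this commit notes that the password can be stored encrypted in an external file.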

http://git-wip-us.apache.org/repos/asf/airavata/blob/4766b37c/modules/group-manager/src/main/resources/grouper.base.properties
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/resources/grouper.base.properties b/modules/group-manager/src/main/resources/grouper.base.properties
new file mode 100755
index 0000000..1cc0805
--- /dev/null
+++ b/modules/group-manager/src/main/resources/grouper.base.properties
@@ -0,0 +1,1017 @@
+#
+# Copyright 2014 Internet2
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Grouper Configuration
+# $Id: grouper.example.properties,v 1.48 2009-12-16 06:02:30 mchyzer Exp $
+#
+
+# Grouper uses Grouper Configuration Overlays (documented on wiki)
+# By default the configuration is read from grouper.base.properties
+# (which should not be edited), and the grouper.properties overlays
+# the base settings.  See the grouper.base.properties for the possible
+# settings that can be applied to the grouper.properties
+
+
+########################################
+## Config chaining hierarchy
+########################################
+
+# comma separated config files that override each other (files on the right override the left)
+# each should start with file: or classpath:
+# e.g. classpath:grouper.example.properties, file:c:/something/myconfig.properties
+grouper.config.hierarchy = classpath:grouper.base.properties, classpath:grouper.properties
+
+# seconds between checking to see if the config files are updated
+grouper.config.secondsBetweenUpdateChecks = 60
+
+
+########################################
+## General settings
+########################################
+
+# in cases where grouper is logging or emailing, it will use this to differentiate test vs dev vs prod
+grouper.env.name = 
+
+#put the URL which will be used e.g. in emails to users.  include the webappname at the end, and nothing after that.
+#e.g. https://server.school.edu/grouper/
+grouper.ui.url =
+
+# tmp dir to use, will set this to the env var for tmp dir during cache operations...
+# note, if you are using a backslash, you need to escape it with another, e.g. c:\\temp
+# see the temp dir in logs with this in log4j.properties
+# log4j.logger.edu.internet2.middleware.grouper.util.GrouperUtil = INFO
+grouper.tmp.dir = 
+
+# main stem for grouper built in objects
+# Note: there are more locations to change than just this
+grouper.rootStemForBuiltinObjects = etc
+
+#######################################
+## inititalization and configuration settings
+#######################################
+
+#if grouper should auto init the registry if not initted (i.e. insert the root stem, built in fields, etc)
+#defaults to true
+registry.autoinit = true
+
+#if grouper should try and detect and log configuration errors on startup
+#in general this should be true, unless the output is too annoying or if it is causing a problem
+configuration.detect.errors = true
+
+#if the startup message should display
+configuration.display.startup.message = true
+
+#if groups like the wheel group should be auto-created for convenience (note: check config needs to be on)
+configuration.autocreate.system.groups = false
+
+#auto-create groups (increment the integer index), and auto-populate with users 
+#(comma separated subject ids) to bootstrap the registry on startup
+#(note: check config needs to be on)
+#configuration.autocreate.group.name.0 = etc:uiUsers
+#configuration.autocreate.group.description.0 = users allowed to log in to the UI
+#configuration.autocreate.group.subjects.0 = johnsmith
+
+# if should check java version and make sure ok
+configuration.checkJavaVersion = true
+
+# if should check database and utf in new thread
+configuration.checkDatabaseAndUtf.inNewThread = true
+
+# if grouper should check to see if the database has case sensitive selects
+configuration.detect.db.caseSensitive.problems = true
+configuration.display.db.caseSensitive.success.message = false
+
+# if grouper should check to see if utf-8 works on startup in files
+configuration.detect.utf8.file.problems = true
+# if grouper should check to see if utf-8 works on startup in the database
+configuration.detect.utf8.problems = true
+configuration.display.utf8.success.message = false
+
+# if grouper in the utf8 check will check to see if grouper supports transaction
+configuration.detect.db.transaction.problems = true
+configuration.display.transaction.success.message = false
+
+###################################
+## security settings
+###################################
+
+# If set to _true_, the ALL subject will be granted that privilege on
+# each new group that is created.  Note, you can override the default
+# checkboxes on screen of UI in media.properties.
+groups.create.grant.all.optin         = false
+groups.create.grant.all.optout        = false
+groups.create.grant.all.read          = false
+groups.create.grant.all.view          = false
+groups.create.grant.all.groupAttrRead = false
+
+# If set to _true_, the ALL subject will be granted that privilege on
+# each new stem that is created.  
+stems.create.grant.all.create         = false
+stems.create.grant.all.stemAdmin      = false
+stems.create.grant.all.stemAttrRead   = false
+stems.create.grant.all.stemAttrUpdate = false
+
+# If set to _true_, the ALL subject will be granted that privilege on
+# each new attributeDef that is created.  
+attributeDefs.create.grant.all.attrAdmin         = false
+attributeDefs.create.grant.all.attrOptin         = false
+attributeDefs.create.grant.all.attrOptout        = false
+attributeDefs.create.grant.all.attrRead          = false
+attributeDefs.create.grant.all.attrUpdate        = false
+attributeDefs.create.grant.all.attrView          = false
+attributeDefs.create.grant.all.attrDefAttrRead   = false
+attributeDefs.create.grant.all.attrDefAttrUpdate = false
+
+# if set to true, then the ALL subject will be granted view on new entities
+entities.create.grant.all.view = false
+
+
+# A wheel group allows you to enable non-GrouperSystem subjects to act
+# like a root user when interacting with the registry.
+groups.wheel.use                      = false
+
+# Set to the name of the group you want to treat as the wheel group.
+# The members of this group will be treated as root-like users.
+groups.wheel.group                    = etc:sysadmingroup
+
+# A viewonly wheel group allows you to enable non-GrouperSystem subjects to act
+# like a root user when viewing the registry.
+groups.wheel.viewonly.use                      = false
+
+# Set to the name of the group you want to treat as the viewonly wheel group.
+# The members of this group will be treated as root-like users when viewing objects.
+groups.wheel.viewonly.group                    = etc:sysadminViewersGroup
+
+# A readonly wheel group allows you to enable non-GrouperSystem subjects to act
+# like a root user when reading the registry.
+groups.wheel.readonly.use                      = false
+
+# Set to the name of the group you want to treat as the readonly wheel group.
+# The members of this group will be treated as root-like users when reading objects.
+groups.wheel.readonly.group                    = etc:sysadminReadersGroup
+
+
+# To change the internal names for GrouperAll and GrouperSystem
+# uncomment and change. Review UI nav.properties to ensure consistency
+subject.internal.grouperall.name   = EveryEntity
+subject.internal.groupersystem.name   = GrouperSysAdmin
+
+# Search and sort strings for internal users
+internalSubjects.searchAttribute0.el = ${subject.name},${subject.id}
+internalSubjects.sortAttribute0.el = ${subject.name}
+
+
+#by default, anyone with admin rights on a group can edit the types or attributes
+#specify types (related attributes will also be protected) which are wheel only, or restricted to a certain group
+#security.types.typeName.wheelOnly = true
+security.types.grouperLoader.wheelOnly = true
+security.types.grouperGroupMembershipSettings.wheelOnly = true
+
+#security.types.typeName.allowOnlyGroup = etc:someAdminGroup
+
+
+# If this property is set, then to move a stem, in addition to having the appropriate stem privileges for the stem being moved and the destination stem,
+# a user must also be a member of the defined group.  Note that users in the wheel group will have access regardless of this property.
+#security.stem.groupAllowedToMoveStem = etc:someAdminGroup
+
+# If this property is set, then to rename a stem, in addition to having the appropriate stem privilege for the stem being renamed,
+# a user must also be a member of the defined group.  Note that users in the wheel group will have access regardless of this property.
+#security.stem.groupAllowedToRenameStem = etc:someAdminGroup
+
+# If this property is set, then to copy a stem, a user must be a member of the defined group.  Note that users in the wheel group will have access regardless of this property.
+#security.stem.groupAllowedToCopyStem = etc:someAdminGroup
+
+# By default, all users have access to sort using any of the sort strings in the member table and search using any of the search strings in the member table.
+# You can restrict to wheel only or to a certain group.
+#security.member.sort.string0.allowOnlyGroup = etc:someGroup
+#security.member.sort.string1.allowOnlyGroup = etc:someGroup
+#security.member.sort.string2.wheelOnly = true
+#security.member.sort.string3.wheelOnly = true
+#security.member.sort.string4.wheelOnly = true
+#security.member.search.string0.allowOnlyGroup = etc:someGroup
+#security.member.search.string1.allowOnlyGroup = etc:someGroup
+#security.member.search.string2.wheelOnly = true
+#security.member.search.string3.wheelOnly = true
+#security.member.search.string4.wheelOnly = true
+
+
+###################################
+## Member sort and search
+###################################
+
+# Attributes of members are kept in the grouper_members table to allow easy sorting and searching (for instance when listing group members).
+# When performing a sort or search and an index is not specified, then a default index will be used as configured below.  The value is comma-separated,
+# so that if the user does not have access to the first index, then next will be tried and so forth.
+# Note:  all sources should have attributes configured for all default indexes.
+member.search.defaultIndexOrder=0
+member.sort.defaultIndexOrder=0
+
+
+###################################
+## whitelist (allow) and blacklist (deny) for db/ldap data or object deletes, without prompting the user to confirm
+## if a listing is in the whitelist (allow), it will be allowed to delete db/ldap
+## if a listing is in the blacklist (deny), it will be denied from deleting db/ldap
+## multiple inputs can be entered with .0, .1, .2, etc.  These numbers must be sequential, starting with 0
+###################################
+
+db.change.allow.user.0=sa
+db.change.allow.url.0=jdbc:hsqldb:hsql://localhost:9001/grouper
+db.change.allow.user.1=grouper1
+db.change.allow.url.1=jdbc:mysql://localhost:3306/grouper1
+
+db.change.deny.user.0=grouper2
+db.change.deny.url.0=jdbc:mysql://localhost:3306/grouper2
+
+# db.change.allow.user.2=uid=admin,ou=system
+# db.change.allow.url.2=ldap://localhost:10389
+
+# if should give error when detect driver mismatch (set to false if using an 
+# unknown driver, and tell the grouper team so we can add to list)
+db.log.driver.mismatch = true
+
+###################################
+## Grouper include / exclude and requireGroups
+## If enabled, will make sure the Type is installed, and when that type is
+## applied to a group, it will auto-create the other groups needed to manage the include and exclude lists
+## see: https://bugs.internet2.edu/jira/browse/GRP-178
+## the naming settings below are only used when the type is applied to a group, will not affect
+## existing include/exclude groups
+###################################
+
+#if the addIncludeExclude and requireInGroups should be enabled, and if the type(s) should be 
+#auto-created, and used to auto create groups to facilitate include and exclude lists, and require lists
+grouperIncludeExclude.use = false
+grouperIncludeExclude.requireGroups.use = false
+
+#for requireGroups (groups that the members must be to be in the overall group).  name is the name of the attribute or type
+#attributeOrType is either attribute for an attribute underneath the requireInGroups type, or type to be a top level type
+#group is the group to be anded in.  note attributes are a global namespace, so you might want to use a naming convention,
+#e.g. prefix with "require".  description is the tooltip.  add as many as you like.
+#grouperIncludeExclude.requireGroup.name.0 = requireActiveEmployee
+#grouperIncludeExclude.requireGroup.attributeOrType.0 = type
+#grouperIncludeExclude.requireGroup.group.0 = school:community:activeEmployee
+#grouperIncludeExclude.requireGroup.description.0 = If value is true, members of the overall group must be an active employee (in the school:community:activeEmployee group).  Otherwise, leave this value not filled in.
+
+#grouperIncludeExclude.requireGroup.name.1 = requireActiveStudent
+#grouperIncludeExclude.requireGroup.attributeOrType.1 = attribute
+#grouperIncludeExclude.requireGroup.group.1 = school:community:activeStudent
+#grouperIncludeExclude.requireGroup.description.1 = If value is true, members of the overall group must be an active student (in the school:community:activeStudent group).  Otherwise leave this value not filled in.
+
+
+# set some names and tooltips
+grouperIncludeExclude.type.name = addIncludeExclude
+grouperIncludeExclude.tooltip = Select this type to auto-create other groups which facilitate having include and exclude list
+
+grouperIncludeExclude.requireGroups.type.name = requireInGroups
+grouperIncludeExclude.requireGroups.tooltip = Select this type to auto-create other groups which set up group math so that other groups can be required for membership (e.g. activeEmployee)
+
+#leave grouperIncludeExclude.andGroups.attributeName blank if you dont want to use this attribute...  
+#though if you were using it, it wont remove already configured groups
+grouperIncludeExclude.requireGroups.attributeName = requireAlsoInGroups
+grouperIncludeExclude.requireGroups.attribute.tooltip = Enter in comma separated group path(s).  An entity must be in these groups for it to be in the overall group.  e.g. stem1:stem2:group1, stem1:stem3:group2
+
+#suffixes for various include/exclude groups (can use ${space} for space).
+#note, these should uniquely identify various parts of the include/exclude.
+#i.e. if the grouperIncludeExclude type is applied to a group with a suffix of the include suffix,
+#the other groups will not be created...
+grouperIncludeExclude.systemOfRecord.extension.suffix = _systemOfRecord
+grouperIncludeExclude.include.extension.suffix = _includes
+grouperIncludeExclude.exclude.extension.suffix = _excludes
+grouperIncludeExclude.systemOfRecordAndIncludes.extension.suffix = _systemOfRecordAndIncludes
+grouperIncludeExclude.includesMinusExcludes.extension.suffix = _includesMinusExcludes
+#note, put a ${i} in there for where the 1 based index will go
+grouperIncludeExclude.requireGroups.extension.suffix = _requireGroups${i}
+
+#suffixes for various include/exclude groups (can use ${space} for space)
+grouperIncludeExclude.systemOfRecord.displayExtension.suffix = ${space}system of record
+grouperIncludeExclude.include.displayExtension.suffix = ${space}includes
+grouperIncludeExclude.exclude.displayExtension.suffix = ${space}excludes
+grouperIncludeExclude.systemOfRecordAndIncludes.displayExtension.suffix = ${space}system of record and includes
+grouperIncludeExclude.includesMinusExcludes.displayExtension.suffix = ${space}includes minus excludes
+#note, put a ${i} in there for where the 1 based index will go
+grouperIncludeExclude.requireGroups.displayExtension.suffix = ${space}requireGroups ${i}
+
+#can use ${extension} as the group extension, or ${displayExtension} for group display extension
+grouperIncludeExclude.overall.description = Group containing list of ${displayExtension} after adding the includes and subtracting the excludes
+grouperIncludeExclude.systemOfRecord.description = Group containing list of ${displayExtension} (generally straight from the system of record) without yet considering manual include or exclude lists
+grouperIncludeExclude.include.description = Group containing manual list of includes for group ${displayExtension} which will be added to the system of record list (unless the subject is also in the excludes group)
+grouperIncludeExclude.exclude.description = Group containing manual list of excludes for group ${displayExtension} which will not be in the overall group
+grouperIncludeExclude.systemOfRecordAndIncludes.description = Internal utility group for group ${displayExtension} which facilitates the group math for the include and exclude lists
+grouperIncludeExclude.includesMinusExclude.description = Internal utility group for group ${displayExtension} which facilitates includes, excludes, and required groups (e.g. activeEmployee)
+#note, put a ${i} in there for where the 1 based index will go
+grouperIncludeExclude.requireGroups.description = Internal utility group for group ${displayExtension} which facilitates required groups (e.g. activeEmployee)
+
+
+###################################
+## Subject settings
+###################################
+
+# if finding across multiple threadable sources, use threads to do the work faster
+subjects.allPage.useThreadForkJoin = false
+
+# if finding across multiple threadable sources, use threads to do the work faster
+subjects.idOrIdentifier.useThreadForkJoin = false
+
+# if the creator and last updater should be group subject attributes (you get
+# a performance gain if you set to false, but if true you can see subject id from UI in 2.0
+subjects.group.useCreatorAndModifierAsSubjectAttributes = true
+
+# customize subjects by implementing this interface: edu.internet2.middleware.grouper.subj.SubjectCustomizer
+# or extending this class: edu.internet2.middleware.grouper.subj.SubjectCustomizerBase (recommended)
+# note the instance will be reused to make sure it is threadsafe
+subjects.customizer.className = 
+
+# if we should use a root session if one isnt started for subject lookups (behavior in v2.0-
+subjects.startRootSessionIfOneIsntStarted = false
+
+###################################
+## Hooks
+## You can register multiple classes for one hook base class by comma separating the hooks implementations
+## You can also register hooks at runtime with: 
+## GrouperHookType.addHookManual("hooks.group.class", YourSchoolGroupHooks2.class);
+###################################
+
+#implement a group attribute hook by extending edu.internet2.middleware.grouper.hooks.AttributeHooks
+#hooks.attribute.class=edu.yourSchool.it.YourSchoolGroupHooks,edu.yourSchool.it.YourSchoolGroupHooks2
+
+#implement an attribute def hook by extending edu.internet2.middleware.grouper.hooks.AttributeDefHooks
+#hooks.attributeDef.class=edu.yourSchool.it.YourSchoolAttributeDefHooks,edu.yourSchool.it.YourSchoolAttributeDefHooks2
+
+#implement an attribute def name hook by extending edu.internet2.middleware.grouper.hooks.AttributeDefNameHooks
+#hooks.attributeDefName.class=edu.yourSchool.it.YourSchoolAttributeDefNameHooks,edu.yourSchool.it.YourSchoolAttributeDefNameHooks2
+
+#implement an attribute assign hook by extending edu.internet2.middleware.grouper.hooks.AttributeAssignHooks
+#hooks.attributeAssign.class=edu.yourSchool.it.YourSchoolAttributeAssignHooks,edu.yourSchool.it.YourSchoolAttributeAssignHooks2
+
+#implement an attribute assign hook by extending edu.internet2.middleware.grouper.hooks.AttributeAssignValueHooks
+#hooks.attributeAssignValue.class=edu.yourSchool.it.YourSchoolAttributeAssignValueHooks,edu.yourSchool.it.YourSchoolAttributeAssignValueHooks2
+
+#implement a group hook by extending edu.internet2.middleware.grouper.hooks.GroupHooks
+#hooks.group.class=edu.yourSchool.it.YourSchoolGroupHooks,edu.yourSchool.it.YourSchoolGroupHooks2
+
+#implement a grouper lifecycle hook by extending edu.internet2.middleware.grouper.hooks.LifecycleHooks
+#hooks.lifecycle.class=edu.yourSchool.it.YourSchoolLifecycleHooks
+
+#implement a membership hook by extending edu.internet2.middleware.grouper.hooks.MembershipHooks
+#hooks.membership.class=edu.yourSchool.it.YourSchoolMembershipHooks
+
+#implement a member hook by extending edu.internet2.middleware.grouper.hooks.MemberHooks
+#hooks.member.class=edu.yourSchool.it.YourSchoolMemberHooks
+
+#implement a stem hook by extending edu.internet2.middleware.grouper.hooks.StemHooks
+#hooks.stem.class=edu.yourSchool.it.YourSchoolStemHooks
+
+#implement a composite hook by extending edu.internet2.middleware.grouper.hooks.CompositeHooks
+#hooks.composite.class=edu.yourSchool.it.YourSchoolCompositeHooks
+
+#implement a field hook by extending edu.internet2.middleware.grouper.hooks.FieldHooks
+#hooks.field.class=edu.yourSchool.it.YourSchoolFieldHooks
+
+#implement a grouperSession hook by extending edu.internet2.middleware.grouper.hooks.GrouperSessionHooks
+#hooks.grouperSession.class=edu.yourSchool.it.YourSchoolGrouperSessionHooks
+
+#implement a groupType hook by extending edu.internet2.middleware.grouper.hooks.GroupTypeHooks
+#hooks.groupType.class=edu.yourSchool.it.YourSchoolGroupTypeHooks
+
+#implement a groupTypeTuple hook by extending edu.internet2.middleware.grouper.hooks.GroupTypeTupleHooks
+#hooks.groupTypeTuple.class=edu.yourSchool.it.YourSchoolGroupTypeTupleHooks
+
+#implement a loader hook by extending edu.internet2.middleware.grouper.hooks.LoaderHooks
+#hooks.loader.class=edu.yourSchool.it.YourSchoolLoaderHooks
+
+#implement an external subject hook by extending edu.internet2.middleware.grouper.hooks.ExternalSubjectHooks
+#hooks.externalSubject.class=edu.yourSchool.it.YourSchoolExternalSubjectHooks
+
+###################################
+## Rules
+###################################
+
+# Rules users who are in the following group can use the actAs field to act as someone else
+# You can put multiple groups separated by commas.  e.g. a:b:c, e:f:g
+# You can put a single entry as the group the calling user has to be in, and the grouper the actAs has to be in
+# separated by 4 colons
+# e.g. if the configured values is:       a:b:c, e:f:d :::: r:e:w, x:e:w
+# then if the calling user is in a:b:c or x:e:w, then the actAs can be anyone
+# if not, then if the calling user is in e:f:d, then the actAs must be in r:e:w.  If multiple rules, then 
+# if one passes, then it is a success, if they all fail, then fail.
+rules.act.as.group = 
+
+# any actAs subject in this group has access to more objects when the EL fires on 
+# the IF or THEN EL clause
+rules.accessToApiInEl.group = 
+
+# cache the decision to allow a user to actAs another, so it doesnt have to be calculated each time
+# defaults to 30 minutes
+rules.act.as.cache.minutes = 30
+
+# uuids (comma separated) of the attribute assign record which is the rule type to the owner object
+# e.g. SELECT gaagv.attribute_assign_id FROM grouper_attr_asn_group_v gaagv WHERE gaagv.attribute_def_name_name LIKE '%:rule' AND gaagv.group_name = 'stem:a'
+# make sure log info level is set for RuleEngine
+# log4j.logger.edu.internet2.middleware.grouper.rules.RuleEngine = INFO
+rules.attributeAssignTypeIdsToLog = abc1234abc123, def456def345
+
+# if this is true, then log a lot of info about why rules do or do not fire... only turn on temporarily
+# since it takes a lot of resources...  note you need log DEBUG set for the rules engine in log4j.properties too e.g.
+# log4j.logger.edu.internet2.middleware.grouper.rules = DEBUG
+rules.logWhyRulesDontFire = false
+
+# put in fully qualified classes to add to the EL context.  Note that they need a default constructor
+# comma separated.  The alias will be the simple class name without a first cap.
+# e.g. if the class is test.Test the alias is "test"
+rules.customElClasses = 
+
+# If the CHECK, IF, and THEN are all exactly what is needed for managing inherited stem privileges
+# Then allow an actAs GrouperSystem in source g:isa
+rules.allowActAsGrouperSystemForInheritedStemPrivileges = 
+
+# If not blank, then keep email templates in this folder instead of classpath
+# If in classpath, it is classpath: grouperRulesEmailTemplates/someTemplate.txt
+rules.emailTemplatesFolder = 
+
+
+###################################
+## Group attribute validation via regex
+## You can attach a regex to an attribute name (including built ins)
+## If none are registered, the built in hook will not be enabled
+## The built ins are description, displayName, extension, displayExtension, name
+## Configure a group.attribute.validator.attributeName.X for attribute name
+## group.attribute.validator.regex.X for the regex
+## group.attribute.validator.vetoMessage.X for the veto message (can contain the variable $attributeValue$ which will substitute)
+## the X must be a sequential integer which groups the config entries together.
+## do not repeat two config entries
+###################################
+
+#Attach a regex validator by attribute name
+#group.attribute.validator.attributeName.0=extension
+#group.attribute.validator.regex.0=^[a-zA-Z0-9]+$
+#group.attribute.validator.vetoMessage.0=Group ID '$attributeValue$' is invalid since it must contain only alpha-numerics
+#
+#group.attribute.validator.attributeName.1=displayExtension
+#group.attribute.validator.regex.1=^[a-zA-Z0-9 ]+$
+#group.attribute.validator.vetoMessage.1=Group name '$attributeValue$' is invalid since it must contain only alpha-numerics or spaces
+
+#####################################
+## Audit settings
+#####################################
+
+# if set to true, then exceptions will be thrown if any actions are not audited... exceptions
+# should not be thrown since everything should be audited, so this is a switch to make it absorb
+# errors if there is a problem (will be logged instead if second param is true)
+audit.requireAuditsForAllActions = false
+audit.logAuditsForMissingActions = false
+
+#####################################
+## Change log settings
+#####################################
+
+# if we should insert records into grouper_change_log_temp when events happen
+# defaults to true.  Note, it is not currently supported to set this to false...
+changeLog.enabled = true
+
+
+#####################################
+## Settings to track last membership changes for groups and stems.
+#####################################
+
+# If true, when an immediate membership changes for a group (either a privilege or a list member), 
+# then an update will be made to the lastImmediateMembershipChange property for the group.
+groups.updateLastImmediateMembershipTime = false
+
+# If true, when an immediate, composite, or effective membership changes for a group (either a privilege or a list member), 
+# then an update will be made to the lastMembershipChange property for the group.
+groups.updateLastMembershipTime = false
+
+# If true, when an immediate or effective membership changes for a stem (this would be a naming privilege), 
+# then an update will be made to the lastMembershipChange property for the stem.
+stems.updateLastMembershipTime = false
+
+
+#####################################
+## Database structure data definition language (DDL) settings
+#####################################
+
+# Grouper DOES NOT WORK WITHOUT NESTED TRANSACTIONS!  This config parameter doesnt exist
+#ddlutils.use.nestedTransactions = true
+
+# ddlutils db name will be set by default, you can override it here, it must be one of:
+# axion, cloudscape, db2, db2v8, derby, firebird, hsqldb, interbase, maxdb, mckoi, 
+# mssql, mysql, mysql5, oracle, oracle10, oracle9, postgresql, sapdb, sybase, sybasease15, 
+#
+#ddlutils.dbname.override = oracle10
+
+# if you want to not create the subject tables (grouper examples for unit testing), 
+# then set this to true
+ddlutils.exclude.subject.tables = false
+
+# set the path where ddl scripts are generated (they will be uniquely named in this directory).
+# if blank, the directory used will be the current directory
+ddlutils.directory.for.scripts = ddlScripts
+
+# during schema export, should it install grouper data also or not.  e.g. insert the root stem, default true
+ddlutils.schemaexport.installGrouperData = true
+
+# when grouper starts, should it shut down if not right version?
+ddlutils.failIfNotRightVersion = true
+
+# after you have converted id's, and are happy with the conversion of removing the uuid col, 
+# this will remove the backup uuid cols when running the gsh command: gsh -registry -deep 
+ddlutils.dropBackupUuidCols = false
+
+# after you have converted field id foreign keys, and are happy with the conversion of removing the attribute name, 
+# membership list name, and type cols, 
+# this will remove the backup field name/type cols when running the gsh command: gsh -registry -deep  
+ddlutils.dropBackupFieldNameTypeCols = false
+
+# before the group name etc was moved to the grouper_groups table, the attributes table
+# was backed up.  If it should not be backed up, or if the upgrade is done and works, then it can
+# be removed, set to true, run: gsh -registry -deep 
+ddlutils.dropAttributeBackupTableFromGroupUpgrade = false
+
+# Since grouper_memberships no longer has effective memberships, that table doesn't need via_id,
+# depth and parent_membership.  If they were converted, this will drop the backup of those cols with: gsh -registry -deep 
+ddlutils.dropMembershipBackupColsFromOwnerViaUpgrade = false
+
+# After legacy attributes are converted, the backed up tables can be dropped with: gsh -registry -deep
+ddlutils.dropLegacyAttributes = false
+
+# this is the schema ddlutils uses to query metadata with jdbc.  usually this can be omitted,
+# and it defaults to your database loginid, however, in postgres, it can be different, so enter here
+# in sql server, it might need to be: dbo
+#ddlutils.schema = public
+
+#if you are running a DB that supports them, but you dont want them, disable comments here (defaults to false)
+ddlutils.disableComments = false
+
+#set to true and we wont subsitute varchar 4000 for text in mysql (wont work in innodb utf-8 databases
+ddlutils.dontSubstituteVarchar4000forTextMysql = false
+
+#####################################
+## mail settings (optional, e.g. for daily report form loader)
+#####################################
+
+#smtp server is a domain name or dns name.  set to "testing" if you want to log instead of send (e.g. for testing)
+#mail.smtp.server = whatever.school.edu
+
+#leave blank if unauthenticated
+#mail.smtp.user = 
+
+#leave blank if unauthenticated
+#mail.smtp.pass = 
+
+#leave blank or false for no ssl, true for ssl
+#mail.smtp.ssl = 
+
+#leave blank for default (probably 25), if ssl is true, default is 465, else specify
+#mail.smtp.port = 
+
+#this is the default email address where mail from grouper will come from
+#mail.from.address = noreply@school.edu
+
+#this is the subject prefix of emails, which will help differentiate prod vs test vs dev etc
+#mail.subject.prefix = TEST:
+
+#when running junit tests, this is the address that will be used
+#mail.test.address = a@b.c
+
+#####################################
+## misc settings which probably dont need to be changed
+#####################################
+
+dao.factory = edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAOFactory
+
+# if tables that are hibernated should have optimistic locking or not (assumes the data layer supports this, hibernate does)
+dao.optimisticLocking = true
+
+# set the API as readonly (e.g. during upgrades).  Any updates will throw an exception
+grouper.api.readonly = false
+
+# When searching for memberships using the getMemberships WS (or underlying API call), limit the number of memberships
+# which can be returned, else throws exception.  -1 means dont check.
+ws.getMemberships.maxResultSize = 30000
+
+# When searching for attribute assignments using the getAttributeAssignments WS (or underlying API call), limit the number of assignments
+# which can be returned, else throws exception.  -1 means dont check.
+ws.findAttrAssignments.maxResultSize = 30000
+
+# When searching attribute def names, this is max size
+findAllAttributeDefNames.maxResultSize = 30000
+
+# create the type and attribuute for membership lite ui config by group
+membershipUpdateLiteTypeAutoCreate = false
+
+grouper.tableIndex.group.minIndex = 10000
+grouper.tableIndex.stem.minIndex = 10000
+grouper.tableIndex.attributeDef.minIndex = 10000
+grouper.tableIndex.attributeDefName.minIndex = 10000
+
+# verify that table indexes are set and the pointers are ok, incurs a bit of overhead to grouper startup
+grouper.tableIndex.verifyOnStartup = true
+
+# in different circumstances, retrieve a different number of IDs at once.
+# if it is a system where the JVM is starting and stopping (e.g. GSH), then
+# dont reserve that many at once 
+grouper.tableIndex.reserveIdsGsh = 1
+grouper.tableIndex.reserveIdsDefault = 10
+grouper.tableIndex.reserveIdsLoader = 10
+grouper.tableIndex.reserveIdsWs = 10
+grouper.tableIndex.reserveIdsUi = 10
+
+# group who can assign id index cols (also, wheel or root is allowed)
+grouper.tableIndex.groupWhoCanAssignIdIndex = etc:canAssignIdIndex
+
+# number of bytes in DB that a non ascii char takes
+grouper.nonAsciiCharDbBytesLength = 3
+
+# cache size for jexl expressions
+jexl.cacheSize = 1024
+
+# when reading writing files from util classes, this is encoding (was ISO-8859-1)
+grouper.default.fileEncoding = UTF-8
+
+
+#####################################
+## testing settings
+#####################################
+
+# if the ldappc tests should be included when running all tests (default false)
+junit.test.ldappc = false
+
+# if the loader tests should be included when running all tests (default true)
+junit.test.loader = true
+
+# if the ddl tests should be included when running all tests (default true)
+junit.test.ddl = true
+
+# if the gsh tests should be included when running all tests (default false)
+junit.test.gsh = false
+
+# if the stress tests should be included when running all tests (default false)
+junit.test.stress = false
+
+# if the external subject tests should be included when running all tests, note you need the jabber attribute in the view (default false)
+junit.test.externalSubjects = false
+
+# if the group sync should be tested... note you need the demo server available to test this, or change some settings...
+junit.test.groupSync = false
+junit.test.groupSync.url = https://grouperdemo.internet2.edu/grouper-ws_v2_0_0/servicesRest
+junit.test.groupSync.user = remoteUser
+junit.test.groupSync.password = R:/pass/grouperDemoRemoteUser.pass
+#folder where the user can create/stem which the user can use to run tests
+junit.test.groupSync.folder = test2:whateverFolder
+#this is true unless testing to an older grouper which doesnt support this
+junit.test.groupSync.pushAddExternalSubjectIfNotExist = true
+junit.test.groupSync.createRemoteFolderIfNotExist = true
+junit.test.groupSync.remoteSourceId = grouperExternal
+junit.test.groupSync.remoteReadSubjectId = identifier
+junit.test.groupSync.remoteWriteSubjectId = identifier
+
+
+#####################################
+## attribute framework
+#####################################
+
+# root stem in grouper where built in attributes are put
+grouper.attribute.rootStem = etc:attribute
+
+# comma separated names of attribute defs will not be audited or change log or point in time
+grouper.attribute.namesOfAttributeDefsToIgnoreAuditsChangeLogPit.elConfig = ${edu.internet2.middleware.grouper.cfg.GrouperConfig.retrieveConfig().propertyValueStringRequired('grouper.attribute.rootStem')}:userData:grouperUserDataValueDef
+
+# if the attribute loader attributes, and other attributes should be autoconfigured (created, etc)
+grouper.attribute.loader.autoconfigure = true
+
+#####################################
+## centrally managed permissions
+#####################################
+
+# if the permissions limits should be readable and updatable by GrouperAll (set when created)...
+grouper.permissions.limits.builtin.createAs.public = true
+
+# if the permissions limits should be readable and updatable by GrouperAll (set when created)...
+grouper.permissions.limits.builtin.displayExtension.limitAmountLessThan = amount less than
+grouper.permissions.limits.builtin.displayExtension.limitAmountLessThanOrEqual = amount less than or equal to
+grouper.permissions.limits.builtin.displayExtension.limitExpression = Expression
+grouper.permissions.limits.builtin.displayExtension.limitIpOnNetworkRealm = ipAddress on network realm
+grouper.permissions.limits.builtin.displayExtension.limitIpOnNetworks = ipAddress on networks
+grouper.permissions.limits.builtin.displayExtension.limitLabelsContain = labels contains
+grouper.permissions.limits.builtin.displayExtension.limitWeekday9to5 = Weekday 9 to 5
+
+
+# el classes to add to the el context for a limitExpression.  Comma-separated fully qualified classnames
+grouper.permissions.limits.el.classes = 
+
+# permission limits linked to subclasses of edu.internet2.middleware.grouper.permissions.limits.PermissionLimitBase
+#grouper.permissions.limits.logic.someName.limitName = 
+#grouper.permissions.limits.logic.someName.logicClass = 
+
+# if you are doing ip address limits, you can put realms here
+# grouper.permissions.limits.realm.someName = 1.2.3.4/24, 2.3.4.5/16
+
+#####################################
+## External subjects
+#####################################
+
+#manages the description of a user automatically
+externalSubjects.desc.el = ${grouperUtil.appendPrefixIfStringNotBlank('[unverifiedInfo]', ' ', grouperUtil.appendIfNotBlankString(externalSubject.name, ' - ', externalSubject.institution))} [externalUserID] ${externalSubject.identifier}
+
+#search and sort strings added to member objects
+externalSubjects.searchAttribute0.el = ${subject.name},${subjectUtils.defaultIfBlank(subject.getAttributeValue("institution"), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValue("identifier"), "")},${subject.id},${subjectUtils.defaultIfBlank(subject.getAttributeValue("email"), "")}
+externalSubjects.sortAttribute0.el = ${subject.name}
+externalSubjects.sortAttribute1.el = ${subjectUtils.defaultIfBlank(subject.getAttributeValue("identifier"), "")}
+externalSubjects.sortAttribute2.el = ${subjectUtils.defaultIfBlank(subject.getAttributeValue("institution"), "")}
+
+# false if the description should be managed via EL (config above)
+externalSubjects.desc.manual = false
+
+# quartz cron where subjects are recalculated if necessary (empty means dont run), e.g. everyday at 3am
+externalSubjects.calc.fields.cron = 0 0 3 * * ? 
+
+externalSubjects.name.required = true
+externalSubjects.email.required = false
+externalSubjects.email.enabled = true
+
+# these field names (uuid, institution, identifier, uuid, email, name) or attribute names 
+# will be toLowered, and appended with comma separators.  e.g. if you add attributes, add them here too
+externalSubjects.searchStringFields = name, institution, identifier, uuid, email
+
+externalSubjects.institution.required = false
+externalSubjects.institution.enabled = true
+
+# note, this must be only alphanumeric lower case or underscore
+# (valid db column name, subject attribute name)
+#externalSubjects.attributes.jabber.systemName = jabber
+#externalSubjects.attributes.jabber.required = false
+# comment on column in DB (no special characters allowed)
+#externalSubjects.attributes.jabber.comment = The jabber ID of the user
+
+# if wheel or root can edit external users
+externalSubjects.wheelOrRootCanEdit = true
+
+# group which is allowed to edit external users
+externalSubjects.groupAllowedForEdit = 
+
+# if the view on the external subjects should be created.  
+# turn this off if it doesnt compile, othrewise should be fine
+externalSubjects.createView = true
+
+#name of external subject source, defaults to grouperExternal
+externalSubject.sourceId = grouperExternal
+externalSubject.sourceName = External Users
+
+# grouper can auto create a jdbc2 source for the external subjects
+externalSubjects.autoCreateSource = true
+
+# put in fully qualified classes to add to the EL context.  Note that they need a default constructor
+# comma separated.  The alias will be the simple class name without a first cap.
+# e.g. if the class is test.Test the alias is "test"
+externalSubjects.customElClasses = 
+
+# change these to affect the storage where external subjects live (e.g. to store in ldap),
+# must implement each respective storable interface
+externalSubjects.storage.ExternalSubjectStorable.class = edu.internet2.middleware.grouper.externalSubjects.ExternalSubjectDbStorage
+externalSubjects.storage.ExternalSubjectAttributeStorable.class = edu.internet2.middleware.grouper.externalSubjects.ExternalSubjectAttributeDbStorage
+
+# you can use the variables $newline$, $inviteLink$.  Note, you need to change this default message...
+externalSubjectsInviteDefaultEmail = Hello,$newline$$newline$This is an invitation to register at our site to be able to access our applications.  This invitation expires in 7 days.  Click on the link below and sign in with your InCommon credentials.  If you do not have InCommon credentials you can register at a site like protectnetwork.org and use those credentials.$newline$$newline$$inviteLink$$newline$$newline$Regards.
+# default subject for email
+externalSubjectsInviteDefaultEmailSubject = Register to access applications
+
+# you can use the variables $newline$, $inviteeIdentifier$, $inviteeEmailAddress$.  Note, you need to change this default message...
+externalSubjectsNotifyInviterEmail = Hello,$newline$$newline$This is a notification that user $inviteeIdentifier$ from email address $inviteeEmailAddress$ has registered with the identity management service.  They can now use applications at this institution.$newline$$newline$Regards.
+externalSubjectsNotifyInviterSubject = $inviteeIdentifier$ has registered
+
+# numner of days after which this request will expire.  If -1, then will not expire
+externalSubjectsInviteExpireAfterDays = 7
+
+#put some group names comma separated for groups to auto add subjects to
+externalSubjects.autoaddGroups=
+#should be insert, or update, or insert,update
+externalSubjects.autoaddGroupActions=insert,update
+#if a number is here, expire the group assignment after a certain number of days
+externalSubjects.autoaddGroupExpireAfterDays=
+
+# add multiple group assignment actions by URL param: externalSubjectInviteName
+#externalSubjects.autoadd.testingLibrary.externalSubjectInviteName=library
+
+# comma separated groups to add for this type of invite
+#externalSubjects.autoadd.testingLibrary.groups=
+
+# should be insert, update, or insert,update
+#externalSubjects.autoadd.testingLibrary.actions=insert,update
+
+# should be insert, update, or insert,update
+#externalSubjects.autoadd.testingLibrary.expireAfterDays=
+
+#if registrations are only allowed if invited or existing...
+externalSubjects.registerRequiresInvite=true
+
+#make sure the identifier when logging in is like an email address or eppn, e.g. username@school.edu
+externalSubjects.validateIndentiferLikeEmail=true
+
+#put regexes here, increment the 0 for multiple entries, e.g. restrict your own institution
+#note, the extensions must be sequential (dont skip), regex e.g. ^.*@myschool\\.edu$
+externalSubjects.regexForInvalidIdentifier.0=
+
+#####################################
+## org management
+#####################################
+
+# if the orgs table(s) should be included in the DDL (includes the hierarchical table
+orgs.includePocOrgsTablesInDdl = false
+
+# loader connection of the database where orgs are (grouper means the grouper db in grouper.hibernate.properties)
+orgs.databaseName = grouper
+
+#table name of the org table (can prefix by schema name if you like)
+orgs.orgTableName = grouperorgs_poc_orgs
+
+#column names of this table
+orgs.orgIdCol = id
+orgs.orgNameCol = org_name
+orgs.orgDisplayNameCol = org_display_name
+orgs.orgParentIdCol = parent_id
+
+#stem where the orgs are, e.g. poc:orgs
+orgs.parentStemName = poc:orgs
+
+#org config name
+orgs.configGroupName = poc:orgs:orgsConfig
+
+######################################
+## Grouper client connections
+## if this grouper needs to talk to another grouper, this is the client connection information
+######################################
+
+
+# id of the source, should match the part in the property name
+#grouperClient.someOtherSchool.id = someOtherSchool
+
+# url of web service, should include everything up to the first resource to access
+# e.g. https://groups.school.edu/grouperWs/servicesRest
+#grouperClient.someOtherSchool.properties.grouperClient.webService.url = https://some.other.school.edu/grouperWs/servicesRest
+
+# login ID
+#grouperClient.someOtherSchool.properties.grouperClient.webService.login = someRemoteLogin
+
+# password for shared secret authentication to web service
+# or you can put a filename with an encrypted password
+#grouperClient.someOtherSchool.properties.grouperClient.webService.password = *********
+
+# client version should match or be related to the server on the other end...
+#grouperClient.someOtherSchool.properties.grouperClient.webService.client.version = v2_0_000
+
+# this is the subject to act as local, if blank, act as GrouperSystem, specify with SubjectFinder packed string, e.g.
+# subjectIdOrIdentifier  or  sourceId::::subjectId  or  ::::subjectId  or  sourceId::::::subjectIdentifier  or  ::::::subjectIdentifier
+# sourceId::::::::subjectIdOrIdentifier  or  ::::::::subjectIdOrIdentifier
+#grouperClient.someOtherSchool.localActAsSubject = 
+
+# the id of this source, generally the same as the name in the property name.  This is mandatory
+#grouperClient.someOtherSchool.source.jdbc.id = jdbc
+
+# the part between "grouperClient.someOtherSchool.source." and ".id" links up the configs, 
+# in this case, "jdbc", make sure it has no special chars.  sourceId can be blank if you dont want to specify
+#grouperClient.someOtherSchool.source.jdbc.local.sourceId = jdbc
+
+# this is the identifier that goes between them, it is "id" or an attribute name.  subjects without this attribute will not be processed
+#grouperClient.someOtherSchool.source.jdbc.local.read.subjectId = identifier
+
+# this is the identifier to lookup to add a subject, should be "id" or "identifier" or "idOrIdentifier"
+#grouperClient.someOtherSchool.source.jdbc.local.write.subjectId = identifier
+
+# sourceId of the remote system, can be blank
+#grouperClient.someOtherSchool.source.jdbc.remote.sourceId = jdbc
+
+# this is the identifier that goes between them, it is "id" or an attribute name.  subjects without this attribute will not be processed
+#grouperClient.someOtherSchool.source.jdbc.remote.read.subjectId = 
+
+# this is the identifier to lookup to add a subject, should be "id" or "identifier" or "idOrIdentifier"
+#grouperClient.someOtherSchool.source.jdbc.remote.write.subjectId = 
+
+
+
+
+######################################
+## Sync to/from another grouper
+## Only sync one group to one other group, do not sync one group to
+## two report groupers.  If you need to do this, add the group to another group
+######################################
+
+# we need to know where our
+# connection name in grouper client connections above
+#syncAnotherGrouper.testGroup0.connectionName = someOtherSchool
+
+# incremental  or  push  or   pull  or  incremental_push.  Note, incremental push is cron'ed and incremental (to make sure no discrepancies arise)
+#syncAnotherGrouper.testGroup0.syncType = incremental_push
+
+# quartz cron  to schedule the pull or push (incremental is automatic as events happen) (e.g. 5am daily)
+#syncAnotherGrouper.testGroup0.cron =  0 0 5 * * ?
+
+# local group which is being synced
+#syncAnotherGrouper.testGroup0.local.groupName = test:testGroup
+
+# remote group at another grouper which is being synced
+#syncAnotherGrouper.testGroup0.remote.groupName = test2:testGroup2
+
+# if subjects are external and should be created if not exist
+#syncAnotherGrouper.testGroup0.addExternalSubjectIfNotFound = true
+
+
+
+###################################
+## user data settings
+###################################
+
+# amount of time to cache groups in use
+grouperUserData.group.cache.seconds = 120
+
+
+######################################
+## Legacy attributes
+######################################
+legacyAttribute.baseStem=etc:legacy:attribute
+legacyAttribute.groupTypeDef.prefix=legacyGroupTypeDef_
+legacyAttribute.attributeDef.prefix=legacyAttributeDef_
+legacyAttribute.customListDef.prefix=legacyCustomListDef_
+legacyAttribute.groupType.prefix=legacyGroupType_
+legacyAttribute.attribute.prefix=legacyAttribute_
+legacyAttribute.customList.prefix=legacyCustomList_
+legacyAttributeMigration.useThreads = true
+legacyAttributeMigration.threadPoolSize = 20
+
+
+######################################
+## Point in time audit
+######################################
+pit.sync.useThreads = true
+pit.sync.threadPoolSize = 20
+
+
+######################################
+## Stem sets
+######################################
+stemSet.sync.useThreads = true
+stemSet.sync.threadPoolSize = 20
+
+
+######################################
+## Group sets
+######################################
+groupSet.sync.useThreads = true
+groupSet.sync.threadPoolSize = 20
+
+########################
+## LDAPProvisioningHook
+########################
+#LDAPProvisioningHook.exclude.regex.0=.*_excludes$
+#LDAPProvisioningHook.exclude.regex.1=.*_includes$
+#LDAPProvisioningHook.exclude.regex.2=.*_systemOfRecord$
+#LDAPProvisioningHook.exclude.regex.3=.*_systemOfRecordAndIncludes$
+
+#########################################
+## Unresolvable Subject Deletion Utility
+#########################################
+
+# Don't do anything if more than this number of unresolvable subjects are found
+usdu.failsafe.maxUnresolvableSubjects = 200
+
+
+################# DIAGNOSTICS ##################
+# In UI and WS
+
+#if ignore tests.  Note, in job names, invalid chars need to be replaced with underscore (e.g. colon)
+#anything in this regex: [^a-zA-Z0-9._-]
+ws.diagnostic.ignore.memoryTest = false
+ws.diagnostic.ignore.dbTest_grouper = false
+ws.diagnostic.ignore.source_jdbc = false
+ws.diagnostic.ignore.loader_CHANGE_LOG_changeLogTempToChangeLog = false
+
+#this is 52 hours... 48 for 2 days, and 4 more for the job to run.  So if the warehouse is down for updates,
+#then the daily job will not give an error
+ws.diagnostic.defaultMinutesSinceLastSuccess = 3120
+
+#change log can only for 30 minutes of failing before diagnostics fails
+ws.diagnostic.defaultMinutesChangeLog = 30
+
+#number of minute that can go by without a success before an error is thrown
+ws.diagnostic.minutesSinceLastSuccess.loader_SQL_GROUP_LIST__aStem_aGroup2 = 60
+
+#list groups which should check the size, in this case, "employee" or "students" in the key name is a variable
+#ws.diagnostic.checkGroupSize.employees.groupName = community:employees
+#ws.diagnostic.checkGroupSize.employees.minSize = 28000
+
+#ws.diagnostic.checkGroupSize.students.groupName = community:students
+#ws.diagnostic.checkGroupSize.students.minSize = 18000
+

