Grouper Working Group Notes of Sept 1, 2021
Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Steve Zoppi, Internet2
- Emily Eisbruch, Internet2
New Action Items
- AI (team) share insights on use cases around integrating with big vendor solutions with SteveZ in next few weeks, using Slack or email or at CAMP/ACAMP, including our own institutions
- AI Emily - shared with SteveZ references to AWS and O365 Grouper Slack archives (done)
- AI Vivek -- for Grouper 2.5.56 - test around confirming for deletes, check of sync object
- AI Chris - add a flag for SQL provisioning tests
- AI Shilen - in Grouper 2.6 make the PIT and group set tables a weekly daemon and change the diagnostic threshold
Administrivia
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper Release
- 2.5.55 release is out. Container unit tests are running.
- Goal is to release 2.5.56
- Grouper 2.6.0
- Continue with provisioning
- Migration
- Get the UI working, diagnostics working better
- So people can migrate, then start with Grouper 3.0
- Grouper 3.0
- Database
- Implement SCIM web service
- Replace Penn State J2E? Implementation
- Look at how privileges interfaces
- Make Grouper Client to JSON instead of XML
- Become unburdened w legacy code
- If community has bug fix requests, let us know
- Team, please work on unit tests
- Communicate on who is doing which
- Vivek working on provisioning tests
- SQL provisioning testing needs more work
- Switch to default to false around what’s being tested
- Perhaps 12 we need to look at
- Done within the next week hopefully
- At some point say 2.5 and 2.6 are only supported versions
- Grouper 2.5 will be for those who don’t want enhancements, just want security fixes
- Don’t want to have to respond to Grouper 2.4 issue
Announcement on Grouper Slack:
We are proud to announce the release of Grouper 2.5.55. There are two low-priority upgrade instructions from 2.5.54. 21 jiras.
- Visualization for composites is accessible
- Remove container taglib startup errors
- OpenLDAP empty member attribute support in provisioning framework
- Database migration utility fix
https://spaces.at.internet2.edu/display/Grouper/v2.5+Release+Notes
Note: for upcoming 2.5.56 (hopefully in a week) we will make sure all unit tests work and are taking requests for low-risk bug fixes, let us know. The plan is for 2.5.56 to be equivalent to 2.6.0. 2.5 will be the stable version of Grouper with no more enhancements. 2.6 will pick up where 2.5 left off; we will stabilize the provisioning framework and the new subject API wizard config. The recommendation is that in 3 months the only supported Grouper versions are 2.5 (stable) and 2.6 (enhancements).
SteveZ comments:
- Thanks, Grouper team has been working under unusual conditions for a long time
- High producing team of practitioners
- Community has noticed the excellent production from the Grouper team
- Positive feedback on Grouper team’s work through CSP Community Success Program and other channels
- Don’t want overstress in these odd times
- There have been conversations in Component Architecture setting on audiences to help create greater understanding around group management, to get word out to others who may not be aware, CIO types or INFOSEC types,
- To increase understanding on how things can be knitted together for authentication, auditability, group management,
- Commercial providers are interested in how the Higher Ed solution for group management might fit into their offering
- Some challenge when the team changes at the commercial provider organizations.
- Trying to come up with tangible implementation stories to share with vendors
- At Penn, redoing the IDM system, it’s important for the designers to understand how central authorization works, and policy groups, etc.
- Sending a staffer to Grouper training
- New Unicon movie is good
- Big vendors listen to their subscribers, CIOs and CISOs
- If CIOs see how much more work the team must do to integrate with the commercial offering, and the price tag, that has impact
- Hoping to influence
- Looking for use cases, stories, exemplifying the pain of integration with a 3rd party vendor
- So many ways to solve things, people work around the big vendors
- Penn integrates w o365 and Amazon
- Shilen: vendors don’t always externalize their authorizations, must build things in unique way for each vendor, lose visibility, more work to tie that in together
- Shilen will ask if Duke can share info on this
- Not just authorization, authentication is also an issue (w Microsoft for example)
- Organizing the types of request, Box, Smartsheet, there is SSO and also allow local account
- Looking for a deeper level of integration in some cases
- Higher Ed is not the biggest revenue source for some of the large vendors
- AI (all) share insights on use cases around integrating w big vendor solutions with SteveZ in next few weeks, using SLACK or email or at CAMP/ACAMP, including our own institutions, Emily reviewed and shared with SteveZ references to AWS and O365 Grouper Slack archives
- Grouper team and other open source projects are proactive and listening to customers
- Getting accurate stories out there, to counteract potential misunderstandings, some from commercial sales forces, is important
- Amazon AWS lacks good authorization service, may build something internal. Use cases are not being supported by the vendors
- Disappointing how unique is each SCIM implementation (it is like REST and SAML), wrong stuff in the envelope sometimes
Recent Work
Vivek
- Provisioning
- Resolving edge conditions
- Delete functionality
- Improve code to fix unit tests
- Grouper messaging unit test
- Real time membership changes
- Calc and Non Recalc
- When there are membership changes, we used to do a full object recalc
- That made a performance penalty
- Now for non recalcs, we want memberships to flow thru
- Sent to target
- For recalcs, perhaps because of an error
- With addition to LDAP DAO, Vivek has this working
- Issue: when user is provisionable
- Made a change to make this more correct
- It has impacted unit tests
- Concept of having a group of provisionable users
- Helps with grace periods
- Not letting account fall out of target
- 3 switches
- If you don’t have a group of users to exist in target
- Only way Grouper knows if they are provisionable is if they are in provisionable group
- Tweaked this..
- Referring to user objects in the target
- AI Vivek: for Grouper 2.5.56 - test around confirming for deletes, check of sync object
- What does delete groups = true mean?
- You must pick one of the 3 options
- The default changed…
- What should the default be?
- Default to the least destructive
- On the UI you have to pick..
- Only delete groups = true is invalid
- They must pick one of the three
- If not a recalc, it checks
- If you add a membership it checks sync table
- If zero before it removes default and adds new
- If you delete membership, and it goes to zero in sync table it will add the default value after delete
Shilen
- Focus on unit tests
- Minor provisioning updates for bugs
- Fixed things based on failing unit tests
- AI Chris will add a flag for SQL provisioning tests
Chris
- Failsafe for loading will be in Grouper 2.6
- Time threshold
- Does incremental loader have failsafe?
- If it exceeds a certain number it triggers a full sync
- When we changed how DDL works and SQL scripts, implication for utility, now fixed
- Deprovisioning and enabled flag, which change that for 2.6
- Chad and Chris discussing web service client stacks
- 2 flags that default to true around what info is sent and web service
- AI Shilen - in Grouper 2.6 make the PIT and group set tables a weekly daemon and change the diagnostic threshold
Grouper Performance logging
- Should have an action
- Identify it as something with a performance log
- Capture a duration
- Add in for web service calls or UI?
- Starting point to diagnose performance
LDAP to SQL sync
- There is a daemon you can configure
- Now the logic is there
- Use filter
- LDAP attributes
- Tells how many inserts updates and deletes for each run
- Utility for robust access management
- This is not a loader or provisioner
- Please kick the tires
Chad
- Worked on JIRAs
- Around Visualization and complement groups
- Rabbit MQ connection recovery issue if network drops
- Stack Trace issue
- Absorbing into Splunk
- Question on libraries and Grouper upgrades
- Perhaps for Grouper 3.0
- Hibernate
- Groovy: using 2.5 beta version
- In Groovy 3.0, there are annotations and support classes for Groovy shell
- This will be for Grouper 3.0
- Shilen: Doing something w LDAP also for Grouper 3.0
- Some upgrade work is needed for upcoming Grouper Training
- Close to getting Docker working at UNC
- Redhat and openshift, Nexus server
- Podman
- Module to post Docker files
- Pulls locally instead of going to Dockerhub
- Will deploy Grouper 2.5.55
- Hoping Grouper ALL improvements pay off in Grouper 3.0
Issue Roundup
Jiras in past two weeks
- GRP-3576: error with database migration utility
- GRP-3575: daemons should not show error on daemon screen if they have the schedule: 59 59 23 31 12 ? 2099
- GRP-3574: add generic performance monitoring into Grouper
- GRP-3573: SFTP / CSV report not honoring removeUnderscoresAndCapitalizeHeaders
- GRP-3572: SFTP: Add proxy support to the connection
- GRP-3571: Grouper Provisioning - ldap dao should throw exceptions if there are update errors
Grouper Emails in past two weeks
- [grouper-users] Provisioning Two LDAP attributes using gsh, David A. Kovacic, 08/17/2021
- Re: [grouper-users] Provisioning Two LDAP attributes using gsh, dak, 08/18/2021
- Re: [grouper-users] Provisioning Two LDAP attributes using gsh, dak, 08/18/2021
- Re: [grouper-users] Provisioning Two LDAP attributes using gsh, Paul Engle, 08/18/2021
- [grouper-users] Grouper Training: Last Call for Early Bird Rates, Erin Murtha, 08/26/2021
Grouper wiki updates in past two weeks
- Grouper v2.5 container unit tests
- Grouper custom template via GSH
- Grouper database migration utility example from mysql to postgres
- Grouper performance logging
- Penn subject source JDBC2 example
- LDAP to SQL sync
- LDAP to SQL sync simple example
- Configuration and UUID's, name, and idIndexes
Next Grouper Call: Wed., Sept. 15, 2021