Grouper Working Group Notes of Sept 1, 2021

Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Vivek Sachdiva, independent 
  • Shilen Patel, Duke
  • Steve Zoppi, Internet2
  • Emily Eisbruch, Internet2

New Action Items

  • AI (team) - share insights on use cases around integrating with big vendor solutions with SteveZ in next few weeks, using Slack or email or at CAMP/ACAMP, including our own institutions
  • AI Emily - shared with SteveZ references to AWS and O365 Grouper Slack archives (done)
  • AI Vivek - for Grouper 2.5.56 - test around confirming for deletes, check of sync object
  • AI Chris - add a flag for SQL provisioning tests
  • AI Shilen - in Grouper 2.6 make the PIT and group set tables a weekly daemon and change the diagnostic threshold

Administrivia

Grouper Release

  • 2.5.55 release is out. Container unit tests are running.
  • Goal is to release 2.5.56
  • Grouper 2.6.0
    • Continue with provisioning
    • Migration
    • Get the UI working, diagnostics working better
    • So people can migrate, then start with Grouper 3.0
  • Grouper 3.0 
    • Database
    • Implement SCIM web service
    • Replace Penn State J2E? Implementation
    • Look at how privileges interfaces
    • Make Grouper Client use JSON instead of XML
    • Become unburdened by legacy code

  • If community has bug fix requests, let us know
  • Team, please work on unit tests
  • Communicate on who is doing which
  • Vivek working on provisioning tests
  • SQL provisioning testing needs more work
  • Switch to default to false around what’s being tested
  • Perhaps 12 we need to look at
  • Done within the next week hopefully
  • At some point say 2.5 and 2.6 are only supported versions
  • Grouper 2.5 will be for those who don’t want enhancements, just want security fixes
  • Don’t want to have to respond to Grouper 2.4 issues

 

Announcement on Grouper Slack: 

We are proud to announce the release of Grouper 2.5.55.  There are two low-priority upgrade instructions from 2.5.54.  21 jiras.

  • Visualization for composites is accessible
  • Remove container taglib startup errors
  • OpenLDAP empty member attribute support in provisioning framework
  • Database migration utility fix

https://spaces.at.internet2.edu/display/Grouper/v2.5+Release+Notes

Note: for upcoming 2.5.56 (hopefully in a week) we will make sure all unit tests work and are taking requests for low-risk bug fixes, let us know.  The plan is for 2.5.56 to be equivalent to 2.6.0.  2.5 will be the stable version of Grouper with no more enhancements.  2.6 will pick up where 2.5 left off; we will stabilize the provisioning framework and the new subject API wizard config.  The recommendation is in 3 months the only supported Grouper versions are 2.5 (stable) and 2.6 (enhancements).

 

SteveZ comments:

  • Thanks, Grouper team has been working under unusual conditions for a long time
  • High producing team of practitioners
  • Community has noticed the excellent production from the Grouper team
  • Positive feedback on Grouper team’s work through CSP Community Success Program and other channels
  • Don’t want overstress in these odd times
  • There have been conversations in Component Architecture setting on audiences to help create greater understanding around group management, to get word out to others who may not be aware, CIO types or INFOSEC types
  • To increase understanding on how things can be knitted together for authentication, auditability, group management
  • Commercial providers are interested in how the Higher Ed solution for group management might fit into their offering
  • Some challenge when the team changes at the commercial provider organizations.
  • Trying to come up with tangible implementation stories to share with vendors
  • At Penn, redoing the IDM system, it’s important for the designers to understand how central authorization works, and policy groups, etc.
  • Sending a staffer to Grouper training
  • New Unicon movie is good
  • Big vendors listen to their subscribers, CIOs and CISOs
  • If CIOs see how much more work the team must do to integrate with the commercial offering, and the price tag, that has impact 
  • Hoping to influence
  • Looking for use cases, stories, exemplifying the pain of integration with a 3rd party vendor
  • So many ways to solve things, people work around the big vendors
  • Penn integrates with O365 and Amazon
  • Shilen: vendors don’t always externalize their authorizations, must build things in unique way for each vendor, lose visibility, more work to tie that in together
  • Shilen will ask if Duke can share info on this
  • Not just authorization, authentication is also an issue (with Microsoft for example)
  • Organizing the types of request, Box, Smartsheet, there is SSO and also allow local account
  • Looking for a deeper level of integration in some cases
  • Higher Ed is not the biggest revenue source for some of the large vendors
  • AI (all) - share insights on use cases around integrating with big vendor solutions with SteveZ in next few weeks, using Slack or email or at CAMP/ACAMP, including our own institutions. Emily reviewed and shared with SteveZ references to AWS and O365 Grouper Slack archives
  • Grouper team and other open source projects are proactive and listening to customers
  • Getting accurate stories out there, to counteract potential misunderstandings, some from commercial sales forces, is important
  • Amazon AWS lacks a good authorization service, may build something internal. Use cases are not being supported by the vendors
  • Disappointing how unique is each SCIM implementation (it is like REST and SAML), wrong stuff in the envelope sometimes

 

 

Recent Work

Vivek

  • Provisioning
  • Resolving edge conditions
  • Delete functionality
  • Improve code to fix unit tests
  • Grouper messaging unit test 
  • Real time membership changes
  • Calc and Non Recalc
  • When there are membership changes, we used to do a full object recalc
  • That made a performance penalty
  • Now for non recalcs, we want memberships to flow thru
  • Sent to target
  • For recalcs, perhaps because of an error 
  • With addition to LDAP DAO, Vivek has this working
  • Issue: when user is provisionable
  • Made a change to make this more correct
  • It has impacted unit tests
  • Concept of having a group of provisionable users
  • Helps with grace periods
  • Not letting account fall out of target
  • 3 switches
  • If you don’t have a group of users to exist in target
  • Only way Grouper knows if they are provisionable is if they are in provisionable group
  • Tweaked this..
  • Referring to user objects in the target
  • AI Vivek: for Grouper 2.5.56 - test around confirming for deletes, check of sync object
  • What does delete groups = true mean?
  • You must pick one of the 3 options
  • The default changed…
  • What should the default be?
  • Default to the least destructive
  • On the UI you have to pick..
  • Only delete groups = true is invalid
  • They must pick one of the three
  • If not a recalc, it checks
  • If you add a membership it checks sync table
  • If zero before it removes default and adds new
  • If you delete membership, and it goes to zero in sync table it will add the default value after delete

Shilen

  • Focus on unit tests
  • Minor provisioning updates for bugs
  • Fixed things based on failing unit tests
  • AI Chris will add a flag for SQL provisioning tests

Chris 

  • Failsafe for loading will be in Grouper 2.6
  • Time threshold 
  • Does incremental loader have failsafe?
  • If it exceeds a certain number it triggers a full sync
  • When we changed how DDL works and SQL scripts, implication for utility, now fixed
  • Deprovisioning and enabled flag, which change that for 2.6
  • Chad and Chris discussing web service client stacks
  • 2 flags that default to true around what info is sent and web service
  • AI Shilen - in Grouper 2.6 make the PIT and group set tables a weekly daemon and change the diagnostic threshold

Grouper Performance logging

  • Should have an action 
  • Identify it as something with a performance log
  • Capture a duration
  • Add in for web service calls or UI?
  • Starting point to diagnose performance

LDAP to SQL sync

  • There is a daemon you can configure
  • Now the logic is there
  • Use filter
  • LDAP attributes
  • Tells how many inserts updates and deletes for each run
  • Utility for robust access management
  • This is not a loader or provisioner
  • Please kick the tires

 

 

Chad

  • Worked on JIRAs
  • Around Visualization and complement groups
  • RabbitMQ connection recovery issue if network drops
  • Stack Trace issue
  • Absorbing into Splunk
  • Question on libraries and Grouper upgrades
  • Perhaps for Grouper 3.0
  • Hibernate
  • Groovy: using 2.5 beta version
  • In Groovy 3.0, there are annotations and support classes for Groovy shell
    • This will be for Grouper 3.0
  • Shilen: Doing something w LDAP also for Grouper 3.0

 

  • Some upgrade work is needed for upcoming Grouper Training

 

  • Close to getting Docker working at UNC
    • Red Hat and OpenShift, Nexus server
    • Podman
    • Module to post Docker files
    • Pulls locally instead of going to Docker Hub
  • Will deploy Grouper 2.5.55

 

  • Hoping Grouper ALL improvements pay off in Grouper 3.0

 

Issue Roundup 

 

Jiras in past two weeks

Grouper Emails in past two weeks

 

 

Grouper wiki updates in past two weeks

 

  

Next Grouper Call: Wed., Sept. 15, 2021
