Grouper Working Group Notes of Nov. 10, 2021
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdeva, independent
- Shilen Patel, Duke
- Chad Redmon, UNC
- Jonathan Johnson, Unicon
- Emily Eisbruch, Internet2
New Action Items
AI Chad - add info to the Container memory settings based on the UNC experience with how much is needed for operating system
AI Chris - make a wiki for translations
DISCUSSION
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs: Grouper Project Action Items (Google Doc)
- Agenda bash
- A Grouper blog post has been developed for the November 2021 Trust and Identity newsletter; stay tuned
News from JJ from Unicon
- Submitted an update around web services, quick fix
- Should see a PR (pull request) out there for that
- Axel talked with us about authentication work. Looks good, passes testing. Imports work
- Custom web services: likes the idea of using GSH templates
- Looked at Java
- Will kick the tires on the GSH approach
- GSH templates - JJ will use for reports being requested
- A client has a separate reporting group, wants controlled access to SQL reports, wants to go into the UI and pull them up and view them, needs to be in real time, likely for troubleshooting
- JJ will produce a proof of concept
- UI outside of Grouper
- calling Grouper web services
- Perhaps using a Grouper Custom UI is a better approach
- JJ hopes to provide options for the client
- Creating a database-backed trust store???
- Set up LDAP
- Write the implementation to pull from that set of properties
- Something JJ was working on a few years ago:
- Web interface into interactive GSH console or shell
- Did not have security
- For setting up GSH templates
- Use case: you want to deploy everything on Fargate? You don’t have access to a shell
- Config that makes everything available thru environment variables
- No external java libraries
- JJ not sure if he will pursue this
- JJ may share this with the team to get response
- Chris: likes the database trust store
- If we can do the GSH templates…
- Get params passed thru URL instead of JSON
- So you don’t need to specify folder
- Not sure about streaming in and out
- For bigger payloads may need different approach
- Interactive GSH...concern about security
- Chad:
- running a special webpage that has a terminal and interacting with Groovy
- Cloud services work this way
- OpenShift has something like it
- Need security to manage the access
- Then can go in and directly interact
- recommend not running in same container as other items
- Can use much memory
- Would need a different memory param
- How would exterm connect to UI
- It’s like another web service
- Have another web server for this
- Similar to what you’d run GSH on
- Chris: make another container and use OpenSSH
- Shilen: good to have GSH exposed thru the web
- But if not part of the UI container, then not sure it’s worth additional infrastructure for this
- Same process space as UI?
- JJ can look at this approach and then share it with the Grouper team
- Chris: can see page with text area, type things in, keep the output, not as good as a terminal
- JJ: that was the initial idea, but there are advantages with the shell
- Unicon may help with web services documentation, JJ and Chris will discuss.
Work items
Vivek
- SQL provisioning
- https://docs.google.com/document/d/12ov_Y4mIWCnaVrb43T47F857lxTj1Uvguiu7eBTIFdQ/edit
- Chris: some might be provisioning all groups and memberships
- Looking thru provisioning framework lens, good to be able to mark things as provisionable
- See wiki on what next generation could be like
- Provision to SQL and then Midpoint would pick it up thru SQL
- Need to ask how many membership attributes you have
- Maps to columns in table
- JJ: comment: enthusiastic for Grouper team to add in the membership attributes to the provisioner, for one client previously, Unicon needed to modify Grouper Loader Base properties file. It was something on the membership object, needed to put it in the data model.
- Chris: for most of the provisioners in the past, this was not applicable
- Chris asks JJ to chat with him in the future about the ways to use metadata
- If doing syncing or provisioning of Grouper data thru SQL, please share what the table structures are
- Hope to get this approach out in the next Grouper release
- After that, for standard attributes, we need to be sure it fits the use cases
- Chad: we don’t use SQL
- Translate expressions for everything?
- Creating a UUID
- 3 choices: direct mapping for a field, static, or translations with JEXL
- Hoping most things thru fields
- Shilen: No SQL provisioning at Duke, but this looks great
- U Penn uses SQL and is excited about this work
- Interested in numeric IDs
- Unicon is interested in SQL provisioning into MidPoint for some client use cases
- Vivek: will work on externalized text. Hopes to finish this by end of week
- Will do testing
- Vivek and Chris are verifying everything (selecting, updating, etc) is ready to be done in multiples
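The three column-mapping choices discussed above (direct field, static value, JEXL translation), with membership attributes landing in their own columns, as an added illustration. This is constructed example code, not Grouper's own provisioner; the table names, column names, the "group.name" dotted-field convention and the deterministic UUID scheme are all assumptions, and a Python callable stands in for a JEXL expression.

```python
import uuid
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of Grouper-side data (not real data): one group and its
# memberships. "role" is a membership attribute that should land in its own column.
SAMPLE_GROUP = {"name": "app:payroll:editors", "displayName": "Payroll editors", "idIndex": 10042}
SAMPLE_MEMBERSHIPS = [
    {"subjectId": "jdoe", "role": "editor"},
    {"subjectId": "asmith", "role": "reviewer"},
]

# A column mapping is one of the three kinds discussed in the notes:
#   ("field", "group.name")      direct mapping of a Grouper field (assumed object.attribute form)
#   ("static", "grouper")        constant value
#   ("translate", callable)      expression; a Python callable stands in for JEXL here
Mapping = Tuple[str, Any]


def group_uuid(group_name: str) -> str:
    """Deterministic UUID derived from the group name, so repeated provisioning runs
    produce the same key instead of a fresh random one each time (assumed scheme)."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "grouper:" + group_name))


GROUP_COLUMNS: Dict[str, Mapping] = {
    "group_uuid": ("translate", lambda g, m: group_uuid(g["name"])),
    "group_name": ("field", "group.name"),
    "id_index":   ("field", "group.idIndex"),      # numeric ID, as raised in the discussion
    "source":     ("static", "grouper"),
}
MEMBERSHIP_COLUMNS: Dict[str, Mapping] = {
    "group_uuid": ("translate", lambda g, m: group_uuid(g["name"])),
    "subject_id": ("field", "membership.subjectId"),
    "role":       ("field", "membership.role"),     # membership attribute -> column
    "source":     ("static", "grouper"),
}


def resolve(mapping: Mapping, group: dict, membership: Optional[dict]) -> Any:
    """Evaluate one column mapping against a group and (for membership rows) a membership."""
    kind, spec = mapping
    if kind == "static":
        return spec
    if kind == "translate":
        return spec(group, membership)
    if kind == "field":
        obj, _, attr = spec.partition(".")
        source = group if obj == "group" else membership
        if source is None or attr not in source:
            raise KeyError(f"field {spec!r} is not available for this row")
        return source[attr]
    raise ValueError(f"unknown mapping kind {kind!r}")


def build_rows(columns: Dict[str, Mapping], group: dict,
               memberships: Optional[List[dict]] = None) -> List[dict]:
    """One row per membership, or a single row for the group itself when memberships is None."""
    targets = memberships if memberships is not None else [None]
    return [{col: resolve(m, group, mem) for col, m in columns.items()} for mem in targets]


def insert_statement(table: str, row: dict) -> Tuple[str, tuple]:
    """Parameterized INSERT: column values travel as bind parameters and are never
    spliced into the SQL text. The table name comes from provisioner config, not data."""
    cols = list(row)
    placeholders = ", ".join("?" for _ in cols)
    sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({placeholders})"
    return sql, tuple(row[c] for c in cols)


if __name__ == "__main__":
    for row in build_rows(GROUP_COLUMNS, SAMPLE_GROUP):
        print(insert_statement("grouper_groups", row))
    for row in build_rows(MEMBERSHIP_COLUMNS, SAMPLE_GROUP, SAMPLE_MEMBERSHIPS):
        print(insert_statement("grouper_memberships", row))
```

Keeping every value as a bind parameter matters here because group names, descriptions and membership attributes are user-controlled text; the only thing interpolated into the statement is the configured table name.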
Shilen
- Updated the LDAP wiki
- Login issue, minor fix
- Vivek: make a note that low-level SQL logging needs to get working for the SQL provisioner
- Issue with override DN: where the object in LDAP exists but lacks the matching ID, it deletes
- Possible solutions:
- Have a dropdown with matching ID order
- If you select multiple columns, Grouper could assume what the order should be.
- DN last, something else first
- Or specify a comma separated list of matching ID attributes
- Another option : take out matching ID checkbox
- We are talking about matching and search ID
- How many matching IDs do you have, dropdown and you pick
- Shilen: if you have multiple matching or search IDs, and there is namespace overlap
- This works best when you let Grouper figure out your queries / filters
- You specify the attribute
- Filter would be JID number plus attribute
- Shilen: searching makes sense
- Matching ID is a field in object model and it has a value
- Needs to be a multi-key
- If you have multiple search IDs and you search based on DN
- Update there
- Shilen and Chris will chat about this.
- Shilen working on versioning diagnostics
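The override-DN problem and the proposed ordered matching IDs (DN last), as an added illustration of why the order matters: with a single matching ID, an entry that exists at the overridden DN but lacks that attribute looks like "not found", gets re-created, and the original shows up as an orphan to delete; with DN as the last matching ID it is found and updated instead. Constructed example, not Grouper's LDAP provisioner code; the attribute names, sample entries and the case-insensitive DN comparison are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample (not real directory data). Grouper's view of two groups:
GROUPER_OBJECTS = [
    {"employeeNumber": "10042", "cn": "payroll-editors",
     "dn": "cn=payroll-editors,ou=groups,dc=example,dc=edu"},
    {"employeeNumber": "10099", "cn": "hr-staff",
     "dn": "cn=hr-staff,ou=groups,dc=example,dc=edu"},
]
# The target LDAP: the first entry exists at the overridden DN but was created by
# hand and never received the employeeNumber attribute Grouper matches on first.
TARGET_ENTRIES = [
    {"dn": "CN=payroll-editors,OU=groups,DC=example,DC=edu", "cn": "payroll-editors"},
    {"dn": "cn=hr-staff,ou=groups,dc=example,dc=edu", "cn": "hr-staff",
     "employeeNumber": "10099"},
]

# Ordered matching IDs with DN last, the dropdown / comma-separated order from the notes.
MATCHING_ID_ORDER = ["employeeNumber", "dn"]


def _norm(attr: str, value: str) -> str:
    # DNs compare case-insensitively; other attributes are compared exactly here
    # (a simplification; real LDAP matching rules depend on the schema).
    return value.lower() if attr == "dn" else value


def find_match(grouper_obj: dict, targets: List[dict],
               order: List[str]) -> Tuple[Optional[dict], Optional[str]]:
    """Try each matching ID in order; return (entry, attribute) for the first hit.
    A value that matches more than one target entry (namespace overlap) is an error,
    never a silent arbitrary pick."""
    for attr in order:
        if attr not in grouper_obj:
            continue
        wanted = _norm(attr, grouper_obj[attr])
        hits = [t for t in targets if attr in t and _norm(attr, t[attr]) == wanted]
        if len(hits) > 1:
            raise ValueError(f"{attr}={grouper_obj[attr]!r} matches {len(hits)} target entries")
        if hits:
            return hits[0], attr
    return None, None


def reconcile(grouper_objs: List[dict], targets: List[dict],
              order: List[str]) -> Dict[str, list]:
    """Classify work: update (matched), insert (no match), orphan (target nobody matched,
    which is what an orphan-deleting provisioner would remove)."""
    plan: Dict[str, list] = {"update": [], "insert": [], "orphan": []}
    matched_dns = set()
    for obj in grouper_objs:
        entry, attr = find_match(obj, targets, order)
        if entry is None:
            plan["insert"].append(obj["cn"])
        else:
            plan["update"].append((obj["cn"], attr))
            matched_dns.add(entry["dn"].lower())
    plan["orphan"] = [t["dn"] for t in targets if t["dn"].lower() not in matched_dns]
    return plan


if __name__ == "__main__":
    print("single key  :", reconcile(GROUPER_OBJECTS, TARGET_ENTRIES, ["employeeNumber"]))
    print("ordered keys:", reconcile(GROUPER_OBJECTS, TARGET_ENTRIES, MATCHING_ID_ORDER))
```

Running the two plans side by side shows the failure mode from the notes: the single-key plan both inserts payroll-editors and lists the existing entry as an orphan, while the ordered plan updates it via the DN. Raising on an ambiguous match is the cheap guard against the namespace-overlap case Shilen raised.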
Chris
- New Grouper release since last call
- Did examples of provisioning
- HTTP fix, checked in Duo provisioner
- PSP provisionable assignments to provisioning framework changed a bit
- Now can specify the PSP config ID
- Can get a provisioning report
- Can delete orphans
- Duo provisioner can have a test button
- Get failsafe working
- Failsafe for approvals
- Don’t want the churn to go thru the point in time history
- config file
- Hope to finish that and get it into 2.6.5
Chad
- Provisioning everything thru messaging
- Filter using JEXL
- Currently using MidPoint
- Try to filter out, look for specific groups
- Once messaging is in new provisioning system, it will work better
- UNC is waiting for this
- Chris: To select what’s provisionable for messaging is a partial step
- Chad: will try this out and let Chris know how it works
- Peter D had things in Admin UI, in one simple form, wants to upgrade, but wants that same functionality.
- Chris: working on this
- Related to legacy types and attributes
- Chris: started implementing. In Grouper config you will be able to list which framework attributes are viewable from the Grouper UI on the main group page, and then you could specify which order they display in
- Takes some set up, you specify which attributes, it would build the UI for you
- If you can attribute update on the group… you can update
- Could be used for other purposes as well
- In migrating from using the Attribute Framework
- Perhaps this feature will be ready for Grouper 2.6.6
- For UNC: working on production containers that are going down due to running out of memory
- It’s issue of amount of memory left over for operating system
- AI Chad will add info to the Container memory settings based on the UNC experience with how much is needed for operating system
- Leave 700 MB for the operating system
- In OpenShift you partition containers with memory
- JIRA related to group finder
- Chris and Chad will discuss latest major version of databases
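A sizing check for the out-of-memory problem described above: read the limit the container actually runs under, reserve headroom for the operating system and the JVM's non-heap memory, and derive (or validate) the heap setting from what is left. This is an added example, not the Grouper container's own entrypoint logic or its documented memory settings; the 700 MB reserve is the figure from the discussion, while the 512 MB heap floor, the cgroup paths used and the `-Xmx` output are assumptions.

```python
import os
from typing import Optional

OS_RESERVE_MB = 700   # headroom figure from the UNC discussion
MIN_HEAP_MB = 512     # assumed floor below which the deployment should fail fast

# Kubernetes/OpenShift quantity suffixes, decimal and binary, converted to bytes.
_UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9, "ki": 2**10, "mi": 2**20, "gi": 2**30}


def parse_memory_to_mb(text: str) -> int:
    """Parse a pod-spec memory quantity ('2Gi', '1500Mi', '2000000000') to MiB."""
    text = text.strip()
    digits = text.rstrip("kKmMgGiI")
    unit = text[len(digits):].lower()
    if not digits.isdigit() or unit not in _UNITS:
        raise ValueError(f"unrecognised memory quantity {text!r}")
    return int(digits) * _UNITS[unit] // 2**20


def cgroup_limit_mb(root: str = "/sys/fs/cgroup") -> Optional[int]:
    """Read the memory limit the container runs under (cgroup v2 first, then v1).
    Returns None when no limit is set or the files are not present."""
    for rel in ("memory.max", "memory/memory.limit_in_bytes"):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            raw = fh.read().strip()
        if raw == "max" or not raw.isdigit():
            return None
        value = int(raw)
        if value >= 2**62:          # cgroup v1 reports "no limit" as a huge number
            return None
        return value // 2**20
    return None


def heap_mb_for_limit(limit_mb: int, os_reserve_mb: int = OS_RESERVE_MB) -> int:
    """Heap that leaves os_reserve_mb for the OS and the JVM's own non-heap memory."""
    heap = limit_mb - os_reserve_mb
    if heap < MIN_HEAP_MB:
        raise ValueError(f"limit {limit_mb} MiB leaves only {heap} MiB for the heap")
    return heap


def heap_fits(limit_mb: int, xmx_mb: int, os_reserve_mb: int = OS_RESERVE_MB) -> bool:
    """True when an existing -Xmx setting still leaves the reserve inside the limit."""
    return xmx_mb + os_reserve_mb <= limit_mb


def java_opts(limit_mb: int) -> str:
    """Assumed output form; the real container may use its own memory parameter."""
    return f"-Xmx{heap_mb_for_limit(limit_mb)}m"


if __name__ == "__main__":
    limit = cgroup_limit_mb()
    if limit is None:
        print("no cgroup memory limit detected; set one in the pod spec")
    else:
        print(f"container limit {limit} MiB -> JAVA_OPTS='{java_opts(limit)}'")
```

The useful part operationally is `heap_fits`: a heap sized to the whole container limit passes the JVM's own checks but leaves nothing for the OS, and the kernel's OOM killer, not the JVM, is what then takes the container down.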
Issue Roundup
Jiras in past two weeks
- GRP-3694: GroupFinder/StemFinder with assignScope also finds alternate names, needs option to exclude
- GRP-3693: at end of deep report tell user not to run the generated deep script unless told to by grouper project
- GRP-3692: grouper ddl print out should be more obvious
- GRP-3691: add command debug to sql provisioner
- GRP-3690: migrate scim provisioner to use GrouperHttpClient
- GRP-3689: fix command logging for http
- GRP-3688: duo provisioner does not update description (provisioning framework)
- GRP-3687: duo external system secret key should be password field
- GRP-3686: convert pspng to provisioning should take four inputs and use the new format
- GRP-3685: provisioning logging does not work
- GRP-3684: add "test" button for duo external system
- GRP-3683: fix low level logging for ldap
- GRP-3682: change grouper report daemon names to be the system name not uuid
- GRP-3681: allow groupsave to work on idIndex on update (maybe check if not used)
- GRP-3680: zoom column is wrong type
- GRP-3678: Unused wiki page to delete
- GRP-3677: Improvements to provisioning diagnostics for 2.6.5
- GRP-3676: Fix config for usdu.delete.ifAfterDays
- GRP-3675: add unicode types to client database api
- GRP-3674: keep the oidc library in sync with pac4j
Grouper Emails in past two weeks - None
Grouper wiki updates in past two weeks
- Grouper UI and version
- Grouper LDAP provisioner in v2.5
- Grouper provisioning framework
- PSPNG at Penn
- Grouper LDAP provisioner in v2.6 demo7 groupAttributes flat with DN override, toLowerCase user search, and LDAP command logging
- Grouper Duo provisioning (v2.5 provisioning framework)
- v2.6 Release Notes
- Grouper Azure provisioner (new provisioning framework)
- GSH template exec
Next Grouper Call: Wed. Dec 8, 2021
(Wed. Nov 24 call is cancelled)