Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Carey Black, the Ohio State University
- Emily Eisbruch, Internet2
DISCUSSION
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Current Work
Vivek
- Custom UI https://spaces.at.internet2.edu/display/Grouper/Grouper+Custom+UI
- Similar structure to GSH Templates
- Can build UI from a particular configuration
- On a particular group, you may want custom UI to be enabled
- UI is driven off custom UI config
- There are 5 use cases below for Custom UI
- And concept is extensible
- 1st use case, simple enroll / unenroll / opt in / opt out for a user
- Imagine screen with a button, but only orgs ready to do this ,
- Custom UI with a query can see if you are in a certain group, can do filters
- It’s more than Grouper’s view, goes into the target systems
- Gives end user or IT support person a view into what the issue is
- The way queries are set up, can see exactly what’s going on
- 2nd use case: helps support staff, runs queries
- They see a UI specific to the task at hand
- Text on screen can be dynamic, such as “org not enrolled yet”
- “Have enrolled, but not yet provisioned, please wait an hour”
- Might provide audit info
- 3rd use case: user analyzing what their issues are
- Not enrolling or unenrolling, but figuring out problems
- For example, why can't I log into a particular app
- Get an error screen that tells you what the problem is
- Example
- Migrating to Banner
- Need to be in a certain group
- Need to have MFA, have taken trainings
- You may lose access and not know why
- But the error screen will tell you what to do!
- 4th use case: you need redirect or terms of service for COVID testing and vaccinations
- Click a button
- Can do custom logic
- Attribute with dates
- Redirects to scheduling software
- 5th use case: Survey Monkey
- Custom UI sees if you are in a group
- If yes, it takes you to Survey Message
- If not you get a message
- Summary: Custom UI provides descriptive text to help in all kinds of situations
- GSH Templates versus Custom UI
- GSH Templates go on folders
- Custom UI goes on group
- GSH can support n on a given object
- But Custom UI is one and done on a given object
- Would be useful to re use configuration on groups
- At Penn:
- For O365 there is an analysis tool
- Queries were time consuming
- For end user and IT staff wanted tool to analyze
- Made sibling groups
- GSH templates: getting to them from misc.
- For a user to go to menu and get to option to select custom UI
- Would be helpful to navigate more directly to custom UI
- That’s another aspect of Vivek’s work
- It’s in the Admin section
- We are not there now
- And have moved on from this task
- At least admins can see the custom UIs
- GSH templates, it’s more straightforward to see who is allowed to use it
- Could picture something in the Misc.
- Some users hate the browse folder tree
- Hunting and pecking for custom UIs could be hard
- People want a favorite option
- Point of custom UI is don’t need to go to group
- Can use a portal
- This is a step in right direction, central place to see them
- Next step is to make a non admin list of custom UIs
- Migration
- Legacy, key value pairs, now there is a utility function
- Attribute assignments are gone
- Moved to custom UI
- Custom UI Text Config
- Provisioning related work
- Provisioning from Azure and Duo and similar external systems
- SQL and LDAP
- Don’t have full control over the external system
- Creating endpoints
- You change URL
- Change the endpoint
- Idea is for things to flow from Grouper to Duo
- Create a mock Duo group
- Q: Is there a plan to work out Duo admin role provisioning?
- A: Yes, completely re-doing the current Duo provisioning
- Feature by feature is the goal
- There will be metadata on a member
- To represent roles
- Managing Admin roles in Duo will be helpful
- Duo: There are Duo child accounts on the prod side, possibly this is being deprecated
- Library issue is being fixed
- Vivek: Will continue working on the users part
- Chris: issue with the mock services
- It’s not easy to get started
- Writing unit tests is challenging
- Unit tests delete from the database, from every table
- Running UI can’t run
- Tell the UI to refresh like the unit test did?
- Perhaps the UI could point to a database with a different schema from the unit test
- Unit test blows away its own database
- Has running UI with mock services
- Can reach in, mock objects stored in specific tables for that service
- Can delete from the tables
- And provision groups
- Query the tables rather than the mock endpoint
- Need grouper usernames and passwords
- Is this the right path?
- That way not polluting the Grouper database schema
- Don’t mind adding mock tables
- Should tests start and stop Tomcat?
- Two different databases?
- Another way?
- Q: What does running the test have to do with the UI?
- Means Tomcat or TomEE
- Must be running to act like Azure or Duo
- Run container that includes that
- Downside could take a long time to run
- Recreating every time
- Must run that servlet container
- Test must get directly to the database
- Chad: for unit tests, like JUnit, those are just test methods
- Not for working w external systems
- Talking about integrated testing
- Creates Docker containers
- Sets up PSP NG
- Does not need to be blowing things away
- Have talked about unit tests that do containers
- Want automated tests
- Like JUnit automated
- Unit tests would start a container
- Same database
- Start container that points to it
- Starts mock service
- On Mac and Windows it's easy to point from container to host database
- Can run multiple containers
- Chris will try to get it working for Azure
- Vivek, Expect to write some unit tests, Chris will help
Shilen
- Metadata for Grouper Demo has been updated to have the requested attribute
- Chris Hubing has added as an optional attribute
- Now it’s required and it works
- Database connection pool refresh
- There were bugs
- what container? 2.5.39
- Will be resolved in next release
- Two different paths to create database connection
- Tested only one path
- Now that is resolved
- Another issue: when a connection must be refreshed and the pool must be refreshed, it was creating a new pool. The old pool would remain active for a little while, but it eventually gets killed. Shilen found a way to prevent the killing until the connections are no longer used. Seems to work now.
- Provisioning, instead of indirect, it should store directly in the ? tables
- If you say a folder is provisionable, it will mark all objects as provisionable, will mark groups in the sync table as provisionable. Skip the middle step?
- Directly update the sync tables.
- Got a lot of that working now
- LDAP test, full and incremental sync work
- Idea is to simplify the queries.
- A few more things to look at
- Some sections of the code were commented out and Shilen needs to review that
- Do we need an upgrade task for attribute assignments?
- Query that selects? Call from GSH? Should be easy
- A method to call if needed
- It’s a one-off
- Downgrade issue
- UMICH interested in what Duke has done with custom UIs
- Shilen hopes to finish provisioning work before next Grouper call
- There will then be a new Grouper release
Chris
- Has been looking at provisioning and doing support for issues raised on Slack
Chad
- Doing WebAuthn project for UNC
- Hope to do a community contrib
- Rollup groups and creating a custom table to do a group list loader
Issue Roundup
Jiras in past two weeks
grouper log config should not produce error
replace members with unresolvables should give message that won't proceed
- How to solve?
- Start auditing more things
add read logs in grouper to ui and ws
InCommon config for grouperdemo needs requested attributes
- Will add asterisk for this
only map csrfguard to necessary patterns
- Users have reported the errors
- Suggestion: Allow everything but only check for things mapped
- Chris will document how to configure
- AI: Chris to change CSRFGuard properties file to finish jira 3450
header image can cause csrfguard errors
Make entries in provisioning log more identifiable
grouper duo connector library upgrade
- Work done so far did not speed things up
- Hope to do fetches and batches in bulk
- Not much to do around slowness on inserts and deletes
- In Grouper 3.0 we need to be able to measure this kind of thing better
increment ldap recalc provisioning has issues
- LDAP DAO can get groups etc., but can’t see if a member is in a group
- Use a filter
- Does recalc on full group
grouper loader does not create parent folders now fixed
azure custom ui has issue with boolean
compare merge configs across envs
- Being able to export configs
- What are database and non database
- Chad uses scripts
- Use filter for export
- Right now does database only
change defaults for marking provisionable
- Clunky as is, make it easier
Grouper Provisioning attribute propagation - propagate directly to sync table
grouper gsh templates should take uuid or name for folders and groups
cannot create root stem with new validation
Add attestation full sync and incremental sync
Add deprovisioning full sync and incremental sync for propagating attributes
Grouper Emails in past two weeks
- Re: [grouper-users] LDAP Grouper Loader paging issue, Shilen Patel, 05/04/2021
- [grouper-users] loader.deleteGroupsNoLongerInSource = true grouper 2.4, Siju Jacob, 05/10/2021
- <Possible follow-up(s)>
- Re: [grouper-users] loader.deleteGroupsNoLongerInSource = true grouper 2.4, Black, Carey M., 05/10/2021
- [grouper-users] Duo provisioning NoClassDefFoundError issue, Darren Boss, 05/11/2021
Grouper wiki updates in past two weeks