Grouper Working Group Notes of Oct. 13, 2021

  Attending 

  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent 
  • Shilen Patel, Duke
  • Emily Eisbruch, Internet2

Discussion

 

 

Grouper Training in late Sept 2021

  • Feedback was mostly positive
  • Lots of attendees showing their screens and troubleshooting
  • People liked this, especially with the container
  • Changed structures of the Grouper Training Environment; for the next training we should be sure everything is accurate


InCommon and Geant CAMP week, Oct 4-8, 2021

Grouper Slides

  • Chris did an excellent presentation, showing use cases for access management

Shilen

  • Did a presentation on linking of SSO, which generated conversation afterwards
  • How O365 integration is done using a custom shim for SAML conversion, not using ADFS
  • Less conversation on Grouper than at previous CAMPs perhaps

 

 

OK getting rid of HSQL? (YES)

  • Vivek and Shilen say yes
  • Develop using Postgres
  • Potential Approaches 
    • Container could come with Postgres installed and run it for quickstart
    • Or
    • Could download and install Postgres in the container; this would not work for people who are proxying
    • Or
    • Get rid of quickstart option
    • Use GTE (demo) approach
  • Quickstart serves purpose
  • Tell users to download Postgres
  • Or can make a sub-image if you don’t want to install
  • One less thing to test every time we change DDL

 

Current Work

 

Vivek

  • JWT RSA authentication to Grouper Web Service from trusted authority
  • Authentication to UI and Web Services in Grouper v2.5+
  • Working on Local Entity
  • Can create public/private key
  • Comments: looks good.
  • How many days worth of logs to keep?
  • For troubleshooting
  • Make parameter in grouper properties for how long logs are kept
  • Good first pass
  • Good if client provides example
  • Using cryptography
  • Self service authentication to web service
  • Will save people time
  • Have group of people allowed 
  • This is enabled by default
    • Can be disabled potentially
    • Include as an upgrade instruction so people can turn it off
  • Security office at Duke prefers using centralized credentials
  • Vivek: question about deleting and child table, and cascade
  • Chris: delete from child table
  • Extract logic from daemon
  • Not our standard now to use cascade, revisit that for Grouper 3.0
  • We should be consistent now
  • Vivek will update some wording: Replace key / delete key and settings

 

  Azure Provisioning Connector

  • Illinois was working on Azure connector
  • Submitted enhancements
  • Interested in kicking tires on provisioner
  • Vivek: look at their configs
  • Need to have a call
  • Need to update the wiki and add screenshots

Chris 

  • Worked on some Jiras, including issues discussed at Grouper training
  • Swagger is now OpenAPI
    • See Chris's work here: Web Services OpenAPI
    • Comment: this work will be helpful
    • Hosting will be on demo server and it will also be in your app
    • Overhead of running this is not bad
    • Took away ability to actually make calls
      • Can add that back potentially
      • Not sure how authentication will work
      • Don’t want this on the demo server
      • Might want it on a deployment 
      • Can test on a deployment that has authentication

 

  • Penn Zoom Deprovisioning
  • Penn Grouper with Zoom
  • Will need to implement in new provisioning framework
  • Syncs to table of Zoom users, not all users are resolvable
  • Can do queries on users
  • Can have reports and GSH templates to help Zoom provisioners 
  • Can remove non human users
  • Map email address to user


Provisioning: be sure we are escaping everything

  • Stack trace started at 20K, can get below 4k using
  • Method called exception without dups, exception without packages
  • Shaves off size
  • Then Gzip if needed


Grouper daemon "other job" GSH script to delete unresolvable subjects

  • Useful for incremental daemons 
  • Subject IDs, tries to resolve them
  • Same logic as failsafe


Shilen

  • Issues related to LDAP provisioner
  • Uppercase vs lowercase
  • Fixed
  • Character in group name that required escaping, fixed
  • Rename a folder with the same name but different case, fixed


Issue Roundup 

Jiras in past two weeks

 

Grouper Emails in past two weeks

 

 

Grouper wiki updates in past two weeks

 

