Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Jeff Williams UNCG
- Carey Black, the Ohio State University
- Emily Eisbruch, Internet2
Administrivia
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Current Work
Vivek
- Working w Chris and Shilen on object types
- Used to propagate to Children in real time
- You’d click on Save in UI and then propagate to all
- There were performance issues, reaching out to database too many times
- Now there is incremental sync
- Full sync to reconcile everything
- Minimize number of SQL queries
- Get all necessary info in one SQL query
- Question: is it still going thru predefined loop of attributes?
- Answer: building off folders and groups of interest
- New Incremental
- Getting object types
- Get children and ancestors
- Trying not to do same query twice in incremental
- Could be confusing
- Workflow, as used for provisioning
- Each method only does one thing
- For ESB events, doesn’t do logic
- Gets individual assignments
- Then gets children
- Then gets ancestors
- Keep all data structures
- Helps with logic
- Don’t have to keep track
- Do it at point you are ready to do it
- Finding ancestors for a list of folders
- Can remove relationships
- Get to minimal queries you need
- Everythings is committed
- Vivek is testing logic for full sync
- Suggestion to redo provisioning potentially using this approach
- Less passing of arguments is better
- Shilen will take a look at this new approach for provisioning
- Hope for new Grouper release out by end of weekend
- Object type full sync has been issue
- Vivek will look at instrumentation daemon
Chris
- GSH templates
- Meta data for DNs , afterwards
- VPN rollout is happening at Penn
- If you add a VPN, build out a structure
- Overall list, allow deny
- In the allow you could have different ref groups
- Come from org chart
- GSH template adds value
- 59 steps to add a template
- Each is a little block in the code
- Email for the admin
- Makes a report
- Carey: Could templates spawn other templates?
- Could 2nd template add a user to role?
- Nest functions inside functions
- Chris: yes possibly
- Templates were not multi threaded
- This is fixed in new branch
- Another profile
- Lightweight
- Blog on GSH Templates is good idea
- Focus on JS 232
- AI Emily check with Dean on the deadlines for a blog on GSH templates blog and set up google doc for ChrisH. (Emily working on this)
- Also, we are improving the
stable version of Grouper- Every 6 months mark a stable version?
- Chad: feature based is fine
- New features not entirely stable and changing
- Makes it hard to keep up
- If there is a security issue, you must increment
- If we had long term support for a particular version, it is less risk
- Carey: people want new features
- Chris: want the stable new shiny
- Some Don’t want to wait a year
- It’s a life to go from a year ago to now
- Issue is validation
- Strawpoll : long term support version every 6 months: one vote
- UNCG moving into longer term model. Need more justification on upgrades
- Others want to keep releases as they are now
- Shilen : depends on what feature is happening
- If there’s a feature that’s really needed, we may want to upgrade more often than every 6 months
- But now, things may be too unstable
- Some JUNIT tests are not passing right now
- An issue is institutions that don’t need the bleeding edge, but don’t want to get burned with a need for an upgrade due to a security issue
- If we support 2 versions back, then sites must upgrade around every year
- Every 6 months increment 2.5 to 2.6 to 2.7
- Those who want can get the point releases, like 2.5.3 to 2.5.4
- We must stabilize provisioning so sites can upgrade
- GSH templates
- And subject sources
- Then sites will upgrade to long term support version
- Then design sessions and brainstorm next stages
- Hope changing data structures in database will help performance issues
- Move to Grouper 3.0
- Chad, nice having everything in one branch
- Matt: how to patch the long term release?
- Chris: It’s another minor version
Shilen
- Made minor provisioning changes related to propagation issues
- Added logic in LDAPTIVE code so if you have AD set to TRUE and don't’ specify page size, since paging is usually done w AD, then it will query AD
- Defaults to 1000
- Looking at performance issues
- Running profilers
- Adding 200K members to a group
- Identified a few issues
- Query to retrieve members from Grouper is expensive
- Batches of 900
- For a large group, this needs improvement
- 2nd issue: in retrieving entity , it asks for same entity multiple times
- 3rd issue: when going thru to check values for membership object, adding membership to set, it checks entire set
- Another issue: If running incremental as new changes are being added, it will get most of work done, but won’t fully increment last sequence processed, Not sure why
Chad
- Added a new link to release notes on Main Grouper wiki page
- Chris will take a look at Azure issue
- Looking at GSH templates
- UNC has similar project using GSH templates to what Penn is doing
Issue Roundup
Recent Jiras (from March 22 to April 14, 2021)
GRP-3371 when calculating showEl in gsh templates, consider default values for null values
GRP-3370 add ability to have conditional attestation via script
GRP-3369 if you edit a value in the config editor it should use the unprocessed value
GRP-3368 deleting a report should unschedule it
GRP-3367 CompositeSave should allow "minus" and other words in addition to current words
GRP-3366 CompositeSave chaining class should take groups in addition to group names
GRP-3365 report user should show in a more friendly way
GRP-3364 recent activity should escape html (e.g. edit externalized text)
GRP-3363 Grouper Provisioning attribute propagation improvements
GRP-3362 percent done of GSH template is based on average execution time
GRP-3361add debugMap to GSH templates
GRP-3360support bind variables for GSH template scripts
GRP-3359 convert groovysh shell for templates, other jobs, and custom ui, to jsr223
GRP-3358 cache GSH template compilation
GRP-3357 take out System.out.println from gsh templates
adjust gsh template so it runs the same script every time
Provide the specify the DN of a target LDAP group in the provisioner configuration
GRP-3354 offer "skeletal" grouper provisioner project
GRP-3353 scroll to top after filling out gsh template run form
GRP-3352 need to check gsh template privs as root
GSH template doesnt show in menu unless user is admin on folder
GRP-3350 a blank gsh string input will get processed as the string "null"
can multiple GSH scripts run at the same time?
if a gsh template field is empty, then dont validate the regex
Lookup Active Directory page size if not set
get rid of tag library errors in TomEE startu[
add box loader to bring user info into a sql table
GRP-3344 alphabetize template list
check to see if a deleted config is in a config file and give a more accurate message
GRP-3342 gsh template validation messages do not show on screen
email addresses label should be bold in attestation
Grouper provisioning attribute propagation with multiple provisioners
ldaptive implementation should verify that dn is passed during updates
add easy API way to allow a "group email" address in config
will compositeng rule remove a group is not employee (should ignore)
folder attestation validation (e.g. no email address) navigates away from form
get memberships json rest sample should have memberships in result (its blank)
allowedToUse configs show up in "remaining config" on config UIGRP-3333
update LDAP setting descriptions in the "external systems" UI
grouper client getAttributeAssignments should document "value" in the sampleGRP-3330
validate various azure provisioning constraints
GRP-3329 insert group into target in diagnostics
it should not be a diagnostics error to not have a matching id if it is retrieved from target
GRP-3327 diagnostics all groups should check matching ids. all have a unique one
GRP-3326 object type daemon needs to be quicker
GRP-3325 harmonize container log4j and host log4j properties
GRP-3324 container duplicates log messages
GRP-3323 add one time daemon for fix SET information
GRP-3322 Cannot remove jobs from daemon jobs screen
GRP-3321 add one time daemon for fix PIT information
GRP-3319 ldap provisioner should output debug filter information
provisioning diagnostics should not run during another job
GRP-3317 enable smtp email external system test button
GRP-3316 allow grouper to email to a group for attestation and other functions
GRP-3315 add ability to send email to a subject via api
GRP-3314 add html emails to grouper
GRP-3313 smtp external system should show all email configs
GRP-3312 do not allow delete of smtp external system
GRP-3311 do not allow add smtp external system
GRP-3310 running gsh via api can have exception
GRP-3309 azure external system should not have so many required fields
GRP-3308 Grouper Provisioning - ldap configuration for rdn
GRP-3307 Grouper Provisioning attribute propagation point in time error
GRP-3306if an external system cannot enable/disable, do not throw exception
GRP-3305 fix enable / disabled in smtp external system
GRP-3304 external systems buttons should be ajax and not urls
GRP-3303 improve ldap external system screen documentation
GRP-3302 add ldap debug info to subject diagnostics
subject diagnostics should not use subject cache
GRP-3300 Grouper Provisioning - ldap bushy support
GRP-3299 subject api diagnostics should show the low level queries/filters
GRP-3298 show errors with dao in logs
GRP-3297 make provisioning config save wizard faster
gsh template progress should return to input screen if validation problem
subject problem with no description
GRP-3293 automatically add sql server driver to container on startup
GRP-329 take out template run submit button when it is running (so not clicked twice)
filter out success gsh template messages if rolled back and not success
add button to print out script header in GSH template
GRP-3287 labels should be bold like other screens in template input screen
GRP-3286 add template name to "running template" progress screen
GRP-3285 gsh template screen should show template name, and link to stem
GRP-3284 add validation on gsh template inputs, cannot have same name
GRP-3283 add GdgTypeStemSave builder
GRP-3282 add GdgTypeStemFinder builder
GRP-3281 add GdgTypeGroupSave builder
Grouper Emails in past two weeks
- [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Malathi Deenadayalan, 04/01/2021
- Message not available
- Re: [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Malathi Deenadayalan, 04/05/2021
- Re: [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Redman, Chad, 04/05/2021
- Re: [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Malathi Deenadayalan, 04/06/2021
- Re: [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Malathi Deenadayalan, 04/06/2021
- Re: [grouper-users] Please do the needful, this was my third mail did not get any reply for my problem, Malathi Deenadayalan, 04/06/2021
- RE: [grouper-users] Adobe provisioner for Grouper, Coleman, Erik C, 04/01/2021
- <Possible follow-up(s)>
- Re: [grouper-users] Adobe provisioner for Grouper, James Oulman, 04/01/2021
- Re: [grouper-users] [External] Adobe provisioner for Grouper, Robinson, Justin S, 04/01/2021
- [grouper-users] Grouper 2.4 upgrade deleted some groups from Active Directory, Siju Jacob, 04/05/2021
Grouper wiki updates in past two weeks
- Grouper reporting
- Grouper Wiki Home
- GrouperShell (gsh)
- How to Setup a lite Grouper Development Environment for Grouper v2.5
- v2.5 Release Notes
- Grouper custom template via GSH report compare Banner security envs
- GrouperShell (gsh) HTTP client (GrouperHttpClient)
- GrouperShell (gsh) Password for Grouper insert / update (GrouperPasswordSave)
- GrouperShell (gsh) Attribute assignment on attribute assignment insert /update / delete (AttributeAssignToAssignmentSave)
- Grouper custom template via GSH impersonate delete example
- Grouper custom template via GSH impersonate example
- GrouperShell (gsh) ldap session (LdapSessionUtils)
- GrouperShell (gsh) gc db access (GcDbAccess)
- GrouperShell (gsh) Group copy (GroupCopy)
- Grouper rules use case - Composite-ng intersection
- Grouper GSH new commands
- Grouper reporting
- Versioning & Support Policy
- Running Grouper not in a container
Next Grouper Call: Wed April 28, 2021