Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
- Emily Eisbruch, Internet2
New Action Items from this call
- AI Team - review Grouper GSH template wizard security https://spaces.at.internet2.edu/display/Grouper/Grouper+GSH+template+wizard+security
- AI Shilen address Query in Grouper DAO that is using Grouper Membership All View, should use table DONE
- AI Matt and Chris - discuss reporting needs at OSU
- AI Chris - make a wiki about Azure mock server
- AI Chad - add more documentation on Openshift to the wiki https://spaces.at.internet2.edu/display/Grouper/Grouper+container+running+on+OpenShift
Discussion
Administrivia
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
New Grouper Build 2.5.46 as of this week
Recent Work
Vivek
- GSH Builder Classes - New Commands
- For finders (retrieve) and savers (insert/update/delete):
- See documentation : Grouper GSH new commands
- Hope to bring consistency across classes
- Will have one wiki page per operation, for example: GrouperShell (gsh) Group insert / update / delete
- Enhance Javadocs and rely on that
- Hope to have an API to help generate wiki pages
- Replace all settings, can help if you want to tweak an existing,
- These will run with the security of the calling Grouper session
- If you have a GSH template, you can pass in run as root if needed
- Could spend forever on APIs, need to limit work effort
- Looks good
- Be sure to document in the Javadoc, if certain things are required, what to do
- Example: Group Save and you forget the name, it won’t work
- But OK to forget displayname
- With old classes, such as finders, was hard to know what the parameter meant
- Documentation is key, especially for assign methods
- Matt: like the builder methodology, but inherent problem that a thing must exist before you can pass it to next thing
- User needs to understand what needs to exist before starting the GSH code
- Matt has use case for doing reporting, spinning up a new app folder
- Will deprecate the older built-in commands for GSH
- Keep under legacy methods, bring to sub page
- Links to sub pages
- Decent amount of work for restructuring the documentation
- Right now the GSH wiki page is one long, huge, rambling page
- In new structure, Top part of operations wiki page is from Java Docs
- In addition to new builders, we should have sub pages on different topics, like how to do hibernate, Group by topic
- SQL to generate GSH can be in its own sub page
- GSH has help command that shows a lot of the main commands
- What will happen with that?
- Need to rewrite it, and rewrite help page in the UI
- Could have a link to the wiki, so you don’t have to search every time
- Vivek has wrapped up GSH template
- If you make a template in Grouper you can run it in the UI
- Need people to kick the tires
Notes from Chris Hyzer:
- UNC: attestation, custom classes
- Java class, on behalf of users
- creates folder, set of groups (admin, users, filters, source, composite), attestation, privileges, gidNumber
- Checks existing groups
Inputs:
- folder name
- folder display name
- gidNumber
- users in admin group
- provisioned to ldap or ad
- attestation yes/no
- attestation number of days
- mail for attestation
- log inputs except passwords, private
- prefix
0. Send where you are for context
1. Run as template
2. Run in parts of UI
3. Run in background
Send list of output
GSH: arbitrary
How to test.
OSU:
- hooks ( trigger GSH scripts on events like: object create, membershipAdd, etc...)
- rules ( simplify users adding complex attribute(s), values, etc.. and 'maybe with elevated privs in gsh script' )
- add rule to group
- "Live reports" in the UI (gather inputs, collect details 'maybe with elevated privs in gsh script', return output (HTML?) to user in the UI )
- hopefully permission guarded access to each "template/script"
- hopefully scripts could be limited to a "scope"(stem, set of stems, regex match for stems? )
Chris
- Grouper GSH template wizard security
- Hoping to find security issues before releasing
- AI Team please review Grouper GSH template wizard security
- Chris working on provisioning diagnostics
- See link: Grouper provisioning diagnostics
- Anything someone with a support question needs should pop up
- Import Config File
- Prints config for external system
- Will validate and test external system
- Will validate the provisioner
- Ask questions on what you want to do
- Will reach into the DAO
- Can see what classes executed in provisioner
- Makes sure what is being configured is right
- Validation looks at the configuration rules, etc
- Helps run translation scripts, filters
- Shows what group looks like in raw form, and after provisioner does some of the translations
- You can see how group morphs and try to debug
- Would work for LDAP, could make tweak for Azure
- Shilen: looks useful
- Matt: perhaps add a select all and copy all button to the UI
- Chris : will do
- Using group client in ESB at Penn
- Now you can pass in the endpoint username and password to Grouper Client
- Using Grouper client as java library will be better experience
Shilen
- Provisionable attribute propagation
- Incremental and full syncs for the job will handle propagation
- Fixed a few minor bugs
- provisioning daemon was clearing invalid provisionable configs, still doing that
- Chris: Query in Grouper DAO is using Grouper Membership All View
- Would be better to use the tables, for mysql
- New queries are using only tables
- Quick thing to change
- AI, Shilen address Query in Grouper DAO is using Grouper Membership All View, should use table
- Next task: bushy provisioning w LDAP
- Initial questions:
- All in framework or only in LDAP DAO?
- Might be LDAP specific
- If only in LDAP DAO then need support for translations on attributes
- Section for folders where you configure folders
- LDAP as RDN?
- Object class
- Or need place for other attributes based on stem
- That would be more involved
- Starting with the RDN and object classes for 1st pass?
- Yes
- Matt using PSPNG for use case
- Inferring from folder structure
- As long as that model flows for the bushy OUs, not too hard to convert.
- How to mark folder or objects
- Nice to model new provisioner in similar way as PSPNG
- Mapping to OU in connected LDAP
- OUs are just folder extensions
- Force everything under the folder
- Get base working
- Next step: look at stem metadata, point to different OU
- Matt: interested in mapping to external folders
- Chris: right now focus on LDAP specific approach
- Shilen: will focus on LDAP only approach now
- Shilen and Chris will chat and create a wiki
- There are Folder provisioned use cases at OSU
Chad
- Azure issues
- Tried ismock = true
- Did not solve issues
- Need to add port to tomcat
- Hoped Azure calls would go to mock
- They go to Microsoft
- Had multiple connectors, one regular and one test
- Test connector must be first one it finds
- Mock classes look into configs
- If you have multiple Azure external systems w different secrets,
- It picked up wrong one
- Need a config to tie to a specific mock external system
- Better to have special mock configs
- Trouble syncing groups
- Kept looking for subject sources
- Could be a bug we need to fix
- AI Chris will make a wiki about Azure mock server
- Openshift
- Grouper container running on OpenShift
- Chad has documented how to set up environment secrets
- SLF4J http://www.slf4j.org/
- No DDL Scripts folder for bootstrap
- Folder not writable issue
- Image overlay is large
- Should web app be writable? Is that an antipattern?
- DDL scripts issue
- Running Groovy without home directory, can’t save commands
- Chris and Chad will discuss on a different call
- This is running in openshift at UNC
- AI Chad Will add more documentation on Openshift to the wiki
Issue Roundup
Grouper wiki updates in past two weeks
- Grouper container documentation for v2.5
- Grouper provisioning diagnostics
- Grouper GSH new commands
- v2.5 Release Notes
- v2.5 Upgrade Instructions from v2.5
- Grouper container running on OpenShift
- Grouper GSH template wizard security
- Grouper SQL interface
- Grouper provisioning: identifying groups for provisioning
- Externalize and encrypt grouper passwords
- Grouper Training Environment developer notes
- GrouperShell (gsh) Group insert / update / delete
- GrouperShell (gsh)
- GrouperShell (gsh) GrouperSession
- Grouper custom template via GSH Internet2 example
- Release steps for new container build
Good to make JIRAs for commits
Reports will move to configs?
AI Matt and Chris will discuss reporting needs at OSU
Question on Grouper email re creating group w 24K and performance issues
Jiras in past two weeks
- GRP-3250: if a gsh template throws an exception, still display the screen
- GRP-3249: refactor validation in provisioning
- GRP-3248: allow restrict by group in provisioning (e.g. valid users)
- GRP-3247: dont retrieve objectClass by default in provisioning
- GRP-3246: add external system to diagnostics
- GRP-3245: add entity to select to diagnostics
- GRP-3244: add validation to diagnostics
- GRP-3243: add group select to diagnostics
- GRP-3242: add capabilities and behaviors to diagnostics
- GRP-3241: if an attribute is not specified in provisioning it should be filtered from target
- GRP-3240: select all groups/entities/memberships during diagnostics
- GRP-3239: provisioning diagnostics should start with provisioner configuration
- GRP-3238: provisioning diagnostics should go to 100% when done
- GRP-3237: provisioning diagnostics should have a start form before running
- GRP-3236: Grouper Reporting should support a Java/GSH option (not just SQL) with context/inputs based on how the job was configured/started.
- GRP-3235: object type assignment can cause rule issues
- GRP-3234: Grouper Provisioning - unable to remove direct assignment
- GRP-3233: Grouper Provisioning - unable to remove metadata json in UI
- GRP-3232: config overrides and threadlocal overrides should be able to override a non ELconfig if the base file has ELconfig
- GRP-3231: should not need a stem lookup to create a stem via WS
- GRP-3230: make grouper client properties optional
- GRP-3229: allow grouper client to have endpoint, user, pass, passed in from external
- GRP-3228: add root managers group which can read/update all
- GRP-3227: allow assigning grouper passwords to be assigned as encrypted
- GRP-3226: quartz driver delegate postgres throws exception
- GRP-3225: on gsh profiles, dont start a root session if there is a session there already
- GRP-3224: gsh templates delete but then still are on screen
- GRP-3223: quartz is testing connections too much and should use grouper db pool
- GRP-3222: upgrade mysql db driver
- GRP-3221: zoom customui looking up by group id and not group name, exception
- GRP-3220: Error: can't find daemon config for jobName PSP_FULL_SYNC
- GRP-3219: add lower retry in apache proxypass
- GRP-3218: new daemon to delete old logs from grouper_sync_log
- GRP-3217: gsh template view details throws exception
- GRP-3216: gsh template jexl validations should use the value variable with same type as input type
- GRP-3215: grouper folder provisioning metadata was not saving correctly
- GRP-3214: add method to read a config from a file
- GRP-3213: During a bulk import ( from the UI/WS ) to group(s) that are loaded by a loader job the loader job should "wait/skip the group" until the import is complete.
- GRP-3212: provisioning metadata booleans should be radios
- GRP-3211: use protocol for getting SSL certs in container
- GRP-3210: Migrate existing subject sources to subject source templates
- GRP-3209: make the list of breadcrumb right clickable in the UI to the parts of the folder structure they are for.
Grouper Emails in past two weeks
- [grouper-users] Grouper demo site?, Takeshi Nishimura, 03/01/2021
- Re: [grouper-users] Grouper demo site?, Takeshi Nishimura, 03/01/2021
- Re: [grouper-users] Grouper demo site?, Olivier Salaün, 03/02/2021
- Re: [grouper-users] Grouper demo site?, Takeshi Nishimura, 03/02/2021
- Re: [grouper-users] Grouper demo site?, Redman, Chad, 03/03/2021
- Re: [grouper-users] Grouper demo site?, Takeshi Nishimura, 03/04/2021
- Re: [grouper-users] Grouper demo site?, Olivier Salaün, 03/04/2021
- Re: [grouper-users] Grouper demo site?, Takeshi Nishimura, 03/01/2021
- Re: [grouper-users] Grouper demo site?, Olivier Salaün, 03/01/2021
- Re: [grouper-users] Fw: Install Grouper, Malathi Deenadayalan, 03/05/2021
- Re: [grouper-users] Fw: Install Grouper, Black, Carey M., 03/05/2021
- [grouper-users] performance issue with grouper 2.4, Siju Jacob, 03/09/2021
Next Grouper Call: Wed, March 31, 2021