Attending 

  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redman, University of North Carolina Chapel Hill
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Emily Eisbruch, Internet2

New Action Items from this call

 


Discussion

 Administrivia

 

 

New Grouper Build 2.5.46 as of this week

Recent Work

 

Vivek

  • GSH Builder Classes - New Commands
  • For finders (retrieve) and savers (insert/update/delete):

  • See documentation: Grouper GSH new commands
  • Hope to bring consistency across classes
  • Will have one wiki page per operation, for example: GrouperShell (gsh) Group insert / update / delete
  • Enhance Javadocs and rely on that
  • Hope to have an API to help generate wiki pages
  • Replace all settings, can help if you want to tweak an existing,
  • These will run with the security of the calling Grouper session
  • If you have a GSH template, you can pass in run as root if needed
  • Could spend forever on APIs, need to limit work effort
  • Looks good
  • Be sure to document in Javadoc, if certain things are required, what to do,
    • Example: Group Save and you forget the name, it won’t work
    • But OK to forget displayname
  • With old classes, such as finders, was hard to know what the parameter meant
  • Documentation is key, especially for assign methods
  • Matt: like the builder methodology, but inherent problem that a thing must exist before you can pass it to next thing
  • User needs to understand what needs to exist before starting the GSH code
  • Matt has use case for doing reporting, spinning up a new app folder
  • Will deprecate the older built-in commands for GSH
  • Keep under legacy methods, bring to sub page
  • Links to sub pages
  • Decent amount of work for restructuring the documentation
  • Right now the GSH wiki page is one long, huge, rambling page
  • In new structure, top part of operations wiki page is from Javadocs
  • In addition to new builders, we should have sub pages on different topics, like how to do hibernate, Group by topic
  • SQL to generate GSH can be in its own sub page
  • GSH has help command that shows a lot of the main commands
  • What will happen with that?
  • Need to rewrite it, and rewrite help page in the UI
  • Could have a link to the wiki, so you don’t have to search every time
  • Vivek has wrapped up GSH template
  • If you make a template in Grouper you can run it in the UI
  • Need people to kick the tires

 


Notes from Chris Hyzer:

 

- UNC: attestation, custom classes

- Java class, on behalf of users

- creates folder, set of groups (admin, users, filters, source, composite), attestation, privileges, gidNumber

- Checks existing groups

Inputs:

- folder name

- folder display name

- gidNumber

- users in admin group

- provisioned to ldap or ad

- attestation yes/no

- attestation number of days

- mail for attestation

- log inputs except passwords, private

- prefix

0. Send where you are for context

1. Run as template

2. Run in parts of UI

3. Run in background

 

Send list of output

GSH: arbitrary

How to test.

 

 

OSU:

- hooks (trigger GSH scripts on events like: object create, membershipAdd, etc.)

- rules (simplify users adding complex attribute(s), values, etc., and 'maybe with elevated privs in gsh script')

- add rule to group

- "Live reports" in the UI (gather inputs, collect details 'maybe with elevated privs in gsh script', return output (HTML?) to user in the UI)

- hopefully permission guarded access to each "template/script"

- hopefully scripts could be limited to a "scope" (stem, set of stems, regex match for stems?)


 

Chris

 


  • Chris working on provisioning diagnostics
  • See link: Grouper provisioning diagnostics
  • Anything someone with a support question needs should pop up 
  • Import Config File
  • Prints config for external system
  • Will validate and test external system
  • Will validate the provisioner
  • Ask questions on what you want to do
  • Will reach into the DAO
  • Can see what classes executed in provisioner
  • Makes sure what is being configured is right
  • Validation looks at the configuration rules, etc
  • Helps run translation scripts, filters
  • Shows what group looks like in raw form, and after provisioner does some of the translations
  • You can see how group morphs and try to debug
  • Would work for LDAP, could make tweak for Azure
  • Shilen: looks useful
  • Matt: perhaps add a select all and copy all button to the UI
  • Chris: will do


  • Using group client in ESB at Penn
  • Now you can pass in the endpoint username and password to Grouper Client
  • Using Grouper client as a Java library will be a better experience

 

Shilen

  • Provisionable attribute propagation
  • Incremental and full syncs for the job will handle propagation 
  • Fixed a few minor bugs
  • Provisioning daemon was clearing invalid provisionable configs, still doing that


  • Chris: Query in Grouper DAO is using Grouper Membership All View
  • Would be better to use the tables, for MySQL
  • New queries are using only tables
  • Quick thing to change
  • AI, Shilen address Query in Grouper DAO is using Grouper Membership All View, should use table
  • Next task: bushy provisioning with LDAP
  • Initial questions:
  • All in framework or only in LDAP DAO?
  • Might be LDAP specific
  • If only in LDAP DAO then need support for translations on attributes
  • Section for folders where you configure folders
  • LDAP as RDN?
  • Object class
  • Or need place for other attributes based on stem
  • That would be more involved
  • Starting with the RDN and object classes for 1st pass?
  • Yes
  • Matt using PSPNG for use case
  • Inferring from folder structure
  • As long as that model flows for the bushy OUs, not too hard to convert.
  • How to mark folder or objects
  • Nice to model new provisioner in similar way as PSPNG
  • Mapping to OU in connected LDAP
  • OUs are just folder extensions
  • Force everything under the folder
  • Get base working
  • Next step: look at stem metadata, point to different OU
  • Matt: interested in mapping to external folders
  • Chris: right now focus on LDAP specific approach
  • Shilen: will focus on LDAP only approach now
  • Shilen and Chris will chat and create a wiki
  • There are Folder provisioned use cases at OSU

 

Chad

  • Azure issues
  • Tried ismock = true
  • Did not solve issues
  • Need to add port to tomcat
  • Hoped Azure calls would go to mock
    • They go to Microsoft
  • Had multiple connectors, one regular and one test
  • Test connector must be first one it finds
  • Mock classes look into configs
  • If you have multiple Azure external systems with different secrets,
  • It picked up wrong one
  • Need a config to tie to a specific mock external system
  • Better to have special mock configs
  • Trouble syncing groups
  • Kept looking for subject sources
  • Could be a bug we need to fix
  • AI Chris will make a wiki about Azure mock server

 


  • OpenShift
  • Grouper container running on OpenShift
  • Chad has documented how to set up environment secrets  
  • SLF4J http://www.slf4j.org/
  • No DDL Scripts folder for bootstrap
  • Folder not writable issue
  • Image overlay is large
  • Should web app be writable? Is that an antipattern?
  • DDL scripts issue
  • Running Groovy without home directory, can’t save commands
  • Chris and Chad will discuss on a different call 
  • This is running in OpenShift at UNC
  • AI Chad will add more documentation on OpenShift to the wiki

 

 

Issue Roundup 

 

Grouper wiki updates in past two weeks

 


Good to make JIRAs for commits

 

Reports will move to configs?

AI Matt and Chris will discuss reporting needs at OSU

 

 

Question on Grouper email re creating group with 24K and performance issues

 

Jiras in past two weeks

 


GRP-3240
select all groups/entities/memberships during diagnostics

Grouper Emails in past two weeks

 

 

 

Next Grouper Call: Wed, March 31, 2021

