2-March-2022

Attending 

• Chris Hyzer, Penn, Chair
• Shilen Patel, Duke
• Chad Redmon, UNC
• Carey Black, Purdue
• Jonathan Johnson (JJ) , Unicon
• Emily Eisbruch, Internet2  (scribe)

   

DISCUSSION

•  Internet2 Intellectual Property Policy
  
• Review AIs  Grouper Project Action Items (Google Doc)
  

• Blog on Attribute Based Access Control (ABAC) with Grouper was in February 2022 InCommon Newsletter. https://incommon.org/news/new-features-with-grouper/
  

Current Work

Vivek

• Attribute screen
  
• Duo provisioner, adding a loader  
  
• https://todos.internet2.edu/browse/GRP-3868
  
• https://spaces.at.internet2.edu/pages/viewpage.action?pageId=190356395
  
  
  
• Similar to Zoom provisioner
  
• Zoom user table works a bit differently
  
• Zoom can load folders with groups
  
• Hard to match users in Zoom to users in your institution
  
• Grouper should be able to do that matching at some point
  
  
•  Make loader system in Grouper like the provisioning framework
  
• Loader screen can be more flexible
  
• Some concern about performance
  
• Sometimes can’t do frequent full sync
  
• Chad: JIRA for new GSH loader type 
  
• Use a GSH script, return an output object
  
• Has a list of users , or list of users and groups
  
• Examples of DOAs
  
• Efficient if you put in work to make custom classes for every provisioner
  
•   if vendor has special API,, still need GSH loader
  
• But for provisioner that goes to target like LDAP or SQL, then use full sync
  
• If not using provisioning framework for DUO, can you still use loader?
  
•   Yes, it may be clunky at this point
  
• Loader framework is not a consistent framework now, but maybe in the future
  
  

Chris reviewed issues for Grouper 2.6.9

• https://spaces.at.internet2.edu/display/Grouper/Grouper+Product+Roadmap
  
• https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+v2.6.9+refactor
  
• Add tables for other items, as we have for Zoom and Duo? Perhaps in future
  
• Jexl translations in UI, almost done
  
• Scaffolding
  
• Wizard config
  
• After streamlining provisioning config, and using scaffolding, then make videos.
  
• To go from zero to provisioning now takes 15 min to a couple of hours
  
• Videos could help cut the time
  
• People are using provisioning now, special thanks Liam
  
• Grouper 2.6.8 went out to handle issue in 2.6.7
  
• Make a branch for 2.6.9 
  
• https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+v2.6.9+refactor
  
• Config files issue
  
• Goal is to make things easier
  
• Make it harder to do the wrong thing
  
• Make things more dynamic
  
• Grouper would show the LDAP filter it will use
  
•   If we had infinite ability to make changes….
  

Shilen

• updated name of group, loader job issue, now fixed
  
• We need to make a branch for provisioning work
  
  

Chris

• Log4J, can't get it out of the container
  
• Cannot customize log streams in tomcat
  
• Chris will take first stab   at search and matching

Chad

• GSH Loader
  
• https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader+GSH
  
• Similar to how SQL jobs run
  
  
• Created a JIRA for want memberships thru GSH, need a better API
  
•  No good wiki on this
  
•  Chris and Chad will chat about these topics
  

Issue Roundup 

Jiras in past two weeks

• GRP-3894
  how to know when matching id is required...
  
  GRP-3893
  failsafe attribute not found
  
  GRP-3892
  add assignments on assignments to group edit attributes
  
• 
  GRP-3891
  If there are too many errors then stop the provisioner
  
  
  
  
• 
  GRP-3890
  allow select attributes to be edited on group edit screen
  
• 
  GRP-3889
  fix all SQL provisioning unit tests
  
• 
  GRP-3888
  load more actions in group in ajax only if needed
  
• 
  GRP-3887
  add performance logging on view group in ui
  
  
  
  
• 
  GRP-3886
  error when editing templates
  
  
  
• 
  GRP-3885
  provisioning search attribute is required
  
  GRP-3884
  do not retry provisioning problems that are validations
  
  
  
  

GRP-3883
templates config key for stems changed

• 
  GRP-3882
  see where GrouperConfigurationModuleBase.retrieveAttributes() is used and only use when editing or saving an edit
  
• 
  GRP-3880
  add performance logging for folder actions button
  
• 
  GRP-3879
  stem more actions button is slow
  
• 
  GRP-3878
  add custom tag for performance timing gate
  
  
  GRP-3877
  add performance log for left tree menu
  
  
  
  
• 
  GRP-3876
  add performance log for stem view in UI
  
• 
  GRP-3875
  groups are public read and view but users cannot see the folder
  
  GRP-3874
  performance problem on view stems and groups
  
• 
  GRP-3873
  allow custom appenders in the stock log4j2.xml file
  
• 
  GRP-3872
  fix provisioning update count
  
• 
  GRP-3871
  fix provisioning insert/delete count
  
• 
  GRP-3870
  fix provisioning total count for full
  
• 
  GRP-3869
  fix provisioning total count for incremental
  
• 
  GRP-3868
  Load DUO users into grouper table
  
• 
  GRP-3867
  add grouper ws logging to default log file (disabled)
  
• 
  GRP-3866
  dynamically configure log4j2
  
• 
  GRP-3865
  inherited privilege rule should be invalid if assigning admin to everyentity (daemon fails)
  
• 
  GRP-3864
  error in change log temp job: java.lang.RuntimeException: Active PITField with sourceId=abc123 not found
  
• 
  GRP-3863
  -e GROUPER_APACHE_REMOTE_IP_INTERNAL_PROXY
  
• 
  GRP-3862
  refactor env and usertoken in the container logs
  
• 
  GRP-3861
  provisioning matching ID is required
  
• 
  GRP-3860
  grouper container not logging with log4j.properties
  
• 
  GRP-3859
  script daemon should error out if the script cannot compile
  
• 
  GRP-3858
  make an example of loading groups and memberships from WS
  GRP-3857
  allow http client to assert success based on json pointer
  
  GRP-3856
  add json pointer jackson helper methods
  
  GRP-3855
  add http client assertion of code
  
• 
  GRP-3854
  add debug map to http client
  
  
  GRP-3853
  add method to increment a debug log entry
  
  GRP-3852
  add a helper method for syncing data to a SQL table
  
  GRP-3851
  null safe method to set loader log counts
  
• 
  GRP-3850
  make it easier to sync data from list of objects to SQL table
  
  
  GRP-3849
  Improve MembershipFinder api
  
  
  
  
• 
  GRP-3848
  provisioning DAO can acknowledge object as whole, and any nulls in attribute action acks should be automatically filled in
  
• 
  GRP-3847
  sql provisioner needs to acknowledge all attribute actions performed, not just object as whole
  
  GRP-3846
  change SQL provisioner to insert memberships when inserting groups/entities if groupAttributes/entityAttributes
  
  
  
  
• 
  GRP-3845
  provisioning if attribute is not select but is insert, then do not insert the attribute when updating the object (except for memberships)
  
  GRP-3844
  provisioning translate from group/entity field create only did not wor
  
• 
  GRP-3843
  Duo connector logging glitch
  
• 
  GRP-3842
  consider change loader queries into textareas
  
• 
  GRP-3841
  allow sql provisioner to have groupAttributes
  
• 
  GRP-3839
  only show "number of membership attributes" if provisioning type is membershipObjects
  
• 
  GRP-3838
  if provisioning sql group attributes, allow the search column to be in the attributes table
  
• 
  GRP-3837
  counts for provisioning in loader log
  
• 
  GRP-3836
  UI improvement - provisioner - add edit provisioner in provisioning list screen
  
• 
  GRP-3835
  wssec throwing error
  
• 
  GRP-3834
  remove slf api v25 from maven
  
• 
  GRP-3833
  add group which has subjects to pre-compute stem view privileges on full sync
  
• 
  GRP-3832
  stem view priv does not persist
  
• 
  GRP-3831
  stemViewers field is created on install but not upgrade
  
  
  GRP-3830
  grouper does not start with log4j problems
  
  
  
  GRP-3829
  upgrade mysql driver
  
• 
  GRP-3828
  mysql ddl operations error with ModelException: There are multiple column with the name in the table
  
• 
  GRP-3827
  stem privs tab doesnt render
  
• 
  GRP-3826
  dropping sysadmin causes attribute problems
  
• 
  GRP-3825
  add a way to bootstrap config
  
• 
  GRP-3824
  add Duo admin role provisioner
  
• 
  GRP-3823
  Add advanced filter to subject's memberships, where you can filter by object type
  
• 
  GRP-3822
  change container test to not use hsql
  
• 
  GRP-3821
  dn override is not editable after initial set
  
• 
  GRP-3820
  try provisioning diagnostics with dn override
  
• 
  GRP-3819
  make sure you can enable duo provisioning external systems
  
• 
  GRP-3818
  duo provisioning colons need to be escaped
  
• 
  GRP-3817
  Grouper WS does not behave as expected with some attribute call request
  
  
  

Grouper Emails in past two weeks

none

Grouper wiki updates in past two weeks

• Grouper Product Roadmap
  
• Grouper - Loader GSH
  
• v2.6 Upgrade Instructions from v2.6
  
• v2.6 Release Notes
  
• Grouper provisioning v2.6.9 refactor
  
• Grouper attribute framework attributes editable in group edit screen
  
• DDL in Grouper v2.5+
  
• Grouper provisioning unit tests
  
• Grouper performance logging
  
• Grouper container documentation for v2.5
  
• Specsheet
  
• Grouper Duo provisioning (v2.5 provisioning framework)
  
• Grouper logging dynamic configuration
  
• Grouper log4j 2x conversion
  
• Grouper daemon "other job" GSH script to load data from a rest WS to a SQL table
  
• Grouper daemon "other job" to run a script
  
• GrouperShell (gsh) Sync data to SQL table (GcTableSyncFromData)
  
• Grouper - Loader
  
• Grouper data structure improvements v3.0
  
• Grouper Duo Role Provisioner
  
• GrouperShell (gsh) Gsh template execute (GshTemplateExec)
  
• Grouper folder privilege performance
  
• Grouper rules use case - Email notifications on disabled dates
  
• DDL in Grouper v2.5+
  
• Grouper failsafes
  
• Release steps for new container build
  
• Grouper provisioning validation
  

Next Grouper Call : Wed March 16, 2022