Attending

  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Vivek Sachdiva, independent
  • Carey Black, the Ohio State University
  • Emily Eisbruch, Internet2

 

New Action Items from this call 

Discussion

 

Administrivia

 

Review of Grouper Training, June 22-25, 2021, about 20 attendees

 https://www.incommon.org/academy/grouper/


  • Similar to last Grouper training, smoother than the one before that
  • New lessons on GSH templates, on provisioning, and on the LDAP loader
  • 50% of attendees very involved
  • Some troubleshooting issues from the previous training got fixed (maturity level issues)
  • Involvement of CSP (Community Success Program) participants can create more energy among participants
  • Change in defaults in containers, needed to fix that
  • So many containers in GTE and so many Dockerfiles
    • Maybe need one that everything inherits from
  • Merge all the configuration into one base configuration
  • Eliminate multiple grouper.properties
  • Each container has a start state and an end state; the end state is needed for the next start
  • Put the GSH that creates the end state into the start of the next one
    • Can you do that with a template to reset the server?
    • Many issues solved with templates
  • Summary: training went well, previous training prep work paid off

How was BaseCAMP?

  • Chad: Grouper 101 at BaseCAMP went well
    • More fleshed out container
    • Long term hope for a more beefed up mock environment
  • Chris: Grouper more advanced session at BaseCAMP: shared Penn use cases, reports, attestation
  • AI Chad: put container used at BaseCAMP in July 2021 in Grouper MISC
  • AI Chad and Chris: put presentations from BaseCAMP in documents wiki https://spaces.at.internet2.edu/x/Gobd

 

Current work tasks, and next tasks


Vivek - Provisioning

  • Have implemented provisioning to GitHub and AWS via SCIM
  • Duo tested
  • Have to accommodate differences between GitHub, AWS and SCIM
  • Can’t delete orgs through SCIM, different from how AWS works, can do more with AWS
  • Some disappointment with SCIM’s implementation
  • In AWS can’t retrieve all users in a paginated way
    • Must know all user IDs beforehand
    • Required attributes are handled differently
  • Now working on Azure
    • Password is a required field
    • Password profile is a complex field
    • Get access token needed for API call
    • External system needs to know both URLs
    • Commands class must deal with this
    • It’s a necessary authentication step
    • If you don’t provide the password profile, you get an error
    • How to deal with the error?
    • Rely on Grouper to generate the password
    • Password can be random
    • Force change password must be true
    • Chad used a test account and test users
    • Vivek: the capability to insert users into the target does not exist
    • We want that capability added in our commands
    • Chris: make an insert entity
    • Vivek will add this capability
    • Password policies can be tricky
    • Carey: might want to allow users to configure, must/can’t have special characters, etc.
    • Start with a generic approach to passwords
    • Looking at the whole provisioner system
    • Wiki page that says if this is the input, what should be happening
    • Grouper provisioning framework recalc logic
    • Carey: the start of the wiki page needs a flow
    • AI Chris: explain the Grouper provisioning framework recalc logic wiki page better
    • Treating events as stateless messages 
    • Recalc is stateless
    • Non recalc is stateful
    • If changelog says add to group, sometimes needs to go to target, sometimes it does not, depends on provisioner, and config 
    • Vivek, Shilen and Chris have discussed the framework
    • Some issues will be solved after user tests
    • Incremental will become more efficient
    • LDAP DAO can’t do individual member operations
      • Shilen is working on that
    • Vivek is working on the framework
    • Chad: the fact it pulls in every single entity from the remote source, will there be an option to NOT do that?
    • Chris: yes, that is in the table under full sync, 2nd row
    • This page shows the conditions for converting to recalc
    • Carey: in the OSU environment, everything is incremental
      • Would appreciate more certain statements in documentation on how provisioning is done
    • Strategy of PSPNG was   that stateless is best
    • Now we try to compromise with stateful
    • Hybrid approach, trying to get better performance
    • Carey: hard to understand stateless
    • Full sync object or entire provisioner
    • Full sync is everything
    • Group sync is for the group
    • Membership recalc is look at both sides and see what needs to change for the membership
    • Stateful where it can be
    • Stateless in other places
    • There is also a shadow table
    • Problem with PSPNG: no caching
    • Sync tables satisfy several needs: 
      • caching, 
      • knowing state of the target, 
      • capturing error conditions 
  • Vivek will keep working on provisioning and documentation 
  • LDAP provisioner may be a little broken now
    • Deletion issue
  • Need to do a new release today if possible
  • TO DO
    • LDAP efficiency
    • Recalcs
    • Messaging provisioner
    • Improve SQL provisioning
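The Azure discussion above (password profile is a required complex field, rely on Grouper to generate a random password, force change password must be true, let sites configure the character policy) in working form. This is an added example, not Grouper's provisioner code; the policy dictionary, DEFAULT_POLICY and the function names are assumptions for illustration. The request body shape (accountEnabled, displayName, mailNickname, userPrincipalName, passwordProfile) is the one Microsoft Graph expects for creating a user.

```python
import secrets
import string

# Added example (not Grouper code): generate a policy-conforming random
# password and build the Microsoft Graph "create user" body, in which
# passwordProfile is a required complex field. The policy dictionary and
# the function names below are assumptions for illustration.

DEFAULT_POLICY = {
    "length": 24,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_special": True,
    "allowed_special": "!@#$%^&*()-_=+",   # a tenant policy may disallow others
}


def _required_classes(policy):
    """Character classes the policy demands, in a fixed order."""
    classes = []
    if policy["require_upper"]:
        classes.append(string.ascii_uppercase)
    if policy["require_lower"]:
        classes.append(string.ascii_lowercase)
    if policy["require_digit"]:
        classes.append(string.digits)
    if policy["require_special"]:
        classes.append(policy["allowed_special"])
    return classes


def generate_password(policy=DEFAULT_POLICY):
    """Random password that satisfies every class requirement by construction.

    Uses the secrets module (CSPRNG), never random. One character is drawn
    from each required class first, the rest from the union of all classes,
    then the list is shuffled with secrets.randbelow so the positions of the
    guaranteed characters are not predictable.
    """
    classes = _required_classes(policy)
    if not classes:
        classes = [string.ascii_letters + string.digits]
    if policy["length"] < len(classes):
        raise ValueError("password length cannot satisfy the required classes")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(policy["length"] - len(chars))]
    for i in range(len(chars) - 1, 0, -1):   # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, policy=DEFAULT_POLICY):
    """Independent check that a password satisfies the policy."""
    if len(password) < policy["length"]:
        return False
    return all(any(c in cls for c in password) for cls in _required_classes(policy))


def build_user_payload(upn, display_name, mail_nickname, policy=DEFAULT_POLICY):
    """Body for POST https://graph.microsoft.com/v1.0/users.

    forceChangePasswordNextSignIn is always True: the generated password is
    single-use bootstrap material, so the provisioner never needs to keep it
    and must never log this body.
    """
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": generate_password(policy),
        },
    }
```

The generator never returns a password the checker would reject, so a site that tightens the policy (longer, different special set) only edits the dictionary. If a tenant rejects the password anyway, the provisioner should treat that as the error condition discussed above and record it rather than retrying with the same value.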

People are using the new provisioning
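The recalc discussion above (recalc is stateless and reads both sides; incremental is stateful and decides from the sync table whether a changelog event needs to reach the target; a group with unknown state converts to recalc; the sync table also captures error conditions) as a small runnable model. This is an added example, not Grouper's provisioning framework; Target, recalc_group, apply_event and the sync-table layout are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Added example (not Grouper's framework): a toy target system, a stateless
# membership recalc that reads both sides, and a stateful incremental path
# that consults a sync table. All names here are assumptions.


@dataclass
class Target:
    """Stand-in for a remote system (LDAP, a SCIM endpoint, ...)."""
    groups: dict                                        # group -> set of subject ids
    unprovisionable: set = field(default_factory=set)   # subjects the target rejects
    calls: list = field(default_factory=list)           # every call we issued

    def list_members(self, group):                      # the expensive full read
        self.calls.append(("list", group))
        return set(self.groups.get(group, set()))

    def add(self, group, subject):
        self.calls.append(("add", group, subject))
        if subject in self.unprovisionable:
            raise RuntimeError(f"target rejected {subject}")
        self.groups.setdefault(group, set()).add(subject)

    def remove(self, group, subject):
        self.calls.append(("remove", group, subject))
        self.groups.get(group, set()).discard(subject)


def recalc_group(group, grouper_members, target, sync_table):
    """Stateless recalc: read both sides, push only the difference.

    Afterwards the sync table is rebuilt from what the target actually holds,
    so it serves as cache, as record of target state, and as error log."""
    current = target.list_members(group)
    adds, removes = grouper_members - current, current - grouper_members
    errors = {}
    for s in sorted(adds):
        try:
            target.add(group, s)
        except RuntimeError as e:
            errors[s] = str(e)
    for s in sorted(removes):
        target.remove(group, s)
    sync_table[group] = {"members": target.list_members(group), "errors": errors}
    return adds, removes


def apply_event(event, sync_table, target):
    """Stateful incremental: decide from the sync table whether a changelog
    event ('add'/'remove', group, subject) needs to reach the target at all."""
    action, group, subject = event
    if group not in sync_table:            # unknown target state: convert to recalc
        return "recalc"
    known = sync_table[group]["members"]
    if action == "add":
        if subject in known:
            return "skipped"               # target already reflects it, no call
        try:
            target.add(group, subject)
        except RuntimeError as e:
            sync_table[group]["errors"][subject] = str(e)
            return "error"
        known.add(subject)
        return "pushed"
    if action == "remove":
        if subject not in known:
            return "skipped"
        target.remove(group, subject)
        known.discard(subject)
        sync_table[group]["errors"].pop(subject, None)
        return "pushed"
    raise ValueError(action)
```

The incremental path never lists the target, which is the performance win over a pure stateless design; the price is that the sync table can drift from the target, which is why a periodic recalc (full sync or group sync) is still needed to reconcile it.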

 


Chris

 

  • Did new Grouper release
    • Chad helped with Travis CI


  • JIRA for loader issues
  • Global loader failsafe
  • If a group is over size then the failsafe kicks in
  • Max percent to remove
  • What is needed for changes to the defaults and attributes on loader jobs to increase flexibility
  • Suggestion for new settings
  • Default for changing things at group level
  • Min group percent remove
  • Max overall percent remove
  • Min managed groups
  • Min number of members for a group
  • Overall list of groups: should be this number or bail
  • Send an email, default to true
  • To turn off the failsafe, use a date and time
    • Setting failsafe per job is a big win
  • All this is in the loader UI wizard
  • Set on a loader job, but some don’t apply everywhere
  • Carey: questions around lists, will think more
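The failsafe settings listed above, worked through as a check a loader job would run before applying a source's changes. This is an added example, not Grouper's loader code; FailsafeConfig, failsafe_check and the field names and defaults are assumptions chosen to mirror the bullets (per-group percent with a minimum group size, overall percent, minimum number of managed groups, send email, a date/time that turns the failsafe off).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example (not Grouper's loader code): the failsafe arithmetic from the
# settings discussed on the call, with illustrative names and defaults.


@dataclass
class FailsafeConfig:
    min_group_size: int = 200             # smaller groups are exempt from the per-group check
    max_group_percent_remove: int = 30    # per group
    min_overall_members: int = 200        # job-wide exemption threshold
    max_overall_percent_remove: int = 30  # across all groups the job manages
    min_managed_groups: int = 1           # bail if the list of groups shrinks below this
    send_email: bool = True
    disabled_until: Optional[datetime] = None   # failsafe is off until this date/time


def failsafe_check(cfg, current, proposed, now):
    """Compare what the job currently manages (current) with what the source
    now says (proposed), both group -> set of members.

    Returns bail=True when the job should stop without applying anything and
    email=True when an operator should be notified."""
    if cfg.disabled_until is not None and now < cfg.disabled_until:
        return {"bail": False, "reasons": [], "email": False}
    reasons = []
    if len(proposed) < cfg.min_managed_groups:
        reasons.append(f"only {len(proposed)} groups in source, min is {cfg.min_managed_groups}")
    total_size = total_removed = 0
    for group, members in current.items():
        size = len(members)
        removed = len(members - proposed.get(group, set()))
        total_size += size
        total_removed += removed
        if size >= cfg.min_group_size and size > 0 \
                and removed * 100 / size > cfg.max_group_percent_remove:
            reasons.append(f"{group}: would remove {removed} of {size} ({removed * 100 // size}%)")
    if total_size >= cfg.min_overall_members and total_size > 0 \
            and total_removed * 100 / total_size > cfg.max_overall_percent_remove:
        reasons.append(f"overall: would remove {total_removed} of {total_size}")
    bail = bool(reasons)
    return {"bail": bail, "reasons": reasons, "email": bail and cfg.send_email}
```

The minimum-size thresholds are what keep the check from firing on tiny groups where removing two members is 50%; the overall check is what catches a source that returns far fewer rows than it should (an empty or truncated query) even when no single group trips the per-group limit.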

 


Chad

  • Looking at the OKIO library
  • Duo users and Azure users
  • Libraries conflict
  • Should have named the jar file differently
  • GRP-3531 okio needs to be upgraded for Azure provisioner
  • Looked at why it’s pulling in the older one
  • Need to test with Duo
  • Just changed it to use the Duo client
  • May be a Maven dependency issue
  • Carey posted about this on Grouper Slack
  • Pointing to the wrong version of OKIO
  • Need to test if Duo works with OKIO 1.17.2
  • Carey tested
  • Both versions of OKIO are in the container
  • When Maven does dependency resolution, if you did not order them properly, the older version gets included
  • We made a change to the POM and that led to a problem
  • Chad can change the order, or we can do an exclude for the Duo
  • Carey updated?
  • Most important to take the latest from OkHttp and OKIO
  • Chad: can tell Maven to take the most recent
  • Chad is getting the Duo mock environment going
  • They have made changes to the API

Issue Roundup

Jiras in past 4 weeks

Grouper Emails in past 4 weeks

Grouper wiki updates in past 4 weeks