Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdeva, independent
- Carey Black, the Ohio State University
- Emily Eisbruch, Internet2
New Action Items from this call
- AI Chad put container used at July 2021 BaseCAMP in Grouper MISC
- AI Chad and Chris - put presentations from BaseCAMP in documents wiki https://spaces.at.internet2.edu/x/Gobd
- AI Chris - enhance the intro and flow for the Grouper provisioning framework recalc logic wiki page
- AI Chad: take another look at JIRA 3402 and make a JIRA for another example, if there is one, perhaps related to GSH, https://todos.internet2.edu/browse/GRP-3402
Discussion
Administrivia
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Review of Grouper Training June 22-25, 2021, about 20 attendees
https://www.incommon.org/academy/grouper/
- Similar to last Grouper training, smoother than the one before that
- New lesson on GSH template, one on provisioning, one on LDAP loader
- 50% of attendees very involved
- Some troubleshooting issues from previous training got fixed (maturity level issues)
- Involvement of CSP (Community Success Program) participants can create more energy among participants
- Change in defaults in containers, needed to fix that
- So many containers in GTE and so many Docker files
- Maybe need one that everything inherits from
- Merge all the configuration into one base configuration
- Eliminate multiple grouper.properties
- Each container has start and end, the end is needed for next start
- Put the GSH that creates the end into start of next one
- Can you do that with a template to reset the server?
- Many issues solved with templates
- Summary: training went well, previous training prep work paid off
How was BaseCAMP?
- Chad : Grouper 101 at BaseCAMP went well
- More fleshed out container
- Long term hope for more beefed up mock environment
- Chris: Grouper more advanced session at BaseCAMP - shared Penn use cases, reports, attestation
- AI Chad put container used at BaseCAMP in July 2021 in Grouper MISC
- AI Chad and Chris - put presentations from BaseCAMP in documents wiki https://spaces.at.internet2.edu/x/Gobd
Current work tasks, and next tasks
Vivek - Provisioning
- Have implemented provisioning to GitHub and AWS via SCIM
- Duo tested
- Have to accommodate differences between GitHub, AWS and SCIM
- Can’t delete orgs through SCIM, different from how AWS works; can do more with AWS
- Some disappointment with SCIM’s implementation
- In AWS can’t retrieve all users in paginated way
- Must know all user IDs before
- Required attributes are handled differently
- Now working on Azure
- Password is a required field
- Password profile is a complex field
- Get access token needed for API call
- External system needs to know both URLs
- Commands class must deal with this
- It’s a necessary authentication step
- If don’t provide the password profile, get an error
- How to deal with the error?
- Rely on Grouper to generate password
- Password can be random
- Force change password must be true
- Chad used test account and test users
- Vivek: the capability to insert users into target does not exist
- We want that capability added in our commands
- Chris: Make an insert entity
- Vivek will add this capability
- Password policies can be tricky
- Carey: Might want to allow users to configure, must/can’t have special characters, etc.
- Start with generic approach to passwords
- Looking at whole provisioner system
- Wiki page that says if this is the input, what should be happening
- Grouper provisioning framework recalc logic
- Carey: the start of the wiki page needs a flow
- AI Chris - explain the Grouper provisioning framework recalc logic wiki page better
- Treating events as stateless messages
- Recalc is stateless
- Non recalc is stateful
- If changelog says add to group, sometimes needs to go to target, sometimes it does not, depends on provisioner, and config
- Vivek, Shilen and Chris have discussed the framework
- Some issues will be solved after user tests
- Incremental will become more efficient
- LDAP DAO can’t do individual member operations
- Shilen is working on that
- Vivek is working on framework
- Chad: the fact it pulls in every single entity from remote source, will there be an option to NOT do that?
- Chris: yes, that is in the table under full sync, 2nd row
- This page shows conditions for converts to recalc
- Carey: in tOSU environment, everything is incremental.
- Would appreciate more certain statements in documentation on how provisioning is done
- Strategy of PSPNG was that stateless is best
- Now we try to compromise with stateful
- Hybrid approach, trying to get better performance
- Carey: hard to understand stateless
- Full sync object or entire provisioner
- Full sync is everything
- Group sync is for the group
- Membership recalc is look at both sides and see what needs to change for the membership
- Stateful where it can be
- Stateless in other places
- There is also a shadow table
- Problem w PSPNG - no caching
- Sync tables satisfy several needs:
- caching,
- knowing state of the target,
- capturing error conditions
- Vivek will keep working on provisioning and documentation
- LDAP provisioner may be a little broken now
- Deletion issue
- Need to do a new release today if possible
- TO DO
- LDAP efficiency
- Recalcs
- Messaging provisioner
- Improve SQL provisioning
People are using the new provisioning
Chris
- Did new Grouper release
- Chad helped w Travis CI
- JIRA for loader issues
- Global loader failsafe
- If group is over size then failsafe kicks in
- Max percent to remove
- What is needed for changes to the defaults and attributes on loader jobs to increase flexibility
- Suggestion for new settings
- Default for changing things at group level
- Min Group percent remove
- Max overall percent remove
- Min managed groups
- Min number of members for a group
- Overall list of groups, should be this number or bail
- Send an email , default to true
- To turn off the failsafe, use a date and time
- Setting failsafe per job is a big win
- All this is in loader UI wizard
- Set on a loader job, but some don’t apply everywhere
- Carey: questions around lists; will think more
Chad
- Looking at the Okio library
- Duo users and Azure users
- Libraries conflict
- Should have named jar file differently
- GRP-3531 okio needs to be upgraded for azure provisioner
- Looked at why it’s pulling in older one
- Need to test with Duo
- Just changed it to use Duo client
- May be a Maven dependency issue
- Carey posted about this on Grouper Slack
- Pointing to wrong version of Okio
- Need to test if Duo works with Okio 1.17.2
- Carey tested
- Both versions of Okio are in the container
- When Maven does dependency resolution, if the dependencies are not ordered properly, the older version gets included
- We made change to the POM and that led to a problem
- Chad can change the order, or we can do an exclude for the Duo
- Carey updated?
- Most important to take latest from OkHttp and Okio
- Chad can tell it to take the most recent
- Chad is getting Duo mock environment going
- They have made changes to API
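As an added illustration of the Okio conflict discussed above (example configuration, not from the meeting or from the Grouper project's own pom.xml): a Maven dependencyManagement entry pins com.squareup.okio:okio to one version so that the Duo and Azure dependencies both resolve to it, instead of letting declaration order decide which transitive version wins. The 1.17.2 version is the one named in the notes; the Duo and Azure artifact coordinates are placeholders.

```xml
<!-- Added example, not the Grouper project's pom.xml.
     Maven's "nearest wins" mediation otherwise keeps whichever okio
     the first-declared dependency pulls in transitively; a managed
     version makes the choice explicit for every transitive request. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.squareup.okio</groupId>
      <artifactId>okio</artifactId>
      <!-- version the notes say still needs testing against Duo -->
      <version>1.17.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Placeholder coordinates: substitute the real Duo client and Azure artifacts -->
  <dependency>
    <groupId>PLACEHOLDER.duo</groupId>
    <artifactId>duo-client</artifactId>
    <version>PLACEHOLDER</version>
  </dependency>
  <dependency>
    <groupId>PLACEHOLDER.azure</groupId>
    <artifactId>azure-sdk</artifactId>
    <version>PLACEHOLDER</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=com.squareup.okio` afterwards shows through which declared dependency each okio version arrives, so the single managed version can be confirmed before the container is rebuilt.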
Issue Roundup
Jiras in past 4 weeks
- GRP-3537: Convert 'Veto if not group' rule into a hook that uses the Type=policy to enforce the "rule logic"
- GRP-3536: WS user not in ws.client.user.group.name logs stacktrace multiple times
- GRP-3535: LDAP incremental provisioner not working when a membership is deleted
- GRP-3534: new provisioning framework on memberships delete not deleting
- GRP-3533: provisioner error on counts npe
- GRP-3532: rulapi add privilege inheritance should propagate
- GRP-3531: okio needs to be upgraded for azure provisioner
- GRP-3530: misc -> loader jobs errors out
- GRP-3529: Configuration UI doesn't validate configurationEditor.sourceIpAddresses
- GRP-3528: Provisioning framework throws NPE when there's subject link and member is deleted
- GRP-3527: make email notification templates a textarea
- GRP-3526: grouperClient bug when GROUPER_CLIENT_WS_PASSWORD is set
- GRP-3525: automatically remove old reports
- GRP-3524: Fix provisioner for incremental - remove membership and delete group issues
- GRP-3523: scim provisioner to aws
- GRP-3522: report should not save blank values in attributes
- GRP-3521: groupViewMoreActionsButton is used in multiple places from externalized text
- GRP-3520: grouper gsh should not throw exception when calling getter
- GRP-3519: remove penn folder from i2 image
- GRP-3518: a non required gsh template input is giving an error when blank
- GRP-3517: folder privilege CREATE does not imply attribute read or update
- GRP-3516: ldaptive v2 patch
- GRP-3515: incremental loader sometimes adds memberships that exist
- GRP-3514: Incremental loader shouldn't return SUCCESS when there are non-fatal issues
- GRP-3513: Local Entity Creation Fails due to rules applying invalid privileges
- GRP-3512: Unresolvable Subject UI paging not working
- GRP-3511: Stem.Scope should be imported by default in GSH templates
- GRP-3510: gsh template transaction is not working correctly
- GRP-3509: Reports should be able to not send email when there is no data in the report.
- GRP-3508: find folders should validate parent stem name
- GRP-3507: error in ui if added members while viewing audits, should either not have button there or start a session
- GRP-3506: grouperClient with -jar and grouper.client.properties is not read correctly
- GRP-3505: builder pattern for MembershipFin
Grouper Emails in past 4 weeks
- [grouper-users] Advice around TLS, Java, Grouper, Michael Carrick, 06/25/2021
- Re: [grouper-users] Advice around TLS, Java, Grouper, Olivier Salaün, 06/28/2021
- [grouper-users] SCIM provisioning using Grouper 2.4, Siju Jacob, 07/07/2021
- Re: [grouper-users] SCIM provisioning using Grouper 2.4, Marwan Shaher, 07/08/2021
- [grouper-users] Possible grouperClient bug?, Marwan Shaher, 07/08/2021
- [grouper-users], Malathi, 07/16/2021
- [grouper-users] please ignore my previous mail, Malathi, 07/16/2021
- Re: [grouper-users] please ignore my previous mail, Malathi Deenadayalan, 07/19/2021
- Re: [grouper-users] please ignore my previous mail, Yoann Delattre, 07/19/2021
- RE: [grouper-users] please ignore my previous mail, Rappleyea, Ben, 07/19/2021
Grouper wiki updates in past 4 weeks
- Grouper loader real time updates
- Grouper - Loader
- Grouper provisioning SCIM
- Grouper provisioning framework recalc logic
- Grouper SCIM Provisioning
- v2.5 Release Notes
- Grouper v2.5 container unit tests
- Travis CI
- GrouperShell (gsh) Composite insert / update / delete (CompositeSave)
- Grouper custom template via GSH inherited privileges WS example