Grouper Working Group Notes of Dec. 22, 2021

  Attending 

  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redmon, UNC
  • Vivek Sachdiva, Independent
  • Emily Eisbruch, Internet2

 

 DISCUSSION


New Action Item

  • AI Chris will research the cleanup step after a Grouper sub image probe that removes broken files related to old LOG4J versions

 

 Administrivia

 

 

 

 Current Work

Vivek

  • Worked on GSH template
    • Now can set up on groups
    • By default it is set to false
    • Added show folders option, can select multiple
  • Better interface with IPv6


  • Provisioning for Google
    • It was in a separate module 
    • Will support groups and members provisioning
    • Using same approach as for other targets
    • Vivek is using the client, there will be a mock service
    • Google client SDK will be a dependency
    • Adding SDK libraries gets untenable 
    • We don’t want to add every client ever to the Grouper API or Daemon
    • Better to roll our own clients
    • This is how midPoint handles this
    • OSGi could be helpful as a solution?
      • Being used less than in the past perhaps
    • Issue is segregating the libraries, to avoid complexity
    • Use REST API if possible
    • Run different provisioners in different daemons?
       
      • Not sure that’s a good path 
      • It’s nice to have one daemon

    • Rolling REST clients is easiest solution
    • Just use client library
    • Goal: use raw HTTP instead of library
    • Vivek will start with directory API
    • It’s working with client
    • Then cloud API and REST calls

 


Chris

  • Stem Privileges
  • Almost done, running tests
  • Two tables
    • One table tracks when user has made a request for new privileges
    • Stem View Privilege Table, has memberID, stem UUID
    • Can query to insert or delete what’s needed for users
    • Can check a table to see if you have access to stem
    • Want to do minimal query work
  • Load testing? Or just release it?
  • Shilen: we’ve seen issues with MySQL
  • Chris: we’ve seen it with big deployments on every database
  • Will only do group adds and stem adds in same thread as calling thread
  • Only needs to wait for 2 small queries
  • Only happens if you have not logged in during last week
  • Chris can put in test environment
  • Auto set privileges on folders is not recommended


  • M Gettes and C Hubing working on multi architecture Google image
  • Images will be slightly larger 
  • Log4J issues
    • 4 digit build numbers, people are OK with them
    • Carey has concerns
    • Issue of how much should be included in containers
    • Want to minimize container size, but need to compromise
    • Process where you just have tomcat
    • Sysadmins do scans looking for file name, too many layers
    • They look at images on the host
    • Some files are only needed for the build
    • Images depending on images
    • Use sub images as a solution?
    • Issue with overlays
    • They exist on the host
    • Inherent to Docker
    • Jar dependencies should not be there
    • AI Chris will research the cleanup step after a Grouper sub image probe that removes broken files related to old LOG4J versions
    • Vulnerable versions, it’s a house cleaning thing
    • Decision: container version not always same as library version
    • If we need a security fix we will add a 4th?   

 

 

Shilen 

  • USDU work
  • Incremental if no subject ID issue solved
  • Provisioning issue re propagation not working correctly if ? assigned to folder not group. That has a separate JIRA
  • Still putting fixes in Grouper 2.5?
  • Maybe
  • Can cherry pick it
  • If it is low risk and a bug, OK to fix
  • USDU fixes
    • When USDU runs deleting attributes for unresolvable, that is now fixed
    • Delete date issue … got stuck in the UI… that is fixed
    • Other USDU issues also fixed

 

 

Chad

  • LOG4J 
  • Chris worked in container
  • Chad getting dependencies working 
  • Upgrade to LOG4J2
  • Grouper web services was using internal multi class logging solution
  • There is 1.2 compatibility API
  • Issue: in Grouper util, it looks at the ?, in LOG4J2 those are internal classes, not easy to get to
  • Need to rip that out

 

  • TomEE has its own logging that we are replacing
  • Issue with HSQL
  • Swap log4J into Docker until TomEE has stable log4J
  • Exclude log4J1
  • Moving away from Log4J in long term, perhaps
    • This will be decided for Grouper 3.0
    • Will involve migrating Jar files and making a few fixes


    • Configuring with the UI will be helpful
    • Want to check things without rebuilding


  • Build with Jenkins
  • Chris Hubing set up something on test bed server
  • Created local Docker compose with local Jenkins
  • Could build on i2MIdev

 

 

Issue Roundup 


Grouper wiki updates in past two weeks   

 

  Emily’s questions on wiki, need to follow up on at next call

 

v2.6 Upgrade Instructions from v2.6: Is the first sentence correct? References 2.5, not 2.6


When should we move the Grouper Provisioning Framework documentation out of “Development Items”?

Grouper provisioning framework

 

What is the difference between these two wikis:


And 

 

Grouper SQL provisioner in v2.6

v2.5 Release Notes

v2.6 Release Notes

Grouper web services - authentication - self-service JWT

GrouperShell (gsh)


Unresolvable Subject Deletion Utility (USDU)

Grouper container v2.6 change JVM

 Grouper entity attribute resolving

Grouper utility classes (DRAFT)

 

 

Jiras in past two weeks

Grouper Emails in past few weeks

 

 



 

 

 

Next Grouper Call:  Wed. Jan. 5, 2022
