Grouper Call of May 22, 2024
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Gail Lift, University of Michigan
- Liam Hoekenga, University of Michigan
- Bert Bee Lindgren, GA Tech
- Henry Hyzer, intern
- Emily Eisbruch, Independent
DISCUSSION
Administrivia
InCommon Basecamp is June 3-7, 2024 (online only)
Internet2 Technology Exchange 2024 is in Boston Dec 9-13
- TechEx Call for BOFs and Working Groups is now open
- https://na.eventscloud.com/website/69276/call-for-proposals-3/
- Emily will submit request for a Grouper BOF
Current Work
Vivek
- Enhancing and making it compatible with ServiceNow
- Bring attributes, user data into Grouper
- Goal is to be able to have arbitrary SCIM attributes for groups and entities
- Can be extended attributes in SCIM schema or custom schemas
- If you have objects or sub-objects and can get an attribute value, then you can have an EL expression of an attribute name, JSON pointer
- Grouper util can take a JSON pointer and read from a JSON representation and create whatever objects are needed if they don’t exist
- Now we need to be able to provision that
- Challenge with the ServiceNow case: values of custom attributes are pointers to other IDs in ServiceNow. We have 2 tables: user table and attribute table
- Also Michael G requested a SCIM enhancement for GitHub
Rules
- When you create rules and reference other objects, there are issues around permissions
- Complex criteria, many scenarios
- For example, one criterion for Ref Group, another criterion for Basis Group
- If you click to edit a rule, what should happen?
- Progress: when you are editing a rule, you can see what objects are being referred to. But you might not be able to edit the rule if you don’t have the right permission
- Need inherited read permission
- Now there is an inherited privilege finder
- Does this wiki need updating? https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+privileges+inheritance+on+UI
- AI Chris and Vivek create/add to wiki doc for the Grouper rules privileges inheritance.
Shilen
- Worked on performance, along with Chris
- 1. Converted some data structures to use arrays instead of sets
- 2. Reduce memory usage for duplicated strings
- 3. Re-use objects provisioning group and provisioning entity
- The changes have resulted in big improvements in memory needed for large scale provisioning to LDAP
- Question: what about looking at database interactions?
- Chris Hyzer: this work mostly focused on memory and issue of daemons that crash, but we are interested in database interactions
Harry
- Working on proof of concept for Swagger
- Goal is to make web services easier to use
- Question: will this be extensible?
- Answer: not super easy, hard to find where the Swagger parameters go
- U Mich is going to start using web services
- Making a Postman collection of the various Grouper web services
- Using free version of Postman
- Intent to contribute that
- OpenAPI
- Postman website has instructions on importing Swagger into Postman
- Can update the wiki to let users know if Swagger is being used
- Will have something on the demo server showing Swagger
- Config for web service URL, Harry may work on this
- Harry and Chris will explore Swagger Code Gen
Chris
- Looking at programmatically using Grouper interface
- No success so far with Selenium or headless Chrome.
- Looking at Playwright (https://playwright.dev/). Microsoft open source. Higher level than Selenium
- Installed Playwright on POM
- It dynamically downloads what is needed
- You can record and run scripts
- Recording window generates code
- Need to look at different parts of the UI we want to interact with
- Adjust attributes in HTML
- Put indicator of where attribute is on the page
- This helps with scripting
- Changes to the UI and coming up with library of these methods
- Then as we make adjustments we can adjust the methods
- Suggestion to have an image released with Playwright and an image released without Playwright
- Using same container?
- Comment: Suggestion for Groovy script
- Don’t want to have this Playwright pluggable library with every image
- Make it OSGi?
- Concern about Grouper UI evolving and changing input field
- Change UI to add HTML attributes to make it easier to use this tool
- Discuss more on InCommon Slack
- Options:
- 1. Add Playwright in
- 2. Make it like an OSGi sidecar module
- 3. Have multiple containers
- 4. Don’t add it, but provide instructions on how you can add it
Grouper Instrumentation
- Grouper Instrumentation is a priority
- Report back from Grouper to a central collector
- On what features of Grouper are being used
- We have a starting point but need to make progress
Grouper Documentation (possible intern task)
- Make every UI screen have an opportunity for a wiki doc about it
- Also opportunity for local doc on that screen
- You click help and get choice of wiki doc or your institution's link
- Task: Go through UI and implement this approach
- Perhaps the Grouper doc team can help
- Versioning is a concern
- Issue: You click on HELP and get doc for version that is different from the one your institution is using
ABAC
- Issue in ABAC: not all rows returned by data provider are represented in Grouper
- In JEXL scripted groups for ABAC the syntax now allows you to have an inlist thing.
- You don’t have to say what attribute equals
- Changes Chris Hyzer just made:
- Keys to row: use minimum number of columns
- Key values were not allowed to be duplicates and key values were not allowed to be null
- Now you can have keys that are null
- Will convert to ISNULL for the database
- Grouper v5 new version will be released soon
Chad
- Made progress on converting container build from installer (java) to scripted container build. Works in V5. Hope to not change the installer too much going forward.
- AI Chad will send a pointer to Chris Hyzer for the work on converting container build from installer to scripted container build
Issue Roundup
JIRAs
GRP-5445
add another loader query so attributes on groups can be loaded
GRP-5444
allow null values in abac expressions
GRP-5443
allow nulls in row keys in abac
GRP-5442
space between not ! and member of in abac does not register the not
GRP-5441
editing row gives error: alias is already used
GRP-5439
Changelog GSH daemon fails with >1 batch
GRP-5438
sample script for Changelog GSH script refers to test class EsbPublisherChangeLogScriptTest
GRP-5437
group with no members with a group with no members is not reflected in the visualization
GRP-5436
add inherited privilege finders
GRP-5435
aws external system gives success with blank password
GRP-5434
Entity Provisioning for LDAP
GRP-5433
Move from jexl2 to jexl3 everywhere
GRP-5432
gsh template logged in and act as user should audit correctly
GRP-5431
Drop Down GSH Template values from attributes
GRP-5430
WsSubject attributes have single value for multi-valued attributes
GRP-5429
delete a folder used by existing templates, GSH template screen will not display
GRP-5428
edit folder and invalid extension and got error but went through
GRP-5427
provisioning objects should be thinner to take less memory
GRP-5426
add authenticated user to the gsh template runtime so it can be used in a template
GRP-5425
create swagger docs for ws
GRP-5424
look at rules for add disabled date for invalid membership on group or folder
GRP-5423
Show problematic name in "StemAddException: must contain a non-whitespace character"
GRP-5422
UI hyperlinked things should work when opening in new tabs
GRP-5421
enable gsh template doesnt work
GRP-5420
Make trivial diagnosticType default
Wiki updates
- And more..
Next Grouper Call: Wed. June 5, 2024