Grouper Call of May 22, 2024
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Gail Lift, University of Michigan
- Liam Hoekenga, University of Michigan
- Bert Bee-Lindgren, GA Tech
- Henry Hyzer, intern
- Emily Eisbruch, Independent
InCommon Basecamp is June 3-7, 2024 (online only)
Internet2 Technology Exchange 2024 is in Boston Dec 9-13
- TechEx Call for BOFs and Working Groups is now open
- Emily will submit a request for a Grouper BOF
Current Work
- Enhancing SCIM provisioning and making it compatible with ServiceNow
- Bring attributes and user data into Grouper
- Goal is to be able to have arbitrary SCIM attributes for groups and entities
- These can be extended attributes in the SCIM schema or custom schemas
- If you have objects or sub-objects and can get the attribute value, then you can have an EL expression of an attribute name, or a JSON pointer
- Grouper util can take a JSON pointer, read from a JSON representation, and create whatever objects are needed if they don't exist
- Now we need to be able to provision that
- Challenge with the ServiceNow case: values of custom attributes are pointers to other IDs in ServiceNow. There are two tables: a user table and an attribute table
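An added example, not Grouper's own utility code, of the read-by-JSON-pointer and create-if-missing behaviour described above, in Python. Pointer syntax is RFC 6901; the SCIM-style group document and the `urn:custom` attribute used in the tests are constructed for the illustration.

```python
# Added example, not Grouper's own utility: RFC 6901 JSON pointer read and
# create-if-missing write against a plain JSON document.
from typing import Any, List

def parse_pointer(pointer: str) -> List[str]:
    """Split a JSON pointer into unescaped reference tokens ("" is the root)."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    # RFC 6901 escapes: decode '~1' -> '/' before '~0' -> '~'
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]

def read_pointer(doc: Any, pointer: str, default: Any = None) -> Any:
    """Return the value at pointer, or default if any step of the path is absent."""
    node = doc
    for token in parse_pointer(pointer):
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        else:
            return default
    return node

def _index(node: list, token: str) -> int:
    """List index for a token, padding the list so it exists ('-' appends)."""
    idx = len(node) if token == "-" else int(token)
    while len(node) <= idx:
        node.append(None)
    return idx

def ensure_pointer(doc: dict, pointer: str, value: Any) -> Any:
    """Set value at pointer, creating any intermediate objects that do not exist."""
    tokens = parse_pointer(pointer)
    if not tokens:
        raise ValueError("refusing to replace the root document")
    node = doc
    for token, nxt in zip(tokens, tokens[1:]):
        key = _index(node, token) if isinstance(node, list) else token
        child = node[key] if isinstance(node, list) else node.get(key)
        if child is None:
            # a missing step becomes a list if the next token is numeric or '-', else a dict
            child = node[key] = ([] if nxt.isdigit() or nxt == "-" else {})
        node = child
    last = tokens[-1]
    node[_index(node, last) if isinstance(node, list) else last] = value
    return value
```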
- Also Michael G requested a SCIM enhancement for GitHub
- When you create rules and reference other objects, there are issues around permissions
- Complex criteria, many scenarios
- For example, one criterion for a ref group and another criterion for a basis group
- If you click to edit a rule, what should happen?
- Progress: when you are editing a rule, you can see what objects are being referred to. But you might not be able to edit the rule if you don't have the right permission
- Need inherited read permission
- Now there is an inherited privilege finder
- Does this wiki need updating ?
- AI Chris and Vivek create/add to wiki doc for the Grouper rules privileges inheritance.
- Worked on performance, along with Chris
- 1. Converted some data structures to use arrays instead of sets
- 2. Reduced memory usage for duplicated strings
- 3. Re-used objects for provisioning group and provisioning entity
- The changes have resulted in big improvements in memory needed for large scale provisioning to LDAP
- Question: what about looking at database interactions?
- Chris Hyzer: this work mostly focused on memory and the issue of daemons that crash, but we are interested in database interactions
- Working on proof of concept for Swagger
- Goal is to make web services easier to use
- Question: will this be extensible?
- Answer: not super easy, hard to find where the Swagger parameters go
- U Mich is going to start using web services
- Making a Postman collection of the various Grouper web services
- Using the free version of Postman
- Intent to contribute that
- OpenAPI
- The Postman website has instructions on importing Swagger into Postman
- Can update the wiki to let users know that Swagger is being used
- Will have something on the demo server showing Swagger
- Config for web service URL, Harry may work on this
- Harry and Chris will Explore Swagger Code Gen
- Looking at programmatically using Grouper interface
- No success so far with Selenium or headless Chrome.
- Looking at Playwright. Microsoft open source. Higher level than Selenium
- Installed via the POM
- It dynamically downloads what is needed
- You can record and run scripts
- Recording window generates code
- Need to look at different parts of the UI we want to interact with
- Adjust attributes in HTML
- Put indicator of where attribute is on the page
- This helps with scripting
- Changes to the UI and coming up with library of these methods
- Then as we make adjustments we can adjust the methods
- Suggestion to have an image released with Playwright and an image released without
- Using same container?
- Comment: Suggestion for Groovy script
- Don’t want to have this pluggable library with every image
- Make it OSGi?
- Concern about Grouper UI evolving and changing input field
- Change UI to add HTML attributes to make it easier to use this tool
- Discuss more on InCommon Slack
- Options:
- 1. Add in
- 2. Make it like an OSGi sidecar module
- 3. Have multiple containers
- 4. Don’t add it, but provide instructions on how you can add it
Grouper Instrumentation
- Grouper Instrumentation is a priority
- Report back from Grouper to a central collector
- On what features of Grouper are being used
- We have a starting point but need to make progress
Grouper Documentation (possible intern task)
- Make every UI screen have an opportunity for a wiki doc about it
- Also opportunity for local doc on that screen
- You click help and get a choice of the wiki doc or your institution's link
- Task: go through the UI and implement this approach
- Perhaps the Grouper doc team can help
- Versioning is a concern
- Issue: you click on HELP and get doc for a version that is different from the one your institution is using
- Issue in ABAC: not all rows returned by the data provider are represented in Grouper
- In JEXL scripted groups for ABAC, the syntax now allows an "in list" expression.
- You don't have to say what the attribute equals
- Changes Chris Hyzer just made:
- Keys to row: use minimum number of columns
- Key values were not allowed to be duplicates and key values were not allowed to be null
- Now you can have keys that are null
- Will convert to ISNULL for the database
- Grouper v5 new version will be released soon
- Made progress on converting the container build from the installer (Java) to a scripted container build. Works in v5. Hope to not change the installer too much going forward.
- AI: Chad will send a pointer to Chris Hyzer for the work on converting the container build from installer to scripted container build
Issue Roundup
- add another loader query so attributes on groups can be loaded
- allow null values in ABAC expressions
- allow nulls in row keys in ABAC
- space between not (!) and "member of" in ABAC does not register the not
- editing row gives error: alias is already used
- Changelog GSH daemon fails with >1 batch
- sample script for Changelog GSH script refers to test class EsbPublisherChangeLogScriptTest
- group with no members with a group with no members is not reflected in the visualization
- add inherited privilege finders
- AWS external system gives success with blank password
- Entity provisioning for LDAP
- Move from jexl2 to jexl3 everywhere
- GSH template logged in and act-as user should audit correctly
- Drop-down GSH template values from attributes
- WsSubject attributes have single value for multi-valued attributes
- delete a folder used by existing templates, GSH template screen will not display
- edit folder with invalid extension and got error but went through
- provisioning objects should be thinner to take less memory
- add authenticated user to the GSH template runtime so it can be used in a template
- create Swagger docs for WS
- look at rules for add disabled date for invalid membership on group or folder
- Show problematic name in "StemAddException: must contain a non-whitespace character"
- UI hyperlinked things should work when opening in new tabs
- enable GSH template doesn't work
- Make trivial diagnosticType default
- Wiki updates
- And more..
Next Grouper Call: Wed. June 5, 2024