Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Carey Black, the Ohio State University
- Scott Koranda, CILogon
- Emily Eisbruch, Internet2
New Action Items from this call
- AI Shilen -- Add a row to the 2.5 upgrade task wiki re propagation changes for provisionable attributes; anyone using the new provisioning framework should do this, most people don't need it
- AI Shilen and Chris -- talk about the null member for LIGO and get the unit test working
DISCUSSION
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs: Grouper Project Action Items (Google Doc)
- Agenda bash
LIGO Use Cases
Scott K: https://spaces.at.internet2.edu/display/Grouper/Requirements+from+LIGO+Project
- LDAP provisioning
- Work with PSP-NG
- LIGO has been a long-time user of Grouper and has provisioned to LDAP going back to the ldappc (LDAP Provisioning Connector) approach.
- Involved through CILogon; Scott works for CILogon https://www.cilogon.org/home
- Getting LIGO from Grouper 2.3 to a Grouper 2.5 container running in the CILogon cloud
- Found functionality missing in PSP-NG that was in the PSP in Grouper 2.3
- Some trade-offs; now mostly ready to go on a 2.5 image with PSP-NG
- Good to talk about the gaps and how they might be filled
- One app must be transitioned to getting the info it needs from web services
- Three items
- PSP supported provisioning of an empty group where the objectClass is groupOfNames in OpenLDAP
- LIGO wants that to continue; they know OpenLDAP well
- They rely on Sympa for mailing lists
- Need to handle empty groups: some Sympa lists can be empty. The PSP enabled provisioning of empty groups into LDAP with the groupOfNames objectClass (which requires the member attribute) by provisioning the member attribute with the null DN as its value.
- Q: does the underlying LDAP API support this?
- Shilen: with the new LDAP provisioning framework, the default value can be a blank string; that should provision the member attribute with nothing.
- Could have a boolean option
- Required but blank is seen as missing; need to handle this case
- The server accepts a member attribute with no value
- Be sure the LDAP session can assign a member attribute with no value
- Chad: If no members, instead of blank, set to the root user (not production ready)
- Add a test case against the LDAP server
- Nesting groups: the PSP enabled provisioning of "nested" groups in LDAP, represented both in the member attribute and the hasMember attribute (again, using groupOfNames as the objectClass)
- Likely negotiated away for LIGO
- Assumption in provisioning framework, ….
- Translations with JEXL
- No translation per subject source
- If a group is nested in multiple ways, the translation could miss a group
- Q: If a group is a member of a group in LDAP, is it an immediate or an effective member of the group in Grouper?
- A: Immediate
- Potential edge case
- Chris: Ignore the change log issue and resolve it in full sync
- Gap: provisioning multiple subject sources with different translations. No use case for this right now
- Carey: consider service principals, local subjects to a given provisioning system
- Not all tied to a subject source
- Chad: we have that use case, different OUs
- Carey: Subjects from the internal subject sources only from a folder or list of stems
- Model subjects to provisioned systems
- Could create them in different OUs and translate them differently
- Multiple provisioned systems
- Configuration of a provisioner could get more complex, and it's already complex
- Chris: we don't have a precise plan; do the things we know we need now
- PSP-NG forced a change in the LIGO LDAP by requiring an attribute with a unique value on each group, even when using a "bushy" approach
- Had to add an attribute with a unique value for each group
- LIGO complaint: this is unnecessary extra info; they want it to go away
- Chris: we store STATE in Grouper
- The extra attribute helps when you move or rename a group
- The ID index never changes
- To do an efficient full sync, hope to retrieve all groups at once
- If all groups are in one OU it's easy; if not, this ID index helps
- Suggestion to store the number as an attribute
- Not required by the new framework
- Recommended if the LDAP people don't complain
- Liam at U-MICH wants groups provisioned bushy, pointing to groups outside of the provisioned OU
- Is Grouper authoritative for all the groups, or just one source, leaving the others alone?
- When more solidified with LDAP, have a section in the wiki to describe pros and cons
- Scott: be concrete about which attribute to use from the Grouper side
- Tried ID (UUID), but it does not flow out of the point-in-time tables
- Hoping the new provisioning framework solves the point-in-time issues
- Point in time holds UUID, but not ID
- Scott: there was an issue with UUID
- Q: Change log consumer: is a rename or delete processed as an event?
- A: Incremental sync handles that
- Chris: Specify a search OU and filter; wants to get only the groups for that application, which could be in multiple OUs. Couldn't make a filter that looks at the DN with wildcards, so use another attribute (extension attribute 10) for the full name of the group; you can filter on that with wildcards, even in a bushy system
- Request to Scott to kick the tires on the new provisioning system when the time is right
- AI Shilen and Chris will talk about the null member for LIGO and get the unit test working
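Added worked example (not Grouper, PSP or PSP-NG code) pulling together the LDAP points above: an empty group rendered as groupOfNames with the null DN as its single member value, nested groups listed as immediate members by DN, an immutable idIndex attribute so full sync can find a group after a rename or move, and a wildcard filter on a full-name attribute instead of on the DN. The names grouperIdIndex, the use of description for the full Grouper name, the base DN and the bushy DN mapping are all assumptions for illustration; the sample groups are constructed.

```python
"""Render Grouper groups as groupOfNames LDIF, handling the empty-group edge case.
Added illustration; attribute names and DN layout are assumptions, not Grouper's."""
from dataclasses import dataclass, field
from typing import List

BASE_DN = "ou=groups,dc=example,dc=org"   # assumed target base
NULL_DN = ""                               # empty DN: satisfies groupOfNames' mandatory 'member'


@dataclass
class GrouperGroup:
    name: str                                               # e.g. "ligo:sympa:lists:announce"
    id_index: int                                           # stable numeric id assigned by Grouper
    subject_dns: List[str] = field(default_factory=list)    # immediate subject members
    nested_groups: List[str] = field(default_factory=list)  # immediate group members (Grouper names)


def escape_rdn(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 section 2.4."""
    out = []
    for i, ch in enumerate(value):
        leading, trailing = i == 0, i == len(value) - 1
        if ch in '"+,;<>\\' or (leading and ch in " #") or (trailing and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bushy_dn(group_name: str, base_dn: str = BASE_DN) -> str:
    """Map Grouper 'a:b:c' to cn=c,ou=b,ou=a,<base>; ':' is Grouper's stem separator."""
    *stems, cn = group_name.split(":")
    rdns = [f"cn={escape_rdn(cn)}"] + [f"ou={escape_rdn(s)}" for s in reversed(stems)]
    return ",".join(rdns + [base_dn])


def member_values(group: GrouperGroup) -> List[str]:
    """Immediate members as DNs.  groupOfNames MUST carry 'member', so an empty
    Grouper group gets exactly one value: the null DN.  Nested groups are listed
    by DN as immediate members; effective members are not flattened here."""
    values = list(group.subject_dns) + [bushy_dn(n) for n in group.nested_groups]
    return values or [NULL_DN]


def to_ldif(group: GrouperGroup, id_attr: str = "grouperIdIndex") -> str:
    """One LDIF record (RFC 2849).  A zero-length value is written as 'member:'
    with nothing after the colon, which LDIF permits."""
    *_, cn = group.name.split(":")
    lines = [
        f"dn: {bushy_dn(group.name)}",
        "objectClass: top",
        "objectClass: groupOfNames",
        f"cn: {cn}",
        f"description: {group.name}",    # full Grouper name; searchable with wildcards
        f"{id_attr}: {group.id_index}",  # survives rename/move, so full sync can match entries
    ]
    lines += [f"member: {v}" if v else "member:" for v in member_values(group)]
    return "\n".join(lines) + "\n"


def escape_filter(value: str) -> str:
    """RFC 4515 filter-value escaping (so a group name cannot inject filter syntax)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def app_groups_filter(name_prefix: str, name_attr: str = "description") -> str:
    """Select every group one application owns, across OUs.  LDAP filters cannot
    wildcard on DN components, hence the separate full-name attribute."""
    return f"(&(objectClass=groupOfNames)({name_attr}={escape_filter(name_prefix)}*))"


def by_id_index_filter(id_index: int, id_attr: str = "grouperIdIndex") -> str:
    """Locate a group after a rename or move by its immutable idIndex."""
    return f"(&(objectClass=groupOfNames)({id_attr}={int(id_index)}))"


if __name__ == "__main__":
    # Constructed sample: one empty Sympa list and one list that nests it.
    empty = GrouperGroup("ligo:sympa:lists:announce", 1001)
    nested = GrouperGroup("ligo:sympa:lists:all", 1002,
                          subject_dns=["uid=alice,ou=people,dc=example,dc=org"],
                          nested_groups=["ligo:sympa:lists:announce"])
    print(to_ldif(empty))
    print(to_ldif(nested))
    print(app_groups_filter("ligo:sympa:"))
    print(by_id_index_filter(1001))
```

The null-DN member is only a schema workaround: an LDAP consumer that dereferences member values must tolerate the empty string, which is why the test case against the real server discussed above matters more than the LDIF itself.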
Current Work
Vivek
- Duo mock server, to test the integration
- To switch from the mock to real Duo, flip the domain name in the URL Grouper uses; it should just work
- Tomcat: problem on Mac, works on Windows
- Once basic tests are done, will work on hooking it up with the provisioner
- Create a group and provision it to Duo; provision a user to Duo
- The server side of Duo is implemented in the mock server
- Would like to store configs in a database table, to share test configs
- Unit tests against Duo to test for releases
- Duo is unusual: can't search for a group by name
- Workaround: you can get all the groups, so the provisioning engine can see if the group is in the cache
- The provisioner generally expects to be able to search by name, so the provisioning engine will need to do things slightly differently
- Membership provisioning: can't do a group sync, but can see all the groups a member is in
- "Retrieve group members" is available in v2 of the API, not v1
- Disabled flags on the Duo side: a group can be active, bypass, or disabled; right now we ignore that
- Goal: get unit tests working for provisioning members and groups, then work on the Admin role
- Comments: good work, looks great; similar to the Azure work
- Long-term goal: whatever CI/CD we have could take advantage of this; running all tests for Duo or Azure would be a big plus
- Now we need a Duo account to test; Duo gives you a free account
- Goal: end-to-end provisioner testing, then move on to roles
Shilen
- Working on propagation changes for provisionable attributes; should be done now
- Go to the UI and mark a folder as provisionable, set metadata
- The groups under it won't have attribute framework attributes anymore
- The provisioner will add the data to the sync object directly
- Performance is better now, based on Shilen's tests
- Method to clean up old assignments; need to make this an upgrade task
- AI Shilen -- Add a row to the 2.5 upgrade task wiki re propagation changes for provisionable attributes; anyone using the new provisioning framework should do this, most people don't need it
- Sync table issue resolved now
- Fixed other issues
- If a group is provisionable and then no longer provisionable, the sync table was updated correctly but there was still an issue in the target. Shilen is looking at this; not solved yet.
- Will retest performance
Chris
- Issue of labels for GSH templates: null label
- Carey: issue of output from a script, backend GSH
- AI Chris will fix GRP-3476
- Chris will create a new Grouper release
- Hoping for more adoption and for replacing PSP-NG
- Chris working on mock services; working with Vivek on Duo
- GSH template issues
- Need to get a list of TO DOs for the provisioner
- Things Liam has suggested: the number of inserts does not match up; the UI does not perfectly reflect what's happening
- Will collect, prioritize and fix
Chad
- Working on the WebAuthn project at UNC; hoping to finish in a week or so
- There are pilot groups for passwordless device authentication
Grouper Training June 22 to June 25 https://www.incommon.org/academy/grouper/
- Will start weekly meetings for Grouper training
- For training: fix basis groups versus reference groups in the examples used in class; student years should go into basis groups
- Switch to the new subject source wizard
- Use the workbench instead of GTE eventually
Carey
- Working on GSH templates in Grouper 2.5
Issue Roundup
Jiras in past two weeks
gsh template outputs null (Chris will work on this)
Error viewing provisioning details on group when restricting using regex or policy groups
add textarea to template input choice
do not print exceptions in sync objects
provisioning translation should retrieve from link data is not translated from Grouper
allow a provisioner to convert field and attribute nulls to blank
templates can cause error showing folder
alternative status url that is outside of the authenticated path
provisioning mock server in unit tests
PSP-NG should allow the null DN for attributes with DN syntax
allProvisionedValuesPrefix not stored correctly in database
remove unneeded csrfguard configs
a callback grouper session block, that starts a session, will not be found in static grouper session
running template as root (from non root user), is not working as expected
Grouper Emails in past two weeks
none
Grouper wiki updates in past two weeks