Grouper Call of March 27, 2024
Attending
- Chris Hyzer, Penn, Chair
- Chad Redmond, Unicon
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Liam Hoekenga, UMich
- Gail Lift, UMich
- Kellen Murphy, Univ of Virginia
- Drew Aschenbrener, Internet2
Administrivia
- InCommon Basecamp is June 3-7, 2024 (online only)
DISCUSSION
Current Work
Vivek worked on JIRAs including:
- GRP-5336 when deleting groups/folders, check for rules, and let user know, and delete those rules too
- Need to think about other related improvements around deleting things
- GRP-5308 Provisioning entities not filtering objectClass when Select All Entities is false. Chris and Vivek worked on this. If you configure an object class and do not select all entities at once, the provisioner tries to get all entities in batches; it now uses the object class. Realized you can pick which search attributes you want: the DAO is provided with the search attributes to search on. ISSUE FOUND: if you write your own filter and configure multiple search attributes, it will not work. Took out the filter that was not working.
- GRP-5385 add multiple check options for certain rules
Shilen
- Added static method to call from GSH script to get change log cleared
- Adjusted daemon screen to fix status
- Visualization:
- https://spaces.at.internet2.edu/x/Nwd0C
- Goal is to add an option to select a user
- this led to discussion on how colors are used.
- Use two border colors?
- Use different shapes?
- Shilen will experiment with different border colors
Chad working on:
- GRP-5104
  - Provisioner retrieve AD objectSid and objectGuid as string instead of binary
  - Provisioner case-sensitive compare wants to change value only differing in case
- GRP-5380 Upgrade jquery version
Chris worked on JIRAs, including:
- Group Roles
  - add a provisioning group roles method
  - Chris worked on this and updated the provisioning translation wiki: https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+translations
  - To translate from an entity, call isingroup or ishasprivilege. This returns a boolean.
  - For a group, you can request a list of users for a role. This is limited to the items in the member table.
  - JEXL allows you to loop through and edit.
  - We need to think about how to resolve attributes.
  - provisioningEntityWrapper.isInGroup() is fragile: if the group doesn't exist, the error message is not clear.
- Chad has been working on an issue found by a community member: an ugly stack trace. Some object is making calls, which is hard to debug.
  - Action item: for https://todos.internet2.edu/browse/GRP-5305 Chris will try to get the JEXL script tester working and produce a better error message.
- Chris also worked on:
  - GRP-5382 Cannot stop and start container due to pipe problem
  - GRP-5386 ldaptive v2 external system cannot save config with handlers
Adding Built in Grouper Types
From Slack on March 26, 2024
We would like to add some built-in "types" to Grouper (like policy, intermediate, manual, etc). This is for Grouper v5+.
- "automatic": this is the opposite of a manual group. It signifies a group whose membership you shouldn't be changing since it is managed by some process: a loader, a WS, a GSH daemon, a grace period ("recent membership") group, or an ABAC group. We considered "loaded", but this type would be for more than just the Grouper Loader; it is any automatic process that manages the memberships of a group.
- "flag": this is a group that should be empty or near-empty, and if it is not, then someone needs to take some action. E.g. a composite intersection of a group with a reference population (who has access who is not an employee). E.g. a group loaded with people who have access whose jobs have changed recently. The action is either to ignore and re-attest later, or revoke access, or add them to an ignore group (maybe with an auto-end date) so they are not flagged again (for a while).
- "eligibility": this is a group where people need to be in this population to be eligible for a policy or something else. This could be for manual or automatic (de)provisioning.
- See this discussion https://internet2.slack.com/archives/C7V0UQDJ4/p1711138349225059
Note: this is not like the types that were used in Grouper previously and have since been deprecated. Regarding types, see also:
- https://spaces.at.internet2.edu/x/5QI3C
- https://spaces.at.internet2.edu/x/QIbd
Misc:
- Openshift issue, Chad reports it seems OK in Grouper 4.11.2
- Need another Tomcat upgrade: 8.5 is end of life, need to move to 9
- Chris will announce the latest stable release (flag) when a new release is announced.
Issue Roundup
Jiras in past two weeks
- GRP-5391 Foreign key constraint missing from Oracle upgrade DDL
- GRP-5390 mechanism to display differences between file provided properties and db provided properties
- GRP-5389 jwt puts member_id in wrong column
- GRP-5388 show grouper database under external systems
- GRP-5387 assignCheckSecurity in MembershipFinder doesn't work
- GRP-5386 ldaptive v2 external system cannot save config with handlers
- GRP-5385 add multiple check options for certain rules
- GRP-5384 provisioningEntityWrapper.isInGroup() generic jexl error
- GRP-5383 take out option to not auto create built in objects
- GRP-5382 Cannot stop and start container due to pipe problem
- GRP-5381 WebService Account with stem create privilege cannot create stem at child level
- GRP-5380 Upgrade jquery version
- GRP-5379 Tomcat security advisory CVE-2024-23672
- GRP-5378 look at status_grouper to see if works in v5
- GRP-5377 add diagnostics to data provider
- GRP-5376 add diagnostics query to data provider query
- GRP-5375 Grouper session gets lost if not assigned to a variable
- GRP-5374 add expiration dates to membership export
- GRP-5373 if a data field row config id is the same as a data field config id then a corruption occurs
- GRP-5372 Add static methods to wait until change log is processed
- GRP-5371 Fix daemon jobs ui last run status for CHANGE_LOG_changeLogTempToChangeLog and CHANGE_LOG_consumer_compositeMemberships
- GRP-5370 sql cache group error
- GRP-5369 audit for attestation says "attested group group a:b:c"
- GRP-5368 run load job should not show for scripted group
- GRP-5367 add status page with ddl checks
- GRP-5366 moving groups should change jexl script for loaded groups
- GRP-5365 fix example for grouper client get attribute assignments, should be value and not theValue
Grouper wiki updates in past two weeks
- Universal Subject Daemon Utility (USDU)
Grouper Emails in past two weeks
- none
Next Grouper Call: Wed. April 10, 2024