Grouper Working Group Notes of Oct. 27, 2021
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Axel Stohn, Unicon
- Emily Eisbruch, Internet2
Action Items from this call
- AI Chris and Shilen - discuss USDU issues and Issue of members not in any groups, don’t get checked by USDU
- AI Chris take pass at output to both web services and UI for Grouper custom template via GSH web service membership counts
- AI Vivek and Chris - for Azure provisioning, add an option to choose a provisioning default. Then that default will be displayed on the screen. Figure out what can be unassigned on an update, everything except teams must be insert only (set only on group creation). May need to test teams. If you delete teams, does it delete the group from Azure? Add something to handle different options (insert, update).
- AI Chris template to disable all loader jobs. Give warning about which ones are disabled. Job table with state “pause”
- AI Chad, check admin UI running with new UI
Comments:
- Checkbox attribute is interesting, but perhaps there is no use case? For includes/excludes,
- There is a gap
- When doing an action, but you don’t need to assign a type
- Make it work with the tools we have
- Chris uses policy group for allow/deny, instead of include/exclude
- For policy group you can ask for ad hoc allow/deny
Discussion
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Work in Progress
Vivek
- Azure provisioning
- mapping
- Resource provisioning options
- Sends values to Azure
- How to know if default value is true or false?
- Must keep track
- Have a config on whether to show metadata?
- If false it doesn’t send anything
- Default is false, or whatever you do in the translation
- Challenging to communicate that on the screen
AI Vivek and Chris - for Azure provisioning, add an option to choose a provisioning default. Then that default will be displayed on the screen. Figure out what can be unassigned on an update, everything except teams must be insert only (set only on group creation). May need to test teams. If you delete teams, does it delete the group from Azure? Add something to handle different options (insert, update).
Next: Vivek work on SQL provisioner
Web Service
From Grouper Slack
There was a pull request to facilitate custom web services
https://github.com/Internet2/grouper/pull/157
GSH templates can be used as custom web services. The example in the pull request is membership counts, so I did a GSH template example for that so we can compare
Grouper custom template via GSH web service membership counts
Advantages of GSH templates
- Can execute from WS or UI
- Has UI config
- Rich input config and validation
- Easily control who can call and who it runs as
- Fewer things to learn, once you know how to do GSH templates, you can do UI tools and WS tools
- Fewer things to support
- Uses GSH not compiled Java
- Other?
Advantages of the pull request
- Returning data from the GSH template is clunky... I just put a JSON string in an output line, so you need to get that out of JSON, and then convert that to a JSON object
- Can make more sensible and restful services as far as inputs/outputs (not tunneled through templates)
- Compiled Java is faster for custom services especially that have high traffic
- Other?
So... if someone has thoughts please share. Do we need to enhance the GSH template WS strategy to make it better for use cases like this? Or do we need another way to implement custom WS (i.e. accept the pull request)? If so, what do we need to adjust in the pull request if anything? :)
- Authentication to UI and Web Services in Grouper v2.5+
- Grouper web services - authentication - self-service JWT
- Unicon submitted request for Simple framework for creating custom web services.
- GSH templates and Web service membership counts
- Grouper custom template via GSH web service membership counts
- Extract JSON
- Take inputs and put them as request parameters?
- Axel: this is good, enhance it and make it less wonky, it does fit needs
- Matt: in web service authentication conversation, some making own apps and fronting, or establishing their own API layer in addition to Grouper’s APIs
- Matt thought another use case where people want to extend web services to do something else
- If you have wrapper layer
- If anyone can implement API wrapper layer
- Then less technical debt
- See wiki page on JWT
- Chris: idea is to do something web services can’t do
- Matt: with wrapper web services could enumerate people in group
- concern: could be inefficient
- Framework to add new REST endpoint
- Matt: Open API Definition (for inputs and outputs) approach for an alternate context?
- Chris: GSH templates provide scripts
- Improvements can be made to make GSH templates work better, in a more friendly way, with web services
- Can make simple web services; if you want to make a lot of web services, then a different approach is better (make your own project)
- Could be good for community contribs
- Not built-in and automatically deployed
- Shilen: GSH template with adjustments is perfect
- Vivek: use cases will evolve
- Must follow the conventions of REST
- Flag to limit folder?
- Flag for restrict from UI and restrict from web services?
- Could clutter menus, if only meant to be a web service call and it shows on UI
- Different permissions for who can execute?
- Chris: thinking same permissions
- Matt: concerned about being able to pick and choose what can be used where
- GSH template code that should work both in the UI and in web services might not work out well
- Concern: If output is different for web services and for UI, can be too complex
- Summary: Grouper team will try to make GSH templates work for the needs JJ at Unicon expressed
- AI Chris will take pass at output to both web services and UI for Grouper custom template via GSH web service membership counts
- Axel will report back to JJ
- Axel: Grouper authentication testing Unicon is doing.
- Tested against Grouper 2.5 and 2.6
- In Grouper 2.6 there is an OIDC issue, related to Nimbus library
- This is for VA Tech
- Grouper may need to revert Nimbus?
- Axel will report back
- AI Chad and Chris will look at the OIDC issue for Grouper 2.6 (found by Unicon) and Nimbus. Look at dependencies.
JDK versions
- Need to bump up
- Need to be backwards compatible
- Container issues
Shilen
- Working on updates to provisioning diagnostics
- Can let it find a group and insert a group
- Run bulk queries
- Added ability to delete a group
- Query a single entity
- Insert and delete an entity
- Already pushed
- Next: ability to insert a group membership
- JIRA 3666
- GRP-3666
Improvements to provisioning diagnostics for 2.6.1 - Release notes have it as 2.6.1, Shilen will update that
- Good to keep JIRAs up to date for all work
- Looking at UMICH issue: USDU
- Specify days after deleted and resolvable
- 0 and -1
- Should be an update in the config
- Need a way to override failsafe?
- From 500 to another value
- Leave as is for now
- In future: have failsafe framework
- USDU only marks for deletion in members table in some situations
- Should it look thru things that don’t have membership?
- Could mean it takes longer to run
- Need to keep track of this
- Issue of members not in any groups, don’t get checked by USDU
- AI Chris and Shilen discuss USDU issues and Issue of members not in any groups, don’t get checked by USDU
Chad:
- Question on Slack re OpenShift
- JVM and operating system
- Heap memory
- Grouper max memory
- Default does not seem appropriate and it’s not easily findable, in Docker
- Chris: Should default to 3 gigs or 12 gigs
- Memory management is better in newer versions of Java
Issue Roundup
Jiras in past two weeks
GRP-3672
config key error message
GRP-3671
add Boolean as provisioning attribute type
GRP-3670
jwt self service ui for ws authn
GRP-3669
ddl upgrade does not make columns non-null
GRP-3668
add provisioning troubleshooting zip download
GRP-3667
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
GRP-3666
Improvements to provisioning diagnostics for 2.6.1
GRP-3665
validation error on group name does not put group name in stack
GRP-3664
add subjectIdOrIdentifier to MembershipSave
GRP-3663
cannot save rabbitmq connection, required pathToTrustStore
Grouper Emails in past two weeks
- [grouper-users] PSPNG provisioning problem, Wilfried Aurokiom, 10/16/2021
Grouper wiki updates in past two weeks
- GSH template exec
- Grouper custom template via GSH zoom deprovisioning
- Grouper web services - authentication - self-service JWT
- Grouper SQL interface
- Grouper Penn one-time import from CSV
- Grouper rules use case - Add a created group to another group as member
- Grouper custom template via GSH web service membership counts
Next Grouper call: Nov 10, 2021