Grouper Working Group Notes of Oct. 27, 2021

  Attending 

  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent 
  •  Shilen Patel, Duke
  • Axel Stohn, Unicon
  •  Emily Eisbruch, Internet2


 

Action Items from this call

  •  AI Chris and Shilen - discuss USDU issues and Issue of members not in any groups, don’t get checked by USDU
  •  AI Chris take pass at output to both web services and UI for Grouper custom template via GSH web service membership counts
  •  AI Vivek and Chris - for Azure provisioning, add an option to choose a provisioning default. Then that default will be displayed on the screen. Figure out what can be unassigned on an update, everything except teams must be insert only (set only on group creation).  May need to test teams. If you delete teams, does it delete the group from Azure?  Add something to handle different options (insert, update). 
  •  AI Chris template to disable all loader jobs.  Give warning about which ones are disabled.  Job table with state “pause”
  •  AI Chad - check admin UI running with new UI
      Comments: 
      • checkbox attribute is interesting, but perhaps there is no use case? For includes/excludes,
      • There is a gap
      • When doing an action, but you don’t need to assign a type
      • Make it work with the tools we have
      • Chris uses policy group for allow / deny , instead of include /exclude
      • For policy group you can ask for ad hoc allow / deny

 

Discussion

Work in Progress

Vivek

  • Azure provisioning
  • mapping 
  • Resource provisioning options
  • Sends values to Azure
  • How to know if default value is true or false?
  •   Must keep track
  • Have a config on whether to show metadata?
  • If false it doesn’t send anything
  • Default is false, or whatever you do in the translation
  • Challenging to communicate that on the screen


 

 AI Vivek and Chris - for Azure provisioning, add an option to choose a provisioning default. Then that default will be displayed on the screen. Figure out what can be unassigned on an update, everything except teams must be insert only (set only on group creation).  May need to test teams. If you delete teams, does it delete the group from Azure?  Add something to handle different options (insert, update). 

 

Next : Vivek work on SQL provisioner

 

Web Service

From Grouper Slack

There was a pull request to facilitate custom web services

https://github.com/Internet2/grouper/pull/157

GSH templates can be used as custom web services.  The example in the pull request is membership counts, so I did a GSH template example for that so we can compare

 

Grouper custom template via GSH web service membership counts

 

Advantages of GSH templates

        • Can execute from WS or UI
        • Has UI config
        • Rich input config and validation
        • Easily control who can call and who it runs as
        • Fewer things to learn, once you know how to do GSH templates, you can do UI tools and WS tools
        • Fewer things to support
        • Uses GSH not compiled Java
        • Other?

Advantages of the pull request

        • Returning data from the GSH template is clunky... I just put a JSON string in an output line, so you need to get that out of JSON, and then convert that to a JSON object 
        • Can make more sensible and restful services as far as inputs/outputs (not tunneled through templates)
        • Compiled Java is faster for custom services especially that have high traffic
        • Other?

So... if someone has thoughts please share.  Do we need to enhance the GSH template WS strategy to make it better for use cases like this?  Or do we need another way to implement custom WS (i.e. accept the pull request)?  If so, what do we need to adjust in the pull request if anything?  :)


  • Authentication to UI and Web Services in Grouper v2.5+
  • Grouper web services - authentication - self-service JWT

  • Unicon submitted request for Simple framework for creating custom web services.  
  • GSH templates and Web service membership counts 
  • Grouper custom template via GSH web service membership counts
  • Extract JSON
  • Take inputs and put them as request parameters?  
  • Axel: this is good, enhance it and make it less wonky, it does fit needs
  • Matt: in web service authentication conversation, some making own apps and fronting, or establishing their own API layer in addition to Grouper’s APIs
  • Matt thought another use case where people want to extend web services to do something else
  • If you have wrapper layer
  • If anyone can implement API wrapper layer
  • Then less technical debt
  • See wiki page on JWT
  • Chris: idea is to do something web services can’t do
  • Matt: with wrapper web services could enumerate people in group
  • concern: could be inefficient
  • Framework to add new REST endpoint
  • Matt: Open API Definition (for inputs and outputs) approach for an alternate context?
  • Chris : GSH templates provide scripts 
  • Improvements can be made to make GSH templates work better, in a more friendly way, with web services 
  • Can  make simple web services; if you want to make a lot of web services, then a different approach is better (make your own project)
  • Could be good for community contribs
  • Not built-in and automatically deployed
  • Shilen: GSH template with adjustments is perfect
  • Vivek: use cases will evolve
  • Must follow the conventions of REST
  • Flag to limit folder?
  • Flag for restrict from UI and restrict from web services?
  • Could clutter menus, if only meant to be  a web service call and it shows on UI
  • Different permissions for who can execute?
  • Chris: thinking same permissions
  • Matt: concerned about being able to pick and choose what can be used where
  • Having GSH template code work in both UI and web services might not work out well
  • Concern:  If output is different for web services and for UI, can be too complex

 

 

  • Axel will report back to JJ
  • Axel: Grouper authentication testing Unicon is doing.
  • Tested against Grouper 2.5 and 2.6
  • In Grouper 2.6 there is an OIDC issue, related to Nimbus library
  • This is for VA Tech
  • Grouper may need to revert Nimbus?
  • Axel will report back
  • AI Chad and Chris will look at the OIDC issue for Grouper 2.6 (found by Unicon)  and Nimbus. Look at dependencies.

 

 

JDK versions 

  • Need to bump up,
  • Need to be backwards compatible
  • Container issues

 

Shilen

  • Working on updates to provisioning diagnostics
  • Can let it find a group and insert a group
  • Run bulk queries
  • Added ability to delete a group
  • Query a single entity
  • Insert and delete an entity
  • Already pushed
  • Next : ability to insert a group membership
  • JIRA GRP-3666: Improvements to provisioning diagnostics for 2.6.1

  • Release notes have it as 2.6.1, Shilen will update that
  • Good to keep JIRAs up to date for all work


  •  Looking at UMICH issue: USDU
  • Specify days after deleted and resolvable
  • 0 and -1
  • Should be an update in the config
  • Need a way to override failsafe?
  • From 500 to another value
  • Leave as is for now
  • In future: have failsafe framework
  • USDU  only marks for deletion in members table in some situations
  • Should it look thru things that don’t have membership?
  • Could mean it takes longer to run
  • Need to keep track of this
  • Issue of members not in any groups, don’t get checked by USDU
  • AI Chris and Shilen discuss USDU issues and Issue of members not in any groups, don’t get checked by USDU

 

Chad:

  • Question on slack re openshift
  • JVM and operating system
  • Heap memory
  • Grouper max memory
  • Default does not seem appropriate and it’s not easily findable, in Docker
  • Chris: Should default to 3 gigs or 12 gigs
  • Memory management is better in newer versions of Java

 

 


Issue Roundup 

 

Jiras in past two weeks

 

 

Grouper Emails in past two weeks

 

 

Grouper wiki updates in past two weeks

 

Next Grouper call: Nov 10, 2021

  
