Attending 

  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redman, University of North Carolina Chapel Hill
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams, UNCG
  • Emily Eisbruch, Internet2

Discussion

New Action Item


AI Chris look at question on Slack from UMICH re have a composite policy group (using the GDG policy template) and want an audit report of membership changes over a period of time for my policy group, it seems I am not able to "view membership audit log" to get that information interactively via the UI.  


Administrivia

Grouper Training Online

  • Registration is open for Grouper School, Feb 9-12, 2021
  • https://incommon.org/academy/grouper/
  • Training VMs are done
  • AWS command line work for passwords, done
  • 4 new training videos, including covering the Grouper Deployment Guide
  • For eduperson affiliations, it's working
  • Full sync works, some issues with incrementals

 

Current Projects

Vivek

  • Running unit tests
  • LDAP subject source, diagnostics works well 
  • Chris: Leave this work as 1st pass, and come back to it
  • Add screen for subject sources
  • Things in properties, search and sort
  •  Move configs to subject.properties so UI wizard is consistent, reads one properties file
  • Code would read from subject source and if not there, look at existing location for backwards compatibility
  • Migrates existing subject source configs to the new way
  • Config is generic except for LDAP
  • Subject w source attribute names that can be multi valued
  • Extract part that goes to the subject source and maintain a common logic base
  • One more pass to extract a DAO thing 
  • Try to get LDAP and SQL implementation of subject source to minimum
  • Reuse the common stuff
  • Will be similar to other integrations
  • Chad: on diagnostics, when you go to subject source, you can look at any source, but breadcrumbs says diagnostics, helpful to add, this is the LDAP subject source in breadcrumbs
  • This is problem in Daemon screens too
  • You are in different screen, but breadcrumbs don’t show it
  • Provisioner screens and edit buttons, also need to be more consistent
  • Carey: LDAP syntax for multi valued, can you get to the nth value of the attribute?
  • Would be an ordered set, there is a Grouper UTIL method to get index
  • Need to document that

  • Lowercasing the attribute names,
  • Subject attribute names are case insensitive
  • Need to highlight on the screen about case insensitive
  • External source is one value..
  • Pooling is managed in external system
  • Carey: Subject API implementation would be good to have a fall through, a local JDBC store, falls through to an LDAP, can localize to database and not have to make network call
  • Chris will do LDAP filter to sync to database table, as requested by MichaelG
  • That adds load to the system
  • Carey: issue of person who just showed up in the store
  • Table needs to be refreshed
  • LDAP call on the dynamic side, 
  • Why not just LDAP and not JDBC?
  • For lookups
  • Tiered fall thru
  • Thinking about all of them
  • Shilen: One option is have a subject source with all the intelligence built in, rather than Grouper juggling multiple sources
  • Advanced use case
  • Shilen: screen for editing subject source, with CN and other multi-valued attributes, in long description where CN is referenced, assume there will be a UTIL to convert multi-valued into single string.  YES there will be
  • Will capture plans and move on to other tasks


Custom templates in the UI

  •  Vivek’s next task is custom templates in the UI
  • Part of Internet2 effort to integrate products together, there is a workbench
  • 12 containers, Shib, Midpoint, COmanage, Grouper, everything works together
  • Internet2 using these products for internal collaborations
  • Internet2 needs custom template via GSH
  • Screens in COmanage
  • Where community member requests a new collab group
  • There are checkboxes for “I want email list, confluence, JIRA”
  • Then groups get made in Grouper
  • Setting up manual groups  also
  • COmanage will capture inputs
  • And calls to Grouper with the inputs
  • Web Service could function just like the UI
  • Screen where you have inputs
  • 20 different tasks
  • Grouper sysadmin sets up custom template
  • General configuration on who is allowed to use this (admins)
  • Config that lists all the inputs
  • Form element type from web service
  • Validation
  • Default regex
  • Make GSH variables to use that securely
  • GSH script where certain variables from screen are set for you
  • Name Value Pairs, this is the form element name , this is the value
  • GSH script could insert variables
  • If statements, if they checked this checkbox do this
  • Chad: UNC is eager to use this
  • Could do testing on this feature
  • Tried to create a custom template
  • Java classes only supported memberships
  • Attestation and attributes on groups were not available easily without custom classes
  • Shilen: when somebody upgrades, is there an easy way to know if methods are still valid?
  • If this were Java coded, it would not compile
  • Risk with any GSH
  • Attestation save class?
  • Attributes can be a lot of work
  • Chad: API changes are not a problem
  • Runtime things can be an issue after a Grouper upgrade
  • Strategy : don’t remove things people might be using

  • Error handling is interesting issue
  • Log entry every time it runs?
  • Should have logging.
  • Test case could delete a folder, reprovision and then validate
  • General Principle: don’t delete methods
  • Nice to start having an API for this that would not change
  • That’s rewriting GSH
  • Test case could solve some of the problem
  • Each form element you configure, could be a UI, could have a test value,
  • If overall test true that it runs that
  • delete this folder before you run the test, could be an option

  • Carey: Use case: use custom templates to replace hooks
  • Get rid of custom hooks
  • Issue, custom templates could be slow?
  • Would not want this running on membership add
  • But add a folder , yes
  • Rules allow JEXLs, need to document better
  • Scriptable things
  • Add this rule to this folder or group
  • Allow non admins to do rule things?
  • Great use case for extending custom templates
  • GSH one method calls
  • Any GSH script you run periodically, put into the UI
  • Carey: access control scripts, would be better to do it from the UI
  • Auditing advantages too
  • Shilen: Use case to trigger a template on a UI change, create a group, run a template and provide another form to fill in?  
  • Chris: not for initial rollout of custom templates
  • Should this be in flows in the UI?
  • Do you go to add member button or template button? Don’t want it to be confusing 
  • Carey: Have templates available to be used for certain groups but not displayed in list of templates
  • What does user see when templates run?
  • Hopefully GSH template will identify a screen, or display text at top, explaining 
  • Need context for where the template was run from
  • Name validation only in certain folders and not having to write Java

  • The Ohio State, along with UNC and Internet2, will be happy for custom templates feature
  • Penn also has use cases
  • custom templates project has high priority


Chris

  • New Grouper Release, most important element was getting provisioning to work in training environment
  • better labels
  •  More to come 
  • Attribute values in LDAP, marking to only delete 
  • Can set up provisioner so it can use arbitrary text
  • Other improvements…
  • Planning another Grouper release soon

Shilen

  • Load testing 
  • updated LDAP tests, got them working
  • Updated LDAP DAO to not return attributes with no value
  • Looking at performance issues
  • Null value can cause issues
  • Gave 4 gigs of memory in dev environment, for several hundred thousand groups
    • Saw issues
  • Grouper provisioning daemon has performance issues 
    • Looking for ways to improve
    • Chris: there may not be quick wins, provisioning daemon likely needs a rewrite
    • Do Grouper DAO first, leverage queries w provisioning daemon
    • Get just columns we need
    • Do profiling so we don’t hold onto objects we don’t need
  • Chris: need queries to be efficient
  • Shilen: issues with Oracle and queries, may try with Postgres
  • Chris will send Shilen a new idea around DAO 
  • Will never have action and resource inheritance
  • Try: Not use any views to make it faster

Chad:

  • Finished edupersonaffiliation, will start eduperson entitlement
  • Have a copy and paste grouper loader.properties
  • Chris: Diagnostics screen can do a lot, having some visualization showing attributes from target may be helpful 

Issue Roundup 

Jiras in past week


Grouper Emails in past week



Grouper wiki updates in past week


Grouper Slack in past week

Carey  If you upload a config file and the value is an ELscript…. The system does not appear to always check the “is EL” box for the loaded config. ( And instead treats the value like a fixed String.)

Is there a way to avoid the confusion in the file before it is loaded? 

 


Chris Hyzer  The 2.5.40 container has more verbose output so we can easily see what's going on if there is a problem

https://todos.internet2.edu/browse/GRP-3102


Chris Hyzer   We are proud to announce the release of Grouper 2.5.40.  

 

Carey  plug for upvotes/comments GRP-3104 

Misc --> “All daemon jobs” filter option: List all jobs with a failure status between a Start and End date/time value


Tim    I don't have 2.5 in production yet. For those who don't allow auto DDL updates, what's a good practice for updating production to a grouper version that requires one?  

 

Liam   2.5.40 upgrade UI httpd issues



Jeffrey C   looking for recommendations on how to determine which accounts are accessing which folder



Aimee  If I have a composite policy group (using the GDG policy template) and want an audit report of membership changes over a period of time for my policy group, it seems I am not able to "view membership audit log" to get that information interactively via the UI.      


AI Chris look at question on Slack re have a composite policy group (using the GDG policy template) and want an audit report of membership changes over a period of time for my policy group, it seems I am not able to "view membership audit log" to get that information interactively via the UI.



 , need messaging provisioning implementations.

 


tuck  I’d like to limit the folder/group name the users can create from Grouper UI to something like “[A-Z][a-z]-.“. Is there a parameter in the properties file to do that? 

 

 

Liam: I updated to 2.5.40, and when I start my ui container, I get this..

 …  I think maybe the container should use self signed cert if none provided so it doesn't error out right?

 


Erik Is there a way to "undo" a password-protected config item in the Configuration UI?  

 


Erik   I just started to see an error on a PSPNG sync of a policy group: …  


Erik 

I'm getting another weird situation. I marked a folder to sync to Azure AD that had existing groups, I then added a new person to the existing group. I then get a crash dump


Tim  what's the consequence of hitting a 2.5 WS instance with a URL that has an old version number in it? A lot of our campus is still using this /grouper-ws/servicesRest/json/v2_1_005. I can see that it works, but would it be missing some of the new stuff in 2.5? 

 

Jeffrey 

 client question about setting the group creator and last updated fields via the web service. I'm guessing the answer is no but wanted to make sure.


Justin

Is there a way to enforce a naming convention for groups on a specific folder in Grouper?


Sudheer 

Can someone point me to documentation on how to configure/setup queues in grouper 2.4 and let other applications subscribe to it?  

 

Chris Hyzer   

 We are proud to announce the release of Grouper 2.5.41.   



Paul R

 Is there a Grouper messaging connector to the Azure Service Bus...  The only cloud queuing system I found supported, thus far, is AWS SQS.

 

Justin   We have compliance requirements w/ tutorials / training like HRMS, FERPA, etc. We load compliant users into Grouper, but we would also like to load when they are no longer in compliance as a membership disabled date. Is there a way to do that with a loader or some other process?



Next Grouper Call: Wed. Feb. 17, 2021

 
