Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdeva, independent
- Jeff Williams, UNCG
- Jonathan Johnson, Unicon
- Emily Eisbruch, Internet2
New Action Items from this call
AI Chris will write note for JJ on approach to reduce bounce
AI Chris document on wiki how to pop Grouper out of a container
Discussion
Administrivia
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
External Authentication Work
- JJ from Unicon has done work on external authentication
- This is important for the next version of Grouper Container.
- Code is here:
- https://github.com/uniconLabs/grouper/tree/IAMSE-1169-External-Authentication
- Can start testing / kicking tires
- At Components architects call, there's been discussion of future of Shibboleth SP
- Not a strategic component
- If we can get Grouper Container to one process, Tomcat, it will simplify things
- JJ: this work has been done by Unicon in collaboration with Universities
- U of Hawaii - CAS
- Virginia Tech - OIDC
- SAML part did not have a sponsor
- Came as follow on to the other parts
- Grouper allows Authentication based on remote user
- Setting up a Shib SP that will broker the SAML negotiation, generate remote user, and pass it to Tomcat
- Makes it easy to add in something else
- Philosophy of Shib SP where everything is above/outside application
- Tie to a particular implementation
- Java, advantage of working in a container
- Filters can take place of any layers on top
- pac4j library
- Widely used framework
- Unicon contributes to pac4j
- Success with pac4j in CAS project
- Supports myriad authentication methods
- pac4j was designed as a replacement for Spring Security
- Spring Security was hard to configure and challenging to understand
- JEE in Grouper, servlet filter
- Some use Spring Boot integration
- There is a fork of Grouper under Unicon Labs
- See under Grouper Misc, Authentication
- Servlet container initializer initializes the 2 filters for pac4j
- Call back filter is used when you leave the application and do authentication
- Sent back
- Brokers authentication
- 2nd filter sets up the security
- Security filter takes the configuration for the IDP you are using
- Gets CAS, SAML config, whatever
- Battery? generates the configuration needed
- Only the UI side is public so far; U Hawaii and VA Tech are using it
- Web services side not yet public (it’s not as well tested)
- Is OIDC a web service thing? (token for web services)
- Not yet, it’s strictly for Grouper UI
- Web services, can use the OIDC token
- Generate appropriate config based on what you have out there
- JJ showed sample of CAS config
- For CAS, login URL is needed
- Some reflection is used so don’t have to maintain so much code
- Chris: can put in Grouper jar? Don't want to maintain too many subprojects
- JJ: it’s in a module in Grouper Misc for authentication
- JJ needs to ask about publishing
- Size of Jar is 11 meg
- If it's shaded and in Maven that's fine
- Maven could pull in dependencies
- Some local changes; some Java 9 code was added and needed to be rewritten to work in Java 8
- Still a year or so of support, we will eventually need to move to Java 11
- JJ is kicking tires on Java 11 version of Grouper
- Grouper team will need to upgrade to Java 11
- Chad: JAXB and Groovy libraries issue
- Chad: UI versus web service authentication?
- JJ: check context
- There will be another block when web services portion is ready
- JJ: protect status?
- Take a path and put an authN
- “These are the paths that are protected”
- Question: can this handle embedded discovery?
- JJ: not sure if discovery is built into pac4j
- Might need 3rd party for discovery
- This provides simple authN
- Shilen: looks good
- Chris: Take common CAS, Shib or OIDC things and make environment variables?
- JJ: possible to do that
- Can use the login URL
- Can default to an environment variable
- UI wizard for authentication
- JJ: grab all properties in a namespace
- Iterate through everything in a namespace, would need to enhance code
- Chris: Trying to not require bounce when changes are made
- JJ: reimplement to pull filter as needed, so don't need to bounce
- Chris will write note for JJ on approach to reduce bounce
- NEXT STEPS:
- think about JAR
- probably just want the dependencies
- start kicking the tires
- Grouper webapp
- JJ wrote up as quick and easy way to test with Maven context
- Builds just the war file, within context of Maven
- To run a Maven target to run Grouper locally
- Test each of the different types of authentication available
- Are there dependencies in each of the modes that would conflict?
- Only one, in SCIM, but since resolved
- Hoping to take out SCIM in next major Grouper release
- TomEE introduces some conflicts
- Allows not having the bit to copy the live directories
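As an added illustration (not Unicon's or Grouper's code) of the two-filter pac4j setup described above, combined with Chris's suggestion of defaulting settings to environment variables: a ServletContainerInitializer that registers the pac4j callback filter and security filter for CAS, taking the CAS login URL and callback URL from env vars with fallbacks. Assumes the j2e-pac4j 4.x API (org.pac4j.j2e.filter package); the class name, env var names, hostnames and URL patterns are assumptions.

```java
// Added example, not Grouper or Unicon code. Assumes j2e-pac4j 4.x and javax.servlet.
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.j2e.filter.CallbackFilter;
import org.pac4j.j2e.filter.SecurityFilter;

public class Pac4jAuthnInitializer implements ServletContainerInitializer {

  // Read GROUPER_AUTHN_<KEY> from the environment, falling back to a default
  // (the "default to an environment variable" idea from the discussion).
  // The GROUPER_AUTHN_ prefix is an assumption, not a real Grouper setting.
  static String envOrDefault(String key, String dflt) {
    String v = System.getenv("GROUPER_AUTHN_" + key);
    return (v == null || v.isEmpty()) ? dflt : v;
  }

  @Override
  public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
    // CAS client: for CAS the one setting that is really needed is the login URL
    CasConfiguration cas = new CasConfiguration(
        envOrDefault("CAS_LOGIN_URL", "https://cas.example.edu/cas/login"));
    CasClient casClient = new CasClient(cas);
    casClient.setName("CasClient");

    // Callback URL: where the IdP sends the browser back after authentication
    String callbackUrl = envOrDefault("CALLBACK_URL", "https://grouper.example.edu/grouper/callback");
    Config config = new Config(new Clients(callbackUrl, casClient));

    // Filter 1: the callback filter completes authentication when the user is sent back
    FilterRegistration.Dynamic callback = ctx.addFilter("pac4jCallbackFilter",
        new CallbackFilter(config, "/grouper/"));
    callback.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/callback");

    // Filter 2: the security filter protects the listed paths ("these are the paths
    // that are protected"), redirecting anonymous requests to the configured client
    FilterRegistration.Dynamic security = ctx.addFilter("pac4jSecurityFilter",
        new SecurityFilter(config, "CasClient"));
    security.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/grouperUi/*");
  }
}
```

Tomcat only picks up the initializer if it is listed in META-INF/services/javax.servlet.ServletContainerInitializer inside the jar.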
Current Work
Vivek:
- Grouper GSH New Command https://spaces.at.internet2.edu/display/Grouper/Grouper+GSH+new+commands
- Use Grouper internal classes more easily
- Library of classes
- Not sure how to filter Javadocs
- Good solution
- Internal only but callable
- But not general to GSH
- This is tagging the things people will want to know
- Only for classes on the list
- Table on the wiki page
- Older GSH documentation will be restructured
- Must be consistent in Javadoc and using tags
- How to differentiate between what’s from javadocs and what isn’t?
- Looking ahead to future, to autogenerate
- Chris: copy and paste might be easier, but could try to automate
- Team please think about what you can make a GSH template for and create examples
- To help build out the documentation
- Next for Vivek:
- optimizing, to get better performance versus everything appearing in real time
- do not propagate all attributes, all object types
Chris:
- In the APIs, classes already exist in some cases
- Some have a secure flag, use Run as Root in future
- Replace all settings
- can do either a put or a patch
- Defaults to true
- Overwrites
- Safe Mode
- Finder, return either single group or list of groups
- Be consistent in making new classes
- Did not go back and add everything to what already existed
- Chris worked on email feature https://spaces.at.internet2.edu/pages/viewpage.action?pageId=188841989
- If you have an email that starts w open bracket it will be an HTML email
- Email address to a group, or to a UUID at Grouper, Chris has a workaround
- This is not a routable email
- Can use allow list
- Added some test features for emails
- Chris Still working on Chad’s Azure project
- Insert into a target
- If a matching attribute is pulled from the target, that should not be an error. Should try to insert, and the attribute should be usable. The matching attribute is not in Grouper, it's only generated in the target
- Chris hopes to finish by tomorrow
- Some want to move off changelog consumer, no full syncs
Chad:
- Taking break from Azure provisioner.
- UNC has upgraded.
- Will work with GSH templates
Shilen:
- Working on minor fixes, bushy support for LDAP
- Added config for allowing the RDN for groups to be specified
- Would like to see a dropdown for that
- Will work on Load Testing
- Look at issues Liam is finding
- LDAP to CAS implementation and DAO to help debug?
- Chris: no, want the framework to do the logging and handle exceptions from DAO
- We have better low level DAO
- Can see what filters and results come back
- Be sure exceptions thrown from the DAO have all the info that is needed
- AI Chris will add more low level DAO logging
- Shilen: Creating a bunch of folders, hard to know what was done, you just know what the exception is
- If we need DAO specific logging, it's last resort
- Hope to be more generic
- Shilen can try testing in test environment at Duke
Issue Roundup
Jiras (March 17 thru March 22)
- Note that for mysql issue, JIRA was not a good idea. Just say no
- Chris added JIRAs for API work
- GSH Template shows percent complete, See the movie Chris made
- Started using reports at Penn, some issues to circle back to
- GRP-3280 add GdgTypeGroupFinder builder
- GRP-3279 add AttestationGroupSave builder
- GRP-3278 add PrivilegeAttributeDefInheritanceSave builder
- GRP-3277 validation error markers are not shown if the id has special chars
- GRP-3276 some externalized keys not showing
- GRP-3275 show progress on gsh template
- GRP-3274 consolidate GSH template screen messages by type
- GRP-3273 add AttributeAssignValueSave
- GRP-3272 add AttributeAssignToAssignmentSave
- GRP-3271 add PrivilegeStemInheritanceSave
- GRP-3270 add runAsRoot to PrivilegeGroupInheritanceSave
- GRP-3269 add runAsRoot and replaceAllSettings to GroupSave
- GRP-3268 display template name and description on screen after picking template
- GRP-3267 gsh template validations can be more precise and show error marker
- GRP-3266 LDAP provisioning batching issue
- GRP-3265 allow env var for quick start pass to be encrypted
- GRP-3264 GrouperProvisionerGrouperDao should avoid views for performance
- GRP-3263 cannot assign end date on attribute def priv assigned to a group
- GRP-3262 grouper report should make sure unique name
- GRP-3261 report instance attributes shouldnt be audited
- GRP-3260 report attributes should not audit
- GRP-3259 do not audit attribute assigns from attributes which shouldnt skip auditing
- GRP-3258 do not audit user data actions (automatic UI)
- GRP-3257 report attestation broken
- GRP-3256 missing audits in UI cause log messages (no error in UI)
- GRP-3255 Support for RFC4373 "Bulk Update / Replication Protocol" (LBURP)
- GRP-3254 grouper system cant run wheel templates
- GRP-3253 gsh template output lines do not show up on screen
- GRP-3252 add grouper version to admin page
- GRP-3251 the allowed population for a provisioner should include members and not privs
Grouper Emails in past two weeks
- Re: [grouper-users] performance issue with grouper 2.4, Hyzer, Chris, 03/17/2021
- RE: [grouper-users] performance issue with grouper 2.4, Siju Jacob, 03/17/2021
- [grouper-users] Grouper Rules and indirect membership, Carl Waldbieser, 03/23/2021
- Re: [grouper-users] Grouper Rules and indirect membership, Carl Waldbieser, 03/23/2021
AI Chris reply to Carl W email on Grouper Rules and Indirect Membership (DONE)
AI Chris document on wiki how to pop Grouper out of a container
Grouper wiki updates in past two weeks
- Grouper custom template via GSH
- Grouper SQL interface
- Grouper custom template via GSH onboarding org example
- Get Attribute Assignments
- v2.5 Release Notes
- v2.5 Upgrade Instructions from v2.5
- Grouper provisioning full workflow
- Grouper provisioning incremental workflow
- Grouper provisioning messages
- GrouperShell (gsh)
- GrouperShell (gsh) HTTP client (GrouperHttpClient)
- Grouper provisioning diagnostics
- GrouperShell (gsh) Types on groups finder (GdgTypeGroupFinder)
- GrouperShell (gsh) Privilege inheritance on folders insert / update / delete (PrivilegeStemInheritanceSave)
- GrouperShell (gsh) Attribute assignment on group insert /update / delete (AttributeAssignToGroupSave)
- GrouperShell (gsh) Privilege inheritance on groups insert / update / delete (PrivilegeGroupInheritanceSave)
- GrouperShell (gsh) Email smtp (GrouperEmail)
- GrouperShell (gsh) Grouper session (GrouperSession)
- Grouper loader linux service (legacy)
- GrouperShell (gsh) Attribute value insert / update / delete (AttributeAssignValueSave)
- GrouperShell (gsh) Provisionable groups insert / update / delete (ProvisionableGroupSave)