Attending 

  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redman, University of North Carolina Chapel Hill
  • Vivek Sachdiva, independent
  • Jeff Williams, UNCG
  • Jonathan Johnson, Unicon
  • Emily Eisbruch, Internet2

New Action Items from this call

AI Chris will write note for JJ on approach to reduce bounce 
AI  Chris document on wiki how to pop Grouper out of a container

Discussion

 Administrivia

  External Authentication Work

  • JJ from Unicon has done work on external authentication
  • This is important for the next version of Grouper Container. 
  • Code is here: https://github.com/uniconLabs/grouper/tree/IAMSE-1169-External-Authentication
  • Can start testing / kicking tires
  • At Components architects call, there's been discussion of future of Shibboleth SP
    • Not a strategic component
  • If we can get Grouper Container to one process, Tomcat, it will simplify things
  • JJ: this work has been done by Unicon in collaboration with Universities 
    • U of Hawaii - CAS
    • Virginia Tech - OIDC
  • SAML part did not have a sponsor
  • Came as follow on to the other parts
  • Grouper allows Authentication based on remote user
  • Setting up a Shib SP that will broker the SAML negotiation, generate remote user, pass it to Tomcat
  • Makes it easy to add in something else
  • Philosophy of Shib SP where everything is above/outside application 

  • Tie to a particular implementation
  • Java, advantage of working in a container
  • Filters can take place of any layers on top
  • pac4j library
    • Widely used framework 
  • Unicon contributes to pac4j
    • Success with pac4j in CAS project
    • Supports myriad authentication methods
    • pac4j was designed as a replacement for Spring Security
    • Spring Security was hard to configure and challenging to understand
  • JEE in Grouper, servlet filter
  • Some use Spring Boot integration
  • There is a fork of Grouper under Unicon Labs

  • See under Grouper Misc, Authentication
  • Servlet container initializer initializes the 2 filters for pac4j
  • Callback filter is used when you leave the application and do authentication
  • Sent back
  • Brokers authentication
  • 2nd filter sets up the security
  • Security filter takes the configuration for the IDP you are using 
  • Gets CAS , SAML config, whatever
  • Battery? generates the configuration needed
  • Only have the UI side public, U Hawaii and VA Tech are using 
  • Web services side not yet public (it’s not as well tested)
  • Is OIDC a web service thing? (token for web services)
  • Not yet, it’s strictly for Grouper UI
  • Web services , can use the OIDC token
  • Generate appropriate config based on what you have out there
  • JJ showed sample of CAS config
  • For CAS , login URL is needed
  • Some reflection is used so don’t have to maintain so much code
  • Chris: can put in Grouper Jar?, don’t want to maintain too many subprojects
  • JJ: it’s in a module in Grouper Misc for authentication
  • JJ needs to ask about publishing
  • Size of Jar is 11 meg
  • If it's shaded and in Maven that's fine
  • Maven could pull in dependencies
  • Some local changes, some Java 9 code was added, needed to be rewritten to work in Java 8
  • Still a year or so of support, we will eventually need to move to Java 11
  • JJ is kicking tires on Java 11 version of Grouper
  • Grouper team will need to upgrade to Java 11
  • Chad: JAXB and Groovy libraries issue
  • Chad: UI versus web service authentication?
  • JJ: check context, 
  • There will be another block  when web services portion is ready
  • JJ: protect status?
  • Take a path  and put an authN
  • “These are the paths that are protected”
  • Question: can this handle embedded discovery?
  • JJ: not sure if discovery is built into pac4j
  • Might need 3rd party for discovery
  • This provides simple AUTHN 
  • Shilen: looks good
  • Chris: Take common CAS , SHIB or OIDC things and make environment variables?
  • JJ: possible to do that
  • Can use the login URL
  • Can default to an environment variable
  • UI wizard for authentication
  • JJ : grab all properties in a namespace
  • Iterate through everything in a namespace, would need to enhance code
  • Chris: Trying to not require bounce when changes are made
  • JJ : reimplement to pull filter as needed, so don’t need to bounce
  • Chris will write note for JJ on approach to reduce bounce 
  • NEXT STEPS
    • think about JAR
    • probably just want the dependencies,
    • start kicking the tires

 


  • Grouper webapp
    • JJ wrote up as quick and easy way to test with Maven context
    • Builds just the war file, within context of maven,
    • To run a maven target to run Grouper locally
    • Test each of the different types of authentication available 
    • Are there dependencies in each of the modes that would conflict? 
    • Only one, in SCIM,  but since resolved
    • Hoping to take out SCIM in next major Grouper release
    • TomEE introduces some conflicts
    • Allows not having the bit to copy the live directories

 

Current Work

Vivek:


  • Use Grouper internal classes more easily
  • Library of classes
  • Not sure how to filter Javadocs
  • Good solution
  • Internal only but callable
  • But not general to GSH
  • This is tagging the things people will want to know
  • Only for classes on the list
  • Table on the wiki page
  • Older GSH documentation will be restructured
  • Must be consistent in Javadoc and  using tags
  • How to differentiate between what’s from javadocs and what isn’t?
  • Looking ahead to future, to autogenerate
  • Chris: copy and paste might be easier, but could try to automate
  • Team please think about what you can make a GSH template for and create examples
    • To help build out the documentation
  • Next for Vivek:  
    • optimizing, to get better performance versus everything appearing in real time. 
    • do not propagate all attributes, all object types

 

Chris:

  • In the APIs, classes already exist in some cases
  • Some have a secure flag, use Run as Root in future
  •  Replace all settings,
  • can do either a put or a patch
  • Defaults to true
  • Overwrites
  • Safe Mode
  • Finder, return either single group or list of groups
  • Be consistent in making new classes
  • Did not go back and add everything to what already existed

 

  • Chris Still working on Chad’s Azure project
    • Insert into a target
    • If a matching attribute is pulled from the target, that should not be an error. Should try to insert, should be able to be used. Matching attribute is not in Grouper, it’s only generated in target
    • Chris hopes to finish by tomorrow
    • Some want to move off changelog consumer, no full syncs

 

Chad:

  • Taking break from Azure provisioner. 
  • UNC has upgraded. 
  • Will work with GSH templates

 

Shilen

  • Working on minor fixes, bushy support for LDAP
  • Added config for allowing the RDN for groups to be specified
  • Would like to see a dropdown for that
  • Will work on Load Testing
  • Look at issues Liam is finding
  • LDAP to CAS implementation and DAO to help debug? 
  • Chris: no, want the framework to do the logging and handle exceptions from DAO
  • We have better low level DAO 
  • Can see what filters and results come back
  • Be sure exceptions thrown from the DAO have all the info that is needed
  • AI Chris will add more low level DAO logging
  • Shilen: Creating a bunch of folders, hard to know what was done, you just know what the exception is 
  • If we need DAO specific logging, it’s last resort,
  • Hope to be more generic
  • Shilen can try testing in test environment at Duke


Issue Roundup 

 

Jiras (March 17 thru March 22)

  • Note that for mysql issue, JIRA was not a good idea. Just say no
  • Chris added JIRAs for API work
  • GSH Template shows percent complete, See the movie Chris made
  • Started using reports at Penn, some issues to circle back to

  • GRP-3280
    add GdgTypeGroupFinder builder


 

 

Grouper Emails in past two weeks

Re: [grouper-users] performance issue with grouper 2.4, Hyzer, Chris, 03/17/2021

AI Chris reply to Carl W email on Grouper Rules and Indirect Membership (DONE)

AI  Chris document on wiki how to pop Grouper out of a container

 

 

Grouper wiki updates in past two weeks
