Grouper Call of June 5, 2024
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdeva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Gail Lift, University of Michigan
- Henry Hyzer, intern
- Emily Eisbruch, independent
DISCUSSION
Administrivia
InCommon Basecamp is June 3-7, 2024 (online only)
Internet2 Technology Exchange 2024 is in Boston Dec 9-13
TechEx Call for BOFs and Working Groups is now open
https://na.eventscloud.com/website/69276/call-for-proposals-3/
Emily has submitted a request for a Grouper BOF
Current Work
Vivek
SCIM
For ServiceNow, there is a requirement to sync custom attributes, e.g. the ServiceNow employee number
Have added more options for SCIM-based provisioners
Can specify an Expression Language
Give me a list of users, etc.
Want to sync a nested attribute
Use JSON pointer
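As an added illustration of the "use JSON pointer" approach to syncing a nested attribute (this is example code, not Grouper's SCIM provisioner, and the sample user resource is constructed): an RFC 6901 JSON pointer resolver applied to a SCIM 2.0 user, where `employeeNumber` sits inside the standard enterprise extension object rather than at the top level. The attribute names in `ATTRIBUTE_MAP` are assumed for the example.

```python
"""Resolve RFC 6901 JSON pointers against a SCIM 2.0 user resource.

Added example: shows how a nested attribute such as the enterprise
extension's employeeNumber can be addressed with a JSON pointer instead
of a flat attribute name. Not Grouper's own provisioner code.
"""

# Constructed sample SCIM user (no real data). The enterprise extension URN is
# the standard one from RFC 7643; employeeNumber is nested beneath it.
ENTERPRISE_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_URN],
    "id": "example-id-0001",
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.edu", "primary": True}],
    ENTERPRISE_URN: {
        "employeeNumber": "123456",
        "manager": {"value": "example-manager-id"},
    },
}

# Hypothetical mapping of provisioned attribute name -> JSON pointer into the user.
ATTRIBUTE_MAP = {
    "employeeNumber": "/" + ENTERPRISE_URN + "/employeeNumber",
    "primaryEmail": "/emails/0/value",
    "managerId": "/" + ENTERPRISE_URN + "/manager/value",
    "costCenter": "/" + ENTERPRISE_URN + "/costCenter",  # absent in the sample
}


def _unescape(token: str) -> str:
    # RFC 6901 section 4: replace "~1" first, then "~0", otherwise "~01" is mishandled.
    return token.replace("~1", "/").replace("~0", "~")


def resolve_pointer(doc, pointer: str):
    """Return the value the pointer addresses; raise KeyError if it does not exist."""
    if pointer == "":
        return doc  # the empty pointer addresses the whole document
    if not pointer.startswith("/"):
        raise ValueError("a non-empty JSON pointer must start with '/'")
    node = doc
    for raw in pointer[1:].split("/"):
        token = _unescape(raw)
        if isinstance(node, dict):
            if token not in node:
                raise KeyError(pointer)
            node = node[token]
        elif isinstance(node, list):
            # Only plain non-negative integers are valid array indices.
            if not token.isdigit() or int(token) >= len(node):
                raise KeyError(pointer)
            node = node[int(token)]
        else:
            raise KeyError(pointer)  # descended into a scalar
    return node


def extract_attributes(user: dict, mapping: dict) -> dict:
    """Resolve every mapped pointer; attributes whose pointer is missing are skipped
    rather than sent as null, so an absent optional field does not clobber the target."""
    out = {}
    for name, pointer in mapping.items():
        try:
            out[name] = resolve_pointer(user, pointer)
        except KeyError:
            continue
    return out


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_USER, ATTRIBUTE_MAP))
```

Skipping a missing pointer (rather than raising or emitting `null`) is a deliberate choice: a provisioner that writes `null` for every optional attribute it cannot find would wipe values the target already holds.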
Grouper Rules (in Grouper v5)
Looking at some edge cases, various scenarios around permissions
Harry
Swagger
Each one has a wrapper
You can drill down into each parameter
Harry changed each version so they are in numeric order and alpha order
Did wrappers for the responses
In Grouper Web Services, in source
Working on v4 branch
In Grouper v5, the generation of the swagger JSON is a manual process.
If we add a new operation we will manually kick that off again
Same operational library for v4 and v5
How hard will it be to catch up to the v5 branch when the work gets ported forward?
Challenge: Swagger is intended for RESTful APIs
Grouper is plain old JSON
We have some more RESTful-ish operations
We can document those in Swagger more specifically
The version that any web services client sends to the server is intended to be the version you are calling
We pioneered this before the standard was developed
Need to make a fix in Grouper; it only works in a certain version
Leave Swagger in v4 static
Search and replace in v5
Grouper Rule Discussion
Carey: Looking for a Grouper rule for removing someone from a group when added to a different group
Did not find this
Seems like a common pattern, should likely be added
Carey will ping Chris about this
https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+patterns
There is a recent addition of this, according to Vivek
Action item: Vivek will improve this rules documentation (in response to Carey's question): Grouper rules pattern - Remove invalid membership due to group
Chris: Rules are actions that happen when other things happen
Membership lifecycle, deprovisioning, reminder to attest or review something
With the new Rules UI it is easier to use and to delegate to admins; rules can be assigned
Many requests from GA Tech; Great ideas on membership life cycle
Bert pointed out some gaps
Even though the rules UI is a step in right direction, it’s not the final goal
https://spaces.at.internet2.edu/display/GrIntDev/Grouper+membership+eligibility
Chris and Emily are working on an InCommon Trust and Identity Newsletter blog (for June or July likely)
The planned blog will be about RULES: past, present and also about the future plans
There are exciting plans for future of rules
Attributes on stems
Keeping track of life cycle events
Having the timeline on a person available for attestation
UI can say "you have these people, 5 people with a life cycle event, review them"
Hope to put resources towards that for Grouper v5
Chris plans to update the Grouper roadmap
Currently in planning stages
Carey: It would be helpful to have improvements around point in time queries
Be able to dive all the way to the bottom quickly
As valuable as the higher level archetype
There are tons of paths to query point in time
Vision for v5: if you are SQL cacheable, we want to keep flattened memberships and flattened point in time memberships in a table
Shilen
Grouper HTTP client
Some operations, like HTTP DELETE, were not cleaning up resources
You can easily run out of resources
Fix was put in
A flag to reuse connections was an issue
There is a flag to reuse the HTTP client
Goal: always reuse the Grouper HTTP client
Chris will note for the next release an upgrade instruction to remove that flag
Don't set that flag moving forward
OIDC updates
Integration for UI and web services only found claims through the userinfo endpoint
Need to find them through the ID token
Added some new configs
Now it asks for the needed info
Will commit for V5
Shilen will cherry pick this back to v4
OIDC is best option
Proxy settings for OIDC were not working
Shilen made an adjustment on this
Needs to do more testing
Shilen will look at HTTP proxy issue
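The OIDC change above is about taking claims from the ID token rather than only from the userinfo endpoint. As an added example (not Grouper's code; the new Grouper config names mentioned above are not shown here, and the issuer, client id, secret and token contents are constructed), this verifies an HS256-signed ID token with the standard library and returns the claim to use as the login id. HS256 keyed with the client secret is one of the OIDC Core signing options and keeps the example dependency-free; most providers sign with RS256 and the verification step would then use the provider's JWKS instead of the shared secret.

```python
"""Verify an OIDC ID token and pull a login claim out of it.

Added example, not Grouper code. Uses HS256 (client-secret keyed HMAC) so it
runs with only the standard library; the checks (alg allow-list, signature,
iss, aud, exp) are the ones any ID-token consumer must perform.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not a real deployment).
ISSUER = "https://idp.example.edu"
CLIENT_ID = "grouper-ui"
CLIENT_SECRET = b"example-client-secret-do-not-use"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a token the way the (constructed) provider would; used to build test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def id_token_claims(token: str, secret: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Return the claims of a valid ID token; raise ValueError on any check failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Fixed allow-list: the token's own header must never choose the algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def login_id_from_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                           claim: str = "sub", now=None) -> str:
    """The claim the application should use as its subject id, read from the ID token itself."""
    claims = id_token_claims(token, secret, issuer, client_id, now=now)
    if claim not in claims:
        raise ValueError(f"claim {claim!r} not present in ID token")
    return claims[claim]


def verification_fails(token: str, secret: bytes, issuer: str, client_id: str, now=None) -> bool:
    """True when the token is rejected; handy for showing which tampering is caught."""
    try:
        id_token_claims(token, secret, issuer, client_id, now=now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    tok = make_hs256_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe",
                            "eppn": "jdoe@example.edu", "exp": NOW + 300}, CLIENT_SECRET)
    print(login_id_from_id_token(tok, CLIENT_SECRET, ISSUER, CLIENT_ID, claim="eppn", now=NOW))
```

The point of reading the claim from the ID token rather than the userinfo response is that the ID token is signed and bound to the audience and expiry, so the checks above are what make the claim trustworthy; the userinfo endpoint only returns what the access token permits and carries no signature of its own.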
Chris
There have been a few Grouper releases, many new features
https://spaces.at.internet2.edu/display/Grouper/v5+Release+Notes
Hope for release cadence of at least once per month
Want to integrate new build scripts
Move to Rocky 9
SCIM gitlab provisioning is important
Provisions a list of users
- Ability to handle dynamic organizations
- What about Gitlab? Yes it does SCIM
- Chris talked about Tableau provisioning
- Grouper provisioning SCIM for Tableau
- Dynamic attributes, complex use cases
- Should be able to map custom attributes
- Will be turned off by default in production
- The jars are there for you, but not enabled by default
- Chris put this in Grouper POM
- Only 4 libraries for dependencies
- When we build container, we move those jars to another container
- If you set environment variables
- Wiki shows things being done at Penn
- Validates that a group updated successfully
- Slack Chris if you want more functionality
- Chris wrote standards for what we should be doing in the UI
- UI is intended to be browsed by a browser
- Will follow some standards so when we implement builder pattern classes it will be consistent
- A new environment variable for the container
- Will make a bash script
Issue Roundup
JIRAs
- GRP-5483: javascript error when search has a percent in it
- GRP-5482: searching for stem which doesn't exist causes 500 on web service
- GRP-5481: Date Picker for start/end dates for memberships
- GRP-5480: add playwright into the grouper pom
- GRP-5479: scim command logging not working in provisioning
- GRP-5478: add to template runtime if it is a WS or UI request
- GRP-5477: Property to toggle displaying group membership count in group name in UI
- GRP-5476: Add a Tomcat "packetSize" parameter for container
- GRP-5475: Upgrade bootstrap version
- GRP-5474: support utf8mb4 with mysql (shorten indexes)
- GRP-5473: take underscore out of csrf header
- GRP-5472: Error on unique last modifier index on midpoint provisioner
- GRP-5471: Midpoint error on provisioning performance enhancement
- GRP-5470: add support for multiple keys in JWT WS
- GRP-5469: ws calls for find group should not cache
- GRP-5468: identify loader vs jexl loader (scripted groups) for loaded groups
- GRP-5467: Should be an option to not delete all memberships if a group is unmarked provisionable
- GRP-5466: Wrong label for deleteGroupsIfUnmarkedProvisionable and deleteGroupsIfGrouperCreated
- GRP-5465: Improve security of 'Grouper Rules' in the UI
- GRP-5464: when there is EL in provisioning names, the drop downs should show evaluated values
- GRP-5463: allow EL in provisioning name but the screen should evaluate the expression
- GRP-5462: If a UI wizard form element is read-only there should not be a label associated with it
- GRP-5461: UI wizard with radios gives each radio the same HTML id
- GRP-5460: on grouper wizards on the UI, drop down values not escaped (e.g. single quote)
- GRP-5459: testing in bearer token external system fails if response has newlines
- GRP-5458: scim unit test should setup provisioner like the UI would so it can be saved without removing entries
- GRP-5457: externalize provisioning entity option
- GRP-5456: indent provisioning entity 2 advanced options
- GRP-5455: require github scim 'orgInUrl' to be set when operating on groups
- GRP-5454: do not allow github scim to insert/update/delete groups
- GRP-5453: do not allow github scim with groups to select all groups at once
- GRP-5452: add attribute for github scim 'orgInUrl'
- GRP-5450: GrouperHttpClient doesn't release resources when doing an HTTP DELETE
- GRP-5449: add id token to grouper ui oidc authn
- GRP-5448: User with read/update and provisioner admin privs can set provisioning but not remove it
- GRP-5447: grouper ws getGrouperPrivileges does not calculate implied privileges
- GRP-5446: add jexl script tester example for groupAttribute in loader groups from attributes
- GRP-5445: add another loader query so attributes on groups can be loaded
Wiki updates
Programmatic access to the Grouper user interface with Playwright
Using the Playwright script recorder (this page lacks proper header)
... and more
Next Grouper Call: Friday, June 21, 2024 (instead of Wed. June 19)
Next Grouper meeting: will discuss Grouper documentation