Attending 

  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redman, University of North Carolina Chapel Hill
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams, UNCG
  • Steve Zoppi, Internet2
  • Emily Eisbruch, Internet2


Discussion

Grouper Training Online



Poll on Grouper Slack:
Grouper will provide a "type" of group which represents a group that is human managed that contains individual people.  i.e. this type of group probably needs attestation, and probably needs a composite or rule or report up the policy stack to make sure people in it are active/appropriate.  This is for groups for which there isn't a query somewhere to get the population, or one-off exceptions, or other reasons.  Note, this is a type similar to "ref" or "policy", and a group can have multiple types, e.g. a "ref" group for "test" systems, which also has the selected type below.  We would like to play the name-game, so please vote with emojis.  Note, please do not try to skew the results by asking others to vote for your preferred answer.  This is not a political exercise.
  Michael, ChrisB, and I seem to have been the most interested in this topic, so we will review the results and pick the term.  The term needs to be something not too long, not abbreviated, not used for other things in the product space, that helps the average Grouper user, etc.  There are a few questions so we don't need a revote.

Question 1.  What category of term should it be?

conveys "human managing members"

conveys "the usual thing non-admin people do with groups"

Question 2.  Favorite "human managing members" term (vote for up to three)?

ad hoc

handcrafted

handpicked

manual

non-auto

Question 3.  Favorite "the usual thing non-admin people do with groups" term (vote for up to three)?

elemental

key

normal

primary

prime

primitive

regular

simple

standard

Current Work Tasks


  • Vivek - working on types
  • Ad hoc type (change this term?)
  • Intermediate type
  • Intermediate is by default checked.
  • Limit is display of 2000 groups
    • Message will say “you are seeing a subset”
  • Must figure out name for ad hoc groups
  • Chris: See Grouper Slack post on naming and vote for your favorite  
  • Ad hoc does not come into play w provisioning
  • Policy types do come into play
  • Could filter intermediate groups from provisioning targets
  • Shilen: would be good to make UIs look better
    • Perhaps fewer check boxes?
  • Whoever is making policies would be using this screen, not the average user

  • Chris: in provisioning config, do you want to filter types to be provisioned?
  • We track if something is provisionable using attributes on a group; those attributes flow down from folder
  • Two ways to go: attributes that flow from folder to group, OR  use a query to get groups of interest.

  • If marked as provisionable with attribute, don’t mark with groups by type
  • OR
  • If folder is provisionable it filters down to the groups

  • Tradeoffs: if we try to keep the provisioning attributes correct then the query for provisioning is simpler, but we must carefully manage the provisioning marker.

  • Shilen: if the attribute is not managed correctly, then why have it, could be too confusing
  • Point is so you don’t have to go up the folder structure to find out what is provisioned
  • There is also a new feature for provisioning metadata
  • We need to add some generic configuration into the framework to say “do you want to restrict Grouper results based on type?”
  • The answer impacts how the attributes get propagated
  • Could get an error  saying “you need to mark this as a policy group”
  • Agree do provision should be propagated and set correctly.
  • Shilen: checking for validation is also relevant
  • Chris: need to solve problem of keeping things in sync
  • Do provision flag should take types into consideration
  • Allow users to create their own types?
  • Could there be logic for any attribute on the group, not just types?
  • Vivek: change how provision to propagates down, Vivek and Chris will talk about details after this call
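An added illustration (not Grouper's code) of the propagation model discussed above: a provisioning marker inherited from folders, overridden on the group, and then filtered by group type, producing the “you need to mark this as a policy group” validation error for a marked group of the wrong type. The folder names, the `PROVISIONABLE_TYPES` set and the sample hierarchy are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Assumption: only policy-type groups are allowed to reach a provisioning target.
PROVISIONABLE_TYPES = {"policy"}


@dataclass
class Folder:
    name: str
    provision: Optional[bool] = None      # None = inherit from parent folder
    parent: Optional["Folder"] = None


@dataclass
class Group:
    name: str
    folder: Folder
    types: set = field(default_factory=set)
    provision: Optional[bool] = None      # direct marker overrides inherited one


def effective_marker(folder: Optional[Folder]) -> bool:
    """Walk up the folder chain to the nearest explicit provisioning marker."""
    while folder is not None:
        if folder.provision is not None:
            return folder.provision
        folder = folder.parent
    return False                          # no marker anywhere: not provisioned


def resolve(group: Group) -> tuple[bool, str]:
    """Return (should_provision, reason): marker first, then the type filter."""
    marker = group.provision if group.provision is not None else effective_marker(group.folder)
    if not marker:
        return False, "not marked provisionable"
    if not group.types & PROVISIONABLE_TYPES:
        return False, "you need to mark this as a policy group"
    return True, "provisionable"


def provisionable_names(groups: list[Group]) -> list[str]:
    return [g.name for g in groups if resolve(g)[0]]


# Constructed sample hierarchy: only the "azure" folder carries a marker.
root = Folder("app")
azure = Folder("app:azure", provision=True, parent=root)
SAMPLE_GROUPS = [
    Group("app:azure:staff", azure, {"policy"}),              # inherits marker, policy type
    Group("app:azure:testers", azure, {"ref", "adhoc"}),      # inherits marker, wrong type
    Group("app:azure:composite", azure, {"policy"}, provision=False),  # direct opt-out
    Group("app:other", root, {"policy"}),                     # no marker up the chain
]
```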

  • Custom Metadata
  • https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+custom+metadata
  • Mark as public/private, similar to Azure use case
  • You may want to have custom translation on an object, specific to that group or folder, instead of for everything in the provisioner
  • “If” statement would not be needed
  • JSON object has variable names and values from the UI
  • Is this provisionable, is this a unified group, public/private, what is the translation
  • To test this, using the LDAP provisioner
  • For every provisioner, do I need to add the extra metadata
  • Stored in JSON and propagated to groups
  • Solves issue of DN structure on folder, this can be a can of worms
  • Would be good to have flexibility to change any of the fields


Chris:


  • Mock Services Framework  https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+mock+services
  • If there is a service that can be easily implemented (mocked) to test the provisioning DAO, implement in the Grouper Mock Services
  • In Grouper hibernate file, you can pick
    • IS UI or
    • IS WS or
    • IS MOCK SERVICES
  • New servlet, needs to be secure, but not really, can’t do much
  • Each of the objects would have their own tables
  • Can do source IP address filtering
  • Have example of copying from the UI
  • Creating simple tables using DDL utils
  • Access token and it expires
  • For users in Azure there are flags it supports
  • Turn on Tomcat w IS MOCK SERVICES set to true
  • Explain how to implement provisioner
  • Helps with paging issues

  • Chad had inherited the Azure work from Unicon
  • So had fine-tuned what they had
  • Retrofit library was a pain, this is better
  • This new approach is good
  • Shilen: this looks great


  • Grouper team: please review this in the app Azure folder
  • Azure provisioner is looking good.
  • There is no get-all-memberships web service
  • Can iterate through groups, but that could be wasteful
  • We should have a flag in provisioner to handle this
  • Can you retrieve all memberships?
  • Duke has a lot of groups in Azure
  • Put an attribute on group in Azure, then use a filter


  • Carey: naming issue, starting w “mock”
  • Chris: can’t start w “grouper”
  • Not controlled by Grouper DDL utils
  • Prefix requirement
  • These might only be for internal developers


Steve Z

  • Thanks for the work during 2020, a challenging year
  • Sharp uptick in interest in Grouper and Grouper integration
  • Shows up in CSP, Collaboration Success Program
  • Community appreciates all the progress made around Grouper
  • For 2021, there will be increased focus on integration (gluing things together): Grouper, Shib, COmanage, etc.
  • Component architects discussions talk through the implications of changes around one component and how it impacts other components
  • Looking at the “right boundaries”
  • Larger institutions have capacity to absorb changes in the environment
    • Smaller institutions have their own challenges
  • More interaction coming in 2021 w the Cloud Services community
  • There are tradeoffs
  • Chris: the questions facing us in 2021 are exciting, regarding staying in lanes, working with other teams
  • We will focus work, perhaps half on provisioning and connections, and half on Grouper internals
  • Script for policy groups, templates
  • Hope for Grouper 2.6 release in next 6 months
  • Chris: There is a blog on Grouper provisioning coming along, we will ask the whole team to review it
  • Steve: with middleware there are always boundary issues
  • Finding deployment profiles to suit more complex institutions down to less complex institutions is important
  • We can’t address every need on the spectrum
  • We are trying to define 3 primary deployment profiles
  • Hoping to simplify and confine 
  • Some organizations are taking a hit in the IAM staffs due to COVID 
  • An organization sent a person to training who wanted to solve a simple use case and did not want to go through all the reference groups; Chris helped them after training. The setup was not trivial. Want to make things easier.
  • SteveZ: Should we put these scenarios into a training module?
  • Internet2 will be working with Grouper and COmanage  in 2021 to solve Internet2 use cases
  • Value chain can be created
  • Chris: has shared with Erin the idea of institutions subscribing yearly to Grouper Training
    • Grouper team would come up w 12 Canvas LMS modules on what’s new in Grouper
    • Grouper team would develop new content to make that worthwhile
    • SteveZ: this is being discussed
  • Want to contextualize InCommon School course content apart from the solution
    • "If you want to accomplish this, take these courses"

Issue Roundup 


Jiras in past two weeks

GRP-3084

ldap provisioner validate string dn configured for groups and entities (if appl)


GRP-3083

add mock services framework


GRP-3082

add "intermediate" type to grouper


GRP-3081

azure provisioner (NG) with no extra libraries


GRP-3080

handle group/entity creates where id is assigned by target and is the search attribute


GRP-3079

add searchAttribute flag to provisioner attributes/fields


GRP-3078

If external system test has multiple errors, UI only shows latest one


GRP-3077

When importing members into a group, OK button on the progress screen does not work


GRP-3076

add provisioning configuration validation


GRP-3075

allow stems, groups, members, memberships to have provisioning metadata


GRP-3074

when filling out the provisioning form


Grouper Emails in past two weeks




Grouper wiki updates in past two weeks



Grouper Slack in past two weeks


Benjamin R   We are working on setting up a proof of concept instance of Grouper and need it to be able to run loader jobs against an Oracle Database. Is there a best practice for getting the driver loaded into the image?

 

Chris Hyzer    Arizona has a provisioner pull (loader) use case that we will work on in addition to the Michigan LDAP use case...

https://spaces.at.internet2.edu/display/Grouper/Grouper+membership+SQL+provisioner+loader+use+case+Arizona


Jon M  is there a way or plans to make a way to stop someone from opening a Root session in GSH?  (say, a config option that makes only people in wheel able or something?)  ... I thought I remembered talk about it, but I can't find any docs and I think I might be hallucinating as usual.

James B  Has anyone run in to issues with GetSubjects WS call when looking up someone by an identifier?

Chad R  For those looking to use this for OpenShift, what components would you need to run in the container?  …


Chris Hyzer  

While we are working on the new "intermediate" type….


Erin Murtha   

  Grouper training is coming up in February! 


Jeffrey C 

Anyone know what the default subject record caching timeout is? We had a record get an email update in LDAP but grouper keeps showing the old one when someone looks up the record.


Chad R 

A wiki has been started for workarounds to run Grouper in OpenShift. It is a work in progress, so comments welcome! https://spaces.at.internet2.edu/display/Grouper/Grouper+container+running+on+OpenShift 

 

Next Grouper Call: Wed Jan. 20, 2021
