Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Carey Black, the Ohio State University
- Emily Eisbruch, Internet2
New Action Items
- AI - Chris - create proof of concept for Selenium testing, possibly with GSH template
Discussion
Administrivia
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper Training June 22-25, 2021
https://www.incommon.org/academy/grouper/
Current Work
Chris
- Working on preparing for Grouper Training, June 22-25, along with Chad
- Good enrollment for training
- VMs for training are ready
- Next work - prework modules
- New modules: LDAP Loader, GSH Templates
- Idea of using Workbench in the future for Grouper Trainings
- Chris is upgrading Penn’s Grouper to the latest version 2.5.5.2.
- Chris creating JIRAs when he finds issues.
- There is an issue with the LITE UI
Chris working on Loader Privileges
- https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader
- There is a post on Grouper slack about trying to delegate Grouper Loader work
- Loader permissions on wiki
Things protected with Grouper Loader
- Misc Loader screen with the UI - we once said this might go away and just use daemon screen, thinking about it
- Readonly loader functions, you see what the query is
- Read write, where you can configure or add a loader job
- Sysadmin can do all of the above
- Two groups related to Loader Privileges in Grouper UI properties
- loader viewers
- loader editors
- Groups will be created and empty
- Can be populated.
- Used to be a blank config
- But it is useful not to have to figure it out
- Now there is a default for those, can be configured
- Must have view on a group to be able to configure the loader jobs
- There are sysadmin readers and sysadmin viewers
- You can add these groups if desired
- There is a switch for if group admins can read loader
- There is also a switch for admins to run loader jobs
- Chris is setting up test subjects
- Shilen: Currently only sysadmins have access? Or is it based on attribute framework privileges?
- Chris: Could edit the attributes manually, but not get into the Loader screens
- Chris: Like the attribute privileges for the attribute editor
- Don’t want to create issues
- Adding someone to a group is easier than adding attribute privileges
- Comment: From wiki update, it was not clear what was changed
- Chris: Fixed some bug, now View is different, groups are autocreated and autonamed
- Matt:
- With Grouper Config, would be nice to have represented as 1st order objects, Each folder becomes a key…..
- Becomes a local entity, use attributes on local entities
- Bust out of overarching group models
- Too much one off etsy loader view
- Chris: A lot of config is private, with separate tables
- Surfacing to the UI is something to consider
- Balance between extremely fine tunable versus easy to use
- Like to err on side of easy to use
- Worked on point in time in database, export / import
- Desire consistent user interface
- Mentioned on wiki: Display extensions in loader jobs
- If Loader should edit those
- Two issues:
- 1. If loader column is group display name and a parent folder display extension changes, should it change that
- 2. If group display extension should change that?
- Chad: Changing parent folder is situational
- For course enrollments, group name might say students,
- If course name changes, you want to capture that
- So you do want to change the folder
- Setting where a loader job can only edit under a certain folder
- How many levels of parent folders can you change names on
- Default to zero, Most likely would be to change to 1
- At some point folder names get hard coded
- Could change folder names
- Matt: generally if it can make sense to do it, should be allowable
- There may be use cases
- Share concern about consequences
- Conversion issues
- When loader job is running, full ID structure must match, talking about when display strings don’t match
- Consequence: If ID changes, and you want to rename the ID, loader can’t do that as is
- Complex to try to support this
- Prefer config not be global, but tied to individual jobs
- Don’t have backwards sweeping decision
- Root model could be valuable, protect root but allow anything under to change
- Just folder extension of grandparent extension can change
- Chris will think about this
- Get incremental loading to work
- Null ID
- Chris started looking into this
- Make incremental work
- Incremental change comes in, uses the event verb (add/remove member), tells the DAO that this translated group or entity structure is added or removed, try to get that to work with LDAP
U Delaware interested in LDAP provisioning use case
- Chris posted that to the list
Chris: Subject source needs to be provisioned, issue with entity, now fixed
Shilen
- Did bug fixes
- Performance testing shows improvement
- Fixed bug around config setup where you don’t delete group but mark it as non conversion-able and delete it manually, it gets recreated, FIXED NOW
- Wait to get incremental testing before doing more load testing
Shilen Question:
- Starting Group sessions and using the Callback
- Has anything changed with that?
- Chris: If something is happening and you call a function that must act as root user or different user, when it goes back, if it is expected ? to be there, it gets hosed?
- What you have should still work
- Could work as a callback
Chad:
- Working on upcoming Grouper training
Matt:
- Trying to get to Grouper 2.5.2
- Dependency changes with OkHttp
- Added 2 back,
- Provisioning framework, what can it provision?
- Can provision groups, entities, memberships, subject attributes, metadata
- Everything is configurable
- If you need to change query
- If not a high volume provisioner
- What about target location?
- If you provision to LDAP
- Capable of arbitrarily producing LDAP objects?
- Shilen: you can replace any class that you want
- Bushy versus flat
- User objects versus groups
- Custom LDAP class
- Shilen: works fine for bushy
- Including object class
- Matt: working on getting files storage outside of database working
- S3 features and Dell’s Isilon
- Not compatible
- Customizable S3 implementation choice?
- Matt: shared file system option could make sense
Chris:
- With monthly deployments, would like script to make web service calls, check to see if Daemons are running, got test credential to IDP, use Selenium https://www.selenium.dev/ to log in and run templates, try LITE UIs
- Need jars for selenium, should those be built into Grouper?
- Browser that Selenium can use.
- Keep it lean.
- Comment: this is needed for the project
- For validation testing
- If this is a GSH template, deploy Grouper, go to this URL, heavyweight status URL
- This necessitates need for a database
- If you spin up a database you have limitations and advantages
- Not talking about CICD
- Talking about after deployment
- CICD could deploy as part of the build
- Talking about different things?
- Before and after deployment
- Validate deployment should be embeddable into a CICD
- Need it to be a mock live system
- Chad: sounds interesting
- Should it be built in or an add on?
- would like it to be a GSH template in Grouper, could be external
- Record a script
- Get session IDs back and cookies you need to parse
- Selenium does that
- Are the selenium libraries shipped so you can do that
- Or is the first step to do setup and then record script?
- Chad: external seems better
- More at ease if not in a database others can access
- AI - Chris - create proof of concept for Selenium testing, possibly with GSH template
- Option to run GSH template, acting as a user, but that only impacts the Grouper session
- Only let trusted people write GSH templates, you must be a sysadmin
- Shilen: over time, with new releases do we anticipate the number of upgrade instructions going up, down, or staying the same?
- Chris: Could go down if we use the upgrade tasks
- Plan is: We support 2 active releases, one that gets upgrades and one that does not (has only security updates)
- Chris: At Penn, upgrade instructions are not the problem, it’s testing, due to version having enhancements, migrating and Custom UI issue. Custom UI attributes, now it has become easier. But it’s a process
- Shilen: At Duke, testing after deployment would not be a big issue, would have been in the test environment for some time. People mention if something is wrong. So deployments are “cheap.” Just need to look at upgrade steps. That takes more time than the deployment
- Some of the deployment tasks/notes are more burdensome than others.
- If you have a stable release and a bleeding edge release, some things should still be pushed off to next stable release
- List: we didn’t change the default behavior we would like to
- Next time we make a branch.
- Perhaps make a new wiki to list things that are not an upgrade step for this version, remember to do it next time
Issue Roundup
Jiras in past two weeks
- GRP-3496: customui azure group id should not be required
- GRP-3495: custom ui should support 100 configs (not 50)
- GRP-3494: error while accessing loader screen as non sysadmin
- GRP-3493: auto-create loader viewer and editor groups
- GRP-3492: alphabetize grouper loader menu
- GRP-3491: log sql statement example and adjustment
- GRP-3490: pspng config in default is not correct
- GRP-3489: status url should work if logged in as some level of admin (not check source IP).
- GRP-3488: Loader Job Group Display Name not updated
- GRP-3487: NPE with grouperProvisioningOutput
- GRP-3486: Grouper Provisioning - non-provisionable groups recreated when not configured to delete
- GRP-3485: Script from gsh export fail with dollar in attribute value
- GRP-3484: grouper will not start with no db tables
- GRP-3483: add option when converting custom ui attributes to config to not delete old attributes
- GRP-3482: fix DN override UI label and description
- GRP-3481: null pointer on gc sync object when provisioning groups
- GRP-3480: subject source should be at top of provisioning screen
- GRP-3479: removing config gives wrong history timestamp
- GRP-3478: grouper has issues starting, maybe not running as root session?
- GRP-3477: Bump duo client library from 0.2.1 -> 0.3.0
Grouper Emails in past two weeks
- [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Baron Fujimoto, 06/04/2021
- Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Shilen Patel, 06/04/2021
- Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Baron Fujimoto, 06/04/2021
- Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Shilen Patel, 06/07/2021
Grouper wiki updates in past two weeks