Attending 

• Chris Hyzer, Penn, Chair
• Shilen Patel, Duke
• Chad Redman, University of North Carolina Chapel Hill
• Carey Black, the Ohio State University
•  Emily Eisbruch, Internet2

New Action Items

• AI  - Chris - create proof of concept for Selenium testing, possibly with GSH template 

 Discussion

Administrivia

• https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
• Approve minutes
• Review AIs  Grouper Project Action Items (Google Doc)
• Agenda bash

Grouper Training June 22-25, 2021

https://www.incommon.org/academy/grouper/

Current Work

Chris

• Working on preparing for  Grouper  Training, June 22-25, along with Chad
• Good enrollment for training
• VMs for training are ready
• Next work - prework modules
• New modules: LDAP Loader, GSH Templates
• Idea of using Workbench in the future for Grouper Trainings

• Chris is upgrading Penn’s Grouper to the latest version 2.5.5.2. 
• Chris creating JIRAs when he finds issues. 
• There is an issue with the LITE UI

Chris working on Loader Privileges

• https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader
• There is a post on Grouper slack about trying to delegate Grouper Loader work
• Loader permissions on wiki 

  Things protected with Grouper Loader

• Misc Loader screen with the UI - we once said this might go away and just use daemon screen, thinking about it
• Readonly loader functions, you see what the query is,
• Read write, where you can configure or add a  loader job
• Sysadmin can do all of the above
  
  
• Two groups related to Loader Privileges in Grouper UI properties

• •   loader viewers  
  •   loader editors
• Groups will be created and empty
• Can be populated.
• Used to be a blank config
• But it is useful not to have to have to figure it out
• Now there is a default for those, can be configured
• Must have view on a group to be able to configure the loader jobs 

•  There are  sysadmin readers and sysadmin viewers
• You can add these groups   if desired
• There is a switch for if    group admins can read loader
• There is also a switch for admins to run loader jobs 
• Chris is setting up test subjects

• Shilen: Currently only sysadmins have access? Or is it based on attribute framework privileges?
• Chris: Could edit the attributes manually, but not get into the Loader screens
• Chris: Like the attribute privileges for the attribute editor
• Don’t want to create issues
• Adding someone to a group is easier than adding attribute privileges

• Comment: From wiki update, it was not clear what was changed
• Chris: Fixed some bug, now View is different, groups are autocreated and autonamed
• Matt:
• With Grouper Config, would be nice to have represented as 1st order objects, Each folder becomes a key…..
• Becomes a local entity, use attributes on local entities
• Bust out of overarching group models
• Too much one off etsy loader view

• Chris: A lot of config is private, with separate tables
• Surfacing to the UI is something to consider
• Balance between extremely fine tunable versus easy to use
• Like to err on side of easy to use
• Worked on point in time in database, export / import
• Desire consistent user interface

• Mentioned on wiki: Display extensions in loader jobs
• If Loader  should   edit those
• Two issues: 
• 1 If loader column is group display name and a parent folder display extension changes, should it change that
• 2. If group display extension should change that? 
• Chad: Changing parent folder is situational
• For course enrollments, group name might say students, 
• If course name changes, you want to capture that
• So you do want to change the folder
• Setting where a loader job can only edit under a certain folder
• How many levels of parent folders can you change names on
• Default to zero, Most likely would be to change to 1
• At some point folder names get hard coded
• Could change folder names 
• Matt: generally if it can make sense to do it, should be allowable
• There may be use cases
• Share concern about consequences
• Conversion issues
• When loader job is running, full ID structure must match, talking about when display strings don’t match
• Consequence: If ID changes, and you want to rename the ID, loader can’t do that as is
• Complex to try to support this
• Prefer config not be global, but tied to individual jobs
• Don’t have backwards sweeping decision
•  Root model could be valuable, protect root but allow anything under to change
• Just folder extension of grandparent extension can change
• Chris will think about this

• Get incremental loading to work
• Null ID
• Chris started looking into this
• Make incremental work
• Incremental change comes in, uses the event verb (add/remove member), tells the DOA that this translated group or entity structure is added or removed , try to get that to work w LDAP

U Delaware  interested in LDAP provisioning use case

• Chris posted that to the list
  
  

Chris: Subject source needs to be provisioned, issue with entity, now fixed

Shilen

• Did bug fixes
• Performance testing shows improvement
• Fixed Bug, around config setup where you don’t delete group but mark it as non conversion-albe and delete it manually, it gets recreated, FIXED NOW

• Wait to get incremental testing before doing more load testing

Shilen Question:

• Starting Group sessions and using the Callback
• Has anything changed with that? 
• Chris: If something is happening and you call  a function that must act as root user or different user, when it goes back, if it is expected ? to be there, it gets hosed? 
• What you have   should still work
• Could work as a callback

Chad:

• Working on upcoming Grouper training 

Matt: 

• Trying to get to Grouper 2.5.2
• Dependency changes with OK HTTP
• Added 2 back, 
• Provisioning framework, what can it provision?
• Can provision groups, entities, memberships, subject attributes, metadata
• Everything is configurable
• If you need to change query 
• If not a high volume provisioner
• What about target location? 
• If you provision to LDAP
• Capable of arbitrarily producing LDAP objects?
• Shilen: you can replace any class that you want
• Bushy versus flat 
• User objects versus groups
• Custom LDAP class
• Shilen: works fine for bushy
• Including object class

• Matt: working on getting files storage outside of database working 
• S3 features and Dell’s Isilon
• Not compatible 
• Customizable S3 implementation choice?
• Matt: shared file system option could make sense

Chris: 

• With monthly deployments, would like  script to make web service calls, check to see if Daemons are running, got test credential to IDP, use selenium https://www.selenium.dev/ to log in and run templates, try LITE UIs, 
• Need jars for selenium, should those be built into Grouper?
• Browser that Selenium can use. 
• Keep it lean.
• Comment: this is needed for the project
• For validation testing
• If this is a GSH template, deploy Grouper, go to this URL, heavyweight status URL
• This necessitates need for a database
• If you spin up a database you have limitations and advantages
• Not talking about CICD
• Talking about after deployment
• CICD could deploy  as part of the build
• Talking about different things?
• Before and after deployment
• Validate deployment should be embeddable into a CICD
• Need it to be a mock live system
• Chad: sounds interesting
• Should it be built in or an add on?
• would like it to be a GSH template in Grouper, could be external
• Record a script
• Get session IDs back and cookies you need to parse
• Selenium does that
• Are the selenium libraries shipped so you can do that
• Or is the first step to do setup and then record script?
• Chad: external seems better
• More at ease if not in a database others can access
• AI  - Chris - create proof of concept for Selenium testing, possibly with GSH template 
• Option to run GSH template, acting as a user, but that only impacts the Grouper session
• Only let trusted people write GSH templates, you must be a sysadmin

• Shilen: over time, with new releases do we anticipate the number of upgrade instructions going up, down, or staying the same?
• Chris: Could go down if we use the upgrade tasks
• Plan is : We support 2 active releases, one that gets upgrades and one that does not (has only security updates)
• Chris: At Penn, upgrade instructions are not the problem, it’s testing, dues to version having enhancements, migrating and Custom UI issue. Custom UI attributes, now it has become easier. But it’s a process 
• Shilen: At Duke, testing after deployment would not be a big issue, would have been in the test environment for some time.  People mention if something is wrong. So deployments are “cheap.”  Just need to look at upgrade steps. That takes more time than the deployment
• Some of the deployment tasks/notes are more burdensome than others. 
• If you have a stable release and a bleeding edge release, some things should still be pushed off to next stable release
• List: we didn’t change the default behavior we would like to
• Next time we make  a branch.
• Perhaps make a new wiki to list things that are not an upgrade step for this version, remember to do it next time 

Issue Roundup 

Jiras in past two weeks

• GRP-3496
  customui azure group id should not be required
• 
  GRP-3495
  custom ui should support 100 configs (not 50)
• 
  GRP-3494
  error while accessing loader screen as non sysadmin
  
  
  GRP-3493
  auto-create loader viewer and editor groups
• 
  GRP-3492
  alphabetize goruper loader menu
• 
  GRP-3491
  log sql statement example and adjustment
• 
  GRP-3490
  pspng config in default is not correct
• 
  GRP-3489
  status url should work if logged in as some level of admin (not check source IP).
• 
  GRP-3488
  Loader Job Group Display Name not updated
• 
  GRP-3487
  NPE with grouperProvisioningOutput
  
  
• 
  GRP-3486
  Grouper Provisioning - non-provisionable groups recreated when not configured to delete
• 
  GRP-3485
  Script from gsh export fail with dollar in attribute value
• 
  GRP-3484
  grouper will not start with no db tables
• 
  GRP-3483
  add option when converting custom ui attributes to config to not delete old attributes
• 
  GRP-3482
  fix DN override UI label and description
• 
  GRP-3481
  null pointer on gc sync object when provisioning groups
  
  .
  GRP-3480
  subject source should be at top of provisioning screen
• 
  GRP-3479
  removing config gives wrong history timestamp
• 
  GRP-3478
  grouper has issues starting, maybe not running as root session?
• 
  GRP-3477
  Bump duo client library from 0.2.1 -> 0.3.0
  
  
  

Grouper Emails in past two weeks

• [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Baron Fujimoto, 06/04/2021

• Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Shilen Patel, 06/04/2021

• Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Baron Fujimoto, 06/04/2021

• Re: [grouper-users] LDAP UnboundID bug? (hardcoded JNDI reference), Shilen Patel, 06/07/2021

Grouper wiki updates in past two weeks

• Grouper - Loader 

• Logging SQL queries in Grouper

• Grouper LDAP provisioner in v2.5 demo2

• How to Setup a lite Grouper Development Environment for Grouper v2.5

• Grouper provisioning strategy

• Grouper Training Environment developer notes

• Grouper Provisioning: PSPNG

• Grouper Duo provisioning (v2.5 provisioning framework)

• Grouper Azure provisioner (new provisioning framework)

• v2.5 Upgrade Instructions from v2.5

• v2.5 Release Notes

• Grouper v2.5 container unit tests

• Grouper diagnostics

• Release steps for new container build

• Requirements from LIGO Project

• Grouper Custom UI

• Grouper custom template via GSH

• Grouper new UI