Grouper Call 13-June-2018
Attending:
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redmond, UNC
- Carey Black, The Ohio State University
- Vivek Sachdiva, independent
- Emily Eisbruch, Internet2
Action Items: Grouper Project Action Items (Google Doc)
New Action Items
[AI] (Chris) will share his vision of abstraction for provisioning.
[AI] (Shilen) will update the API and UI tarballs with config/installer changes
[AI] (Bert) work on patch for invalid active-directory operations
Discussion
Current work tasks
Vivek
- Deprovisioning: https://spaces.at.internet2.edu/display/Grouper/Grouper+deprovisioning
- Work going well.
Chris
Deprovisioning
Chris working on issue around Custom email subject
Vivek will send names of variables that can be substituted in emails
Variable back to the groups deprovisioning page, for example
There is a list of deprovisioning TO DOs at the bottom of this page: https://spaces.at.internet2.edu/x/ZQlhBg
Idea was that if a user is in the deprov group for 2 weeks, then the user should be locked out, and a warning will be provided if there’s an attempt to add such a deprovisioned user to a group.
Vivek will add dependency related to SCIM
TomEE not picking up certain info correctly
Document possible need to change Log4J Properties
Grouper Home directory can get changed by Grouper Installer
U of Utah experiencing some issues with DDL not matching, could be related to database pointer
Vivek responded to Utah to find out about database being used
also should mention to be sure config files have been copied from previous installation
Chris working on questions from the grouper email lists
Penn looking at integration with Remedy. Looking at two Remedy systems
Basic REST UI
Chris has an implementation for that. Involves copy and paste of what Chris did for Box and DUO.
Trying to come up w abstract classes for provisioner that only talks to the remote system.
Grouper can put it into a change log consumer or messaging listener.
Simple Java Beans, like DTOs
Membership puts them together
Generic to handle multiple cases
Carey: Spring-based model?
Scott Cantor is knowledgeable on Spring approach
No need to compile as a project
Pull in classes dynamically.
Scripting, Groovy based provisioner
Shib IDP, which uses Spring, has scripting features
Abstract class is more restrictive than Spring approach
Spring is open ended
Chris: in past, Grouper project had decided not to add the complexity that comes w Spring, but may want to look again
Can PSPNG do something similar? See PSPNG Abstract Class (createGroup)
Has been used by Bert to implement LDAP, it’s a starting point
Chris will review that
[AI] (Chris) will share his vision of abstraction for provisioning.
Attestation
Can we consider un-attested group empty after a certain period?
Wait for Group disable dates in Grouper 2.5?
But stopgap solution for Grouper 2.4?
Disable all memberships in that group or remove them temporarily?
Or use attributes to keep track of what was done for attestation?
Group is about 100 people, but must be attested
Use Intermediate intersection composite
It’s like include/exclude.
Decision: discuss this again in a month or so
Next Steps
Chris will release Deprovisioning patch and UI patch.
Then focus will be on testing the Grouper 2.4 release.
Bert
PSPNG
Testing and fixing, particularly around full-sync exceptions that are really warnings
Patching for group attributes
Need some more Jexl Utilities
OpenLDAP & scalability of Groups (?)
Does midpoint do a better job maintaining large groups? https://evolveum.com/midpoint/
Issues w OpenLDAP and large groups
389
Bert will consult w Keith Hazelton
Large group is 25K to 250K users
[AI] (Bert) work on patch for invalid active-directory operations
Bert: Gsh & Docker/Cloud: Groovysh & GrouperUI (github)
Shilen
Grouper 2.4 Release
Fixed loader diagnostics
Finding and fixing issues for 2.3 to 2.4 upgrades
There are configs the installer needs to know about. Shilen working on this
[AI] (Shilen) will update the API and UI tarballs with config/installer changes
Copy into master and commit, then make changes
Trace through bin directory / build grouper all
With UI upgrade, it tries to revert files that may not be there.
Asks re force revert. Is this intended behavior?
Perhaps we need to change the revert logic.
If files don’t exist, don’t worry about that
Properties files converted from XML could be confusing.
We should not change properties file formats in a patch in the future
Need to hit enter many times in some cases.
Shilen will add an option for “download/install all”
Chad
Grouper 2.4 Release
Lite UI removal almost ready to go
Rebasing to master
HSQL not finding deprovisioning defname
Chad will email this error to Chris
Put admin UI in legacy folder
Now you can potentially restore from legacy both Admin UI and LITE UI
Could edit the web xml if only one is needed
Integration testing for UI would be good to have in the future
Issue roundup
· Typo in deprovisioning job in config
· When was Grouper born
· Changing subject sources and dealing with legacy sources
· Google apps provisioner change
· GSH library issue
· Loader issue with AD, was this resolved? Need to look again at this
· PSPNG custom user attributes in user search filter (documentation about how to do EL substitutions)
· Loader diagnostics issue - Chris will handle
· COmanage to Grouper, and midpoint to Grouper integrations
· Lafayette member group composite issue (resolved?)
· Assign privileges to account or person, to be discussed on TIER API call today
· SCIM server issues
· Loader jobs cron information, 2nd request for this
· Java8 PSP error major.minor version
· Deprovisioning questions
· Membership start dates on UI, we should add this at some point
· https://bugs.internet2.edu/jira/browse/GRP-1823 null pointer on loader patch
· Disabling recent activity widget
· AD extended attribute anchor
Next Grouper Call : Wed. June 27, 2018