Child pages
  • 14-Oct-2020
Skip to end of metadata
Go to start of metadata



  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Vivek Sachdiva, independent
  • Emily Eisbruch, Internet2

Intellectual Property reminder:

 Grouper Action Items are here  

New Action Item from this Call

 AI Jeff -   handle this inquiry from Dominque  [grouper-users] PSPNG/messaging: cannot trigger a full sync of a single group when there is an underline character in the provisioner's name?, Dominique Petitpierre, 10/01/2020


  1. Administrivia

Grouper Training

  • Grouper School Oct 13-16, 2020
  • Going well, new format using Canvas with assigned pre work is helpful
  • Most students at least watched the videos
  • Many did the exercises
  • First day of training went well, discussed access policies
  • About 25 participants
  • Getting good questions
  • Consider a subscription model for Grouper Training ? Make LMS training modules when there are new Grouper features, for example with new provisioning approach there will be a lot to explain.
  • Need to replace the old Grouper Training videos on the wiki
  • Canvas is a good tool for explaining Grouper
  • Need to end today’s Grouper call by 12:55pm since training starts at 1pm

Current work tasks, and next tasks

  Vivek – Provisioning

  • Working on logs for provisioners
  • Click on logs
  • Pagination
  • Chris: 
    • will put entries in the log table for full sync and incremental sync
    • Then will put log entry for that
    • Like the config screen
    • With filter at top  and maybe a search box
    • See logs for a particular object
  • Shilen: seems right
  • How much logging will be produced? How many entries and how big are they?
  • Incremental would have an overall summary
  • Full output is several K, if you set it to On
  • If it’s off, you get similar to what’s in the loader log
  • Another screen to look at errors
  • Chad: It’s good to have something more persistent in the database
  • New DDL Scripts
  • DDL uses static scripts now (since last year)
  • Folder w 4 upgrade scripts for each database
  • Grouper used to read script and insert statement
  • Now the scripts will be stand alone  and insert statement is specific to the DDL syntax of each database ,  you can take the script and run it if you want 
  • Insert and update statements are now database specific
  • Shilen: before there was a config to specify upgrades 
  • Chris: that is still there and there are warnings if you don’t turn it on, 
  • Changing how the files worked
  • Looking at the minimum UI for the 1st release of New Provisioner
  • Config the Provisioner
  • Some extra features, like looking at logs

 Chris – Provisioning, training

  • Upgraded to 2.5.35
  • There were issues with full syncs
  • Deleted all the groups in LDAP
  • Fixed that in PSPNG
  • Still issues with slowness
  • Picking out things that are provisionable, was redundant
  • Was not caching decisions
  • Chris making changes to that
  • Full and incremental unit tests for PSP NG
  • Currently  there are shell scripts hard to get running
  • JUNIT is faster
  • Chris has been posting a bit to Slack on the PSP NG changes

  • Also reorganizing the beans in the new provisioning
  • Where the new provisioning framework stores things is important to keep straight
  • So framework knows where to get and store data
  • Data Index is main place where framework keeps objects its working on
  • Two types of indexes, one from Grouper side and one from Target side
  • “Matching ID” to entity wrapper, to group wrapper, membership
  • Still doing some refactoring
  • A bean should only have a handful of things
  •  Should have significant performance improvement
  • Instrumentation to record how long things take… perhaps in the future
  • Don’t use expressions too much, then performance tune later
  • Do we only need provisioned fields on change objects?
  • Ok to keep them on both
  • Framework can assume object is provisioned
  • Can keep that in mind to implement

Shilen – Provisioning

  • Added LDAP tests using new configuration format
  • Updated LDAP DAO
  • Get new config working with the UI
  • Max under 20
  • Look at error handling and DAO
  • If an update is happening and there is a provisioning object change
  • First pass at retry in DAO
  • Shilen will make sure

Chad –Grouper Training and beyond

  • After training will add PSPNG to CI testing
  • Worked on getting Grouper Client  Into CI
  • Currently has errors around cascading properties.
  • Test reading from a file in a more neutral way
  • Can get URL and filename
  • Could Read from /temp
  • Could move to Grouper API and test there
  • For PSP NG, will pull in as a dependency

Issue Roundup

JIRAs created in past 2 weeks

Grouper Emails in past 2 weeks

Grouper Wiki Updates in past 2 weeks

InCommon Group Slack in past 2 weeks

Chris Hyzer I documented some of Penn's Zoom access management with Grouper.  

Erik C trouble with the Custom UI functionality  

Jeffrey C queston on multiple AD's/Azure Tenants that are not connected and provision groups to them based on some requirements. 

Richard F 

 first version of NDSU's Grouper Community Contribution authored and posted to the wiki:  

Carey  Re: Grouper and Postgres  ( Specsheet )

Jeffrey C We have a series of groups that allow someone to be a member of a group that ends in a composite group, we have one user that switched groups and seems to have fallen out of that composite group even though should not have.

I ran the find bad memberships job and it seems to have found them and fixed them, but it found 13 memberships that were bad. I 


Lacey  Is it possible to specify multiple URL’s in the loader ldap.url config (like a primary and failover)? We had an issue where PSPNG appears to have created the same group (GUID) twice in AD and thinking it could have to do with replication, since we are pointing Grouper at a load balancer for the entire pool instead of an individual DC. I would only want to move away from the load balancer URL if we could specify some type of failover in the Grouper configs.

Justin R We are using the failsafe properties for loaders, but have come across a scenario where a set of groups will regularly (weekly) be completely replaced with a new user set.  

Jon M  massive slowdown in processing of our Changelog, and our DBAs sent us this.  

Josh  Running v2.5.35...   trying to override certain native entries, AND add a couple new loggers.  

Josh I am trying to get finer logging on the package because we are getting an error from that package when we try to use Loader options.  

Chris H  discussed with Josh, two things:

Needs groups.wheel.use = true

When overlaying, need to pass in env var: GROUPER_LOG_TO_HOST = false

Josh O  moving from UI to WS config.  Our UI is configured for ShibSP authn, and currently our legacy system is using tomcat auth for all WS Rest calls.

Jeffrey C Do you guys have a good rule of thumb when you should move to loading multiple records into a group via a WS call vs converting to a loader job?  

Chris Hyzer We will have a container env var for tomcat session timeout.   

Sara J  @osreebny is pulling together a team to work on AWS SSO (the product) and Grouper. If you are interested in participating in the discussion, please express your interest here:

Oren  I've had a couple of questions about the scope of the AWS SSO and Grouper discussion.  

Jeffrey C  was thinking about   wondering if that script could have a script on shutdown. 

Lacey Question about the daemon logs for PSPNG in the UI… 

Jeffrey C when running a loader job, does it add members before deleting them?  

Chris Hyzer We are going to take another pass at minor pspng updates to keep everyone running ok with pspng.   

Josh O 

What is the port strategy if running UI and WS in separate containers (as is recommended for production)?  

Andy M 

you need something in front to proxy and map the URLs - such as Apache


I'm running apache inside the containers.  The problem is the docker command to run the containers (which share the same sub-image).   

Scott K 

No, you can have your webproxy just pass the traffic through.


What technology are you using for container orchestration? Docker Swarm? Kubernetes? Docker compose?

Shilen  We let our load balancer map the ports so from the client's end, it's always 443 and the backends can run on different ports.

Erik C 

Does the "Test Query" functionality actually work on the Grouper External Systems feature?  

Richard F 

The Tomcat maintainers would like to move off of the AJP port. So I would just proxy HTTP traffic with mod_proxy_http if you are doing this fresh.


Seeking community input/comments/watches/( up or down) votes for :  GRP-2984

       Allow a configuration option on a Member to alter the subject that is given "Admin" privileges on objects they create. (edited) 


Is there a lightweight method to determine if a group exists with a particular group ID (not UUID, but the:full:stem:groupname)

Chris Hyzer 

Im going to see how long it takes to do some pspng provisioning (with some performance improvements) in my test env.  

Peter St. Onge  10:12 AM

Working through our IS requirements, figured I'd ask if it is common when running the Grouper container to run the internals using a different user than 'tomcat'? (edited) 


Next Grouper Call: Wed. Oct. 28, 2020

  • No labels