- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Vivek Sachdeva, independent
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Item from this Call
AI Jeff: handle this inquiry from Dominique: [grouper-users] PSPNG/messaging: cannot trigger a full sync of a single group when there is an underline character in the provisioner's name?, Dominique Petitpierre, 10/01/2020
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
- Grouper School Oct 13-16, 2020
- Going well, new format using Canvas with assigned pre work is helpful
- Most students at least watched the videos
- Many did the exercises
- First day of training went well, discussed access policies
- About 25 participants
- Getting good questions
- Consider a subscription model for Grouper Training? Make LMS training modules when there are new Grouper features; for example, with the new provisioning approach there will be a lot to explain.
- Need to replace the old Grouper Training videos on the wiki
- Canvas is a good tool for explaining Grouper
- Need to end today’s Grouper call by 12:55pm since training starts at 1pm
Current work tasks, and next tasks
Vivek – Provisioning
- Working on logs for provisioners
- Click on logs
- Will put entries in the log table for full sync and incremental sync
- Then will put a log entry for each of those
- Like the config screen
- With filter at top and maybe a search box
- See logs for a particular object
- Shilen: seems right
- How much logging will be produced? How many entries and how big are they?
- Incremental would have an overall summary
- Full output is several K if you set it to On
- If it's off, you get something similar to what's in the loader log
- Another screen to look at errors
- Chad: It’s good to have something more persistent in the database
- New DDL Scripts
- DDL uses static scripts now (since last year)
- Folder w 4 upgrade scripts for each database
- Grouper used to read script and insert statement
- Now the scripts are stand-alone and the insert statements are specific to each database's DDL syntax; you can take the script and run it yourself if you want
- Insert and update statements are now database specific
- Shilen: before there was a config to specify upgrades
- Chris: that is still there, and there are warnings if you don't turn it on
- Changing how the files worked
- Looking at the minimum UI for the 1st release of New Provisioner
- Config the Provisioner
- Some extra features, like looking at logs
Chris – Provisioning, training
- Upgraded to 2.5.35
- There were issues with full syncs
- Deleted all the groups in LDAP
- Fixed that in PSPNG
- Still issues with slowness
- Picking out the things that are provisionable was redundant
- Decisions were not being cached
- Chris making changes to that
- Full and incremental unit tests for PSPNG
- Currently there are shell scripts that are hard to get running
- JUnit is faster
- Chris has been posting a bit to Slack on the PSPNG changes
- Also reorganizing the beans in the new provisioning
- Where the new provisioning framework stores things is important to keep straight
- So framework knows where to get and store data
- The data index is the main place where the framework keeps the objects it is working on
- Two types of indexes, one from the Grouper side and one from the target side
- "Matching ID" maps to entity wrapper, to group wrapper, to membership
- Still doing some refactoring
- A bean should only have a handful of things
- Should have significant performance improvement
- Instrumentation to record how long things take: perhaps in the future
- Don't use expressions too much; performance tune later
- Do we only need provisioned fields on change objects?
- Ok to keep them on both
- Framework can assume object is provisioned
- Can keep that in mind to implement
Shilen – Provisioning
- Added LDAP tests using new configuration format
- Updated LDAP DAO
- Get new config working with the UI
- Max under 20
- Look at error handling and DAO
- Handle the case where an update is happening and there is a provisioning object change
- First pass at retry in the DAO
- Shilen will make sure of this
Chad – Grouper Training and beyond
- After training will add PSPNG to CI testing
- Worked on getting Grouper Client into CI
- Currently has errors around cascading properties
- Test reading from a file in a more neutral way
- Can get URL and filename
- Could read from /temp
- Could move to the Grouper API and test there
- For PSPNG, will pull it in as a dependency
JIRAs created in past 2 weeks
Visualization for Privileges
pspng change log should not run during full sync on same jvm for 10 minutes
- Clearing cache and issue around incremental
Fix database test connection
Allow a configuration option on a Member to alter the subject that is given "Admin" privileges on objects they create.
- Someone has only CREATE but not ADMIN; the request is to remove the individual and put ADMIN on instead
pspng finds all attributes of groups and stems and doesn't need to
remove an admin and click around, get temporary attribute error for a couple minutes
- Problem with inherited privileges: they run as the user who created them. If I remove myself, things may not run. Need an upgrade task to look for inherited privileges and change the ACT AS. Hope to get this in the next release.
pspng insert update delete count doesn't work
NPE in LDAP loader when extra attribute not found - Chad: it returns an empty list; throw an exception
pspng error when deleting folder - this was a bad bug
make composite minus arrows accessible
allow status diagnostic types to be specified by url and not param
- Chad: the diagnostic status page looks outdated; loader jobs that have not run in 24 hours always return an error
- Can adjust this
- Look at schedule of jobs
- Cron parser
- UNC has large number of loader jobs
- Many possible combinations of containers
tomcat kicks users out after 30 minutes
add option for daemon screen to not refresh
tomcat auth in ui-ws container for ws and not ui does not work
custom ui accidentally hides underlying exceptions
grouper loader tab when no admin group gives stack
daemons should have descriptive comments
Loader exemption to fail-safe (Justin)
Grouper Emails in past 2 weeks
- Re: [grouper-users] RegistrySubjectAttribute.addOrUpdate throws exception on change, Michael Porter, 10/01/2020
- [grouper-users] PSPNG/messaging: cannot trigger a full sync of a single group when there is an underline character in the provisioner's name?, Dominique Petitpierre, 10/01/2020
- Jeff AI: handle this inquiry from Dominique: [grouper-users] PSPNG/messaging: cannot trigger a full sync of a single group when there is an underline character in the provisioner's name?, Dominique Petitpierre, 10/01/2020
- Re: [grouper-users] PSPNG/messaging: cannot trigger a full sync of a single group when there is an underline character in the provisioner's name?, Dominique Petitpierre, 10/01/2020
- [grouper-users] ServiceNow integration, Keith B. Martin, 10/12/2020
- RE: [grouper-users] ServiceNow integration, David Langenberg, 10/12/2020
Grouper Wiki Updates in past 2 weeks
InCommon Group Slack in past 2 weeks
Chris Hyzer I documented some of Penn's Zoom access management with Grouper.
Erik C trouble with the Custom UI functionality
Jeffrey C question on multiple ADs/Azure Tenants that are not connected and provisioning groups to them based on some requirements.
first version of NDSU's Grouper Community Contribution authored and posted to the wiki:
Carey Re: Grouper and Postgres ( Specsheet )
Jeffrey C We have a series of groups that allow someone to be a member of a group that ends in a composite group, we have one user that switched groups and seems to have fallen out of that composite group even though should not have.
I ran the find bad memberships job and it seems to have found them and fixed them, but it found 13 memberships that were bad. I
Lacey Is it possible to specify multiple URLs in the loader ldap.url config (like a primary and failover)? We had an issue where PSPNG appears to have created the same group (GUID) twice in AD and thinking it could have to do with replication, since we are pointing Grouper at a load balancer for the entire pool instead of an individual DC. I would only want to move away from the load balancer URL if we could specify some type of failover in the Grouper configs.
Justin R We are using the failsafe properties for loaders, but have come across a scenario where a set of groups will regularly (weekly) be completely replaced with a new user set.
Jon M massive slowdown in processing of our Changelog, and our DBAs sent us this.
Josh Running v2.5.35... trying to override certain native log4j.properties entries, AND add a couple new loggers.
Josh I am trying to get finer logging on the log4j.logger.edu.internet2.middleware.grouper.grouperUi.serviceLogic package because we are getting an error from that package when we try to use Loader options.
Chris H discussed with Josh, two things:
Needs grouper.properties: groups.wheel.use = true
When overlaying log4j.properties, need to pass in env var: GROUPER_LOG_TO_HOST = false
Josh O moving from UI to WS config. Our UI is configured for ShibSP authn, and currently our legacy system is using tomcat auth for all WS Rest calls.
Jeffrey C Do you guys have a good rule of thumb when you should move to loading multiple records into a group via a WS call vs converting to a loader job?
Chris Hyzer We will have a container env var for tomcat session timeout.
Sara J @osreebny is pulling together a team to work on AWS SSO (the product) and Grouper. If you are interested in participating in the discussion, please express your interest here: https://forms.gle/bN4fdqobLuXB6fzK7
Oren I've had a couple of questions about the scope of the AWS SSO and Grouper discussion.
Jeffrey C was thinking about https://spaces.at.internet2.edu/display/Grouper/Grouper+v2.5+customize+container+config+files wondering if that script could have a script on shutdown.
Lacey Question about the daemon logs for PSPNG in the UI…
Jeffrey C when running a loader job, does it add members before deleting them?
Chris Hyzer We are going to take another pass at minor pspng updates to keep everyone running ok with pspng.
What is the port strategy if running UI and WS in separate containers (as is recommended for production)?
you need something in front to proxy and map the URLs - such as Apache
I'm running apache inside the containers. The problem is the docker command to run the containers (which share the same sub-image).
No, you can have your webproxy just pass the traffic through.
What technology are you using for container orchestration? Docker Swarm? Kubernetes? Docker compose?
Shilen We let our load balancer map the ports so from the client's end, it's always 443 and the backends can run on different ports.
Does the "Test Query" functionality actually work on the Grouper External Systems feature?
The Tomcat maintainers would like to move off of the AJP port. So I would just proxy HTTP traffic with mod_proxy_http if you are doing this fresh.
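As an added illustration of the proxy-in-front approach described in this exchange (not a configuration from the Grouper project or from anyone on the call), the Apache vhost below maps the UI and WS context paths onto a single 443 listener while each backend container runs on its own port. The container hostnames, ports and certificate paths are assumptions; the /grouper and /grouper-ws context paths are the standard Grouper ones.

```apache
# Added example: Apache httpd reverse proxy in front of separate UI and WS
# containers. Assumed: UI container listens on 8080, WS container on 8081,
# hostnames ui-container / ws-container resolvable from the proxy host.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so
LoadModule ssl_module         modules/mod_ssl.so

<VirtualHost *:443>
    ServerName grouper.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/grouper.example.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/grouper.example.edu.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Keep the external Host header so redirects from Tomcat stay on the public name.
    ProxyPreserveHost On
    # Tell the backends the client connection was TLS (useful for secure-cookie and
    # redirect handling when Tomcat itself only speaks plain HTTP).
    RequestHeader set X-Forwarded-Proto "https"

    # UI container: plain HTTP to the backend, as suggested in place of AJP.
    ProxyPass        /grouper    http://ui-container:8080/grouper
    ProxyPassReverse /grouper    http://ui-container:8080/grouper

    # WS container: a different backend port, invisible to clients.
    ProxyPass        /grouper-ws http://ws-container:8081/grouper-ws
    ProxyPassReverse /grouper-ws http://ws-container:8081/grouper-ws
</VirtualHost>
```

Authentication still happens behind the proxy: the UI path is protected by whatever the UI container runs (e.g. a Shibboleth SP) and the WS path by the container's own Tomcat auth, so the proxy only needs to pass traffic through.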
Seeking community input/comments/watches/( up or down) votes for : GRP-2984
Allow a configuration option on a Member to alter the subject that is given "Admin" privileges on objects they create.
Is there a lightweight method to determine if a group exists with a particular group ID (not UUID, but the:full:stem:groupname)
I'm going to see how long it takes to do some pspng provisioning (with some performance improvements) in my test env.
Peter St. Onge Working through our IS requirements, figured I'd ask if it is common when running the Grouper container to run the internals using a different user than 'tomcat'?
Next Grouper Call: Wed. Oct. 28, 2020