  • 15-April-2020
  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Jeff Williams, University of North Carolina Greensboro
  • Vivek Sachdiva, independent
  • Bill Thompson, Lafayette College
  • Matt Wolfley, Unicon
  • Emily Eisbruch, Internet2

  Action Items

 Grouper Action Items are here  


  • AI Chad create wiki doc on using Docker Compose, start this in Grouper Developer wiki area
  • AI Chris document newlines in morph string at  newline 


  • Approve minutes
  • Agenda bash

Grouper 2.5 Release 

Grouper School Moved to Online June 2-3, 2020

Grouper 2.5 Release and what we’ve been working on

Grouper Roadmap


    • Worked on 2.4 and 2.5 container
    • 2.5 container is cleaner to work with 
    • Docker compose
    • Test specific set of things
    • Spin up a blank database and Docker compose
    • GSH into it to start it up
    • In 2.5 maybe start daemon and it will work well
    • Test proxy settings for Grouper Azure
    • Proxy container could access Internet
    • Can take containers down, fix and spin back up again
    • Not a lot of juggling
    • Have Level 0, making an adjustment and restarting is easy

    • Azure provisioner works well in Grouper 2.4 and Grouper 2.5
    • Will have base files in Jar soon, new container in about a week

  • AI Chad create wiki doc on using Docker Compose, start this in Grouper Developer wiki area 
  • Focus on how to test Azure in 2.4 and 2.5
  • Issue around tracing thru a debugger
  • Running integration tests now
  • Next task for Chad, work on AIs, then reach out to Chris


  • Got 2.5 Container running locally, worked
  • GTE upgrade - Grouper Training Environment


  • Grouper External systems (LDAPs, databases)
  • Mail is slightly different case
  • O365, DUO, Box will be externalized
  • Using config ID as glue
  • This is a 1st step to getting provisioning working well
  • Each external system can have a validate method
  • There will be a test method, can be implemented for external system
  • Can do a compare or search
  • Can find a group or find an object
  • So you know it works
  • Metadata in config files to drive the config in the database
  • Trying to put as much in there as we can
  • Value type if it’s a string, etc
  • New UIs can reuse components
  • Similar validations
  • Using generic screens
    • See Subclass of Grouper External system screen
  • Issue of saving to database… not everyone wants config saved in database
  • Orderings will get fixed
  • Configuration in database will help with using Wizards

  • Organize by things global and things that are admin tasks
  • Wheel admins see some items others don’t see
  • Did not want a sub page for now
  • There is an edit screen
  • Give me all the attributes… build HTML
  • Some values from property files
  • Merge to get final attributes
  • Expression languages can be turned into a text field
  • Adding password, Java can read value
  • There will be hide/show wizardy things

  • Chad : Question on renamed, passing in from changelog engine, could only have one provisioner called o365, now you can have multiple, 
  • Can add  another config attribute for config ID
  • Busy work of externalizing things into labels
  • Need Grouper 2.5 for the wizard

  • Carey: pulling some items to different tree in property settings?
  • Will there be a single registry problem ?
  • Difficult to have multiple versions
  • Each external system has method to say what uses it (optional field)

  • Shilen: how will it be communicated that something is disabled?
  • Each external provisioner should have isenabled if possible
  • UsedBy will be helpful

  • Bill: move from Grouper toolkit to product where community makes more decisions on how the product functions benefits the community
  • Exporting config out of database, or providing guidance to deployers about best practices around production changes is helpful
  • Q: is the default that database config overrides local?
    A: yes, but can be changed
  • You can add your own override properties to hierarchy in grouper properties

Jeff W

  • UNCG will upgrade to 2.5. 
    Hope to update to Grouper 2.5 in Q4 2020 or in 2021, working on onboarding Azure provisioner


    • Duke interested in Azure provisioner
    • Shilen created code for that
    • Can add onto Chad’s work on Azure
    • Roadmap items (Grouper catching up to Shilen at Duke)

    • Opportunity to upgrade  Duke to Grouper 2.5
    • Doing testing for that upgrade

  • AI Chris will document newlines in morph string at  newline 
  •  Using external file?
  • Need switch?  Make change where flag defaults to not use newline
  • Ldap Dao , separate from Grouper… Merge into master?

USDU changes

  • leaning towards getting rid of existing Daemon
  • Could be a rename 
  • Subject Daemon
  • Subject resolving
  • USDU name is in several places, will be inconvenient to change
  • Update member table
  • It’s a provisioning thing 
  • New provisioner tables that have word “sync” in them
  • Opportunity to cache 4 things, on grouper side or target side
  • For provisioning , to link a subject in group w subject in external system
  • Must do something w subject API attributes
  • Concatenate
  • Change log consumer or full sync, having to get all subjects each time is burden
  • Cache scriptlet , put in sync table for provisioner
  • Full sync every night based on this daemon
  • USDU util is going to resolve all the subjects, get them ready, and make updates
  • Will happen in batches
  • Now provisioner can use the cache value
  • This is the 1st step

  • At OSU there is a type of identity or account for priv access , different username, but might need both usernames,
    There are local accounts in the provisioning system, independent subjects in Grouper
  • Subject ID sprawl
  • Conventions for this?
  • UNCG has similar situation, they come across as different subjects, not have to resort to running GSH scripts to relate a person’s admin account to their primary account
  • Duke: handle same way, use single name space, any staff can request any number of service accounts, some more formal than others, some have a convention for the name.  Deprovisioning… all accounts.
  • PENN: KEDM accounts, for DUO, check for linked, sets aliases
  • Are these admin IDs (accounts) in the IdM system, in same namespace? At UNCG yes, don’t treat them in a special way.  Constrained to primary accounts, 
  • Linking accounts would be interesting
  • Bill T: Privileged account and access management is a class of software products: usually accomplished in 2 ways, Guests get admin or priv account in regular Lafayette person namespace OR in other cases it’s handled in local basis. Has not been a major pain point, since cases for this are usually small.
  • Chris: Issue of what is a subject? A person ? or an account / credential ?  Worth exploring
  • Chad: UNC , import subjects from LDAP,  in AD there are ? accounts that hopefully correspond to someone in LDAP,  try to reconcile, in loader job you can reference EL utils, and convert to usable subject ID. Can be subject identifiers
  • Chris: Penn uses subject identifiers, uses DUO 
  • Carey: identifiers for subject on a given system -- could be more than one, using multiple subject sources, 
  • There is a need
  • Difference between identity and account
  • Need policy for an identifier of  a subject

  • Resolve member project? Batching project not important

  • Change daemon so it resolves everybody
  • Needs to download every subject, resolve it
  • Update member table if needed

Chris Hyzer:

  • Using Maturity level 1
  • Penn has maturity level 3
  • Plan is for new container every 2 weeks 

Issue Roundup


  • Tommy D - installation issues - need a data source for subjects first
  • Chris talking w Tommy about this, setting up a subject source is challenging
  • Wizard in the UI , if it breaks do diagnostics from command line
  • Michael G: as I consider switching to DB config for grouper 2.5… I just went to view my config in the UI and was told I don’t have access due to an IP address change (C-19 is causing all sorts of networking changes). If I were switched over to a DB config - how would I fix this problem?
    • Put in grouper UI config file
    • Shilen  : trust authentication is doing the right thing
    • Depends if you have MFA enabled, if you trust your authentication stack, might want to limit in some way
    • DECISION: leave it as is for now, later can change the default, it’s now on for the configuration 

  •   Michael G - Tomcat Auth question , all set now
  •  Scott K between MariaDB and PostgreSQL, Grouper is more often deployed using MariaDB
  • Seems Postgres is best database for Grouper, updated wiki to say Postgres is preferred, can use SQL Server for some parts
  • Around performance, remember some campuses can’t always go ask your DBA
  • BillT: Grouper project can state we can assure better performance if you use Postgres. This would reduce burden on the Grouper core team.
    Chris: Agree, and will be helpful to state suggested postgres settings, need to think about how to get to those recommendations
  •   Brett - our AD folk assert that the AD Sync tool up to Azure AD can only handle groups with members of 50k or less. Sooooo, they've asked me if there's an easy way to split a group into smaller chunks

  • Good idea for self attestation
  • Carey - I want to set an expire date on a membership. Send an email to the member ( n days before it expires) and force them to click a link to keep the membership. ( Basically extending the membership expiration date by some interval when they login and click the link. ) Another variant might be to hook the login event and do the same kind of things
  • Chad - slashroot is now going to /opt/grouper/slashRoot? What is going to root then?
  • Chris Hyzer - do we want to keep /opt/grouper/conf and /opt/grouper/lib
  • Andy Morgan - We are looking forward to v2.5.  We just upgraded to v2.4, expect to upgrade to v2.5 in the next month or two.
  • Ryan R - installation issues, will grab newer
  • Chris Hyzer - default max memory is set in the Grouper container, or other default java switches that grouper uses,

  • J Crawford - Is there a way to make the UI default to filter on direct memberships? Some of our groups are really huge and it takes a long time to load but they only have a few source groups
  • Is there a way to have a loader job "delay" removing an account if it was added in the last x days?
  • Babb - upgraded to 2.4 last week and have had some new performance problems pop up with web services. UPDATE FROM BABB: proved to be a hibernate configuration issue from something carried over from long ago in our environment. 2.4 is otherwise performing excellent!
  • Peter St Onge - Shouldn't a full sync clear these


Grouper Users list

Next Grouper Call: Wed. April 29, 2020 

