Grouper BOF at 2018 TECH EX in Orlando Tuesday, Oct. 16, 2018
Welcome
Agenda bash
Core Team
(details to be added from slides)
What’s Grouper
Centralized authentication.
TIER provides requirements to participants
Grouper provides
Roadmap & Scheduling https://spaces.at.internet2.edu/x/_oXd
Plan for Grouper 2.5
Support 2.4
Continue low impact improvements to 2.4
Patches for Grouper 2.4
2.4
Tag & display Grouper objects with TIER attributes (e.g. what groups mean in UI, how to use them, ability to use existing folder structures for existing Grouper deployments rather than have to use TIER’s)
Improvements for performance
Provisioning managed from UI
Store Configs from DB
Membership reports
(All are encouraged to request specific reports!)
Simple approvals
Subject source configs in UI
2.5
Group delete dates
Database field for membership notes
“Internal” groups - useful for internal groups that might confuse average users
Removing dependence on some libraries
Community Contributions
Lightning talk tomorrow (10/17/2018)
Share your Grouper experience!
Spaces/Wiki https://spaces.at.internet2.edu/x/RYHn
Email emily@internet2.edu for a Spaces/Wiki account
Join mailing list https://www.internet2.edu/communities-groups/middleware/grouper-working-group/#group-participate
Progress since 2018 Global Summit
Primarily focusing on Grouper 2.4
Added deprovisioning
Register realm in config
Identify deprov admins per realm
Handle optional deprov of loader jobs
Notify admins of applications where Grouper is read only
See reports of inactive users, including automated messages to relevant admins.
Provisioning to BMC ready
Consolidated UI flavors into single UI
Real time loader with LDAP and SQL
Enable loader
Template Wizard
Create structure with a few clicks
Provides config presets, selected with check boxes & drop-downs
Spins up folder structure & permissions based on those inputs. Services can be added in individual folders.
Also allows deprovisioning of users and/or user attributes
(additional details to be added)
Grouper Deployment Guide
Grouper seminars to date
TechEx 2017, Global Summit 2018
Training environment
Presented at TechEx18 on 10/15
Series of lesson plans, training exercises, and Docker modules.
Organized in lessons series, each building on the other
Training materials are available in Grouper/TIER Training Environment (link to be added later)
Grouper Training Slack channel also available (link to be added later)
Question: With deprovisioning is it possible to reference & deprovision groups?
Answer: Yes. They’ll need to be readded to system if they rejoin, or join a different group
For groups that have intersections will they be removed from adhoc groups as well?
Answer: They’ll be removed from groups, but may remain in adhoc groups
Additional: There will always be cases where SIS is slow and misses something and ACL may miss as well.
Chris H: I’d like to create self training videos & instructions on spinning up containers.
2.4 improvements
Real-time loader improvements
Previously only supported SQL jobs
Added support for LDAP jobs (available as 2.4 patch)
Allow changes in LDAP to trigger messages to Grouper
GSH improvements
Now returns exit code from Groovy, instead of generic “0” exit code.
Option to immediately exit if script fails.
Can handle subject source failures more gracefully
Show and manage daemon jobs in UI (available as 2.4 patch)
Enable/disable jobs
Run jobs now
(additional details to be added later)
Question: LDAP changes - are there specific protocols you’re allowing?
Answer: You’ll have to capture LDAP messages and send to Grouper. Package includes info on how to format messages.
Question: Is old job run functionality still present in 2.4 patch?
Answer: Yes.
Follow-up request to allow option to turn off that option in the UI
Grouper Provisioning
Reliability - bug fixes, simplification
PSPNG patches
New test harness
Moving forward with new patches
Quieter
Modularity
PSPNG Roadmap
Performance
Trigger FullSync for heavy changelog load
FullSync: More selective
Rate-Limiting?
GUI: Config, feedback, control
Documentation on extending PSPNG
Bug fixes & To-dos
Need multi-schema groups
Question: What are these?
Answer: Different LDAP attributes per group schema. Username vs. NetID, etc. When two are present we need to settle on a method for figuring out which one to use.
Need DN-searching and escaping
Legacy UI removal
Removal of Admin and Lite UI
Struts removed, has made security scans easier
Library updates
Updated most 3rd party libraries in API and UI
WS planned for 2.5
Libraries with changed APIs still need upgrading (e.g. Hibernate, etc.)
Updated Maven builds to match ant builds
Includes scim-server, pspng
CI builds snapshots, can get Maven repositories now
Now supporting Java 8 and Tomcat 8 (servlet v3.1)
Question: Does latest build have all patches?
Answer: No, but the Grouper installer will add the latest patches
Discussion
Question: Has anyone found a good way to identify user accounts that have recently moved departments and used a temporary group to handle tasks like removal from groups, addition to new ones, etc.?
Answer: Have heard of someone adding a “former departmental employees” group. Could be intersected with current employees. Seems like a good way to handle those horizontal moves
Follow-up: Intersections might not be granular enough to capture that sort of move though.
At Penn we use org chart to handle affiliation mapping, etc. Have a rule that states a user leaving a folder automagically goes to an admin for review. Provides review of what moves were made, how it impacted the user’s group attributes
Question: With PSP all changes go to single queue. Issue I have is when a huge load of group changes, things get bogged down. Big group changes tend to starve smaller group changes. Does pspng help with that?
Answer: We’re looking at how to get smaller changes out of incremental queue (done asynchronously). Should move big group changes out of the way and allow smaller jobs to be processed as full. Triggers for that are configurable.
Chris H: Will look at roadmap for that
Question: Any chance for changes getting out of order? E.g. later changes beating a provisioning order to processing?
Answer: PSPNG locks changes until earlier job is complete.