
  

Click here for Grouper BOF slides 

Grouper BOF at 2018 TECH EX in Orlando, Tuesday, Oct. 16, 2018

  • Welcome

  • Agenda bash

  • Core Team

    • (details to be added from slides)

  • What’s Grouper

    • Centralized authentication.

    • TIER provides requirements to participants

    • Grouper provides

  • Roadmap & Scheduling  https://spaces.at.internet2.edu/x/_oXd

    • Plan for Grouper 2.5

    • Support 2.4

    • Continue low impact improvements to 2.4

    • Patches for Grouper 2.4

    • 2.4

      • Tag & display Grouper objects with TIER attributes (e.g., what groups mean in UI, how to use them, ability to use existing folder structures for existing Grouper deployments rather than have to use TIER’s)

      • Improvements for performance

      • Provisioning managed from UI

      • Store Configs from DB

      • Membership reports

        • (All are encouraged to request specific reports!)

    • Simple approvals

    • Subject source configs in UI

    • 2.5

      • Group delete dates

      • Database field for membership notes

      • “Internal” groups - useful for internal groups that might confuse average users

      • Removing dependence on some libraries

  • Community Contributions

  • Progress since 2018 Global Summit

    • Primarily focusing on Grouper 2.4

      • Added deprovisioning

        • Register realm in config

        • Identify deprov admins per realm

        • Handle optional deprov of loader jobs

        • Notify admins of applications where Grouper is read only

        • See reports of inactive users, including automated messages to relevant admins.

        • Provisioning to BMC ready

      • Consolidated UI flavors into single UI

      • Real time loader with LDAP and SQL

      • Enable loader

      • Template Wizard

        • Create structure with a few clicks

        • Provides config presets, selected with check boxes & drop-downs

        • Spins up folder structure & permissions based on those inputs. Services can be added in individual folders.

        • Also allows deprovisioning of users and/or user attributes

      • (additional details to be added)

    • Grouper Deployment Guide

      • Grouper seminars to date

        • TechEx 2017, Global Summit 2018

      • Training environment

        • Presented at TechEx18 on 10/15

        • Series of lesson plans, training exercises, and Docker modules.

        • Organized in lessons series, each building on the other

        • Training materials are available in Grouper/TIER Training Environment (link to be added later)

        • Grouper Training Slack channel also available (link to be added later)

      • Question: With deprovisioning, is it possible to reference & deprovision groups?

        • Answer: Yes. They’ll need to be readded to system if they rejoin, or join a different group

      • For groups that have intersections will they be removed from adhoc groups as well?

        • Answer: They’ll be removed from groups, but may remain in adhoc groups

        • Additional: There will always be cases where SIS is slow and misses something and ACL may miss as well.

      • Chris H: I’d like to create self training videos & instructions on spinning up containers.

  • 2.4 improvements

    • Real-time loader improvements

      • Previously only supported SQL jobs

      • Added support for LDAP jobs (available as 2.4 patch)

      • Allow changes in LDAP to trigger messages to Grouper

    • GSH improvements

      • Now returns exit code from Groovy, instead of generic “0” exit code.

      • Option to immediately exit if script fails.

      • Can handle subject source failures more gracefully

      • Show and manage daemon jobs in UI (available as 2.4 patch)

        • Enable/disable jobs

        • Run jobs now

        • (additional details to be added later)

    • Question: LDAP changes - are there specific protocols you’re allowing?

      • Answer: You’ll have to capture LDAP messages and send to Grouper. Package includes info on how to format messages

    • Question: Is old job run functionality still present in 2.4 patch?

      • Answer: Yes.

      • Follow-up request to allow option to turn off that option in the UI

  • Grouper Provisioning

    • Reliability - bug fixes, simplification

      • PSPNG patches

      • New test harness

      • Moving forward with new patches

    • Quieter

    • Modularity

    • PSPNG Roadmap

      • Performance

        • Trigger FullSync for heavy changelog load

      • FullSync: More selective

        • Rate-Limiting?

        • GUI: Config, feedback, control

      • Documentation on extending PSPNG

      • Bug fixes & To-dos

        • Need multi-schema groups

          • Question: What are these?

          • Answer: Different LDAP attributes per group schema. Username vs. NetID, etc. When two are present we need to settle on a method for figuring out which one to use.

        • Need DN-searching and escaping

    • Legacy UI removal

      • Removal of Admin and Lite UI

        • Struts removed, has made security scans easier

    • Library updates

      • Updated most 3rd party libraries in API and UI

        • WS planned for 2.5

        • Libraries with changed APIs still need upgrading (e.g. hibernate, etc)

      • Updated Maven builds to match ant builds

        • Includes scim-server, pspng

        • CI builds snapshots, can get Maven repositories now

      • Now supporting Java 8 and Tomcat 8 (servlet v3.1)

    • Question: Does latest build have all patches?

      • Answer: No, but the Grouper installer will add the latest patches

  • Discussion

    • Question: Has anyone found a good way to identify user accounts that have recently moved departments and used a temporary group to handle tasks like removal from groups, addition to new ones, etc.?

      • Answer: Have heard of someone adding a “former departmental employees” group. Could be intersected with current employees. Seems like a good way to handle those horizontal moves

      • Follow-up: Intersections might not be granular enough to capture that sort of move though.

      • At Penn we use org chart to handle affiliation mapping, etc. Have a rule that states a user leaving a folder automagically goes to an admin for review. Provides review of what moves were made, how it impacted the user’s group attributes

    • Question: With PSP all changes go to a single queue. The issue I have is that when there is a huge load of group changes, things get bogged down. Big group changes tend to starve smaller group changes. Does PSPNG help with that?

      • Answer: We’re looking at how to get smaller changes out of incremental queue (done asynchronously). Should move big group changes out of the way and allow smaller jobs to be processed as full. Triggers for that are configurable.

      • Chris H: Will look at roadmap for that

    • Question: Any chance for changes getting out of order? E.g. later changes beating a provisioning order to processing?

      • Answer: PSPNG locks changes until earlier job is complete.
