Grouper BOF at 2018 TECH EX in Orlando Tuesday, Oct. 16, 2018
(details to be added from slides)
TIER provides requirements to participants
Roadmap & Scheduling https://spaces.at.internet2.edu/x/_oXd
Plan for Grouper 2.5
Continue low impact improvements to 2.4
Patches for Grouper 2.4
Tag & display Grouper objects with TIER attributes (e.g. what groups mean in UI, how to use them, ability to use existing folder structures for existing Grouper deployments rather than have to use TIER’s)
Improvements for performance
Provisioning managed from UI
Store Configs from DB
(All are encouraged to request specific reports!)
Subject source configs in UI
Group delete dates
Database field for membership notes
“Internal” groups - useful for internal groups that might confuse average users
Removing dependence on some libraries
Lightning talk tomorrow (10/17/2018)
Share your Grouper experience!
Email email@example.com for a Spaces/Wiki account
Progress since 2018 Global Summit
Primarily focusing on Grouper 2.4
Register realm in config
Identify deprov admins per realm
Handle optional deprov of loader jobs
Notify admins of applications where Grouper is read only
See reports of inactive users, including automated messages to relevant admins.
Provisioning to BMC ready
Consolidated UI flavors into single UI
Real time loader with LDAP and SQL
Create structure with a few clicks
Provides config presets, selected with check boxes & drop-downs
Spins up folder structure & permissions based on those inputs. Services can be added in individual folders.
Also allows deprovisioning of users and/or user attributes
(additional details to be added)
Grouper Deployment Guide
Grouper seminars to date
TechEx 2017, Global Summit 2018
Presented at TechEx18 on 10/15
Series of lesson plans, training exercises, and Docker modules.
Organized in lessons series, each building on the other
Training materials are available in Grouper/TIER Training Environment (link to be added later)
Grouper Training Slack channel also available (link to be added later)
Question: With deprovisioning, is it possible to reference & deprovision groups?
Answer: Yes. They’ll need to be readded to system if they rejoin, or join a different group
For groups that have intersections will they be removed from adhoc groups as well?
Answer: They’ll be removed from groups, but may remain in adhoc groups
Additional: There will always be cases where SIS is slow and misses something and ACL may miss as well.
Chris H: I’d like to create self training videos & instructions on spinning up containers.
Real-time loader improvements
Previously only supported SQL jobs
Added support for LDAP jobs (available as 2.4 patch)
Allow changes in LDAP to trigger messages to Grouper
Now returns exit code from Groovy, instead of generic “0” exit code.
Option to immediately exit if script fails.
Can handle subject source failures more gracefully
Show and manage daemon jobs in UI (available as 2.4 patch)
Run jobs now
(additional details to be added later)
Question: LDAP changes - are there specific protocols you’re allowing?
Answer: You’ll have to capture LDAP messages and send to Grouper. Package includes info on how to format messages
Question: Is old job run functionality still present in 2.4 patch?
Follow-up request to allow option to turn off that option in the UI
Reliability - bug fixes, simplification
New test harness
Moving forward with new patches
Trigger FullSync for heavy changelog load
FullSync: More selective
GUI: Config, feedback, control
Documentation on extending PSPNG
Bug fixes & To-dos
Need multi-schema groups
Question: What are these?
Answer: Different LDAP attributes per group schema. Username vs. NetID, etc. When two are present we need to settle on a method for figuring out which one to use.
Need DN-searching and escaping
Legacy UI removal
Removal of Admin and Lite UI
Struts removed, has made security scans easier
Updated most 3rd party libraries in API and UI
WS planned for 2.5
Libraries with changed APIs still need upgrading (e.g. hibernate, etc)
Updated Maven builds to match ant builds
Includes scim-server, pspng
CI builds snapshots, can get Maven repositories now
Now supporting Java 8 and Tomcat 8 (servlet v3.1)
Question: Does latest build have all patches?
Answer: No, but the Grouper installer will add the latest patches
Question: Has anyone found a good way to identify user accounts that have recently moved departments and used a temporary group to handle tasks like removal from groups, addition to new ones, etc.?
Answer: Have heard of someone adding a “former departmental employees” group. Could be intersected with current employees. Seems like a good way to handle those horizontal moves
Follow-up: Intersections might not be granular enough to capture that sort of move though.
At Penn we use org chart to handle affiliation mapping, etc. Have a rule that states a user leaving a folder automagically goes to an admin for review. Provides review of what moves were made, how it impacted the user’s group attributes
Question: With PSP all changes go to single queue. Issue I have is when a huge load of group changes, things get bogged down. Big group changes tend to starve smaller group changes. Does pspng help with that?
Answer: We’re looking at how to get smaller changes out of incremental queue (done asynchronously). Should move big group changes out of the way and allow smaller jobs to be processed as full. Triggers for that are configurable.
Chris H: Will look at roadmap for that
Question: Any chance for changes getting out of order? E.g. later changes beating a provisioning order to processing?
Answer: PSPNG locks changes until earlier job is complete.