Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
- Jeff Williams, University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Items
AI Vivek -- make a JIRA around exporting the Expression Language
AI Shilen make wiki on how to start up LDAP container
AI Shilen add a JIRA for list of all the things that are audited and respond to Jeffrey on Slack
AI Shilen reply to Scott K on Slack re Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI. seemingly randomly we have to reauthenticate (already successfully addressed by others on Slack?)
AI Jeff look at and reply to provisioning question on the email list [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/10/2020
AI Jeff -- reply to gidNumber question on email, referencing properties setting Re: [grouper-users] Is there a way to add the gidNumber attribute to existing
AI Chad reply to building docker image question on email list [grouper-users] git commands for building docker image, Michael Porter, 09/14/2020
AI Chad add a JIRA for someone falls out of active membership plus all grace period groups, send a message and make a way to trace
AI Chris and Chad discuss rules
AI Chris reply to Grouper Users Email question on log4j.properties [grouper-users] New grouper user here, trying to get log4j.properties to update, Michael Porter, 09/10/2020
AI Chris reply to Todd inquiry on slack re added 500 members to a group. I want to be able to export out the IDs for that population.
AI Chris - look at feature Matt requested for provisioner. Split config for “object” from “action/event” to be performed by the provisioner. ( AKA: not “...createGroup = true” but “...group.create = true”) Separate the object and the actions against the object to maybe support a special “action/event” = “*” to mean all. And separate the list of actions for that object into an interface/structure. Should help avoid lots of changes as new objects and/or “action/events” are added later.
DISCUSSION
Grouper Training
- Grouper School Oct 13-16, 2020
- https://www.incommon.org/academy/grouper/
- A virtual class, spanning 4 half days
- Synchronous sessions will be scheduled between 1:00 – 5:00 ET from October 13 – 16
- Chad and Chris doing prep for the Grouper School, will meet on Thurs Sept 17
- Lots to do
- Please encourage enrollment!
Current Issues
- New Grouper Release 2.5.35 https://spaces.at.internet2.edu/display/Grouper/v2.5+Release+Notes
- Shilen replied to Colorado issue/ Marwan and inherited privileges
- Grouper Team: Please help reply to Grouper Slack issues, Chris is focused on provisioning and getting ready for training
Chris – Provisioning, training
- User Attribute use case
- use case at Penn https://spaces.at.internet2.edu/display/Grouper/Grouper+LDAP+provisioner+v2.5+use+case+PA
- AD flat Group memberships
- If membership says group name and subject ID says something else, must translate to DNs before doing membership change
- Cache the DNs in the database
- For Full sync, do refresh
- But with incremental there will be no cached value
- Changed translation approach since last Grouper call
- Using target ID
- Search filters, JEXL based
- Implement switches for “do you want to create entities, do you want to create groups, do you want to delete groups” etc.
- Use configurations to inform provisioner of actions you want it to do
- UI will have a friendly label
- AI Chris - look at feature Matt requested for provisioner. Split config for “object” from “action/event” to be performed by the provisioner. ( AKA: not “...createGroup = true” but “...group.create = true”) Separate the object and the actions against the object to maybe support a special “action/event” = “*” to mean all. And separate the list of actions for that object into an interface/structure. Should help avoid lots of changes as new objects and/or “action/events” are added later.
- Caching issues
- Make cache short lived?
- Description value in downstream system that should flow back (load) to Grouper
- When delta occurs do you want to fix it in one direction or the other
- Right now cache is for primary keys
- Full sync is intended to be run once per day at night
- Could take a lot of memory, at least for large targets
Vivek
- Issue with provisioning service
- A lot of churn in some situations
- Optimized that
- Writing unit tests for provisioning
- 2 kinds of tests
- Integration tests
- Logic is involved
- Tests for functions
- Working on migration script
- Writing a simple utility for attributes migration
- Exporting passwords now not happening
- Expression lang on a password field, will also not be exported
- Everything else will be exported
- Carey: when I have expression language and doing migration from test to prod, will need to put expressions in passwords
- If we show the EL on the UI we may as well export it
- AI Vivek -- make a JIRA around exporting the Expression Language
Shilen – Provisioning
- Fixed Rules issue
- Provisioning work
- Test was working, starting an LDAP container
- Some refactoring has happened
- Will work on this testing again
- LDAP DAO - will work on
- If you make a DAO
- Need a wiki for steps and rules
- AI Shilen make wiki on how to start up LDAP container
- Chris: Get rid of DAO super class?
- For each method in DAO there are many beans
- Problem, as framework uses the DAO interface, if it needs to retrieve one group and only the multi one is implemented… this might translate back to single, so each DAO can list what it implements and framework uses those Identifications to know what is implemented
- With SQL can do multiple batching
- Certain conventions for each method
- Get a timing gate of operations that go to the DAO, at a minute level
- Then call method at end that says what you are calling etc and the framework can keep stats on time spent on each call.
- Must come out with object model being requested
- Shilen: this is helpful
- Chris: Two changes to implement.
- 1. DAO will set booleans about what it’s implementing (I am able to insert groups, etc)
- 2. When provisioner is started and reads config, it can inform the framework about the ability / structure of this provisioning instance
- DAO may be configured not to do some of the things it “can” do
- Overall making good progress and making provisioning easier/ better
- Hoping to get use case working, Chris needs to focus on training, perhaps Shilen and Vivek can get into the code more
Chad – Training
- JIRA to document the CI tests
- RabbitMQ wiki changes for Grouper release 2.5.35
- UNC looking forward to the fix for priv helping looping (wheel)
- Tried the fix on a sample database
- JIRA for some of the calls around object types that get copied, not handled efficiently
- GRP-2952
- When priv checking is improved, things will be better
- Chris: Note: even as an admin creating groups can be slow
- Chad: Might be related to using GSH?
- Chris: Need to test creating a group in new version
- On create and delete group, doing things with attributes??
- Need to make things more efficient
- Checking is not efficient now
Issue Round up
JIRAS
GRP-2955 LdapGroupProvisioner with needsTargetSystemUsers = FALSE does not properly add/delete users in the changelog consumer
GRP-2954 add param for mod_remoteip Scott K issue
GRP-2953 UI for attribute assignments on attributes should "pad" in a column for "Group" to keep the values and columns aligned
Matt
GRP-2952 Improve performance of object types on new stem/group create
GRP-2951 inherited privilege check when creating group errors if subject in group via multiple paths
SHILEN FIXED
GRP-2950 ddl deep check does not add views
GRP-2949 Document current CI tests
GRP-2948 Job history chart should show "incomplete" jobs
Use filter in visualization
GRP-2947 add grouper db config history
GRP-2946 grouper installer installContainer should chmod o+w on logs dir so container can access in certain envs (e.g. windows wsl)
GRP-2945 remove creation of database config l
Grouper User Email List
- [grouper-users] Grouper 2.5.22: LDAP Group/Attribute provisioning, kokumari, 08/26/2020
- Re: [grouper-users] Grouper 2.5.22: LDAP Group/Attribute provisioning, Hyzer, Chris, 09/01/2020
- [grouper-users] 2.5.33 container won't restart, Samuel Harmon, 08/26/2020
- Re: [grouper-users] 2.5.33 container won't restart, Hyzer, Chris, 09/01/2020
- [grouper-users] UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS) error while synching to RAD using grouper 2.3 PSP modifyRequest, Siju Jacob, 09/01/2020
- Re: [grouper-users] CAS Authentication Help, Jonathan Keller, 09/01/2020
- Re: [grouper-users] CAS Authentication Help, Hyzer, Chris, 09/01/2020
J Keller did update here: https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI
- [grouper-users] Struggling with grouper-ui-2.4.33, Francesco Malvezzi, 09/07/2020
- Re: [grouper-users] Struggling with grouper-ui-2.4.33, Francesco Malvezzi, 09/09/2020
- RE: [grouper-users] Struggling with grouper-ui-2.4.33, Black, Carey M., 09/08/2020
- [grouper-users] FW: Come CAMPing - Your invitation to submit a proposal (and/or register), Lomax, Erica, 09/09/2020
- [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/10/2020
- Re: [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/14/2020
AI Jeff will look at Dominique P. Provisioning question on the email list from Sept 10, 2020 [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/10/2020
- [grouper-users] New grouper user here, trying to get log4j.properties to update, Michael Porter, 09/10/2020
AI Chris reply to Grouper Users Email question on log4j.properties
- [grouper-users] git commands for building docker image, Michael Porter, 09/14/2020
AI Chad reply to building docker image question on email list
- Re: [grouper-users] NoSuchMethodError: convertToMultiKey, Yoann Delattre, 09/14/2020
- Re: [grouper-users] NoSuchMethodError: convertToMultiKey, Ben Beecher, 09/14/2020
- [grouper-users] Is there a way to add the gidNumber attribute to existing Active Directory groups using PSPNG, Siju Jacob, 09/15/2020
- RE: [grouper-users] Is there a way to add the gidNumber attribute to existing Active Directory groups using PSPNG, Black, Carey M., 09/15/2020
AI Jeff -- reply to gidNumber question on email, referencing properties setting
- Re: [grouper-users] Is there a way to add the gidNumber attribute to existing Active Directory groups using PSPNG, Dominique Petitpierre, 09/15/2020
- [grouper-users] Global readers on folders unable to create groups, Marwan Shaher, 09/15/2020
AI Shilen reply on folders unable to create groups on email list (DONE)
- [grouper-users] PSPNG: "ArithmeticException: Multiplication overflows a long" in ProgressMonitor, Dominique Petitpierre,
Wait for new provisioner on this
Grouper WIKI updates
Authentication to the Grouper UI (J Keller of UC Davis updated)
Nested groups with provisioning, is that an important use case?
Not sure, possibly LIGO or GA Tech?
Jeff pointed to the PSP code
Grouper Slack
Beverly guidance on setting up application suite access roles in Grouper?
Peter Re entries in grouper_config table; would grouperUi.configurationEditor.sourceIpAddresses need to have all addresses comma separated on a single line, or can this be multivalued?
Carey RE: "Miscellaneous > Daemon jobs > Job history chart"
Does the graph only show "success"/"completed" jobs?
Carey "Registration Open: Internet2 TechEXtra KICKOFF - Oct 6-7".
Emily Please submit proposals related to Grouper for this November event. https://incommon.org/academy/camp-meetings/camp-call-for-participation/
Carey interesting UI issue with deprovisioning.
I have a group that I am being notified about ( for deprovisioning ) that shows me the following when I click on the link.
"Note: there are no deprovisioned entities with memberships or privileges on this group"
And I am getting the emails daily.
Jeffrey We had an odd upgrade issue going from 2.4 to 2.5.33 that didn't happen in any environment other than production last night.
Michael https://evotec.xyz/visually-display-active-directory-nested-group-membership-using-powershell/
Scott using Grouper 2.5.29 via the TAP image. ….
The last remaining piece I need is for the PSPNG to also write the isMemberOf attribute on the group record with the value(s) being the other groups (both direct and indirect) of which the group is a member. How can I do that?
ScottK For the same Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI. seemingly randomly we have to reauthenticate.
AI Shilen reply to Scott K on Slack re Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI. seemingly randomly we have to reauthenticate (already successfully addressed by others on Slack?)
Michael are the grouper group permissions (read, view, update, etc..) exposed as attributes any place? i am having trouble locating them.
ok, i found them defined in grouper_fields table.
Erik How can one control the page rendering of Grouper UI in terms of margins and widths of the columns?
Scott
I have looked at images i2incommon/grouper:2.5.29 and i2incommon/grouper:2.5.33 and I do not see that the Apache HTTP Server mod_remoteip (https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html) is being configured. Could that be added in the future?
Erin early bird rate for Grouper School will be ending on Friday.
Todd loader job that added 500 members to a group. I want to be able to export out the IDs for that population. I can view the audit log and "show extended results" which includes the ID field, but I don't see a way to export that out. Is there an easy way to export out the added population?
AI Chris reply to Todd inquiry on slack re added 500 members to a group. I want to be able to export out the IDs for that population.
Jeffrey, list of all the things that are audited? We have a loader job that was set to disabled. Nobody seems to remember doing that. (For all I know it could have been me). I couldn't find anything in the audit table I don't think.
AI Shilen add a JIRA for list of all the things that are audited and respond to Jeffrey on Slack
Chad I'm looking at a new app to send a message to a queue when someone falls out of active membership plus all grace period groups. Has anyone done something like this?
- Seems like a common use case, the wiki on rules is a bit out of date
- Rule for if someone drops out of a group, take action such as send a message
- Need a rule then clause
- Hard coded to only do certain things
- AI Chad add a JIRA for someone falls out of active membership plus all grace period groups, send a message and make a way to trace
- AI Chris and Chad discuss rules
Zachary Should git PRs be based off of master or GROUPER_2_5_BRANCH? Or is there another preferred way to submit patches?
Zach - is there a setting to make the default 'Show' results 100 instead of 50 on a page?
Jonathan You'd override in grouper-ui.properties or via the DB config for that property set
Peter We're in the process of documenting the upgrade path from 2.2.1 (current prod) to 2.5.29 (current container); we hit a snag when trying to upgrade the database DDL via ./gsh -registry -check and hit this ...
2020-09-11 14:40:12,527: [main] ERROR GrouperDdlEngine.updateDdlIfNeededWithStaticSql(748) - - Grouper ddl object type 'Grouper' has dbVersion: 29 (2.2.1) and java version: 32 (2.5.0)
java.lang.RuntimeException: Cant start this Grouper version against a database before 2.3. Upgrade to 2.3 first!
This appears to mean that we have to also install 2.3.x for this step, is there an alternative?
Erin - Grouper training in October
Bill Grouper v2.5 installation in a production environment. I have successfully installed Grouper v2.5 maturity level 0 with installer; however, this isn’t good enough for a production environment.
Kevin - we successfully integrated Grouper 2.5.29 with our OpenLdap instance using ldaptive libs and SASL EXTERNAL authn over TLS using a pkcs12 keystore if anyone needs that config. Helps to have two ldaptive devs on the team.
Chris - We are proud to announce Grouper v2.5.35 is released.
Next Grouper Call: Sept. 30, 2020