  • 16-Sept-2020

 

Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams - University of North Carolina Greensboro

  • Emily Eisbruch, Internet2


Intellectual Property reminder: http://www.internet2.edu/membership/ip.html

 Grouper Action Items are here  

New Action Items

 AI Vivek -- make a JIRA around exporting the Expression Language   

AI Shilen make wiki on how to start up LDAP container 

AI Shilen add a JIRA for list of all the things that are audited  and respond to Jeffrey on Slack

AI Shilen reply to Scott K on Slack re  Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI.   seemingly randomly we have to reauthenticate   (already successfully addressed by others on Slack?) 

AI Jeff look at and reply to provisioning question on the email list  [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/10/2020

AI Jeff -- reply to gidNumber question on email, referencing properties setting Re: [grouper-users] Is there a way to add the gidNumber attribute to existing

AI Chad reply to building docker image question on email list  [grouper-users] git commands for building docker image, Michael Porter, 09/14/2020

AI Chad add a JIRA for someone falls out of active membership plus all grace period groups, send a message and make a way to trace

AI Chris and Chad discuss rules 

AI Chris reply to Grouper Users Email question on log4j.properties [grouper-users] New grouper user here, trying to get log4j.properties to update, Michael Porter, 09/10/202

AI  Chris reply to Todd inquiry on slack re added 500 members to a group.  I want to be able to export out the IDs for that population. 


AI Chris - look at feature Matt requested for provisioner. Split config for “object” from “action/event” to be performed by the provisioner. ( AKA: not “...createGroup = true” but “...group.create = true”) Separate the object and the actions against the object to maybe support a special “action/event” = “*” to mean all. And separate the list of actions for that object into an interface/structure. Should help avoid lots of changes as new objects and/or “action/events” are added later.


DISCUSSION

Grouper Training

  • Grouper School Oct 13-16, 2020
  • https://www.incommon.org/academy/grouper/
  • A virtual class, spanning 4 half days  
  • Synchronous sessions will be scheduled between 1:00 – 5:00 ET from October 13 – 16
  • Chad and Chris doing prep for the Grouper School, will meet on Thurs Sept 17
  • Lots to do 
  • Please encourage enrollment!

Current Issues


Chris – Provisioning, training


  • User Attribute use case
  • use case at Penn https://spaces.at.internet2.edu/display/Grouper/Grouper+LDAP+provisioner+v2.5+use+case+PA
  • AD flat Group memberships
  • If membership says group name and subject ID says something else, must translate to DNs before doing membership change
  • Cache the DNs in the database
  • For Full sync, do refresh
  • But with incremental there will be no cached value
  • Changed translation  approach since last Grouper call
  • Using target ID
  • Search filters, JEXL based
  • Implement switches for “do you want to create entities, do you want to create groups, do you want to delete groups” etc.
  • Use configurations to inform provisioner of actions you want it to do
  • UI will have a friendly label
  • AI Chris - look at feature Matt requested for provisioner. Split config for “object” from “action/event” to be performed by the provisioner. ( AKA: not “...createGroup = true” but “...group.create = true”) Separate the object and the actions against the object to maybe support a special “action/event” = “*” to mean all. And separate the list of actions for that object into an interface/structure. Should help avoid lots of changes as new objects and/or “action/events” are added later.
  • Caching issues
  • Make cache short lived?
  • Description value in downstream system that should flow back (load) to Grouper 
  • When delta occurs do you want to fix it in one direction or the other
  • Right now cache is for primary keys
  • Full sync is intended to be run once per day at night
  • Could take a lot of memory, at least for large targets

Vivek

  • Issue w provisioning service
  • A lot of churn in some situations
  • Optimized that
  • Writing unit tests for provisioning
  • 2 kinds of tests
  • Integration tests
  • Logic is involved
  • Tests for functions
  • Working on migration script 
  • Writing a simple utility for attributes migration

  • Exporting passwords now not happening
  • Expression language on a password field will also not be exported
  • Everything else will be exported
  • Carey: when I have expression language and doing migration from test to prod, will need to put   expressions in passwords  
  • If we show the EL on the UI we may as well export it
  • AI Vivek -- make a JIRA around exporting the Expression Language   


Shilen – Provisioning

  • Fixed Rules issue 
  • Provisioning work
  • Test was working, starting an LDAP container
  • Some refactoring has happened
  • Will work on this testing again
  • LDAP DAO - will work on 
  • If you make a DAO
  • Need a wiki for steps and rules
  • AI Shilen make wiki on how to start up LDAP container 
  • Chris: Get rid of DAO super class? 
  • For each method in DAO there are many beans
  • Problem: as the framework uses the DAO interface, if it needs to retrieve one group and only the multi one is implemented… this might translate back to single, so each DAO can list what it implements and the framework uses those identifications to know what is implemented
  • With SQL can do multiple batching
  • Certain conventions for each method
  • Get a timing gate of operations that go to the DAO, at a minute level
  • Then call method at end that says what you are calling etc and the framework can keep stats on time spent on each call. 
  • Must come out with object model being requested
  • Shilen: this is helpful
  • Chris: Two changes to implement.
    • 1. DAO will set booleans about what it’s implementing (I am able to insert groups, etc)
    • 2. When provisioner is started and reads config, it can inform the framework about the ability / structure of this provisioning instance
  • DAO may be configured not to do some of the things it “can” do
  • Overall making good progress and making provisioning easier/ better
  • Hoping to get use case working, Chris needs to focus on training, perhaps Shilen and Vivek can get into the code more

Chad – Training

  • JIRA to document the CI tests
  • RabbitMQ wiki changes for Grouper release 2.5.35
  • UNC looking forward to the fix for priv helping looping  (wheel)
  • Tried the fix on a sample database
  •   JIRA for some of the calls around object types that get copied, not handled efficiently
  • GRP-2952
  • When  priv checking is improved, things will be better

  • Chris: Note: even as an admin creating groups can be slow
  • Chad: Might be related to using GSH?

  • Chris: Need to test creating a group in new version
  • On create and delete group, doing things with attributes?? 
  • Need to make things more efficient
  • Checking is not efficient now


Issue Round up


JIRAS

GRP-2955 LdapGroupProvisioner with needsTargetSystemUsers = FALSE does not properly add/delete users in the changelog consumer


GRP-2954 add param for mod_remoteip Scott K issue


GRP-2953 UI for attribute assignments on attributes should "pad" in a column for "Group" to keep the values and columns aligned
Matt 


GRP-2952 Improve performance of object types on new stem/group create


GRP-2951 inherited privilege check when creating group errors if subject in group via multiple paths  

SHILEN FIXED


GRP-2950 ddl deep check does not add views


GRP-2949 Document current CI tests


GRP-2948 Job history chart should show "incomplete" jobs

Use filter in visualization


GRP-2947 add grouper db config history


GRP-2946 grouper installer installContainer should chmod o+w on logs dir so container can access in certain envs (e.g. windows wsl)


GRP-2945 remove creation of database config l

Grouper User Email List 

J Keller did update here: https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI

AI Jeff will look at Dominique P.  Provisioning question on the email list from Sept 10, 2020 [grouper-users] PSPNG: synchronize one Grouper group member to two target directory group members?, Dominique Petitpierre, 09/10/2020


AI Chris reply to Grouper Users Email question on log4j.properties

AI Chad reply to building docker image question on email list 

AI Jeff -- reply to gidNumber question on email, referencing properties setting

AI Shilen reply on folders unable to create groups on email list  (DONE)

Wait for new provisioner on this 

 

Grouper WIKI updates



Nested groups with provisioning, is that an important use case?

Not sure, possibly LIGO or GA Tech?

Jeff pointed to the PSP code

Grouper Slack

Beverly  guidance on setting up application suite access roles in Grouper?  

 

Peter Re entries in grouper_config table; would grouperUi.configurationEditor.sourceIpAddresses need to have all addresses comma separated on a single line, or can this be multivalued?  


Carey  RE: "Miscellaneous > Daemon jobs > Job history chart"

   Does the graph only show "success"/"completed" jobs? 

 

Carey    "Registration Open: Internet2 TechEXtra KICKOFF - Oct 6-7".

Emily  Please  submit proposals related to Grouper for this November event. https://incommon.org/academy/camp-meetings/camp-call-for-participation/ (edited) 

Carey   interesting UI issue with deprovisioning.

I have a group that I am being notified about ( for deprovisioning ) that shows me the following when I click on the link.

"Note: there are no deprovisioned entities with memberships or privileges on this group"

And I am getting the emails daily.

 

Jeffrey   We had an odd upgrade issue going from 2.4 to 2.5.33 that didn't happen in any environment other than production last night.  

 

Michael    https://evotec.xyz/visually-display-active-directory-nested-group-membership-using-powershell/

 Scott  using Grouper 2.5.29 via the TAP image. ….

The last remaining piece I need is for the PSPNG to also write the isMemberOf attribute on the group record with the value(s) being the other groups (both direct and indirect) of which the group is a member. How can I do that?  

ScottK  For the same Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI.   seemingly randomly we have to reauthenticate. 

AI Shilen reply to Scott K on Slack re  Grouper deployment (2.5.29) we are using Shibboleth SP authentication to the UI.   seemingly randomly we have to reauthenticate   (already successfully addressed by others on Slack?) 


Michael  are the grouper group permissions (read, view, update, etc..) exposed as attributes any place?  i am having trouble locating them.

ok, i found them defined in grouper_fields table.

Erik  How can one control the page rendering of Grouper UI in terms of margins and widths of the columns?   


Scott  

I have looked at images i2incommon/grouper:2.5.29 and i2incommon/grouper:2.5.33 and I do not see that the Apache HTTP Server mod_remoteip (https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html) is being configured. Could that be added in the future?  

Erin early bird rate for Grouper School will be ending on Friday. 

Todd  loader job that added 500 members to a group.  I want to be able to export out the IDs for that population.  I can view the audit log and "show extended results" which includes the ID field, but I don't see a way to export that out.  Is there an easy way to export out the added population?

AI  Chris reply to Todd inquiry on slack re added 500 members to a group.  I want to be able to export out the IDs for that population. 

 

Jeffrey,    list of all the things that are audited? We have a loader job that was set to disabled. Nobody seems to remember doing that. (For all I know it could have been me). I couldn't find anything in the audit table I don't think.

AI Shilen add a JIRA for list of all the things that are audited  and respond to Jeffrey on Slack

 

Chad  I'm looking at a new app to send a message to a queue when someone falls out of active membership plus all grace period groups. Has anyone done something like this?  

  • Seems like a common use case, the wiki on rules is a bit out of date
  • Rule for if someone drops out of a group, take action such as send a message
  • Need a rule then clause
  • Hard coded to only do certain things
  • AI Chad add a JIRA for someone falls out of active membership plus all grace period groups, send a message and make a way to trace
  • AI Chris and Chad discuss rules 



Zachary  Should git PRs be based off of master or GROUPER_2_5_BRANCH?  Or is there another preferred way to submit patches?

Zach - is there a setting to make the default 'Show' results 100 instead of 50 on a page?

 

Jonathan You'd override in grouper-ui.properties  or via the DB config for that property set

 

Peter  We're in the process of documenting the upgrade path from 2.2.1 (current prod) to 2.5.29 (current container); we hit a snag when trying to upgrade the database DDL via ./gsh -registry -check  and hit this ...

2020-09-11 14:40:12,527: [main] ERROR GrouperDdlEngine.updateDdlIfNeededWithStaticSql(748) -  - Grouper ddl object type 'Grouper' has dbVersion: 29 (2.2.1) and java version: 32 (2.5.0)

java.lang.RuntimeException: Cant start this Grouper version against a database before 2.3.  Upgrade to 2.3 first!

This appears to mean that we have to also install 2.3.x for this step, is there an alternative?

Erin  - Grouper training in October

 Bill    Grouper v2.5 installation in a production environment. I have successfully installed Grouper v2.5 maturity level 0 with installer; however, this isn’t good enough for a production environment.

 

Kevin -  we successfully integrated Grouper 2.5.29 with our OpenLdap instance using ldaptive libs and SASL EXTERNAL authn over TLS using a pkcs12 keystore if anyone needs that config. Helps to have two ldaptive devs on the team.  

 

Chris -We are proud to announce Grouper v2.5.35 is released.  


Next Grouper Call: Sept. 30, 2020
