Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Jeff Williams, University of North Carolina Greensboro
- Vivek Sachdiva, independent
- Steve Zoppi, Internet2
- Emily Eisbruch, Internet2
Action Items
DISCUSSION
New Action Items from this call
AI Chad to cron the javadoc generation
AI Chris make the CLC and daemon configurable, default to off for 2.4, default to on for 2.5, and update the release notes about it. Look into daemon rule.
AI Chris to update wiki on Penn process of copying data from one database to another
AI Jeff to create a JIRA on a gsh command that will replace a left or right group in a composite without having to rebuild it. Note: assignCompositeMember(CompositeType, leftGroup, rightGroup) rebuilds it for the user in the function. Not sure how well it scales for larger groups
AI EmilyE: Look for the requirements page for Grouper. Be sure MSSQL is taken out
Grouper School
- scheduled for Greensboro in April 2020 was postponed to June 2-3
- will be virtual
- see https://www.incommon.org/academy/grouper/
- Bill and Chris will lead
Grouper 2.5 release discussion
- Chris working on last 2.4 patch
- And merge changes into master
- Need new table for automatic upgrades
- Will be ready to start 2.5 release steps
- Hope to have that done today.
- Team should focus on testing
- Chris Hubing did the last environment variable; Vivek will test
Oracle
- Q: Are we allowed to ship the Oracle license?
- A: Steve: hold off for now. Legal team will look at this regarding the Oracle license
- Current process: the container will not have Oracle
Current work tasks, and next tasks
Vivek – Building and packaging, Rule CLC and daemon, attribute pit churn
- In Grouper 2.4 there was a JIRA: you can define a folder where subjects can only be added if they exist in a group https://todos.internet2.edu/browse/GRP-2143
- Defined with a rule; a recent enhancement: such subjects should be deleted from the folder.
- Rule defines consistency
- Request from Jeff Crawford
- Rule Veto if not eligible by folder
- Grouper rules use case - Veto if not eligible by folder
- But what happens if someone is not an employee anymore and real time changes don’t take effect
- Now there’s a change log consumer to do this
- Vivek wrote a daemon, part of the rules daemon
- Checks if things are assigned to someone not in the check group.
- Carey: likes the idea, is this optional? Can you create a rule to behave the old way or the new way?
- Is there a daemon configuration?
- When you delete a member from the check group, the rule can be fired and the subject deleted.
- Currently no; this is not optional
- Carey: beware of unexpected deletions
- So put 2 switches, one for change log consumer and one for daemon?
- Changing the default is OK in Grouper 2.5 perhaps
- Need to raise the flag so people are not surprised
- 2.4 default to off and 2.5 default to on
- make it always configurable
- AI Chris make the CLC and daemon configurable, default to off for 2.4, default to on for 2.5, and update the release notes about it. Look into daemon rule.
- Vivek will touch base with Chris later
- Also working on this:
- https://spaces.at.internet2.edu/display/Grouper/Grouper+attributes
- Will work on items for 2.5 next
Chris – SQL sync, provisioning, simple ui, bugs
- LDAP interface
- API for the data access objects will mimic LDAP session API that Shilen has made
- This will work fine
- Tuned up some of the operations
Simple UI
- https://spaces.at.internet2.edu/display/Grouper/Grouper+custom+UI
- current status on simple UI: pretty much done.
- Final patch to Grouper 2.4.
- Today hopefully then merge to Grouper 2.5,
- Chris started a wiki page on this.
The Grouper custom UI - Helps end users and administrators view and troubleshoot access state and problems
- Allows end users to easily opt in or opt out of a group without all the bells and whistles of the Grouper UI
- Custom UI to help people understand their access state and problems.
- Allow someone to easily join or leave a group.
- All the buttons on the Grouper UI are a distraction for people who want to do a specific function and don’t understand all the options.
- Can take a group and decorate it with attributes. It’s a bit technical to configure it.
- Attributes that have a JSON string, config is overall config for the UI.
- User Query Schemes to set variables and text configs.
- Set things for the UI
- As part of the process, there will be checks for where the data flows to
- Five types of queries
- Can use expression language
- This custom UI feature is set up on a group
- Can only have one custom UI per group
- The items admins can see, can it be done on other groups not using the custom opt in opt out feature?
- Users with read or update on a group can see this table
- Could put the table in the admin UI
- Duke has several use cases where someone might need to be in a variety of different groups.
- Groups get populated thru other systems
- There are often support issues, it’s not clear to a help desk person how to troubleshoot
- This feature can help with the troubleshooting
- Some texts and some decisions
- Help link at the top can be customized
- Whether the enroll or unenroll button shows can be controlled by logic; it can be hidden altogether
- What Shilen suggests would work but it’s not in admin UI
- Change description of the group or add something below so people can see more info on the group screen
- Could have table to explain everything.
- Sysadmins see more info than others
Shilen – ldap provisioning
- Shilen’s made updates to the interface
- Can create an object in LDAP, delete an object
- Read a list of entries, do a purge
- Move an object, working on completing that
- Good chunk of that is done now
- Looking at the PSP implementations but mostly doing it from scratch.
- Then will test when done and compare with PSPNG
- Can put this on hold as we release 2.5
Chad – maven builds, azure provisioner
- Azure provisioner
- Emailed Charise re taking on the Unicon Azure provisioner
- Similar to what was done with the Google provisioner
- JJ is supposed to get in touch
- Chad may need to reach out to JJ
- Chad working on the code himself
- Trying to identify needs for broader audience
- Seems like a proof of concept right now
- Trying to get this to work as is, then later look at the new provisioning framework
- At this point it’s a separate jar
- Uses basis membership
- After 2.5 is out, as we go to new provisioning framework we will want to pop this into the new framework
- A group add would not have provisioning info
- Once attributes assigned then it will be figured out
- Don’t get events one at a time in order
- Get a set of events from a change log consumer
- It is easier to work with
- Will revisit that after 2.5 is out
- Chad getting up to speed on how the change log consumer works
- Figuring out why it is not implementing the add
- Attributes for Azure: the group ID
- Chad: uses hierarchical dependency for these situations
- Err on the side of doing as little as possible until we get the new provisioning framework, since that will solve many of these issues
- Chris: If a GUID is assigned in configuration, use that; if not, go to Azure and filter by a group attribute value.
- Perhaps we can support this
- Get the group ID by looking it up that way
- This is all done by configuration
- Chris: approach is that Group name equals display name in Azure
Web service jars question: a wrinkle in the plan to run everything from one web app
- With all jars in one folder
- The Web service security jars are outdated
- Chad looked a year ago
- They were more current than the API jars
- Can we do that for 2.5? Chad will look at web service jars
- Need to update them
- If running Grouper in web service mode, will have jars in lib directory, but maybe in other modes, should delete those jars?
- Comment on Slack that our jars may be too old
- Multiple versions of a library being pulled in. Need to prevent that
Bill – ad hoc types
Jeff – pspng
- Local campus priorities have taken over
Issue Roundup
Slack
March 4: Carey: Can a workflow support a user uploading a file as one of the inputs? https://todos.internet2.edu/browse/GRP-2610
March 5: when moving from Oracle to Postgres, what tool has been used to translate the data between the two databases?
Answer: Talend
Comment from Carey: Should be documented to help others
AI Chris to update wiki on Penn process of copying data from one database to another
March 5: Carey: SQL Loader job question: Is there a way to set the Membership creation and/or Expiration date in the process of loading data? GRP-2611
Loader jobs should be able to add attributes and values to Groups or memberships that are loaded
March 6: Jeff W: Is there a gsh command that will replace a left or right group in a composite without having to rebuild it?
Answer: assignCompositeMember(CompositeType, leftGroup, rightGroup) rebuilds it for the user in the function. Not sure how well it scales for larger groups?
Makes sense; discussion on turning off the change log when redoing composites, then starting it back up later.
AI Jeff to add a JIRA on a gsh command that will replace a left or right group in a composite without having to rebuild it. Note: assignCompositeMember(CompositeType, leftGroup, rightGroup) rebuilds it for the user in the function. Not sure how well it scales for larger groups
March 6: Alex P: is there any way to restrict the population visible in a general search to non-admins?
March 6: J Crawford: for the url based subject search, how do you specify that you are searching via subject_identifer as opposed to subject_id?
URL based without params is not supposed to be full featured.
March 6: Adam Chang: DB Error, MSSQL and Oracle not supported
AI EE: Look for the requirements page for Grouper. Be sure MSSQL is taken out
March 10: Marwan: upgrading just the API to v2.4 while keeping the UI and WS at version 2.3? This is not something we can realistically support
March 10: Andy Morgan: Does the Grouper container do anything different for a Docker "stop" command vs a Docker "kill" command.
Can kill Grouper, but a hook running long could create issues. EXAMPLE: Hook creates a folder and 3 groups, might have created folder but not all 3 groups.
Advice: you can do a stop, but if needed you can kill and it should be OK
Tell people a Java app may take a while to stop
March 10: Andy Morgan: slow folder and group creation
As we build out, may need a wiki page for DDL checks
March 11: Chad: finding more cases where statistics aren't enough, and we needed to add histograms to certain columns. If you have GrouperAll or other certain users that have a lot of permissions, the membership data can be skewed far from the even distribution that the statistics assume
wiki on this https://spaces.at.internet2.edu/pages/viewpage.action?pageId=14517958#APIBuilding&Configuration-DatabaseTuning
- Can Grouper add histogram index automatically? It is database specific
- Oracle syntax is idiosyncratic
- Not enough info sometime
- UI page could give more advice
- Hoping that doing histograms can help performance on folder display
- What if privileges were exported to a table that includes helper things, to say if public or not? Could solve the folder problem? Separate memberships and privileges? Flatten them. So queries for secure things are easier. Privileges still stored in memberships, but have another copy to make queries faster.
- Shilen: have an attribute or a column on a group to say if public
- Privileges in a flattened structure
- Privileges don’t change that often
- Back in the day when memberships were flattened there were issues
- If one has access to thousands, then adding a member to that one group is painful
- Another approach: caching technique?
- But has to be in database
- These things might not be queued in change log consumer way
- So would not block
- Couple of minutes for change to take effect
- Could address folder view issue and query issue
March 11: M Geddes: looking for a wiki page for Grouper and DB configuration.
March 11: HaverKamp: tombstones available for deleted groups and/or folders?
Going through point in time and provisioning
New provisioning approach will handle this in the future
March 12: Carey: Debate question / Feature idea: Should "Optin" be required to allow a user with "Update" privilege on a group to add themselves?
- Good discussion on this on Slack
- Do we want to support it or not?
- Related issue w app template
- Make someone an updater and they have inherited priv, they can make themselves an admin when they should not
- Solution would be a custom rule
- Take a look as we get requirements in future
March 12: Marwan: is there a setting or a way to speed up the transfer of entries from the temp change log to the change log? (suggestion to upgrade to Grouper 2.4)
March 13: Sudheer: How long before a group’s attestation is coming up is the email sent to the admins? Is it one day prior, two days prior?
Need to look at this in Grouper 2.5.
Kill a group that is not attested.
Have not worried about it too much, but it could matter more in future
March 13: J Crawford: Issue w links to the web service raw documentation https://spaces.at.internet2.edu/display/Grouper/Get+Memberships
Fix this as we get the new Javadoc up
Add the needed links
Get the raw HTML from confluence and do some search and replace
Chad and Chris will get those links working again in Confluence
Could ask Confluence admins for help
Emails
Grouper-Users list
[grouper-users] PSPNG mostly working, Weston, Todd, 03/09/202
[grouper-users] Inherited Privileges via Web Services, Benjamin N Hall, 03/05/2020
[grouper-users] [PSPNG] Full sync of a single group, Yoann Delattre, 03/12/2020
- Jeff will look at this and reply
Wiki Changes
Grouper provisioning change log esb workflow
Grouper LDAP provisioner in 2.5
Managing one-time tasks in 2.5+ upgrades
JIRAs
- GRP-2616: Add optional Content-Security-Policy header to UI. Should be an easy thing
- Custom class, web application filter
- UI property; if it is there, add the header
- Address this right after 2.5, before too long
- GRP-2615: Look at built-in attributes and see what to exclude from audits and point in time
- GRP-2614: ChangeLogConsumerBaseImpl group_updateGroup does not handle description changes et al. Noticed while looking through existing code
- GRP-2613: Grouper rules use case - Veto if not eligible by folder
- GRP-2612: Cannot create LDAP group when target system users are not required. Is that related to the patch? Yes
- Not sure if the pull request is OK to put in a patch
- Jeff will take a look
- About 10 lines of code
- GRP-2611: Loader jobs should be able to add attributes and values to Groups or memberships that are loaded
- GRP-2610: Workflows should support uploading/downloading files as input types
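The GRP-2616 approach above (a web application filter that adds the header only when a UI property is set) sketched as an added example; this is not Grouper project code, and the property name contentSecurityPolicy, read here from a filter init-param rather than Grouper's UI properties, is an assumption.

```java
// Added example, not Grouper code: a servlet filter that emits a
// Content-Security-Policy header only when a configured policy is present.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {
  // Assumed property name; Grouper's real UI property name is not in the notes.
  // In web.xml:  <init-param><param-name>contentSecurityPolicy</param-name>
  //              <param-value>default-src 'self'; frame-ancestors 'none'</param-value></init-param>
  private static final String PARAM = "contentSecurityPolicy";
  private String policy;

  @Override
  public void init(FilterConfig config) {
    String value = config.getInitParameter(PARAM);
    // Missing or blank means "header off": existing behaviour is unchanged.
    this.policy = (value == null || value.trim().isEmpty()) ? null : value.trim();
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (policy != null && res instanceof HttpServletResponse) {
      // setHeader (not addHeader) so a duplicate header is never emitted, and it is
      // set before the chain runs so it is present even if a servlet commits early.
      ((HttpServletResponse) res).setHeader("Content-Security-Policy", policy);
    }
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() { }
}
```

Map the filter to the UI's URL pattern in web.xml; with no init-param the filter is a pass-through, which matches the "optional" intent of the JIRA.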
Next Grouper Call: Wed April 1, 2020