  • 18-March-2020


  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Jeff Williams, University of North Carolina Greensboro
  • Vivek Sachdiva, independent
  • Steve Zoppi, Internet2
  •  Emily Eisbruch, Internet2

  Action Items

 Grouper Action Items are here  



New Action Items from this call

AI Chad to cron the javadoc generation

AI Chris make the CLC and daemon configurable, default to off for 2.4, default to on for 2.5, and update the release notes about it.  Look into daemon rule.

AI Chris to update wiki on penn process of copying data from one database to another

AI Jeff to create a JIRA on a gsh command that will replace a left or right group in a composite without having to rebuild it. Note: assignCompositeMember(CompositeType, leftGroup, rightGroup) rebuilds it for the user in the function. Not sure how well it scales for larger groups

AI EmilyE Look for the requirements page for Grouper….  Be sure MSSQL is taken out

Grouper School 

 Grouper 2.5 release discussion

  • Chris working on last 2.4 patch
  • And merge changes into master
  • Need new table for automatic upgrades
  • Will be ready to start 2.5 release steps 
  • Hope to have this done today.
  • Team should focus on testing
  • Chris Hubing did last environment variable, Vivek will test 


  • Q: Are we allowed to ship the Oracle license?
  • A: Steve:  hold off for now.  Legal team will look at this regarding the Oracle license
  • Current process: the container will not have Oracle

Current work tasks, and next tasks

Vivek Building and packaging, Rule CLC and daemon, attribute pit churn

    • In Grouper 2.4 there was JIRA, can define a folder, subjects  can only be added if they exist in a group
    •  define w a rule, enhancement recently , should be deleted from folder. 
    • Rule defines consistency
    • Request from Jeff Crawford
    • Rule Veto if not eligible by folder
    • Grouper rules use case - Veto if not eligible by folder
    • But what happens if someone is not an employee anymore and real time changes don’t take effect
    • Now there’s a change log consumer to do this 
    • Vivek wrote a daemon, part of the rules daemon
    • Checks if things are assigned to someone not in the check group.
    • Carey: likes the idea, is this optional? Can you create a rule to behave the old way or the new way?
    • Is there a daemon configuration?
    • When you delete a member from the check group, can be fired, and subject deleted.
    • Currently no, this is not optional
    • Carey: beware of unexpected deletions
    • So put 2 switches, one for change log consumer and one for daemon?
    • Changing the default is OK in Grouper 2.5 perhaps
    • Need to raise the flag so people are not surprised
    • 2.4 default to off and 2.5 default to on 
    • make it always configurable

Chris –  SQL sync, provisioning, simple ui, bugs

  • LDAP interface
  • API for the data access objects will mimic LDAP session API that Shilen has made
  • This will work fine
  • Tuned up some of the operations

 Simple UI

  • current status on simple UI: pretty much done. 
  • Final patch to Grouper 2.4. 
  • Today hopefully then merge to Grouper 2.5,
  •  Chris started a wiki page on this. 
    The Grouper custom UI
  • Helps end users and administrators view and troubleshoot access state and problems
  • Allows end users to easily opt in or opt out of a group without all the bells and whistles of the Grouper UI
  • Custom  UI to help people understand their access state and problems.  
  • Allow someone to easily join or leave a group.
  • All the buttons on the Grouper UI are a distraction for people who want to do a specific function and don’t understand all the options.
  • Can take a group and decorate it w attributes. It’s a bit technical to configure it. 
  • Attributes that have a JSON string, config is overall config for the UI. 
  •  User Query Schemes to set variables and text configs. 
  •  Set things for the UI 
  • As part of the process, there will be checks for where the data flows to 
  • Five types of queries,  
  •  can do expression language
  • This custom UI feature is set up on a group
  • Can only have one custom UI per group
  • The items admins can see, can it be done on other groups not using the custom opt in opt out feature?
  • Users w read or update of a group, they can see this table
  • Could put the table in the admin UI
  • Duke has several use cases where someone might need to be in a variety of different groups.
  • Groups get populated thru other systems
  • There are often support issues, it’s not clear to a help desk person how to troubleshoot
  • This feature can help with the troubleshooting
  • Some texts and some decisions
  • Help link at the top can be customized
  • If the enroll or unenroll button shows, you can put logic, can hide it altogether
  • What Shilen suggests would work but it’s not in admin UI
  • Change description of the group or add something below so people can see more info on the group screen
  • Could have table to explain everything.
  • Sysadmins see more info than others

Shilen – ldap provisioning

  • Shilen’s made updates to the interface 
  • Can create an object in LDAP, delete an object
  • Read a list of entries, do a purge
  • Move an object, working on completing that
  • Good chunk of that is done now
  • Looking at the PSP implementations but mostly doing it from scratch.
  • Then will test when done and compare w PSPNG
  • Can put this on hold as we release 2.5

 Chad – maven builds, azure provisioner

  • Azure provisioner
  • Emailed to Charise re taking Unicon Azure provisioner
  • Similar to what was done w Google provisioner
  • JJ is supposed to get in touch
  • Chad may need to reach out to JJ
  • Chad working on the code himself
  • Trying to identify needs for broader audience
  • Seems like a proof of concept right now
  • Trying to get this to work as is, then later look at the new provisioning framework
  • At this point it's a separate JAR
  • Uses basis membership
  • After 2.5 is out, as we go to new provisioning framework we will want to pop this into the new framework
  • A group add would not have provisioning info
  • Once attributes assigned then it will be figured out 
  • Don’t get events one at a time in order
  • Get a set of events from a change log consumer
  • It is easier to work with
  • Will revisit that after 2.5 is out
  • Chad getting up to speed on how the change log consumer works
  • Figuring out why not implementing the add
  • Attributes for Azure : the group ID, 
  • Chad: uses Hierarchical dependency for these situations
  • Err on side of doing as little as possible until we get the new provisioning framework , since that will solve many of these issues
  • Chris: If GUID is assigned to configuration use that , if not go to Azure and filter by a group attribute value.
  • Perhaps we can support this
  • Get group UI by looking it up that way
  • This is all done by configuration
  • Chris: approach is that Group name equals display name in Azure

Web service jars question…. A wrinkle in plan to run everything from one web app

  • With all jars in one folder
  • The Web service security jars are outdated
  • Chad looked a year ago
  • They were more current than the API jars
  • Can we do that for 2.5? Chad will look at web service jars
  • Need to update them
  • If running Grouper in web service mode, will have jars in lib directory, but maybe in other modes, should delete those jars?
  • Comment on Slack that our jars may be too old
  • Multiple versions of library being pulled in…. Need to prevent that

 Bill – ad hoc types 

Jeff – pspng

  • Local campus priorities have taken over

Issue Roundup



March 4: Carey: Can a workflow support a user uploading a file as one of the inputs? 

March 5: when moving from Oracle to Postgres, what  tool has been used to translate the data between the two databases?
Answer : Talend 
Comment from Carey: Should be documented to help others
AI Chris to update wiki on penn process of copying data from one database to another

March 5: Carey: SQL Loader job question , Is there a way to set the Membership creation and/or  Expiration date in the process of loading data? GRP-2611
Loader jobs should be able to add attributes and values to Groups or memberships that are loaded

March 6: Jeff W: Is there a gsh command that will replace a left or right group in a composite without having to rebuild it?
Answer: assignCompositeMember(CompositeType, leftGroup, rightGroup), rebuilds it for the user in the function.  Not sure how well it scales for larger groups?
Makes sense; discussion on turning off the change log when redoing composites, then starting it back up later.

AI Jeff to add a JIRA on a gsh command that will replace a left or right group in a composite without having to rebuild it. Note: assignCompositeMember(CompositeType, leftGroup, rightGroup) rebuilds it for the user in the function. Not sure how well it scales for larger groups

March 6: Alex P: is there any way to restrict the population visible in a general search to non-admins? 

March 6: J Crawford: for the url based subject search, how do you specify that you are searching via subject_identifier as opposed to subject_id?
URL based without params is not supposed to be full featured. 

March 6 : Adam Chang: DB Error , MSSQL and Oracle not supported
AI EE Look for the requirements page for Grouper….  Be sure MSSQL is taken out

March 10: Marwan: upgrading just the API to v2.4 while keeping the UI and WS at version 2.3? This is not something we can realistically support

March 10: Andy Morgan: Does the Grouper container do anything different for a Docker "stop" command vs a Docker "kill" command.
Can kill Grouper, but a hook running long could create issues. EXAMPLE: Hook creates a folder and 3 groups, might have created folder but not all 3 groups. 

Advice : you can do a stop , but if needed you can kill and it should be OK

Tell people a JAVA app may take a while

March 10: Andy Morgan: slow folder and group creation
As we build out , may need a wiki page for DDL checks

March 11: Chad: finding more cases where statistics aren't enough, and we needed to add histograms to certain columns. If you have GrouperAll or other certain users that have a lot of permissions, the membership data can be skewed far from the even distribution that the statistics assume
  wiki on this

  • Can Grouper add histogram index automatically? It is database specific
  • Oracle syntax is idiosyncratic
  • Not enough info sometimes
  • UI page could give more advice 
  • Hoping that adding histograms can help performance on folder display
  • What if privileges were exported to  a table that includes helper things, to say if public or not? Could solve the folder problem?  Separate memberships and privileges? Flatten them. So queries for secure things are easier. Privileges still stored in memberships, but have another copy to make queries faster.   

  • Shilen: have an attribute or a column on a group to say if public
  • Privileges in a flattened structure
  • Privileges don’t change that often
  • Back in the day when memberships were flattened there were issues
  • One has access to thousands then adding a member to that one group is painful
  • Another approach: caching technique?
  • But has to be in database
  • These things might not be queued in change log consumer way
  • So would not block 
  • Couple of minutes for change to take effect
  • Could address folder view issue and query issue 

March 11: M Geddes: looking for  a wiki page for Grouper and DB configuration.

March 11: HaverKamp: tombstones available for deleted groups and/or folders? 
Going thru point in time and provisioning,

New provisioning approach will handle this in the future

March 12: Carey: Debate question / Feature idea:  Should "Optin" be required to allow a user with "Update" privilege on a group to add themselves?

  • Good discussion on this on Slack
  •  Do we want to support it or not?
  • Related issue w app template
  • Make someone an updater and they have inherited priv, they can make themselves an admin when they should not
  • Solution would be a custom rule
  • Take a look as we get requirements in future


March 12: Marwan: is there a setting or a way to speed up the transfer of entries from the temp change log to the change log? (suggestion to upgrade to Grouper 2.4)

March 13: Sudheer: How long before a group's attestation is coming up is the email sent to the admins? Is it one day prior, two days prior?

Need to look at this in Grouper 2.5.  

Kill a group that is not attested.

Have not worried about it too much, but it could matter more in future

March 13: J Crawford:   Issue w links to the web service raw documentation

Fix this as we get the new JAVA doc up

Add the needed links

Get the raw HTML from confluence and do some search and replace

Chad and Chris will get those links working again in Confluence

Could ask Confluence admins for help


Grouper-Users list
[grouper-users] PSPNG mostly working, Weston, Todd, 03/09/202

[grouper-users] Inherited Privileges via Web Services, Benjamin N Hall, 03/05/2020

[grouper-users] [PSPNG] Full sync of a single group, Yoann Delattre, 03/12/2020

  • Jeff  will look at this and reply

Wiki Changes

Grouper Daemon

API Building & Configuration

Get Subjects

Point in Time Auditing


Penn LMS Grouper groups

Grouper provisioning change log esb workflow

Grouper LDAP provisioner in 2.5

Grouper custom UI

Managing one-time tasks in 2.5+ upgrades


Next Grouper Call: Wed April 1, 2020
