Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
Jeff Williams - University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Items
- AI Chris explain the Loader issue, and maybe have another upgrade task in Grouper 2.5.35
- AI Vivek and Chris come up with script and tests for 2.5.35 to handle PIT tables
DISCUSSION
Grouper School Oct 13-16, 2020
https://www.incommon.org/academy/grouper/
- Chris and Chad will be instructors
- 1st third will be pre-work
- Then the class time will be less hurried
- Hope for the Grouper training in the future… to look at what a Grouper operator , power user, help desk person, the types of things they need to do.
- So it becomes more intuitive.
- Group needs privilege, this group needs to manage that, etc.
- Please promote the October Grouper Training
Current Work Status
Grouper Release
- Hope to have Grouper release soon
- Fixes stop start in container
- Fixes some Tomcat issues
- Have container fail if startup containers fail
- OR very verbose on container issues (went this route)
- Logs to Docker
- Most things are info, some are errors
- Tell where the error is coming from, function it comes from
- View into what the startup does and how to troubleshoot
- Q: if just using container to run GSH, is this too much verboseness?
- A: this only goes to the Docker logs
- Chad: In openshift everything goes to standard output
- Would need to create a volume
- Chris : just echos from start script
- Chris will update the release notes with the JIRAs and explain what’s in the release
- Carey: moved 2.5.29 to 2.5.34 - move to using point in time tracking for the Grouper configuration, is there a release step to pre-populate with existing stuff
- It was blank,
- Verify underlying table is there
- Need a GSH script people can run, or make a new release with upgrade pass
- We need to Loop thru the config and insert things into PIT table
- It’s only PIT for database, not for the files
- AI Vivek and Chris come up with script and tests for 2.5.35 to handle PIT tables
- Chad : in upgrade path to 2.5.27 creates a loader job w query that looks for … not looking at the query.
- Chris worked w Michael G to solve a similar issue
- Delete job and restart Grouper
- AI Chris explain the Loader issue, and maybe have another upgrade task in Grouper 2.5.35
- Chris will address these issues before 2.5.35 release
- Loader query and group query as simple? Yes
- Replacing long query with a view. View looking at group uuid instead of group name
- Attribute called Group Name
- Recent memberships was doing nothing, but fixed when you run the command
- Detection of whether need to run not working right
- There is an upgrade note that can help
- Chris will call attention to that and make things easier in 2.5.35
Current Work Status
Chris
New Provisioning Work
- https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+translations
- Issue of group ids and membership
- Discussed on slack
- Shilen says Chris’s testing proposal is good
- Two test cases
- Config for provisioning
- Implementing showed some issues
- To make things generic, a lot has to do w translations between what we get from Grouper and what we get from target and how we put things back in target
- There is a solution where we get things from Grouper, and from target
- When things come out of Grouper and Target, the label is provisioning object
- Set of beans w same structure
- Groups users membership, can have attributes
- Coming out of Grouper and target
- Translate to common format
- Stay in same classes
- Make some changes , called translation step
- Grouper common objects and target common objects
- Compare and make changes
- Common format is Target centric
- Similar to what target has but natural structure of relations
- Memberships have a group ID , etc.
- Move things around so the engine can work with them
- So Grouper format is similar to target format
- Will use JEXL to copy things between Beans
- Can use shortcuts to be less Java ish
- With JEXL you can do translations easily
- SQL
- Membership table with 2 columns
- Starting simple,
- Using provisioning framework UI to identify a folder to be provisioned
- Loop thru groups and memberships and entities and translates them
- Grouper gets the groups to be provisioned, runs through translations
- Grouper to Common translations
- Get subject ID and attribute and put into ID of common entity
- Target to Common translation
- Can be compared in common way
- Can do a full sync to SQL
- Will refactor what Shilen did for LDAP so it is similar
- Provisioing group bean inherit from same super class
- Value does not have to be a string
- Could be set of things or list of things
- When LDAP filter runs and we get list of groups
- There would be an attribute for members
- Attribute value would be a set of strings that are DMs
- Translation method
- Links to membership
- Translation takes groups and translates
- Memberships would have group ID as ID index
- Translate from groups w multi valued attributes to list of membership w group ID and entity ID
- Some data synced in sync table can link
- Translation may not be group to group , membership to membership
- Training module, documentation , Logging is key,
- doing dry runs may be helpful
- End user perspective is grouper to target
- Does the user need to get involved with common?
- Leaky abstraction
- User needs to understand internals of the system?
- Could a UI help? YES
- Lot of internals to provisioning
- Good news : a common object can be used for all provisioners
- Shilen: this handles issues we had in 1st round
- Not sure how else to solve them
- This handles things in a generic way
- Need this for LDAP , with groups with list of names that don’t have intuitive structure
- Need to put in an engine that can be compared
- For Zoom or DUO, may be simpler,
- Similar to how subject properties works
- Wish it was simpler
- Must know some of the complexity and the internals
- Need a UI for subject properties too
- Carey: a couple of staging/ mapping tables, ordered in a flow
- A couple of columns to map to next columns
- Data injection issues and JEXL expressions, using JEXL2
- Chad will Make a Jira around Look at JEXL2 versus JEXL3 issues?
- Maybe put in next major release? Maybe 2.6? Upgrade might impact current things.
- Time to think about using Spring? Could help w transformations?
- Probably not at this time
- Idea for SQL connector to do things like LDAP does
- Around multi valued attributes
- Normal JUNIT test will not need to simulate
- Simulate in JDBC
Shilen
- Working on LDAP provisioning
- Will modify the framework per common mapping approach
- USDU work , fixes composite issues
Chad
- Working on configuration property, if you don’t want to be able to delete attributes with assignments, even as a root user,
- Can use a hook
- Started working on a Grouper change
- Issue of attributedefname sets
- Reference to itself
- Call a normal delete method
- Check the assignment view
- May work on Group History Jira, maybe after the Grouper training in Oct
Chris
- DDL for MYSQL has a lot as text
- No upgrade for DDL utils, it’s unsupported
- Changing SQL could impact existing deployments
- Chris will solve it as a one off.
- Is this related to the MYSQL slowness issues?
- Depends on searches on those columns?
- Ohio State and U Florida? And a few others use MYSQL
UI with GSH script
https://spaces.at.internet2.edu/display/Grouper/Grouper+custom+template+via+GSH
- Custom inputs
- Create course groups
- Use form to specify term, for example
- Admin would set this up
- Specify who can run it
- That person sees it as option under templates
- Can run as self or as group system
- REGEX on all form elements
- GSH container had scripts, then rebuilt and they are gone
- This approach would be better, more wizard like
- In Attribute value or Clob table
- Question: what variables?
- Don’t want to give full access?
- the variables put in are validated
- Might only need alpha numeric parameters
- We could mandate that by default
- Could have front door regex
- Constraining but more secure
ISSUE ROUNDUP
Wiki pages updated
- Grouper container documentation for v2.5
- Grouper daemon "other job" to run a script
- PSPNG at Penn
- Grouper daemon "other job" to run a script
- v2.5 Release Notes
- Grouper provisioning translations
JIRAS
RabbitMQ connection gets cached, fails when unused for a while
Option to not log stacktraces for WsSubjectLookup with SubjectNotFoundException
member finder findBySubjectIds(subjectIds, subjectSourceId) should use sourceId in query
patch for pspng subject caching impacts full sync
PITAttributeDefFinder method symmetry broken compared to AttributeDefFinder
grouper duo has wrong job name in hib3 loader log
Grouper Emails
- [grouper-users] Grouper 2.2.x with MySQL 8.0.x errors, Baron Fujimoto, 08/03/2020
- Re: [grouper-users] Grouper 2.2.x with MySQL 8.0.x errors, Baron Fujimoto, 08/06/2020
- [grouper-users] Replacing container self-signed certs, Hafer, Christopher G, 08/13/2020
- [grouper-users] lite-ui use case, Francesco Malvezzi, 08/17/2020
- Re: [grouper-users] lite-ui use case, Francesco Malvezzi, 08/26/2020
- Re: [grouper-users] lite-ui use case, Hyzer, Chris, 08/17/2020
- [grouper-users] REL-8 & PODMAN, T-Heetderks, 08/19/2020
- Re: [grouper-users] REL-8 & PODMAN, Jeffrey Williams, 08/21/2020
- Re: [grouper-users] REL-8 & PODMAN, Samuel Harmon, 08/20/2020
- [grouper-users] Issues installing GROUPER on Red Hat 7, T-Heetderks, 08/19/2020
- [grouper-users] 2.5.33 container won't restart, Samuel Harmon, 08/27/2020
- [grouper-users] CAS Authentication Help, Jonathan Keller, 08/28/2020
- [grouper-users] Grouper 2.5.22: LDAP Group/Attribute provisioning, kokumari, 08/26/2020
- Re: [grouper-users] Grouper 2.5.22: LDAP Group/Attribute provisioning, Hyzer, Chris, 09/01/2020
- [grouper-users] 2.5.33 container won't restart, Samuel Harmon, 08/26/2020
- Re: [grouper-users] 2.5.33 container won't restart, Hyzer, Chris, 09/01/2020
- [grouper-users] UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS) error while synching to RAD using grouper 2.3 PSP modifyRequest, Siju Jacob, 09/01/2020
- Re: [grouper-users] CAS Authentication Help, Jonathan Keller, 09/01/2020
- Re: [grouper-users] CAS Authentication Help, Hyzer, Chris, 09/01/2020
Slack
Peter use-case where a small number of group admins have a lot of groups to manage (100's) and want to take a number of these (about 50 or so) as favorites. Currently, in 2.2.1, there is a limit of 30 favorites
Carey added two rules to a group Email notification on flattened membership add to group and Email notification on flattened membership remove.
Lacey performance tuning for Grouper (2.5.33). As our Grouper instance has grown certain basic tasks can sometimes (not always) take a long time,
Justin I updated the subject identifier for our stage environment. I see it in the members table subject_identifier0, but searches in the UI and using that value in the loader job doesn’t find anyone.
Jeffrey way to disable the membership of a group via gsh. I dug around the commands and not seeing which ones handle enable/disable with or without dates.
Carey
RE: Subject API security by realm
Is this a UI supported feature or only API/WS feature?
Chad
If I create a group as a Recent Memberships loader, and include current memberships, what should I be seeing?
Noel
UMD. experiencing performance issues with our production Grouper deployment.
Christopher
Oracle 19 database for grouper? Anything special needed for it (updated JDBC drivers etc.)?
Erik
first foray with Grouper Client.
Carey Grouper local entities
Specifically "Since there is an optional subjectIdentifier attribute, queries for search or findByIdentifier will consider that value."
Can you set the 'optional subjectIdentifier attribute' from the UI? ( either during creation or a modify? )
Drew I have a grouper rule that is supposed to create a membership (direct) to a group once a user's membership to another 'target' group ends.
Shilen reflect Azure permissions into Grouper (https://docs.microsoft.com/en-us/azure/role-based-access-control/overview). Either sourcing the permissions in Grouper and sync'ing them to Azure using their APIs. Or sourcing the permissions in Azure and sync'ing to Grouper for auditing/reporting/attestation/etc purposes.
Liam How does MIM compare to Grouper as an access managment system?
Michael Feature Request: In the folder-Delete dialog it would be really nice if I could select to delete ONLY empty groups. I am configured to not actually delete empty groups as we have AD and deleting a group in AD unexpectedly is painful given the GID.
Ryan if we make subject.properties changes that add new attributes we need to run usdu to populate or make available that attribute to daemon jobs?
Ryan Any ideas on this NPE? Trying out the Azure provisioner and it we get a NPE for every change log entry.
Lacey I created a loader job and then renamed the group that had a loader configuration (preserving the alternate ID). Now I have two daemon jobs for this loader, one with the former group name one with the new, and I don’t see a way to delete the old one. Or is disabling sufficient? I don’t want it to accidentally get re-enabled.
Baron Is there a way to put Grouper (v2.2.2) in read-only mode?
Carey Is the order of Rules (and/or Hooks) firing determinant and controllable in some way?
Could I have Veto if not eligible in org rule and Forever membership rule(s) that would always fire "before" the veto?
Or would I be better off with a custom hook so all the logic/code fired in one unit?
Jeffrey
It appears that the http to https rewrite may not be working correctly out of the box.
Erin We're making some awesome enhancements to the Grouper training that will be held in October. Interested in attending?
Scott looking at https://todos.internet2.edu/browse/GRP-2329 , is this a fair statement: as of now, the best practice for configuring the PSPNG is to use a grouper-loader.properties file with the desired configuration and to NOT use the UI to directly set configuration in the database.
Scott I am running the Grouper image i2incommon/grouper:2.5.29 and attempting to convert a 2.3.x configuration for the PSP into a 2.5.x configuration for PSPNG.
Scott It looks like you only provision hasMember. Do you also provision member? We need both for this deployment…
Chris Hubing We populate member, hasMember and isMemberOf..
Paul the openldap overlay is for memberOf, the user attribute which contains the DN of a group
Peter In a large Grouper environment having 10's of 1000's of groups, how does your team running Grouper handle requests for specific group memberhship changes for groups where you can't find the ownership -
PollyAPP Do you use grouper to provide group membership/entitlements on a per entityID basis through your IdP?
Bill T better question? “Do you use grouper to provide authorization policy decisions in the form of membership/entitlements on a per entityID basis through your IdP?”
Erik Trying out the new Grouper 2.5.33 "External Systems Connector" to connect to our Oracle data warehouse. It says "you probably don't have to enter a driver...", yet the field is marked "required", which is it? :slightly_smiling_face: And since it is forcing me to enter something, what is the syntax for specifying the Oracle class driver?
Scott using Grouper 2.5.29 via the TAP image. I have a PSPNG changelog configuration for groupOfNames that appears to be mostly working, except that when the group becomes “empty”, the PSPNG reflects the LDAP error that groupOfNames requires at least one member attribute.
Brett I recall seeing a chart of the count of group membership over time. Perhaps this was something @Shilen Patel showed at TechEx? Was that a contribution awaiting integration into grouper? Anyone have something similar, e.g. PIT membership count query grouped by date or some such thing?
Erik Has anyone by chance tried to reflect Azure permissions into Grouper
Carey
I have stumbled into an odd thing in my prod instance.
There is a group that is used as a Deny group for a set, ( large ish? ) of composite groups. I can navigate to the folder with the group. But when I try to "open the group".... the browser "times out" at exactly 60 seconds. NOTE: I believe there are no members in the group.
Any ideas on how to "fix that"?
Beverly Does anyone have any guidance on setting up application suite access roles in Grouper? We are trying to create 'product suite' type roles where a developer will be automatically included in groups for different application access like Jira project, a Bitbucket project, Oracle access, and other applications. Are there similar examples out there of a good folder structure or design for this type of group access bundling?
Nic That’s pretty much what we are doing with the Internet2 Collaboration Platform’s Grouper deployment to enable community access to suites of services. @wkaufman can probably point you at stuff about what we’re doing.
Next Grouper Call : Wed Sept 16, 2020