  • 2-Sept-2020



  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams - University of North Carolina Greensboro

  • Emily Eisbruch, Internet2

Intellectual Property reminder:

 Grouper Action Items are here  

New Action Items

  • AI Chris explain the Loader issue, and maybe have another upgrade task in Grouper 2.5.35
  • AI Vivek and Chris come up with script and tests for 2.5.35 to handle PIT tables



Grouper School Oct 13-16, 2020

  • Chris and Chad will be instructors
  • 1st third will be pre-work
  • Then the class time will be less hurried 
  • Hope future Grouper training will look at the types of things a Grouper operator, power user, or help desk person needs to do.
  • So it becomes more intuitive.
    • Group needs privilege, this group needs to manage that, etc.   
  • Please promote the October Grouper Training  

Current Work Status

Grouper Release

  •  Hope to have Grouper release soon
  • Fixes stop start in container
  • Fixes some Tomcat issues
  • Have container fail if startup containers fail
  • OR very verbose on container issues (went this route)
  • Logs to Docker
  • Most things are info, some are errors
  • Tell where the error is coming from, function it comes from
  • View into what the startup does and how to troubleshoot
  • Q: if just using container  to run GSH, is this too much verboseness?
  • A: this only goes to the Docker logs
  • Chad: In openshift everything goes to standard output
  • Would need to create a volume
  • Chris: just echoes from start script
  • Chris will update the release notes with the JIRAs and explain what’s in the release
  • Carey: moved from 2.5.29 to 2.5.34, which moves to using point-in-time tracking for the Grouper configuration. Is there a release step to pre-populate with existing stuff?
  • It was blank
  • Verify underlying table is there
  • Need a GSH script people can run, or make a new release with an upgrade pass
  • We need to loop through the config and insert things into the PIT table
  • It’s only PIT for database, not for the files
  • AI Vivek and Chris come up with script and tests for 2.5.35 to handle PIT tables

  • Chad: the upgrade path to 2.5.27 creates a loader job with a query that looks for … not looking at the query.
  • Chris worked with Michael G to solve a similar issue
  • Delete job and restart Grouper
  • AI Chris explain the Loader issue, and maybe have another upgrade task in Grouper 2.5.35
  • Chris will address these issues before 2.5.35 release
  • Loader query and group query as simple? Yes
  • Replacing long query with a view. View looking at group uuid instead of group name
  • Attribute called Group Name
  • Recent memberships was doing nothing, but fixed when you run the command
  • Detection of whether it needs to run is not working right
  • There is an upgrade note that can help
  • Chris will call attention to that and make things easier in 2.5.35

Current Work Status


New Provisioning Work

  • Issue of group ids and membership
  • Discussed on slack
  • Shilen says Chris’s testing proposal is good 
  • Two test cases
  • Config for provisioning
  • Implementing showed some issues
  • To make things generic, a lot has to do with translations between what we get from Grouper and what we get from the target, and how we put things back in the target
  • There is a solution where we get things from Grouper and from the target
  • When things come out of Grouper and Target, the label is provisioning object
  • Set of beans w same structure
  • Groups users membership, can have attributes 
  • Coming out of Grouper and target
  • Translate to common format
  • Stay in same classes
  • Make some changes, called the translation step
  • Grouper common objects and target common objects
  • Compare and make changes
  • Common format is Target centric
  • Similar to what target has but natural structure of relations
  • Memberships have a group ID , etc.
  • Move things around so the engine can work with them 
  • So Grouper format is similar to target format
  • Will use JEXL to copy things between beans
  • Can use shortcuts to be less Java-ish
  • With JEXL you can do translations easily
  • SQL
  • Membership table with 2 columns
  • Starting simple,  
  • Using provisioning framework UI to identify a folder to be provisioned
  • Loops through groups, memberships and entities and translates them
  • Grouper gets the groups to be provisioned, runs through translations
  •  Grouper to Common translations
  • Get subject ID and attribute and put into ID of common entity
  • Target to Common translation
  • Can be compared in common way
  • Can do a full sync to SQL
  • Will refactor what Shilen did for LDAP so it is similar
  • Provisioning group beans inherit from the same superclass
  • Value does not have to be a string
  • Could be set of things or list of things
  • When LDAP filter runs and we get list of groups
  • There would be an attribute for members
  • Attribute value would be a set of strings that are DMs
  • Translation method
  • Links to membership
  • Translation takes groups and translates 
  • Memberships would have group ID as ID index
  • Translate from groups with multi-valued attributes to a list of memberships with group ID and entity ID
  • Some data synced in sync table can link
  • Translation may not be group to group , membership to membership
  • Training module, documentation, logging is key
  • Doing dry runs may be helpful
  • End user perspective is grouper to target
  • Does the user need to get involved with common?
  • Leaky abstraction
  • User needs to understand internals of the system?
  • Could a UI help? YES
  • Lot of internals to provisioning
  • Good news : a common object can be used for all provisioners
  • Shilen: this handles issues we had in 1st round
  • Not sure how else to solve them
  • This handles things in a generic way
  • Need this for LDAP, with groups with list of names that don’t have intuitive structure
  • Need to put in an engine that can be compared
  • For Zoom or DUO, may be simpler
  • Similar to how subject properties works
  • Wish it was simpler
  • Must know some of the complexity and the internals
  • Need a UI for subject properties too
  • Carey: a couple of staging/ mapping tables, ordered in a flow
  • A couple of columns to map to next columns
  • Data injection issues and JEXL expressions, using JEXL2
  • Chad will make a Jira: look at JEXL2 versus JEXL3 issues?
  • Maybe put in next major release? Maybe 2.6? Upgrade might impact current things.
  • Time to think about using Spring? Could help w transformations?
    • Probably not at this time
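
The translation discussed above (target groups carrying a multi-valued member attribute turned into common-format membership rows, then compared with the Grouper side for a full sync) can be sketched as follows. This is an added example, not Grouper's provisioning code: the class, record and attribute names and the sample data are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; class and field names are hypothetical, not Grouper's own.
public class MembershipTranslationExample {

    // Common-format membership: one row per (group id, entity id) pair.
    record Membership(String groupId, String entityId) {}

    // A group as read from the target; attribute values need not be strings.
    record TargetGroup(String id, Map<String, Object> attributes) {}

    // Target-to-common translation: flatten the multi-valued "member"
    // attribute of each group into individual membership rows.
    static Set<Membership> toMemberships(List<TargetGroup> groups) {
        Set<Membership> rows = new HashSet<>();
        for (TargetGroup g : groups) {
            Object value = g.attributes().get("member");
            if (value instanceof Collection<?> members) {
                for (Object m : members) rows.add(new Membership(g.id(), String.valueOf(m)));
            } else if (value != null) {
                rows.add(new Membership(g.id(), value.toString())); // single-valued
            }
        }
        return rows;
    }

    // Returns a minus b: the rows present in a but missing from b.
    static Set<Membership> minus(Set<Membership> a, Set<Membership> b) {
        Set<Membership> diff = new HashSet<>(a);
        diff.removeAll(b);
        return diff;
    }

    public static void main(String[] args) {
        // Constructed sample data: what the target holds vs. what Grouper says.
        List<TargetGroup> target = List.of(
            new TargetGroup("cn=staff", Map.of("member", Set.of("uid=alice", "uid=bob"))),
            new TargetGroup("cn=interns", Map.of("member", "uid=carol")),
            new TargetGroup("cn=empty", Map.of()));
        Set<Membership> fromTarget = toMemberships(target);
        Set<Membership> fromGrouper = Set.of(
            new Membership("cn=staff", "uid=alice"),
            new Membership("cn=interns", "uid=carol"),
            new Membership("cn=interns", "uid=dave"));

        // Full sync: both sides are now in the same shape and can be compared.
        System.out.println("insert into target: " + minus(fromGrouper, fromTarget));
        System.out.println("delete from target: " + minus(fromTarget, fromGrouper));
    }
}
```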

  • Idea for SQL connector to do things like LDAP does
  • Around multi valued attributes 
  • Normal JUNIT test will not need to simulate
  • Simulate in JDBC


  • Working on LDAP provisioning
  • Will modify the framework per common mapping approach

  • USDU work , fixes composite issues


  • Working on a configuration property for when you don’t want to be able to delete attributes with assignments, even as a root user
  • Can use a hook
  • Started working on a Grouper change
  • Issue of attributedefname sets
  • Reference to itself 
  • Call a normal delete method
  • Check the assignment view
  • May work on Group History Jira, maybe after the Grouper training in Oct


  • DDL for MYSQL has a lot as text
  • No upgrade for DDL utils, it’s unsupported
  • Changing SQL could impact existing deployments
  • Chris will solve it as a one-off.
  • Is this related to the MYSQL slowness issues?
  • Depends on searches on those columns?
  • Ohio State and U Florida? And a few others use MYSQL

UI with GSH script

  • Custom inputs
  • Create course groups
  • Use form to specify term, for example
  • Admin would set this up 
  • Specify who can run it
  • That person sees it as option under templates
  • Can run as self or as group system
  • REGEX on all form elements 
  • GSH container had scripts, then rebuilt and they are gone
  • This approach would be better, more wizard like
  • In Attribute value or Clob table
  • Question: what variables?
  • Don’t want to give full access?
  • The variables put in are validated
  • Might only need alpha numeric parameters
  • We could mandate that by default
  • Could have front door regex
  • Constraining but more secure
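
One way to apply a regex to every form element before its value reaches a GSH script, with alphanumeric-only as the default when no regex is configured, is sketched below. This is an added example, not Grouper code: the class, method and element names and the sample submissions are assumptions.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical, not Grouper's template API.
public class TemplateInputValidator {

    // Applied when no regex is configured for an element: alphanumeric only.
    static final Pattern DEFAULT = Pattern.compile("[A-Za-z0-9]{1,64}");

    private final Map<String, Pattern> elements = new LinkedHashMap<>();

    // Declare a form element; a null regex means "use the default".
    TemplateInputValidator element(String name, String regex) {
        elements.put(name, regex == null ? DEFAULT : Pattern.compile(regex));
        return this;
    }

    // Returns the names of rejected inputs; the script runs only if empty.
    List<String> rejected(Map<String, String> submitted) {
        List<String> bad = new ArrayList<>();
        for (String name : submitted.keySet()) {
            if (!elements.containsKey(name)) bad.add(name); // undeclared input
        }
        for (Map.Entry<String, Pattern> e : elements.entrySet()) {
            String value = submitted.get(e.getKey());
            // matches() must cover the whole value; find() would accept a
            // valid prefix followed by arbitrary script text.
            if (value == null || !e.getValue().matcher(value).matches()) bad.add(e.getKey());
        }
        return bad;
    }

    public static void main(String[] args) {
        TemplateInputValidator v = new TemplateInputValidator()
            .element("term", "\\d{4}(FALL|SPRING|SUMMER)")
            .element("courseId", null);

        // Constructed sample submissions: one clean, one with script characters.
        Map<String, String> ok = Map.of("term", "2020FALL", "courseId", "BIO101");
        Map<String, String> bad = Map.of("term", "2020FALL", "courseId", "BIO101\"; //");

        System.out.println("clean submission rejected: " + v.rejected(ok));
        System.out.println("tainted submission rejected: " + v.rejected(bad));
    }
}
```

Rejecting the whole submission when any element fails, rather than stripping characters, keeps the script from ever seeing a partially cleaned value.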



Wiki pages updated



There is a group that is used as a Deny group for 3644 composite groups. I can navigate to the folder with the group. But when I try to "open the group".... the browser "times out" at exactly 60 seconds.


RabbitMQ connection gets cached, fails when unused for a while


Option to not log stacktraces for WsSubjectLookup with SubjectNotFoundException


member finder findBySubjectIds(subjectIds, subjectSourceId) should use sourceId in query


patch for pspng subject caching impacts full sync


PITAttributeDefFinder method symmetry broken compared to AttributeDefFinder


grouper duo has wrong job name in hib3 loader log

Grouper Emails


Peter use-case where a small number of group admins have a lot of groups to manage (100's) and want to take a number of these (about 50 or so) as favorites. Currently, in 2.2.1, there is a limit of 30 favorites  


Carey added two rules to a group Email notification on flattened membership add to group and Email notification on flattened membership remove.


Lacey  performance tuning for Grouper (2.5.33). As our Grouper instance has grown certain basic tasks can sometimes (not always) take a long time,  

Justin  I updated the subject identifier for our stage environment. I see it in the members table subject_identifier0, but searches in the UI and using that value in the loader job doesn’t find anyone. 

Jeffrey  way to disable the membership of a group via gsh.  I dug around the commands and not seeing which ones handle enable/disable with or without dates.  



RE:  Subject API security by realm

   Is this a UI supported feature or only API/WS feature?


If I create a group as a Recent Memberships loader, and include current memberships, what should I be seeing?  


UMD.  experiencing performance issues with our production Grouper deployment.  


 Oracle 19 database for grouper?  Anything special needed for it (updated JDBC drivers etc.)?


  first foray with Grouper Client. 

Carey Grouper local entities

Specifically "Since there is an optional subjectIdentifier attribute, queries for search or findByIdentifier will consider that value."

   Can you set the 'optional subjectIdentifier attribute' from the UI? ( either during creation or a modify? )

Drew I have a grouper rule that is supposed to create a membership (direct) to a group once a user's membership to another 'target' group ends.  

Shilen reflect Azure permissions into Grouper (  Either sourcing the permissions in Grouper and sync'ing them to Azure using their APIs.  Or sourcing the permissions in Azure and sync'ing to Grouper for auditing/reporting/attestation/etc purposes.  

Liam  How does MIM compare to Grouper as an access management system?

Michael  Feature Request:  In the folder-Delete dialog it would be really nice if I could select to delete ONLY empty groups.  I am configured to not actually delete empty groups as we have AD and deleting a group in AD unexpectedly is painful given the GID. 


Ryan  if we make changes that add new attributes we need to run usdu to populate or make available that attribute to daemon jobs?


Ryan  Any ideas on this NPE? Trying out the Azure provisioner and we get an NPE for every change log entry.


Lacey  I created a loader job and then renamed the group that had a loader configuration (preserving the alternate ID). Now I have two daemon jobs for this  loader, one with the former group name one with the new, and I don’t see a way to delete the old one. Or is disabling sufficient? I don’t want it to accidentally get re-enabled.  


Baron  Is there a way to put Grouper (v2.2.2) in read-only mode? 

Carey  Is the order of Rules (and/or Hooks) firing determinant and controllable in some way?

    Could I have Veto if not eligible in org rule and Forever membership rule(s) that would always fire "before" the veto?

Or would I be better off with a custom hook so all the logic/code fired in one unit?  



It appears that the http to https rewrite may not be working correctly out of the box.  

Erin  We're making some awesome enhancements to the Grouper training that will be held in October. Interested in attending? 

Scott  looking at , is this a fair statement: as of now, the best practice for configuring the PSPNG is to use a file with the desired configuration and to NOT use the UI to directly set configuration in the database.


Scott   I am running the Grouper image i2incommon/grouper:2.5.29 and attempting to convert a 2.3.x configuration for the PSP into a 2.5.x configuration for PSPNG.

Scott  It looks like you only provision hasMember. Do you also provision member? We need both for this deployment…

Chris Hubing We populate member, hasMember and isMemberOf.. 

Paul the openldap overlay is for memberOf, the user attribute which contains the DN of a group

Peter  In a large Grouper environment  having 10's of 1000's of groups, how does your team running Grouper handle requests for specific group membership changes for groups where you can't find the ownership - 

PollyAPP   Do you use grouper to provide group membership/entitlements on a per entityID basis through your IdP?

Bill T  better question?  “Do you use grouper to provide authorization policy decisions in the form of membership/entitlements on a per entityID basis through your IdP?”


Erik  Trying out the new Grouper 2.5.33 "External Systems Connector" to connect to our Oracle data warehouse. It says "you probably don't have to enter a driver...", yet the field is marked "required", which is it? :slightly_smiling_face:  And since it is forcing me to enter something, what is the syntax for specifying the Oracle class driver?   

Scott  using Grouper 2.5.29 via the TAP image. I have a PSPNG changelog configuration for groupOfNames that appears to be mostly working, except that when the group becomes “empty”, the PSPNG reflects the LDAP error that groupOfNames requires at least one member attribute. 

Brett  I recall seeing a chart of the count of group membership over time. Perhaps this was something @Shilen Patel showed at TechEx? Was that a contribution awaiting integration into grouper? Anyone have something similar, e.g. PIT membership count query grouped by date or some such thing?


Erik  Has anyone by chance tried to reflect Azure permissions into Grouper  



I have stumbled into an odd thing in my prod instance.

  There is a group that is used as a Deny group for a set, ( large ish? ) of composite groups. I can navigate to the folder with the group. But when I try to "open the group".... the browser "times out" at exactly 60 seconds.  NOTE:  I believe there are no members in the group.

Any ideas on how to "fix that"?

Beverly  Does anyone have any guidance on setting up application suite access roles in Grouper?  We are trying to create 'product suite' type roles where a developer will be automatically included in groups for different application access like Jira project, a Bitbucket project, Oracle access, and other applications.  Are there similar examples out there of a good folder structure or design for this type of group access bundling?  

Nic  That’s pretty much what we are doing with the Internet2 Collaboration Platform’s Grouper deployment to enable community access to suites of services. @wkaufman can probably point you at stuff about what we’re doing.

Next Grouper Call : Wed Sept 16, 2020

