Child pages
  • 21-Aug-2019
Skip to end of metadata
Go to start of metadata

  

Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redman, UNC
  • Shilen Patel, Duke
  • Vivek Sachdiva, independent 
  • Bert Bee-Lindgren, GA Tech
  • Carey Black, the Ohio State University
  • Emily Eisbruch, Internet2

Grouper Action Items are here

Discussion


Current work tasks, and next tasks


https://spaces.at.internet2.edu/display/Grouper/v2.4+Bug+roundup

Vivek – Bugs

  • Finished Workflow, now released in patch,
  • Type fixed yesterday
  • Chris will push  w next patches
  • Deprovis caching , resolved

Was Working on deprovisioning for root

  • plan was:
    • Copies data onto all 
    • Now at runtime it will look at root,
    • If root has the info, act on it
    • Rather then persist on Grouper stem
    • For Provisioning and Deprovisioning ,  there will be an exception for root
    • Go look at root config
  • Bert has some concerns 
  • If keeping stats per group Why not just walk up tree to look for groups properties
  • Performance issue?
    • Nesting up to 10 levels for example
  • Matt: Grouper in API branch does not have great way to find attributes in sub folders
  • Matt wrote a workaround, may not be optimal
  • Chris: there is config on folders, you can enable or disable (provision to or not) at folder level
  • Better to have copies of attributes than to have to walk the tree each time
  • For deprovisioning , crashed trying to deal with  all folders
  • Root is special case for deprovisioning
  • Bert: Goal was to keep stats on the groups
  • Chris : idea was Take any group or folder , no more logic needed
  • Bert: concern on changlog temp
  • Generalizing root into folder, could have issues with scale of attributes being copied
  • Try more pure inheritance versus replication?
  • Configuration is not done that often, but can be a large number of groups
  • Matt: Way we currently do inheritance is a bckgroup back process
  • So do propagation as background in loader instead of in UI
  • And should guard against it being deleted when it should not be
    • Yes agreed, recent use case at U Penn is relevant,
    • Relates to security
    • Could create chaos on change log consumer
    • Security , performance and usability

tOSU : PSPNG integration, because of bushy structure, need folder at high level in AD, with sub OUs into that Organizational  Unit (OU)

    • If give admin access to a sub OU, 
    • Would like to punt to AD admins
    • Chris: this will be doable
    • But deprovisioning risk? Of changing attributes on the folders
    • Cycle churn possibility
    • If inherited it should be not removable
    • Inheritance should be defined on the parent/source stem and never violated in a child stem due to child stem changes/deletes. ( Should apply to privileges, attributes, attribute values, etc.. anything inherited down the stem tree )


  • Chris : attribute prop is done in loader job and also in UI
  • Same  as w inherited privileges
  • When you make assignment … look for threads in UI to see example
  • It will tell user it is working in background
  • Summary: when copying attributes to children…… use thread approach, so not holding up the UI

Create a JIRA on messages during deprovisioing...


AI Vivek will change provisioning UI so it runs in a thread and will give progress as it works. During deprovisioning should state in message: In progress… this many done, then state success at end…...Vivek and Chris will talk offline about this.

Vivek  will use use Matt’s example as a reference (membership upload from a file in the UI )


 Chris 

  • Database Configuration
  • Patches

Bert  

  • Making progress on jiras 
  • Will work on PSPNG issue from email  that Chris forwarded to Bert
  • Subject ID and nulls… some concern on that, saw it in demoserver, subject API should handle that more gracefully, special definition of not found, added  filter to membership query, Chris worries it is an invalid query, but will wait and see
  • Safety net issue at GA tech, deleting memberships that should not be deleted.
  •   Perhaps caused by 
    • Case problems   and
      incremental loading
    • 10 K people removed if it runs long enough
    • There is a safety net per group, using percentage
    • But this involves unresolvables
    • Existing safety net should catch that
    • LDAP subject source
    • [AI] Bert will create a jira on the safety net issue and invite MG to a meeting to discuss this

 Shilen, created JIRA and create option to allow case  insensitive matching between subject source and loading data  for incremental and full sync for subject ID or extra subject identitier and change error message to explain how to change the switch    

  • Grouper is case sensitive….

https://todos.internet2.edu/browse/GRP-2293



Shilen  



Chad 

  • Working on bugs related to Java and installer
  • Ant versus Maven issues

 Chris, longer term, we should move to containers versus heavy focus on the Grouper installer.


Matt - will encourage Grouper users to vote on importance of addressing Grouper JIRAs


Review of BaseCAMP in Milwaukee - Chris and Shilen attended https://meetings.internet2.edu/2019-basecamp/

  • New faces  at BaseCAMP
  • 30% women
  • Motivated to make Grouper easy to use for smaller institutions
  • Wizards, containers, etc.
  • Shilen: great conference for intro to IDM, hope to have others from Duke attend next year


Upcoming Grouper Training  

 

Issue Roundup


 Grouper-Users email list since Aug  7, 2019


Grouper Dev List email


Slack

  • Add members button , Jasonrap, Aug 7
  • Nick Roy: Internet2 s using Grouper for access to things like the wiki, JIRA, and provisioning some mailing lists. building reference groups like “TI staff” and “Internet2 staff” - challenge that application owners can’t see those groups by default. Looking for pattern   for default read access/etc. for groups like this? f working on our group taxonomy “agile-ly” and wondering if need to account for Grouper permissions (read, as above, etc.) when designing that taxonomy.

  • AlbertWu:  is there specific recommended folder/group naming convention for Grouper groups created for internal access control management? I am a bit concerned using terms like "security" might create name collision. 2. within ref: , is it generally better to move all (I'll call it ACL) grouper ACL groups inside a single folder near the top? Or spread the groups out to sub folders?
  • Ryan R and Bert: Trying to run a full sync, seems to be solved
  • JeffW: add a composite as a member of another group
  • Jeffrey C: if a grouper loader job is creating multiple groups but sometimes one of them is not populated, Grouper doesn't remove the group right, just all the members.  (Chad replied)
  • M Gettes:  does anyone have any generalized performance characteristics of how long it takes to GET a group membership where the group has about 100 members?  How many milliseconds???
  • M Gettes: Loader job average times.
  • M Bearfoot: Error moving to 2.4,  web.xml, Grouper WS questions
  • J Williams :  member of a group with create privs to a folder cannot create a group.  Other members, however, seem to be able
  • Dusty E: Is there a way to efficiently restore a group’s membership from PIT group memberships?
  • Mark Day:  trying to standardize how we create app folders using gsh scripts (new to groovy), and there's something I don't quite understand about  the groovy namespace
  • Greg  H : Upgraded to 2.4 today, based on the TIER images,  comment formatting and config overlays
  • Sundheer: PSPNG lo load grouper groups into LDAP .. trying to use PSPNG to load grouper groups to LDAP .I referred to grouper documentation but it is very confusing to me as i am new to grouper technology .I am not sure what properties to use and what properties are mandatory for this functionality to work.Can you share some information regarding this?
  • Bert: safetynets against excessive deprovisioning and de-loading  ... undiagnosed problem where the loader is emptying at least one reference group which cascades to a massive deprovisioning event


 JIRAs since JIRA 2260

  • 2261 configuration in ui edit screens
  • 2264 Attestation UI doesn't show correct date to recertify
  • 2266 Accessibility issue with Visualization
  • 2267 Switch Maven license check to Checkstyle
  • 2269 Allow an enabled/disabled date when adding a memberships and allow times in input
  • 2271 pspng should delete AD conflict objects
  • 2277 configuration screen should list all config files which have a property name
  • 2278 allow WS authn by searching for dn by filter, and allowing anonymous or authn search
  • 2279 Membership graph
  • 2281 show something about folder composites perhaps?
  • 2285 non base config files should be optional
  • 2286 configuration constraint edit/add same key
  • 2287 message about another file is not correct
  • 2288 default group workflow should work or be easier to user for current group with no changes
  • 2290 "members" tab doesnt work when on electronic forms screen
  • 2291 jar file mismatch: aws-java-sdk-s3
  • 2292 Fix typo in workflow daemon job config




Next Grouper Call: Wed. Sept  4, 2019

  • No labels