- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdeva, independent
- Jeff Williams, University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Items from this call
- Review AIs Grouper Project Action Items (Google Doc)
- Approve minutes
- Review AIs
- Agenda bash
- BaseCAMP July 20 - 24, 2020 https://meetings.internet2.edu/2020-basecamp/program/
- July 23, 2020, 2:35pm - 3:30pm
- Erik Coleman, U of Illinois, Urbana-Champaign, leading Access and Grouping 101
- Chris leading Access and Grouping 201
Grouper School on Oct 6-9, 2020 (online)
- Moving beginning sections of Grouper training to Canvas LMS
- Promote this at your institutions
- Some people are initially “afraid” of Grouper but embrace it after training
- Penn has had 8 people do Grouper training and it’s been helpful
Current work tasks, and next tasks
- Define subject sources to provision, add the ID
- options about mapping to target
- User and group settings, how to resolve things
- Half is provisioner generic and half is LDAP specific (if you are provisioning to LDAP)
- Base provisioner has a lot of logic
- Base config class can manage settings
- LDAP config class that subclasses that and does LDAP specific stuff
- Base target DAO specifies signatures
- There is BASE target DAO and Custom target DAO
- Use target beans for compare
- Provisioning Framework strives to be flexible, customizable, configurable
- Comment: it’s the right amount of extensibility
- How much of the pieces are re-usable directly?
- LDAP, AD, OpenLDAP
- Non relational database, use subclass?
- Can inherit and wire things together
- Multiple universities might use same target but use it differently
- Use one DAO or multiple
- Multiple provisioner instances
- For example, 3 ways to provision to DUO so 3 provisioner instances?
- Shilen: included to have multiple provisioners
- Carey: Great to be able to provision Grouper privileges for access management on target systems
- Will make the screens more complex, but that’s OK
- Depending on what you select in the membership fields, you are provisioning privileges to a target.
- Could have two provisioners, one for memberships, another for privileges?
- Privilege provisioner could detect if an object is not there, and mark it
- Provisioners create a group in the target system
- Provisioner creates privileges in the target system?
- Three ways to get events in real time model:
- change log
- Grouper messages from the UI
- In object model there are sync tables, sync tables have a state in them, such as if there is an error, trying to provision
- Zoom, Box, Duo
Chris – 2.5.33 release
- TomEE upgrade was an issue
- Chris updated the wiki with best practices
- Try for a release biweekly
- Chris has been helping with provisioning
Shilen – provisioning, vacation
- Added LDAP configuration class
- Chris and Shilen discuss Grouper DAO work
Chad – pspng
- Heard from MichaelG regarding performance issues
- New provisioning framework will help
- Erik trying to get Azure changelog consumer working
- Getting error on ESB event type not right
- Chris: ESB is layer on top of changelog consumer
- Changelog consumer Object model is generic
- You specify event types: membership add, membership delete, etc
- Github pull requests for library upgrades
- You should upgrade message
- Could be a waste of time in some cases
- When we are just using internally
- Recent discussion on courses in Grouper, was discussed on a software call last Friday
- We support 3 versions of Grouper; perhaps change it to 2.
- It’s a problem that people do new installs with an old version
JIRAs over last 2 weeks
installer does not install maturity level 0 (think this is fixed)
server.xml is not setting new tomcat settings correctly
Add permission action to the audit log
driver is not required in database config, or needs more documentation
if there is an encrypted password issue, it doesn't list which config has the issue
ehcaches not found for sync objects
recent memberships attribute error
morphString in file with newline has issue again
if there is a daemon missing a config, the daemon screen bombs
grouperReport does not have a configuration
grouper installer does not install the container
GROUPERUI_LOGOUT_REDIRECTTOURL is set in wrong place in container workflow
remove p6spy, current version doesn't work
- Chad found this does not work, but earlier version also did not work
- Chris: keep deleting, sometimes works, removed it from the POM
- Take that code from Grouper 2.4 ?
- OK to take p6spy out of Grouper
reduce common redundant queries
Configuration UI sorting, grouping and filtering
Configuration UI unable to change "Expression Language Scriptlet" indicator
Subject API backed by local RDBMS cached data
warning logged about local entity creating objects
simple new LDAP provisioner
Limited-privilege users cannot revoke membership from subject page
add configuration in database caching to database cache clearing
- Chris: there is now a table in Grouper, Grouper Cache Overall
- Has one row? Update the cache instance and flag to look for something that changed.
- Consider using this, clears cache more quickly
add field finder to database cache clearing
Deadlock after db issues
add apache/tomcat/shib versions to release notes page
Updating french translation
SLACK over last 2 weeks
Matthew B - Is there a way to get Grouper to recalculate a user's membership in a group when the user name changes in the subject source?
Nicholas R - Maybe the subject source view(s)/search filter(s) should prevent anyone who doesn’t have a username from making it in to grouper? Then when they get a username, they show up?
Matthew B - Grouper is used to decide who is eligible to register an account. Hiding unregistered users would not help. The old IDM uses large chunks of java and groovy to figure out if a user is eligible, Grouper does a bit of group math to figure out the state of the user.
Chris Hyzer - The "recent memberships" aka "grace periods" feature is revamped for 2.5.30
Chris Hyzer - @channel the current plan is to release 2.5.30 on Monday-ish. If there are small non-pspng jiras that aren't done and you want them done let me know and I will try to complete them
Jeffrey W - Limited-rights account can manage a group it has admin privs on. HOWEVER... If said user searches for a subject of the group and tries to revoke their membership that way, they get a 'cannot find group' error.
Michael G - do you ever notice grouper loader getting “wedged/stuck” and you have to restart the loader?
Andy Mo - We have a SQL_GROUP_LIST loader job that ended up removing (emptying) the membership of a number of groups even though the removal exceeded the failsafe threshold.
Carey - Grouper+deprovisioning :
An existing group ( "bob's group" ) that has memberships that were created by hand over time.
Along comes a new deprovisioning group…….
Erik - beginning the process of converting our .properties files to database configs.
Bill T - Lafayette is working on getting our course rosters into Grouper. If you’ve already done this and have advice/regrets/pointers on things like naming convention, grouper privilege management, exception handling, course roster group lifecycle, etc please let me know.
Erin M - We're excited to announce that registration is open for Grouper School! Join us from October 6 - 9th
Jeffrey W - Has anyone done user resolution for an attribute in subject.properties for someone that wasn't the subject e.g. Manager, Reports, etc?
Sean M - completed upgrading our production Grouper service to 2.5.29
Drew A - attempting test of removing the direct memberships of group 'Test A', by anyone who is in group 'group b'.
Jeffrey C - started playing with the "permissions" structure again and we are getting messaging when a permission changes via RabbitMQ. However I'm not sure I'm seeing audit log entries related to permission changes. Do permission changes get audited currently?
Erin M - we have opened Expression of Interest for the Collaboration Success Program (CSP).
Erik C - Been testing our upgrade to 2.5.29 containers, and previously in 2.4.x I was setting a local CATALINA_OPTS=-Duser.timezone=America/Chicago in order to set the local timezone on the application. It seems my variable is not getting picked up any longer, so how best to set the timezone so that Grouper QuartzCron is using local times?
Erik - in an LDAP_SIMPLE Loader, does this Subject ID JEXL do what I think it does:
Sean M - an example of a "connector" that is using the new Grouper provisioning strategy?
Chris Hyzer Grouper 2.5.31 is ready to be used
Paul R - Just for our own sanity when creating new groups via a grouperLoader process, we cannot seem to figure out how to give a distinct NAME and a DISPLAY_NAME value when creating those groups. We want a different format for the ID versus what the user sees as the DISPLAY NAME.
Beth H - Our team is working on a Grouper PoC/Pilot. As we are going to be moving from multiple SQL databases and LDAP directories which currently support access management to Grouper, we are going to have multiple data "warehouses"
Chris Hyzer -
- databases and ldaps and other things are "external systems" now, and we have configuration and management of those in the UI. This is a new feature so if you try it out, check the resulting configs in the database and confirm it's what you want.
- In order to support complex relationships between prod/test/dev envs, all the external systems support multiple connections of the same type (e.g. multiple database warehouses). With the exception of smtp, you get one email provider :)
- Can announce another enhancement too, if you go to the daemon screen, you will see an edit button
- You can configure each daemon in a context specific way. Thanks @Vivek Sachdeva!
- this part isn't ready to use, but this is all for provisioning (and other things). 1. Configure an external system, 2. Configure a provisioner (below), 3. Configure the realtime and full sync daemons.
Here is the provisioner screen (which doesn't do anything, but you can see the UI). Again context specific
Erik - What a great improvement! Looking forward to this! What version will this be released on? 2.5.31?
Michael - on 2.5.32 in my dev environment and working on getting .32 into test. Great work - as always - to the entire Grouper Dev team!
Carey - Change Log Consumer... don't see an easy way to find out who "caused the event"?
Chris Hyzer - this tomee upgrade was a pain.
Beth - New Grouper Admin Question: We are currently building course composite groups (using addIncludeExclude), etc. We have over 4000+ groups. That is awesome. However, when one goes away in the system of record, we want them to be deleted. In the Loader configuration tiny text for "Groups like..." it says, "Note, if the group is used anywhere as a member or composite member, it won't be removed.". Our groups that we are provisioning in Office 365 are composite groups (systemOfRecord + include - exclude). What is the best means by which to automate the deprovisioning and deletion of the composite (and its member groups)?
- v2.5 Release Notes
- Grouper v2.5 container unit tests
- Release steps for new build
- Grouper v2.5 customize container config files
- DDL in Grouper v2.5+
- Install the Grouper v2.5 container maturity level -1 quick start
- Grouper container management for Grouper developers
- Grouper container documentation for v2.5
- Grouper generic provisioner framework
- Grouper LDAP provisioner in v2.5 tasks
- Grouper automatically managed recent memberships (grace periods)
- Re: [grouper-users] containerized grouper noob questions, Greg Haverkamp, 07/21/2020
- Re: [grouper-users] Class Rosters for Grouper, Alan Crosswell, 07/10/2020
- Re: [grouper-users] Class Rosters for Grouper, Bill Thompson, 07/13/2020
- [grouper-users] docker environment issue?, T-Heetderks, 07/15/2020
- [grouper-users] Grouper Messaging with Apache Kafka, Coleman, Erik C, 07/16/2020
- RE: [grouper-users] Grouper Messaging with Apache Kafka, Hyzer, Chris, 07/22/2020
- [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Hafer, Christopher G, 07/21/2020
- RE: [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Hafer, Christopher G, 07/21/2020
- RE: [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Hyzer, Chris, 07/22/2020
- RE: [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Hafer, Christopher G, 07/22/2020
- RE: [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Black, Carey M., 07/22/2020
- Re: [grouper-users] Grouper 2.5.29 Installer errors on hibernate connections, Hyzer, Chris, 07/21/2020
Next Grouper Call : Wed August 5, 2020