Attending:
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Bert Bee Lindgren, Georgia Tech
- Chad Redman, UNC
- Vivek Sachdiva, independent
- Matt Black, The Ohio State University
- Emily Eisbruch, Internet2
New Action Items
[AI] (Chris) for the types work Vivek is doing, Chris will update the wiki with a strawman on links to the owner of the type relationship
[AI] (Chris) for the types work Vivek is doing, Chris will suggest some security parameters, Chris will email the users list to get input
[AI] (Shilen) email the Grouper list with the Daemon Screen work
[AI] (All) Go through report from Chad on unresolved JIRAS, see Chad's email of 11/14/2018
[AI] (Bert) make the Grouper installer change
[AI] (Bert) release patch for LDAP attributes
DISCUSSION
Current work tasks, and next tasks
Vivek – Object types
https://spaces.at.internet2.edu/display/Grouper/Grouper+types+on+objects
Chris will send Vivek info for the screens.
Best way to indicate direct or indirect?
For privileges checkmarks are light grey or dark.
Matt does not like the hidden tabs, does not like use of a button.
Chris: we have same structure for attestation and other screens so it’s a different discussion.
Loader job, services, can we link horizontally to the owner of the type relationship to the group
[AI] (Chris) update the wiki with a strawman on links to the owner of the type relationship
Using Tooltips and links are a good idea
Think about what should be displayed by default
For multiple types, sentences that look like a paragraph.
“Ref” and in paren a link to the loader job
So Type and tooltip and optional link
These are attribute based
How does access control work?
Chris: these are public, if you can view a group you can view this
It’s not sensitive, it’s just descriptive
Matt: Details of the query could be sensitive
Bert: if you click on the loader job, there may be details to hide
Attribute is query description, could be sensitive and not good to be public
Want to allow the right people to see the attributes
Risk that no one will use this feature, this was intended to be public
Could allow for other, private attributes
If we get into adding your own types, then there could be private attributes
Vivek: Daemon job work is still to be done
Which use case requires background job?
Chris: hard to trust real time changes
Should check the hierarchies to be sure they are right
Vivek: some values don’t have anything to show for certain fields, that’s OK
Vivek: need to refactor some code and run the daemon job for hierarchy
Not doing attribute security, so need to be group admin to configure the attributes.
Shilen: could be use cases where you want to prevent just anyone from saying their group is a ref group.
Some should be able to be assigned by group admins, but some should require a sys admin.
Matt: if value for attribute name can be derived from a query, then you could ? that so the value of type name could be their own structures. To control who can see Ref groups, who can see policy groups, who can see Basis group
Bert: this is replacing free form description paragraph and providing structure to it.
The technical cost of trying to enforce lots of vetting is problematic
Want this to be easy to use, but need some security
[AI] Chris suggest some security parameters, Chris will email the users list to get input
Chris – Database configs
https://spaces.at.internet2.edu/display/Grouper/Grouper+configuration+in+the+database+and+UI
- JSON string
- To help the UI display the config item and help user enter the right thing
- What setting need to be restarted?
- Reloaded every 60 seconds by default?
- Chris will think about this
- Will support morph string
- Morph string will be outside the database
- Some items are sensitive and should not be displayed
- Support for paragraphs? That’s the Regex part. Need to think about this
- PSPNG will have its own wizard
- Q: How does this work w custom properties or hooks?
- A: everything is laid out in sections from the base file.
- Could be freeform at bottom of screen for a key and a value
- Needs more thought.
- Would be in base config file.
- People should not edit that file
- If people are on different patch levels that could be some issues
- Use of class files, there is code involved
- AI Chris document at top of wiki page the advantages of this config database approach versus existing approach (done) https://spaces.at.internet2.edu/display/Grouper/Grouper+configuration+in+the+database+and+UI
Bert – PSPNG patches
- Master branch of API not compiling last few days
- Created version of installer that did not compile API for PSPNG patches
- Do we need to be compiling API?
- If should check in changes that are PSP specific? Or generalize them?
- Chris: we need everything in GIT to compile. If it does not, comment out the part and ask the submitter to fix problem
- Chris: It’s OK to change someone else’s code to make it compile.
- send emails to the core team around such issues
- Using maven local repository
- ant build, does not install into local maven repo
- Bert: changes only kick in for PSPNG
- Possible to make more available if needed
- Idea of getting latest jars into the build process
- This is a decent way to build from recent code and live with unstable branch
- Bert is doing a create patch for PSPNG
- It is ant based
- Script needs to run before running the installer
- Environment used to get ready off current branch being patched
- That used to be OK, but it failed in last weeks when branch did not compile.
- Matt: should we stay with both ant and maven.
- Move to Gradle?
- Need to discuss in future.
- Bert will make the Grouper installer change
- Bert will release patch for LDAP attributes
- GRP-1908 patched (ldap cred logging)
Shilen
- Patch of Daemon screen
- Modifying the creating process of loader job
- To have option to schedule immediately
- We default to yes
- Can sync to use daemon instead of UI
- Copying Daemon logs from loader screen to Daemon screen to see the status
- Q: Is there a way to prevent the UI from running a loader job?
[AI] Shilen will email the Grouper list with the Daemon Screen work
- Shilen available to start new project.
- Will look at the Grouper Roadmap https://spaces.at.internet2.edu/x/_oXd
Chad – patches and next task?
Closed two issues, no patches, will be in next release
Config hibernate and environment properties
Look in Grouper.properties files
Will help w the Database Config work that Chris is working on
Chris will include these classes
These are resolved Jiras
Maven builds do not have build timestamp
So Chad went thru pom files and fixed this
Did a few minor adjustments w ants
Chad will work on the visualization topic from Auckland and M. Gettes
Good starting point
Can be converted to java
Start w something simple on a group…
Get patch so people can look at it
AI All Go through report from Chad on unresolved jiras, see Chad's email of 11/14/2018
Issue roundup (did not have time for this on the call)
Matt: status servlet should not use config file
Matt: PIT API parity with non PIT
Pull request for missing UI images
Pagination with find members (something to do here?)
Auto patching version number
Group attribute filter
Pspng missing classfile?
Grouper UI filtering
Reload properties files
Finding subgroups in WS
Database corruption on upgrade
Finding admins of services
GSH wiki improvements
Grouper types wiki, what to do https://spaces.at.internet2.edu/x/QIbd
- I2midev6 monitoring
- Brown looking for permissions use in Grouper
Next Grouper Call: Wed, Dec 12, 2018