28-Nov-2018

Attending: 

• Chris Hyzer, Penn, Chair
• Shilen Patel, Duke
• Bert Bee Lindgren, Georgia Tech
• Chad Redman, UNC
• Vivek Sachdiva, independent
• Matt Black, The Ohio State University
• Emily Eisbruch, Internet2

New Action Items

• [AI] (Chris) for the types work Vivek is doing, Chris will update the wiki with a strawman on links to the owner of the type relationship

• [AI] (Chris) for the types work Vivek is doing, Chris will suggest some security parameters , Chris will email the users list to get input

• [AI] (Shilen)  email the Grouper list with the Daemon Screen work

• [AI] (All) Go through report from Chad on unresolved JIRAS,  see Chad's email of 11/14/2018

• [AI] (Bert) make the Grouper installer change

• [AI] (Bert) release patch for LDAP attributes
  
  

DISCUSSION 

Current work tasks, and next tasks

Vivek – Object types

• https://spaces.at.internet2.edu/display/Grouper/Grouper+types+on+objects

• Chris will send Vivek info for the screens.

• Best way to indicate direct or indirect ?

  • For privileges checkmarks are light grey or dark.

  • Matt does not like the hidden tabs, does not like use of a button.

  • Chris: we have same structure for attestation and other screens so it’s a different discussion.

• Loader job, services, can we link horizontally to the owner of the type relationship to the group

• [AI] (Chris) update the wiki with a strawman on links to the owner of the type relationship

• Using Tooltips and links are a good idea

• Think about what should be displayed by default

• For multiple types, sentences that look like a paragraph.

• “Ref” and in paren a link to the loader job

• So Type and tooltip and optional link

• These are attribute based

• How does access control work?

• Chris: these are public, if you can view a group you can view this

• It’s not sensitive, it’s just descriptive

• Matt: Details of the query could be sensitive

• Bert: if you click on the loader job, there may be details to hide

• Attribute is query description, could be sensitive and not good to be public

• Want to allow the right people to see the attributes

• Risk that no one will use this feature,  this was intended to be public

• Could allow for other, private attributes

• If we get into adding your own types, then there could be private attributes

• Vivek: Daemon job work is still to be done

• Which use case requires background job?

• Chris: hard to trust real time changes

• Should check the hierarchies to be sure they are right

• Vivek: some values don’t have anything to show for certain fields, that’s OK

• Vivek: need to refactor some code and run the daemon job for hierarchy

• Not doing attribute security, so need to be group admin to configure the attributes.

• Shilen: could be use cases where you want to prevent just anyone from saying their group is a ref group.  

• Some should be able to be assigned by group admins, but some should require a sys admin.

• Matt: if value for attribute name can be derived from a query, then you could ? that so the value of type name could be their own structures.  To control who can see Ref groups, who can see policy groups, who can see Basis group

• Bert: this is replacing free form description paragraph and providing structure to it.

• The technical cost of trying to enforce lots of vetting is problematic

• Want this to be easy to use, but need some security

• [AI] Chris suggest some security parameters, Chris will email the users list to get input

  
  

Chris – Database configs

https://spaces.at.internet2.edu/display/Grouper/Grouper+configuration+in+the+database+and+UI

• JSON string  
• To help the UI display the config item and help user enter the right thing
• What setting need to be restarted?
• Reloaded every 60 seconds by default?
• Chris will think about this
• Will support morph string
• Morph string will be outside the database
• Some items are  sensitive and should not be displayed
• Support for paragraphs? That’s the Regex part.. Need to think about this
• PSPNG will have its own wizard
• Q: How does this work w custom properties or hooks?
• A: everything is laid out in sections from the base file.
• Could be freeform at bottom of  screen for a key and a value

• Needs more thought.
• Would be in base config file.
• People should not edit that file
• If people are on different patch levels that could be some issues
• Use of class files, there is code involved\
• AI Chris document at top of wiki page the advantages of this config database approach versus existing approach  (done) https://spaces.at.internet2.edu/display/Grouper/Grouper+configuration+in+the+database+and+UI

Bert – PSPNG patches

• Master branch of API not compiling last few days
• Created version of installer that did not compile API for PSPNG patches
• Do we need to  be compiling API?
• If should check in changes that are PSP specific?  Or generalize them?
• Chris: we need everything in GIT to compile, If it does not, comment out the part  and ask the submitter to fix problem
• Chris: It’s OK to change someone else’s code to make it compile.
• send emails to the core team around such issues 
• Using maven local repository
•  ant build, does not install into local maven repo
• Bert: changes only kick in for PSPNG
• Possible to make more available if needed
• Idea of getting latest jars into the build process
• This is a decent way to build from recent code and live with unstable branch
• Bert is doing a create patch for PSPNG
• It is ant based
• Script needs to run before running the installer
• Environment used to get ready off current branch being patched
• That used to be OK, but if failed in last weeks when branch did not compile.
• Matt: should we  stay with both ant and maven. 
  • Move to Gradle?
• Need to discuss in future.
• Bert will make the Grouper installer change
• Bert will release patch for LDAP attributes 
• GRP-1908 patched (ldap cred logging)
  

Shilen

• Patch of Daemon screen
• Modifying the creating process of loader job
• To have option to schedule immediately
• We default of yes
• Can sync to use daemon instead of UI
• Copying Daemon logs from loader screen to Daemon screen to see the status

• Q: Is there a way to prevent the UI from running a loader job?

[AI] Shilen will email the Grouper list with the Daemon Screen work

• Shilen available to start new project..
• Will look at the Grouper Roadmap  https://spaces.at.internet2.edu/x/_oXd
  
  

Chad – patches and next task?

• Closed two issues , no patches, will be in next release

• Config hibernate and environment properties

• Look  in Grouper.properties files

• Will help w the Database Config work that Chris is working on

• Chris will include these classes

• These are resolved Jiras

• Maven builds does not have build timestamp

• So Chad went thru pom files and fixed this

• Did a few minor adjustments w ants

• Chad will work on the visualization topic from Aukland and M. Gettes

• Good starting point  

• Can be converted to java

• Start w something simple on a group…

• Get patch so people can look at it

  AI  All Go through report from Chad on unresolved jiras , see Chad's email of 11/14/2018

 Issue roundup (did not have time for this on the call)

• Matt: status servlet should not use config file

• Matt: PIT API parity with non PIT

• Pull request for missing UI images

• Pagination with find members (something to do here?)

• Auto patching version number

• Group attribute filter

• Pspng missing classfile?

• Grouper UI filtering

• Reload properties files

• Finding subgroups in WS

• Database corruption on upgrade

• Finding admins of services

• GSH wiki improvements

• Grouper types wiki, what to do  https://spaces.at.internet2.edu/x/QIbd

• I2midev6 monitoring
• Brown looking for permissions use in Grouper

Next Grouper Call: Wed, Dec 12, 2018