Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Jeff Williams, University of North Carolina Greensboro
- Vivek Sachdiva, independent
- Matt Wolfley, Unicon
- Emily Eisbruch, Internet2
Action Items
New Action Items from this call
- AI Shilen look at the migration work Chris did and provide feedback. https://spaces.at.internet2.edu/x/7gAOCg
- AI Chris and Vivek add ability in external systems to handle custom config attributes
- AI Chris create plan for large database /reporting/storage issue and share it for community input
- AI Chris change the Grace Period feature to be Recent members feature
- AI Emily look at mentions of Grace period in Grouper wiki, and update the documentation noting the new RECENT MEMBERSHIPS option
- Update Grouper automatically managed recent memberships (grace periods)
Administrivia
- http://www.internet2.edu/membership/ip.html
- Approve minutes
- Review Grouper Project Action Items (Google Doc)
- Agenda bash
Current work tasks, and next tasks
Vivek
- https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+strategy
- Wrapping up Grouper External systems
- Sections for admin tasks and non admin tasks
- Test, tries to connect to external system
- Supports expression language
- Working on hide/show capability; can put in an expression
- No need for java logic
- Whatever makes the wizards easier to use
- This will be pattern for Grouper UIs
- Similar screen for Daemons https://spaces.at.internet2.edu/display/Grouper/Daemon+configuration
- Drive off metadata
- Custom tag for form element controls
- Can add edit delete daemon tasks and other configuration
- As we work forward with the new provisioning framework, other provisioners can migrate to this type of organization where you can configure jobs this way.
- (People could also stick with change log consumer)
- But will be nice to pull up a list of external systems and jobs
- Right now the types are hard coded in Java, could change to be extensible in future
- Metadata config for properties UI
- Don't edit your base config is a rule of Grouper
- Testing is done from the UI
- Issue: UI may or may not be allowed out externally
- Could get a false negative when testing from the UI
- Might actually work from Daemon
- Could make GSH method to test an external connection
- Carey suggests use a one-off Quartz job for checking the connection
- Chris: Wish daemon has web service layer
- Shilen: with the ldap config, with ldaptive, we give ldaptive a map of properties
- The base config has most properties, but not all
- Can a property be added thru UI, or must be in base first
- Answer: Can add from the configuration editor
- Not from External system editor, it gets properties from REGEX
- Question of how to extend
- Not allowed to modify base files, but perhaps you could extend?
- Need a more dynamic screen, where it’s not just working from metadata
- Or have properties come from somewhere that’s not “hit” by REGEX
- Key as label, don’t assume types, so config does not get deleted
- AI Chris and Vivek add ability in external systems to handle custom config attributes
- In future will make screens that can tell you if everything is up to date
- Group screens will show provisioning status and have a button to update
- Is this group up to date for Box ?
- Shilen and Chris will need to work on LDAP provisioner, with new tables
- Reporting Database and storing large amounts of data
- Storing Clobs in database
- Chris has proof of concept of large character field in all 4 kinds of databases.
- Need Long texts
- Oracle and HSQL, can use CLOB
- If size greater than 3700 bytes
- Transparent if you have large attribute value
- Change reporting and workflow, which use the storage
- Have them use attribute values
- No worry on containers with mounted file systems
- Chris will do the attribute value work
- Anyone using these reports or workflow features will need to speak up and we can have transition period
- Or they can start over on new version
- Will define by value query still work?
- For the ones that are small YES, over 3700 No, won’t work
- Will 10 meg be sufficient for larger reports? Hope so
- Use a text field?
- HSQL doesn't matter
- Keep all big things in another table, or have a field in attribute value that is larger
- Need two mapping files
- One for all, one for clobs
- FTP option?
- Hassle to set up FTP
- Vivek and Chris will make decisions
- AI Chris create plan for large database /reporting/storage issue and share it for community input
- In metadata / config file, specify what’s required, class name, validation
- Chris: looks great
Chris
- Migration
- AI Shilen look at the migration work Chris did and provide feedback.
- Grace period https://spaces.at.internet2.edu/display/Grouper/Grouper+grace+periods
- Only used one view
- Defaults to on, can be turned off
- Eventually can do a custom UI pretty easily
- AI Emily look at other mentions of Grace period in Grouper wiki, and update the documentation noting the new grace period option for Grouper 2.5
- HOLD OFF ON THIS UNTIL CHRIS CHANGES THE FEATURE
- Could this grace period group be used for other purposes?
- It’s a recent members group.
- Could remove the word Grace and Eligible
- Include current members
- AI Chris change the Grace Period feature to be Recent members feature
Shilen
- USDU updates, it updates member table
- Data refresh
- Configuration for LDAP provisioner, create class for validation
- Config class to read config and have it ready for provisioner
- Example with SQLsync
- Harmonize that with Vivek’s work on external systems
- Provisioner configuration, then work on full sync
- LDAP DAO, grab data and compare and make updates
- AI CHRIS make an LDAP config tasks wiki
Chad
- Azure provisioner is out
- Updated wiki
- Emailed Grouper Users list
- Heard from Yale, around Office 365 use case
- Making assumptions on format of user principal name
- Want more flexibility
- Putting JEXLs
- Instrumentation graphs https://spaces.at.internet2.edu/display/Grouper/Visualization+UI
- Fixed issue with number of pixels and y axis too high
- For visualization work Chad updated a C3 library
- There was no longer a default for the width
- Looks in Jar file for version
- Was not working with snapshot versions
- Updated the regular expression to handle that
- Go to external systems branch, Grouper Azure, Office 365
- Chad put a test method in there?
- If there is a connect method, that is the easiest,
- Can add another config to help test
- Add a config showing which to use…
- Or, Instead of config in change log consumer put in Grouper properties…
- Can look at the GIT suggestions on libraries, security related issues
- Ask Vivek to test SCM and AWS and RabbitMQ
- Don’t change Grouper until these get tested
- Objects from JSON, some security issues
Matt
- Concept for former members new feature (formerly grace period)
- Implemented a local hook
- Look at attributes assigned
- Auto assign other attributes
- Anytime gets assigned anywhere
- Find list of other attributes that need to be assigned and auto assign
- Hook would look at Grace Marker and know what to do around attributes
- Carey has code but it’s not perfect
- Everyone writing custom attributes would benefit
- Until we have a UI, having it auto populate would make it easier
- Shilen likes this idea
- Loop back to new attribute definition to look for other auto assigns
- The marker is an attribute name
- Definition of a marker specifies…
Issue Roundup
InCommon-Grouper Slack
April 15 - Alex P - odd problem in dev with the 2.5 container
April 16 - Chris Hyzer https://todos.internet2.edu/browse/GRP-2677
Do people want to do as suggested, where the back button will work with search results (whether in upper right or in search form), or not have search results (or possible PII) in any URLs, so the back button will not work with search results?
April 16 - Alex P - membership limits for groups,
Chris Hyzer: address this at some point, loaders and change log consumers, that pattern will help, but with effective memberships and trying to limit a group, hard to do
April 16 - MG and J Crawford and A Morgan - prefer IMMUTABLE images
Moving from public GIT to Internet2 GIT; we will all have accounts. Getting access to build images; still some work to do with the image. 5 open JIRAs about this. Issue on running image as non-root: can of worms to run image as non-root, will be discussed at today’s 3pm integration call. Harmonize processes; Shib is upstream container, need some flexibility. Once you can run as one UID it should run as non-root.
April 17- Tommy D -Is there a configuration setting to help prevent SMTP messages from being sent to end users? This will be helpful for non-production environments.
New feature allows all mail to one address in non prod,
April 18- Ryan R - Tomcat/Tomee HTTP Basic auth for Grouper WS had any issues after upgrading to 2.5.22?
April 18 Chris Hyzer: reorganized this doc: https://spaces.at.internet2.edu/display/Grouper/Grouper+Web+Services+Authentication
Includes recipes to help; there is a JIRA to make things more automatic for Tomcat
Improved LDAP auth, can look up a DN; people can start using the Grouper auth
April 20 - Tommy D - creating LDAP loader job that will need to get subjects from two different subject sources, but sometimes the subject will appear in both sources.
Need to start out with one subject source for people
April 20 - Josh O - Grouper 2.5x and config
April 20 A Morgan - How do I remove/cleanup an old consumer?
Eventually there will be a UI for change log consumers
April 20 - Carey - container... RE: prod best practices NTP
Nice if outer container has right time and time zone
April 21 - Ryan R - exception in the findBadMemberships job after upgrade 2.5.22
Shilen will take a look at this - it looks like they needed to tune a query in their database.
April 21 - Chris Hyzer - Grouper project currently supports Grouper v2.5+ running only in the i2incommon container (including of course subcontainers). If you want to take pieces out and run in an unsupported way feel free to do that on your own. If you have questions about how to do something with the container that you think you cannot do and think you need to do surgery, please discuss it with us first
There was some debate; we need people to run the I2 container, we can’t support multiple
April 21 - Chris Hyzer - Grouper v2.5.23 is released on Dockerhub
About to release v2.5.25
April 22 - Paul R - How long is 2.4.x for grouper going to receive patches
April 22 - Andrew M - Grouper Rules to handle grace periods
April 22 - Tommy D - LDAP loader for Active Directory.
April 23 - Jeff W - Docker question: turn on single-node swarm mode in docker to make use of secrets. is there any significant overhead or other considerations to be aware of?
Need to document higher security levels around Docker, especially around secrets; please help with documentation if possible. Jeff: Red Hat does not support swarm mode in 7.5 and above, go through docker compose if that works. Running docker secrets as a service does not work. Red Hat is dropping Docker.
Carey: Can roll back to community version of Docker, Not the Red Hat Docker
April 23 - Chris Hyzer - grouper treats any file similarly just put the path (e.g. /run/secrets) in the password config value and keep the encrypted secret in that file.
April 23 - Scott K - upgrade a fully patched 2.4 to the current stable 2.5 container i2incommon/grouper:2.5.22
April 23 - Erik C - daemon container running Grouper Version 2.4.0-a65-u38-w6-p8-20190722-rc1, getting error
April 24 - Tommy D -replacing a subject source essentially requires recreating any loader jobs and the groups associated with the loader. Is that about what one should expect
April 24 - Alex P - grouper still running a hibernate 5.0.* release?
There is a newer hibernate version, perhaps in Grouper 2.6 we will move up to new hibernate
Issue w P6 5 ? P6 Fi ?
April 27 - Chris B - Any way to easily forbid/trim trailing spaces in stem and group IDs?
April 28 - Richard F - In 2.4, how does one test a JDBC connection in the subject API?
April 28 - Carey https://todos.internet2.edu/browse/GRP-2727
don't display the "+ Add members" button on a composite group
Visualization screen might help, option to highlight groups w different privileges
April 29 - MG - Using grouper shell how would I invoke an LDAP query against one of the LDAP defined DB definitions in grouper-loader?
Feed from LDAP to SQL
========
JIRAS, many are now closed
- GRP-2728: add includeEligible to grace periods
- GRP-2727: don't display the "+ Add members" button on a composite group
- GRP-2726: add parameters to pit attribute value view so it shows value rows
- GRP-2725: update pit memberships view to show valid rows
- GRP-2724: tomee in container gets confused with ws urls
- GRP-2723: add grace periods to grouper
- GRP-2722: Remove daily.report.usdu.daysToRun and daily.report.badMembership.daysToRun options from grouper loader config
- GRP-2721: add daemon configuration UI screen
- GRP-2720: By default, the status page shouldn't show information like group names
- GRP-2719: Restrict access to diagnostics/status page
- GRP-2718: add _FILE env var convention in container like shib and comanage
- GRP-2717: Investigate making container run as non-root
- GRP-2716: print registry deep report to stdout since it's run from gsh
- GRP-2715: fix registry deep check, it tries to add foreign keys twice
- GRP-2714: move morphString.base.properties to client git and client jar
- GRP-2713: trim inputs from subject api diagnostics
- GRP-2712: grouper attribute name update in ui doesn't change all fields
- GRP-2711: search using magnify glass doesn't work
- GRP-2710: LDAP authentication failures return 400 instead of 401
- GRP-2709: add database migration utility
- GRP-2708: take out grouper patch status
- GRP-2707: increase the ajax timeout from 3 minutes to 30 minutes
- GRP-2706: allow loader diagnostics to run from command line
- GRP-2705: edit config set password, is not encrypted
- GRP-2704: Providing alternate ways of providing userPrincipalName instead of auto generating
- GRP-2703: Issues with rules daemon
- GRP-2702: Deprovisioning daemon shouldn't do anything if disabled
- GRP-2700: get memberships member paging first page is size 1
- GRP-2699: Error viewing UiV2Main.globalInheritedPrivileges
- GRP-2698: add setting for email to be sent to one address for non prod
- GRP-2697: GrouperVersion should handle -SNAPSHOT in version
- GRP-2696: remove vt-ldap
- GRP-2695: add env var to switch to tomcat ws authn
- GRP-2694: add env var to switch to maturity level 0 logging
- GRP-2693: add rule if condition that checks membership count
- GRP-2692: USDU update to sync cached provisioning data for subjects
- GRP-2691: Azure provisioner add configurable mail nickname and description
- GRP-2690: Group configuration to limit total number of memberships
- GRP-2689: workflow daemon is misspelled in grouper-loader.base.properties
- GRP-2688: USDU no longer fixes member table attributes from subject sources
- GRP-2687: morphString key in external file with whitespace around key (including newline) uses whitespace in the key itself
- GRP-2686: add "schedule jobs" button to All Daemons page
- GRP-2685: update gantt chart
- GRP-2684: OTHER_JOB total count is zero for realtime loader when ins/del is non-zero
- GRP-2683: Package base properties into their respective jars
- GRP-2682: add connection provider to subject api diagnostics and allow run from gsh
Grouper Users List
- [grouper-users] How does one page using the Java API?, Richard Frovarp, 04/15/2020
- [grouper-users] New Blog on Grouper, emily, 04/20/2020
- [grouper-users] Announcing new features in the Grouper Azure provisioner, Redman, Chad, 04/22/2020
- [grouper-users] Openshift Deployment, Oliver Trieu, 04/22/2020
- Re: [grouper-users] Openshift Deployment, Scott Koranda, 04/22/2020
- Re: [grouper-users] Openshift Deployment, Darren Boss, 04/22/2020
- Re: [grouper-users] Openshift Deployment, Oliver Trieu, 04/27/2020
- Re: [grouper-users] Openshift Deployment, Darren Boss, 04/27/2020
- Re: [grouper-users] Openshift Deployment, Scott Koranda, 04/22/2020
- Re: [grouper-users] Openshift Deployment, Darren Boss, 04/22/2020
- RE: [grouper-users] Old PIT data?, Hyzer, Chris, 04/23/2020
- Re: [grouper-users] Old PIT data?, Alex Poulos, 04/23/2020
- RE: [grouper-users] Oracle Incompatibility, Hyzer, Chris, 04/23/2020
- [grouper-users] Keeping secrets secret, Darren Boss, 04/27/2020
- Re: [grouper-users] Keeping secrets secret, Poddar, Amit, 04/27/2020
- Re: [grouper-users] Keeping secrets secret, Alex Poulos, 04/27/2020
- Re: [grouper-users] Keeping secrets secret, Oliver Trieu, 04/27/2020
- Re: [grouper-users] Keeping secrets secret, Poddar, Amit, 04/27/2020
- Re: [grouper-users] Keeping secrets secret, Alex Poulos, 04/27/2020
- [grouper-users] LDAP timeouts after Java upgrade, Baron Fujimoto, 04/28/2020
- Re: [grouper-users] LDAP timeouts after Java upgrade, Alex Poulos, 04/28/2020
- Re: [grouper-users] LDAP timeouts after Java upgrade, Alex Poulos, 04/28/2020
- Re: [grouper-users] LDAP timeouts after Java upgrade, Robert Bradley, 04/28/2020
- [grouper-users] Any tips for k8s ingress configuration, Darren Boss, 04/28/2020
- Re: [grouper-users] Any tips for k8s ingress configuration, Christopher Bongaarts, 04/28/2020
- Re: [grouper-users] Any tips for k8s ingress configuration, Darren Boss, 04/29/2020
- Re: [grouper-users] Any tips for k8s ingress configuration, Christopher Bongaarts, 04/28/2020
- Re: [grouper-users] Any tips for k8s ingress configuration, Alex Poulos, 04/28/2020
Grouper Wiki Updates
- Daemon configuration
- Grouper Daemon
- Grouper Product Roadmap
- v2.5 Release Notes
- v2.5 Upgrade Instructions from v2.4
- Grouper Downloads
- Upgrade from Grouper v2.4 to v2.5 on the demo server
- GrouperShell (gsh)
- Grouper grace periods
- Install the Grouper v2.5 container with maturity level 1 manually
- Install the Grouper v2.5 container with maturity level 0 manually
- Grouper container documentation for v2.
- Grouper overall summary administrative report
- External systems configuration
- Point in Time Auditing
- DDL in Grouper v2.5+
- Change log consumers
- Grouper rules use case - Disabled-date addition to grace period group when removed effectively from a policy subgroup
- Externalize and encrypt grouper passwords
- Grouper database migration utility
- Grouper Azure provisioner
- Grouper Web Services Authentication
- Grouper web services - authentication - Tomcat authentication
- Grouper web services - authentication - Grouper Kerberos
- Grouper web services - authentication - custom authn
- Grouper web services - authentication - Grouper LDAP
- Grouper web services - authentication - Apache http password
- Grouper web service - subject source - local entities
- Grouper web service - subject source - SQL table
- Grouper rules use case - Veto if too many members
- Grouper USDU v2.5+
- Grouper LDAP provisioner in v2.5
- Grouper developers coding standards
- Grouper provisioning strategy
Next Grouper Call: Wed May 13, 2020