Grouper
Child pages
  • 29-April-2020
Skip to end of metadata
Go to start of metadata

Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Jeff Williams, University of North Carolina Greensboro
  • Vivek Sachdiva, independent
  • Matt Wolfley, Unicon
  •  Emily Eisbruch, Internet2


  Action Items

 Grouper Action Items are here  


New Action Items from this call

  • AI Shilen  look at the migration work Chris did and provide feedback.   https://spaces.at.internet2.edu/x/7gAOCg
  •  AI Chris and Vivek add ability in external systems to handle custom config attributes
  •  AI Chris create plan for large database /reporting/storage issue  and share it   for community input
  • AI Chris change the Grace Period feature to be Recent members feature   
  • AI Emily look at  mentions of Grace period in Grouper wiki, and update the documentation noting the new RECENT MEMBERSHIPS option 
     update  Grouper automatically managed recent memberships (grace periods) 

 

 Administrivia

Current work tasks, and next tasks

 

Vivek 

  • https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+strategy
  • Wrapping up Grouper External systems
  • Sections for admin tasks and non admin tasks
  • Test, tries to connect to external system 
  • Supports expression language
  • Working on hide/show capability , can put in an expression
  • No need for java logic
  • Whatever makes the wizards easier to use
  • This will be pattern for Grouper UIs 
  • Similar screen for Daemons https://spaces.at.internet2.edu/display/Grouper/Daemon+configuration
  • Drive off metadata
  • Custom tag for form element controls
  • Can add edit delete daemon tasks and other configuration
  • As we work forward w new provisioning framework, other provisioners can migrate to this type of organization where you can configure jobs this way.  
  • (People could also stick with change log consumer)
  • But will be nice to pull up a list of external systems and jobs
  • Right now the types are hard coded in Java, could change to be extensible in future


  • Metadata config for properties UI
  • Don't edit your base config is a rule of Grouper

 

  • Testing is done from the UI
  • Issue: UI may or may not be allowed out externally
  • Could get a false negative when testing from the UI
  • Might actually work from Daemon


  • Could make GSH method to test an external connection
  • Carey suggests use a one-off Quartz job for checking the connection
  • Chris: Wish daemon has web service layer

 

  • Shilen: with the ldap config, with ldaptive, we give ldaptive a map of properties, 
  • the base config has most properties, but not all,  
  • Can a property be added thru UI, or must be in base first
  • Answer: Can add from the configuration editor
  • Not from External system editor, it gets properties from REGEX
  • Question of how to extend
  • Not allowed to modify base files, but perhaps you could extend?
  •  Need a more dynamic screen, where it’s not just working from metadata
  • Or have properties come from somewhere that’s not “hit” by REGEX
  • Key as label, don’t assume types, 
  •   so config does not get deleted
  •  AI Chris and Vivek add ability in external systems to handle custom config attributes
  •  
  • In future will make screens that can tell you if everything is up to date 
  • Group screens will show provisioning status and have a button to update
  • Is this group up to date for Box ? 
  • Shilen and Chris will need to work on LDAP provisioner, with new tables



  • Reporting Database and storing large amounts of data
  • Storing Clobs in database
  • Chris has proof of concept of large character field in all 4 kinds of databases.  
  • Need Long texts
  • Oracle and HSQL, can use CLOB
  • If size greater than 3700 bytes
  • Transparent if you have large attribute value
  • Change reporting and workflow, which use the storage
  • Have them use attribute values
  • No worry on containers w mounted file systems
  • Chris will do the attribute value work
  • Anyone using these reports or workflow features will need to speak up and we can have transition period
  • Or they can start over on new version
  • Will define by value query still work?  
    • For the ones that are small YES, over 3700 No, won’t work 
  • Will 10 meg be sufficient for larger reports? Hope so
  • Use a text field?
  • HSQL doesn't matter
  • Keep all big things in another table, or have a field in attribute value that is larger
  • Need two mapping files
  • One for all, one for clobs
  • FTP option?
    • Hassle to set up FTP 

 

  • Vivek and Chris will make decisions 
  •  AI Chris create plan for large database /reporting/storage issue  and share it  for community input

  

In metadata In config file, specify what’s required, class name, validation

Chris: looks great, 


 

Chris 

  • Migration
  • AI Shilen  look at the migration work Chris did and provide feedback.
  • Grace period   https://spaces.at.internet2.edu/display/Grouper/Grouper+grace+periods
  • Only used one view
  • Defaults to on, can be turned off
  • Eventually can do a custom UI pretty easily
  •  
  • AI Emily look at other mentions of Grace period in Grouper wiki, and update the documentation noting the new grace period option for Grouper 2.5 
    HOLD OFF ON THIS UNTIL CHRIS CHANGES THE FEATURE

 

  • Could this grace period group be used for other purposes? 
  • It’s a recent members group.
  • Could remove the word Grace and Eligible
  • Include current members
  • AI Chris change the Grace Period feature to be Recent members feature   

 

Shilen 

  • USDU updates, it updates member table
  • Data refresh
  • configuration for LDAP provisioner, create class for validation,
  • Config class to read config and have it ready for provisioner
  • Example w SQLsync 
  • Harmonize that w Vivek’s work on external systems
  • Provisioner configuration, then work on full sync
  • LDAP DAO, grab data and compare and make updates
  • AI CHRIS make an LDAP config tasks  wiki  
     

 

 Chad  

  • Azure provisioner  is out, 
  • Updated wiki 
  • Emailed Grouper Users list
  • Heard  from Yale , around Office 365 use case
  • Making assumptions on format of user principal name
  • Want more flexibility
  • Putting JEXLs 

 

  • Instrumentation graphs  https://spaces.at.internet2.edu/display/Grouper/Visualization+UI
  • Fixed Issue w number of pixels and y axis too high
  • For visualization work Chad updated a C3 library
  • There was no longer a default for the width

  • Looks in Jar file for version
  • Was not working w snapshot versions
  • Updated the regular expression to handle that
  • Go to external systems branch, Grouper Azure, Office 365, 
  • Chad put a test method in there?
  • If there is a connect method, that is the easiest,
  • Can add another config to help test

 

  • Add a config showing which to use…
  • Or, Instead of config in change log consumer put in Grouper properties… 
  •  
  • Can look at the GIT suggestions on libraries, security related issues

 

  • Ask Vivek to test SCM and AWS and RabbitMQ
  • Don’t change Grouper until these get tested
  • Objects from JSON, some security issues

 

Matt 

  • Concept for former members new feature (formerly grace period)
  • Implemented a local hook
  • Look at attributes assigned 
  • Auto assign other attributes
  •  
  • Anytime gets  assigned anywhere
  • Find list of other attributes that need to be assigned and auto assign
  • Hook would look at Grace Marker and know what to do around attributes
  • Carey has code but it’s not perfect
  • Everyone writing custom attributes would benefit
  • Until we have a UI, having it auto populate would make it easier
  • Shilen likes this idea
  • Loop back to new attribute definition to look for other auto assigns
  • The marker is an attribute name
  • Definition of a marker specifies…

 

Issue Roundup

 

InCommon-Grouper Slack

 

April 15 - Alex P - odd problem in dev with the 2.5 container

 

 April 16 - Chris Hyzer  https://todos.internet2.edu/browse/GRP-2677

Do people want do to as suggested where the back button will work with search results (whether in upper right or in search form), or not have search results (or possible PII) in any URLs and the back button will not work with search results

 

 

April 16 - Alex P - membership limits for groups,
      Chris Hyzer: address this at some point, loaders and change log consumers, that pattern will help, but with effective memberships and trying to limit a group, hard to do 

 

April 16 - MG and J Crawford and A Morgan - prefer IMMUTABLE images

   Moving from public GIT to internet2 GIT, we will all have accounts, getting access to build images , still some work to do with the image. 5 open JIRAs about this. Issue on running image as non root, can of worms to run image as non root, will be discussed at today’s 3pm integration call, harmonize processes, Shib is upstream container, need some flexibility , once you can run as one UID it should run as NON Root

 

April 17- Tommy D -Is there a configuration setting to help prevent SMTP messages from being sent to end users? This will be helpful for non-production environments.

New feature allows all mail to one address in non prod, 

 

 April 18- Ryan R - Tomcat/Tomee HTTP Basic auth for Grouper WS had any issues after upgrading to 2.5.22?

 

April 18 Chris Hyzer: reorganized this doc: https://spaces.at.internet2.edu/display/Grouper/Grouper+Web+Services+Authentication

 

   Includes recipes to help , there is a JIRA to make things more automatic for TomCat

Improved LDAP auth , can look up a DN, people can start using the Grouper auth

 

April 20 - Tommy D -  creating   LDAP loader job that will need to get subjects from two different subject sources, but sometimes the subject will appear in both sources.

 

    Need to start out with one subject source for people

 

April 20 - Josh O - Grouper 2.5x and config

 

April 20  A Morgan - How do I remove/cleanup an old consumer? 

 

   Eventually there will be a UI for change log consumers

 

April 20 - Carey -  container... RE: prod best practices NTP

 

    Nice if outer container has right time and time zone

 

April 21 - Ryan R - exception   in the findBadMemberships job   after   upgrade 2.5.22

 

    Shilen will take a look at this - it looks like they needed to tune a query in their database.

 

April 21 - Chris Hyzer   - Grouper project  currently supports Grouper v2.5+ running only in the i2incommon container (including of course subcontainers).  If you want to take pieces out and run in an unsupported way feel free to do that on your own.  If you have questions about how to do something with the container that you think you cannot do and think you need to do surgery, please discuss it with us first

 

     There was some debate, we need people to run the I2 container, we can’t support multiple

 

April 21 Chris Hyzer -Grouper v2.5.23 is released on Dockerhub

 

  About to release v.2.5. 25

 

April 22 - Paul R - How long is 2.4.x for grouper going to receive patches

 

April 22 - Andrew M - Grouper Rules to handle grace periods

 

April 22 - Tommy D - LDAP loader for Active Directory.

 

April 23 - Jeff W - Docker question:   turn on single-node swarm mode in docker to make use of secrets.   is there any significant overhead or other considerations to be aware of?

 

   Need to document higher security levels around Docker , especially around secrets, please help w documentation if possible.  Jeff: RED HAT does not support swarm mode in 7.5 and above,   go thru docker compose if that works.  Running docker secrets as a service does not work.  RED Hat is dropping Docker.
Carey: Can roll back to community version of Docker, Not the Red Hat Docker

 

 

April 23 - Chris Hyzer - grouper treats any file similarly just put the path (e.g. /run/secrets) in the password config value and keep the encrypted secret in that file. 

 

April 23 - Scott K - upgrade a fully patched 2.4 to the current stable 2.5 container i2incommon/grouper:2.5.22

 

April 23 - Erik C  - daemon container running Grouper Version 2.4.0-a65-u38-w6-p8-20190722-rc1, getting error 

 

April 24 - Tommy D -replacing a subject source essentially requires recreating any loader jobs and the groups associated with the loader. Is that about what one should expect 

 

April 24 - Alex P - grouper still running a hibernate 5.0.* release? 

 

   There is a newer hibernate version, perhaps in Grouper 2.6 we will move up to new hibernate

Issue w P6 5 ?  P6 Fi ? 

 

 

April  27 - Chris B - Any way to easily forbid/trim trailing spaces in stem and group IDs? 

 

April 28 -Richard F In 2.4, how does one test a JDBC connection in the subject API? 

 

April 28 - Carey https://todos.internet2.edu/browse/GRP-2727

   don't display the "+ Add members" button on a composite group

 

Visualization screen might help, option to highlight groups w different privileges

 

April 29 - MG -Using grouper shell how would i invoke an LDAP query against one of the LDAP defined DB definitions in grouper-loader?

 

Feed from LDAP to SQL

 

========

JIRAS, many are now closed

 

Grouper Users List

 

Grouper Wiki Updates

 


 


 Next Grouper Call:  Wed May 13, 2020

 

  • No labels