Attending 

• Chris Hyzer, Penn, Chair
• Chad Redman, University of North Carolina Chapel Hill
• Shilen Patel, Duke
• Carey Black, the Ohio State University
• Vivek Sachdiva, independent

• Jeff Williams - University of North Carolina Greensboro

• Emily Eisbruch, Internet2

Intellectual Property reminder: http://www.internet2.edu/membership/ip.html

 Grouper Action Items are here  

New Action Items

•  AI Jeffrey work on GRP 2343 and commit patch, there is a code proposal in comments
•  AI Chad - look at GRP-2968 ArithmeticException (after Grouper training in October)
•  AI Shilen -  start a wiki about Shib and Grouper and container, document what people should do.  Explain what files go in what directories
• AI Chad create JIRA around adding filters for CAS, add web XML filters and then dynamic filters   
• AI  Vivek  Revisit rules documentation , it’s not clear enough  (after provisioning work is complete)

DISCUSSION

1. Administrivia

• http://www.internet2.edu/membership/ip.html
• Approve minutes
• Review AIs  Grouper Project Action Items (Google Doc)
• Agenda bash

Grouper Training

Grouper School Oct 13-16, 2020

https://www.incommon.org/academy/grouper/

• A virtual class, spanning 4 half days  
• Chris and Chad are the trainers
• Chad being sure modules work and make sense
• Chris recording 101  videos and getting them into Canvas
• Next week, get container spun up
• Then students are to do 10 hours of prework for training
• Will leave more time during training
• For next training, will collect thoughts on the content
• Tasks that people need to do
• Hope for a new list of what is highly relevant to cover
• Chad: could improve material on grace periods , there’s a 201 module on recent grads and it will need constant updates 

 Internet2 TechEx  Tuesday Oct 6,  be sure to register (no charge)

• Tuesday Oct 6 TechEx programming will include two featured keynote presentations.  
• The first  is Trust and Identity/ Research / NIH Oriented:
  • https://www.internet2.edu/news-events/events/techextra-2020/

•  “Science at the Speed of Infection: NIH Responds to the Pandemic with Academic Researchers," will be presented by Andrea Norris, Chief Information Officer of the National Institutes of Health and Mike Tartakovsky, Chief Information Officer of the National Institute of Allergy and Infectious Diseases and Director Office of Cyber Infrastructure and Computational Biology, and will focus on research challenges in the era of the pandemic. 

 Current Work

Provisioning work, Chris, Vivek and Shilen

• Test to simulate LDAP use case , challenges with workflow and order of the updates
• Challenge identifying which attributes are being read, inserted
• Type of attributes, compares
• Confusing , issues around empty values for attributes
• Can still use translation scripts
• Take a field or an attribute, from an attribute map,
• Target representation of the object
• Can also configure all the attributes or fields and put settings on the attributes, will be managed thru the UI
• To make the UI work, you first say how many you are going to have (for groups 6 attributes, for example)
• With configs you say what value type  
• Are there things we should add to the attribute config?
• Can have entity attributes, from an entity link
• Test cases work
• Chris has been focusing on the logging, there is a logging switch  per provisioner
• One log output at the end so everything is in one place
• There are configuration features to help with support
• DAO , perhaps add reflection
• Provisioner behaviors class, you don’t have to do much with it
• SQL group attributes
• Provisioner can tell framework what it should be doing as opposed to what it can do
• Will translate groups and entities to the target format. For SQL need an ID field, DN and GID number
• Then can get target ID
• Carey: special case for LDAP
• Need member attribute for create
• Some LDAPs take Null value
• Print out action that DAO is going to receive
• Translating the memberships
• Shilen: before, needed to remove membership object  when removing group object
• Chris: Next Steps: Look at each part of the framework, which part in LDAP or SQL, for example search attributes, maybe not needed
• Looking at behaviors and perhaps fleshing them out
• Shilen: Added to behaviors to get LDAP test to work
• Chris: the way behaviors are intended to work is all fields are upper case booleans, 
• If a user sets something we use it, otherwise make assumptions.
• Trying to only print out things that are configured
• Add more test cases 
• Chris will schedule a meeting with Shilen and Vivek
• Shilen: testing has been full syncs, what is situation w incremental syncs?
• Chris: perhaps went down wrong path, lot of code in ESB change log handler 
• Does things like gets sync objects, converts things to full sync
• We are limited with that set up , forced to use the change log
• Chris will take this work and put it in the incremental provisioner framework  code
• So if things come in thru events or otherwise could still batch things up and filter
• It works now
• In ideal world, would refactor the logic to go into the provisioner. May need to wait to do this
• Ideally grouper provisioner framework knows what must happen,
• Takes metadata and decides whether to provision, if a group sync can be done
• Provisioning framework will do the logic and handle in a consistent way
• Not much to do with real time, but need to refactor
• Code is pretty well organized and that will help with the real time

Shilen

• Updating the LDAP DAO, adding more methods
• Plan to continue that and other provisioning work

Chad

• JIRA 2958 , makes reports nicer
• GRP-2958
  Reports should use column names from metadata instead of the original sql 

 Issue Roundup

JIRAs in past 2 weeks

• GRP-2969
  PSPNG: log entries contain spurious NUL character at the end of LDAP error messages
• GRP-2968
  PSPNG: "ArithmeticException: Multiplication overflows a long" in ProgressMonitorPSPNG: "ArithmeticException: Multiplication overflows a long" in ProgressMonitor   was on Grouper Users email list, one improvement, don’t look at last interval,  should be an easy fix, 
• AI Chad - look at GRP-2968 ArithmeticException after training

AI Jeffrey work on GRP 2343 and commit patch, there is a code proposal in comments

• GRP-2343
  LdapSystem.performLdapSearchRequest doesn't return any members when group has more than 1500 memberships  , AI for Jeff to commit patch
• GRP-2967
  When exporting config files, do export passwords that are expression language  Vivek worked on this and it’s done for now
• GRP-2966
  Change enable/disable groups to just act on memberships, discussed and converging on solution
• GRP-2965
  Attestation should optionally disable Memberships that are not attested after a grace period
• GRP-2964
  UI Config not sorting all values properly…  incrementally improved   this in the past, can filter on something and that will help, new filters  should resolve this, more work to do, it’s much better than it used to be.  Top section for other job, stuff in remaining config is for other job, for things like this use the daemon config screens,
  make splitting off into sections  optional
• GRP-2963
  allow hasMember WS by subjectIdentifier (currently requires subjectId)  Chris handled this
• GRP-2962
  remove tomee ROOT directory
• GRP-2961
  allow DDL upgrade from 2.2.1   Chris looked at this, don’t like auto upgrade scripts, when they fail you don’t know. We should recommend against using auto upgrade scripts. Tweek the DDL so one script updates the database, including DDL table, get a script and run it. Talk to Chris about your thoughts on this
• GRP-2960
  add dynamic update of grouper_ddl to end of ddl scripts  relates to above 2961
• GRP-2959
  add option to not redirect from / to /grouper in apache container file
• GRP-2958
  Reports should use column names from metadata instead of the original sql   Good solution , you can quote column aliases
• GRP-2957grouper running as tomcat user has apache error on startup
• GRP-2956Add user audit when enabling/disabling daemon jobs
• GRP-2955 LdapGroupProvisioner with needsTar

Grouper WIKI updates in past 2 weeks

• Selenium testing example

• Grouper Custom UI example Zoom

• Penn Grouper with Zoom

• North Dakota State University Grouper Contribution (Richard Frovarp)

• Install docker postgres database (John Imholz)

• Grouper Training Environment

• Grouper School: Training Workshops

• Grouper database - Postgres

• Grouper database

• v2.5 Release Notes

• v2.5 Upgrade Instructions from v2.4

• Penn upgrade from v2.4 to v2.5

• Penn v2.5 container example

• Grouper v2.5 customize container config files

• Grouper v2.5 container unit tests

• Authentication to the Grouper UI

• Grouper LDAP Ldaptive SASL TLS

• Grouper LDAP provisioner v2.5 use case PA

• Grouper provisioning target DAO

• LDAP container for testing

Grouper Slack in past 2 weeks

Jeffrey  It seems like when searching for entities, using a comma ',' has some sort of special meaning. Most of our records are stored like "LASTNAME, FIRST I." but it seems to split the search when using a coma in the search. Is there a way. to turn that off?

Keith Hazelton Is Spaces Wiki the home of the most current version of the Grouper Deployment Guide?

Lacey  Is it possible to assign an attribute to a group as part of a loader job, similar to the metadata on groups option in SQL_GROUP_LIST?

Richard F - get the description of a group/stem to render effectively newlines

Erik  In my message queue testing, I have an ActiveMQ node running with the Grouper Client installed.  What part am I missing to actually make the client pull changelog events from Grouper itself and create messages on the ActiveMQ side?

Marwan How do you deal with loader groups from a source (let’s say AD) that have been nested into Grouper groups, when the source group gets renamed/deleted/moved at the source?  

Marwan   Does anyone assign a unique identifier attribute to groups created outside of Grouper and let Grouper load the groups based on that attribute?  

Jeffrey C  Question about https://todos.internet2.edu/browse/GRP-2921. I was testing this but updating a group that doesn't impact any provisioning against our LDAP. we were averaging around 550 records processed per min.

Erik C    is there a   Lite method to check a group membership by subjectIdentifier?  

Zachary    I have some classes that I want to package separately and drop in the container alongside the existing jars.  

Chris   Grouper Training is right around the corner: Oct 13-16.   

Carey Question about the UI and adding config values via the UI.

    Just starting to kick the tires on 2.5.35

Josh   I am still having an issue in UI v2.5, concerning loader config...

 Josh in my Dockerfile( which is in /opt/grouperContainer/ on the host), I have

COPY slashRoot /

....yet even though I have a slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties file that I have modified to tune certain loggers, the file is NOT being copied in the container, to /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties.  Instead my mods ARE showing up in the container, in /opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties (edited) 

• Chris   take a look at this, it is what we have working at penn https://spaces.at.internet2.edu/display/Grouper/Penn+v2.5+container+example

Chris  I updated this page about customizing grouper config files... comments welcome

Carey  Seeking community input/comments/watches/( up or down) votes for :

 Attestation should optionally disable groups that are not attested after a grace period (GRP-2965)

Feel free to discuss here in Slack or on the GRP.

Carey   Seeking community input/comments/watches/( up or down) votes for :

 Attestation should optionally disable Memberships that are not attested after a grace period (GRP-2965)

Lacey Any idea what would cause a large amount of these INFO messages in the daemon logs? 

Richard   Is there a way to get attestation messages to only go to members of a certain group instead of all of the admin/update users?   

Chris   In order to make upgrades easier and to make sure steps arent missed, the release notes now does not have the upgrade instructions from v2.5.X container version to v2.5.Y.  The upgrade steps are captured here:

https://spaces.at.internet2.edu/display/Grouper/v2.5+Upgrade+Instructions+from+v2.5

Also, the Grouper team will spend more effort trying to automate upgrade steps or have ways to log errors when things are incorrect to make things more foolproof and easier to upgrade.  Feel free to edit that wiki to make things easier for others.

Feedback welcome.  Thanks!

Shilen  Is the grouper report error here a known issue?

https://grouperdemo.internet2.edu/grouper_v2_5/grouperUi/app/UiV2Main.index?operation=UiV2Admin.daemonJobs

Jeffrey  Grouper 2.4.  Had a full-sync job that I wanted to stop, so I did the following …..:

they seem to not do anything after loading for at least 5 -10 minutes.  Blew out the old containers and started fresh ones, not seeing any changes to grouper_qz_triggers.    the daemons don't seem to be processing anything.   

Kevin R Has anyone configured mod-auth-openidc in apache for authn in grouper?

Jeffrey - trying to utilize the grouper-ws/status?diagnosticType=db link to inform a load balancer that a node is up or not.  

Erin  - last call for Grouper Training

Chris  - documented some of Penn's Zoom access management with Grouper.  If people are interested I can put more info up there, or if there are specific parts let me know and I can elaborate: https://spaces.at.internet2.edu/x/GQZgCg

Next Grouper Call: Wed. Oct. 14, 2020