Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
- Jeff Williams, University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Items
- AI Jeffrey work on GRP-2343 and commit patch, there is a code proposal in comments
- AI Chad - look at GRP-2968 ArithmeticException (after Grouper training in October)
- AI Shilen - start a wiki about Shib and Grouper and container, document what people should do. Explain what files go in what directories
- AI Chad create JIRA around adding filters for CAS, add web XML filters and then dynamic filters
- AI Vivek Revisit rules documentation, it’s not clear enough (after provisioning work is complete)
DISCUSSION
- Administrivia
- http://www.internet2.edu/membership/ip.html
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper Training
Grouper School Oct 13-16, 2020
https://www.incommon.org/academy/grouper/
- A virtual class, spanning 4 half days
- Chris and Chad are the trainers
- Chad being sure modules work and make sense
- Chris recording 101 videos and getting them into Canvas
- Next week, get container spun up
- Then students are to do 10 hours of prework for training
- Will leave more time during training
- For next training, will collect thoughts on the content
- Tasks that people need to do
- Hope for a new list of what is highly relevant to cover
- Chad: could improve material on grace periods, there’s a 201 module on recent grads and it will need constant updates
Internet2 TechEx Tuesday Oct 6, be sure to register (no charge)
- Tuesday Oct 6 TechEx programming will include two featured keynote presentations.
- The first is Trust and Identity / Research / NIH Oriented:
- "Science at the Speed of Infection: NIH Responds to the Pandemic with Academic Researchers," will be presented by Andrea Norris, Chief Information Officer of the National Institutes of Health and Mike Tartakovsky, Chief Information Officer of the National Institute of Allergy and Infectious Diseases and Director Office of Cyber Infrastructure and Computational Biology, and will focus on research challenges in the era of the pandemic.
Current Work
Provisioning work, Chris, Vivek and Shilen
- Test to simulate LDAP use case, challenges with workflow and order of the updates
- Challenge identifying which attributes are being read, inserted
- Type of attributes, compares
- Confusing, issues around empty values for attributes
- Can still use translation scripts
- Take a field or an attribute, from an attribute map
- Target representation of the object
- Can also configure all the attributes or fields and put settings on the attributes, will be managed thru the UI
- To make the UI work, you first say how many you are going to have (for groups 6 attributes, for example)
- With configs you say what value type
- Are there things we should add to the attribute config?
- Can have entity attributes, from an entity link
- Test cases work
- Chris has been focusing on the logging, there is a logging switch per provisioner
- One log output at the end so everything is in one place
- There are configuration features to help with support
- DAO, perhaps add reflection
- Provisioner behaviors class, you don’t have to do much with it
- SQL group attributes
- Provisioner can tell framework what it should be doing as opposed to what it can do
- Will translate groups and entities to the target format. For SQL need an ID field, DN and GID number
- Then can get target ID
- Carey: special case for LDAP
- Need member attribute for create
- Some LDAPs take Null value
- Print out action that DAO is going to receive
- Translating the memberships
- Shilen: before, needed to remove membership object when removing group object
- Chris: Next Steps: Look at each part of the framework, which part in LDAP or SQL, for example search attributes, maybe not needed
- Looking at behaviors and perhaps fleshing them out
- Shilen: Added to behaviors to get LDAP test to work
- Chris: the way behaviors are intended to work is all fields are upper case booleans.
- If a user sets something we use it, otherwise make assumptions.
- Trying to only print out things that are configured
- Add more test cases
- Chris will schedule a meeting with Shilen and Vivek
- Shilen: testing has been full syncs, what is the situation with incremental syncs?
- Chris: perhaps went down wrong path, lot of code in ESB change log handler
- Does things like gets sync objects, converts things to full sync
- We are limited with that setup, forced to use the change log
- Chris will take this work and put it in the incremental provisioner framework code
- So if things come in thru events or otherwise could still batch things up and filter
- It works now
- In ideal world, would refactor the logic to go into the provisioner. May need to wait to do this
- Ideally Grouper provisioner framework knows what must happen
- Takes metadata and decides whether to provision, if a group sync can be done
- Provisioning framework will do the logic and handle in a consistent way
- Not much to do with real time, but need to refactor
- Code is pretty well organized and that will help with the real time
Shilen
- Updating the LDAP DAO, adding more methods
- Plan to continue that and other provisioning work
Chad
- JIRA 2958, makes reports nicer
- GRP-2958
Reports should use column names from metadata instead of the original sql
Issue Roundup
JIRAs in past 2 weeks
- GRP-2969 PSPNG: log entries contain spurious NUL character at the end of LDAP error messages
- GRP-2968 PSPNG: "ArithmeticException: Multiplication overflows a long" in ProgressMonitor. Was on Grouper Users email list, one improvement, don’t look at last interval, should be an easy fix. AI Chad - look at GRP-2968 ArithmeticException after training
- GRP-2343 LdapSystem.performLdapSearchRequest doesn't return any members when group has more than 1500 memberships. AI Jeffrey work on GRP-2343 and commit patch, there is a code proposal in comments
- GRP-2967 When exporting config files, do export passwords that are expression language. Vivek worked on this and it’s done for now
- GRP-2966 Change enable/disable groups to just act on memberships. Discussed and converging on solution
- GRP-2965 Attestation should optionally disable Memberships that are not attested after a grace period
- GRP-2964 UI Config not sorting all values properly. Incrementally improved this in the past, can filter on something and that will help, new filters should resolve this, more work to do, it’s much better than it used to be. Top section for other job, stuff in remaining config is for other job, for things like this use the daemon config screens, make splitting off into sections optional
- GRP-2963 allow hasMember WS by subjectIdentifier (currently requires subjectId). Chris handled this
- GRP-2962 remove tomee ROOT directory
- GRP-2961 allow DDL upgrade from 2.2.1. Chris looked at this, don’t like auto upgrade scripts, when they fail you don’t know. We should recommend against using auto upgrade scripts. Tweak the DDL so one script updates the database, including DDL table, get a script and run it. Talk to Chris about your thoughts on this
- GRP-2960 add dynamic update of grouper_ddl to end of ddl scripts. Relates to above 2961
- GRP-2959 add option to not redirect from / to /grouper in apache container file
- GRP-2958 Reports should use column names from metadata instead of the original sql. Good solution, you can quote column aliases
- GRP-2957 grouper running as tomcat user has apache error on startup
- GRP-2956 Add user audit when enabling/disabling daemon jobs
- GRP-2955 LdapGroupProvisioner with needsTar
Grouper WIKI updates in past 2 weeks
North Dakota State University Grouper Contribution (Richard Frovarp)
Install docker postgres database (John Imholz)
Grouper Slack in past 2 weeks
Jeffrey It seems like when searching for entities, using a comma ',' has some sort of special meaning. Most of our records are stored like "LASTNAME, FIRST I." but it seems to split the search when using a comma in the search. Is there a way to turn that off?
Keith Hazelton Is Spaces Wiki the home of the most current version of the Grouper Deployment Guide?
Lacey Is it possible to assign an attribute to a group as part of a loader job, similar to the metadata on groups option in SQL_GROUP_LIST?
Richard F - get the description of a group/stem to render effectively newlines
Erik In my message queue testing, I have an ActiveMQ node running with the Grouper Client installed. What part am I missing to actually make the client pull changelog events from Grouper itself and create messages on the ActiveMQ side?
Marwan How do you deal with loader groups from a source (let’s say AD) that have been nested into Grouper groups, when the source group gets renamed/deleted/moved at the source?
Marwan Does anyone assign a unique identifier attribute to groups created outside of Grouper and let Grouper load the groups based on that attribute?
Jeffrey C Question about https://todos.internet2.edu/browse/GRP-2921. I was testing this but updating a group that doesn't impact any provisioning against our LDAP. We were averaging around 550 records processed per min.
Erik C is there a Lite method to check a group membership by subjectIdentifier?
Zachary I have some classes that I want to package separately and drop in the container alongside the existing jars.
Chris Grouper Training is right around the corner: Oct 13-16.
Carey Question about the UI and adding config values via the UI.
Just starting to kick the tires on 2.5.35
Josh I am still having an issue in UI v2.5, concerning loader config...
Josh in my Dockerfile (which is in /opt/grouperContainer/ on the host), I have
COPY slashRoot /
...yet even though I have a slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties file that I have modified to tune certain loggers, the file is NOT being copied in the container, to /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties. Instead my mods ARE showing up in the container, in /opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
- Chris take a look at this, it is what we have working at penn https://spaces.at.internet2.edu/display/Grouper/Penn+v2.5+container+example
Chris I updated this page about customizing grouper config files... comments welcome
Carey Seeking community input/comments/watches/(up or down) votes for:
Attestation should optionally disable groups that are not attested after a grace period (GRP-2965)
Feel free to discuss here in Slack or on the GRP.
Carey Seeking community input/comments/watches/(up or down) votes for:
Attestation should optionally disable Memberships that are not attested after a grace period (GRP-2965)
Lacey Any idea what would cause a large amount of these INFO messages in the daemon logs?
Richard Is there a way to get attestation messages to only go to members of a certain group instead of all of the admin/update users?
Chris In order to make upgrades easier and to make sure steps aren't missed, the release notes now do not have the upgrade instructions from v2.5.X container version to v2.5.Y. The upgrade steps are captured here:
https://spaces.at.internet2.edu/display/Grouper/v2.5+Upgrade+Instructions+from+v2.5
Also, the Grouper team will spend more effort trying to automate upgrade steps or have ways to log errors when things are incorrect to make things more foolproof and easier to upgrade. Feel free to edit that wiki to make things easier for others.
Feedback welcome. Thanks!
Shilen Is the grouper report error here a known issue?
Jeffrey Grouper 2.4. Had a full-sync job that I wanted to stop, so I did the following …..:
they seem to not do anything after loading for at least 5-10 minutes. Blew out the old containers and started fresh ones, not seeing any changes to grouper_qz_triggers. The daemons don't seem to be processing anything.
Kevin R Has anyone configured mod-auth-openidc in apache for authn in grouper?
Jeffrey - trying to utilize the grouper-ws/status?diagnosticType=db link to inform a load balancer that a node is up or not.
Erin - last call for Grouper Training
Chris - documented some of Penn's Zoom access management with Grouper. If people are interested I can put more info up there, or if there are specific parts let me know and I can elaborate: https://spaces.at.internet2.edu/x/GQZgCg
Next Grouper Call: Wed. Oct. 14, 2020