6-March-2019 Grouper BOF at Global Summit

  

Wiki Home	Download Grouper	Grouper Guides	Community Contributions	Developer Resources	Deployment Guide

Grouper BOF at 2019 Global Summit in Washington DC

https://meetings.internet2.edu/2019-global-summit/detail/10005392/

March 6, 2019

Slides are  here  

Welcome  

Overview of Grouper

• • Central authorization 


  • Groups 


  • Permissions

  • Provisioning 


  • Auditing 


  • Delegation and distributed management
    

    
    

•  Importance of Grouper Community contributions
  •  please contact emily@internet2.edu to get help setting up your Grouper contrib page  
    

• TIER is being converted to the name “InCommon Trusted Access Platform”
  

  • Grouper is a component, as is Shib IDP, COmanage, and Midpoint

• Grouper 2.4 is current version

• Grouper Roadmap https://spaces.at.internet2.edu/x/_oXd

• Low risk patches are integrated into 2.4

• Tagging Grouper  Types https://spaces.at.internet2.edu/x/5QI3C

• Visualization patch done https://spaces.at.internet2.edu/x/NQFbC

• Provisioning management from UI mostly done

• Config in DB mostly done

• Workflow approvals in progress

• Grouper 2.5 should be released in Q3

• Group delete dates

• Membership notes

• “Internal” groups

• Better paging in WS

• Continue dependency updates

• Go to the wiki to find community contributions Grouper Community contributions

Recent Work from the Team

• Chris Hyzer

• has developed improved subject caching

• Improved deleting procedures for folders

• Improved options for config of database, so can use the UI to configure

• Metadata in config files for layout and validation

• Grouper provisioning UI

• DUO connector improvements and paging for 2 factor services

• Bert

• PSP NG Grouper 2.3 and 2.4 - bug fixes for password login and escaping problematic strings, now fixed

• On Grouper 2.4, full sync aspects, change log events may kick off a full sync, this can gum up change log process. This has not been addressed in Grouper 2.4 patches

• Worked on subject caching for PSP NG for the target LDAP subjects and groups. Now caching is smarter, warnings now added

• Improved handling for deleted groups

• Next: there will be a patch for provisioning in UI, won’t change any existing configs/break anything, can migrate it to is when desired

• Shilen:

  • Good for attestation checking

• Daemon UI:  https://spaces.at.internet2.edu/x/YIbd

• Shows all daemon jobs in UI

• Ability to manage jobs, jobs still run in daemon, not in UI

• For changelog jobs, show how many are pending in queue

• View log history

• Loader jobs are now scheduled by default

• Custom composites: can compare users in one group with another group, or an intersection

• enabled/disabled dates: shows status in UI

• Point in time audit queries: now exposed in UI (used to only be available through gsh or db queries)

• 2 AM daemon job, that sends grouper version, patch to tier collector

• Improvements to LDAP loader, parsing complex attribute values

• See all group memberships under a folder, good for attestation and deprovisioning use cases

• Chad

  • Can show how group is composed (allow/denies with red and green colors)

  • Can show provisioning objects in graph

  • Shows counts in groups

  • May want to hide member counts if group has lots of members

  • Grouper training environment containers are a good way to check this out (ex401.1.4) https://github.internet2.edu/docker/grouper_training

  • Can click on any folder in graph, or mouse over and shows tooltips

• Grouper Visualization -  https://spaces.at.internet2.edu/x/NQFbC

• An exciting development of Grouper

• Thanks to Michael Gettes for his work on this project

• Grouper team rewrote MIchael’s work in Java

• API component to generate the relationships between objects and reads group properties for object styles

• Can query to get nodes and edges

• UI Component leverages that logic to visually display this.

• Uses GraphVIZ

• There’s also a text version of the screen

• Click “more actions” then visualize

• Vivek

  • Create multiple things at once easier and more consistent

  • Grouper supports multiple messaging systems, including Rabbitmq

  • Can configure with Dynamic routing keys  inside of Rabbitmq

  • 4 exchanges:

  • Fanout, direct, topic, headers

  • Changing the provision_to, not_provision_to attributes on stems, folders to more feature rich and consistent in UI

  • Show logs in UI

  • Updating DUO connector (needs updating for pagination anyway)

• Types on groups and folders

• https://spaces.at.internet2.edu/x/5QI3C

• based on the TIER Grouper Deployment Guide  http://doi.org/10.26869/TI.25.1

• Built on the attribute framework

• Now can easily see the context of a group

• Could be used with Visualization features

• Two new templates available (application). Creates sub-structures for you

• Rabbitmq changes:

• Attributes for provisioning

• Unresolvable deletion utility, set a certain amount of time before deleting

• Bill Thompson

• Coordinated development of the Grouper Deployment Guide  and he is interested in updating that.

• Grouper Training plans

• Using an LMS

• Bite sized chunks of training modules
  
  

• QUESTIONS   

• Q:   Is it OK to point tier/grouper:latest to 2.4, it’s still 2.3

• Chris Hyzer: 

  • For low risk enhancements, the Grouper team provides patches

  • If you don’t want patches, install 2.3

  • If you want the enhancements, install 2.4, that includes the patches
    
    

• Q: how often are there new patches released?

• A: Approx  each week
  
  

• Q: how are new releases announced?

• A: Emails to the grouper-users list
  
  

• Q: Is there someone who can help support Grouper?

• A: Unicon is a good resource

Summary:

• lots of exciting plans and activities with Grouper. Feel free to reach out to the Grouper team on the grouper users list.
• To join the Grouper lists:
• https://www.internet2.edu/communities-groups/middleware/grouper-working-group/#group-participate
  
• Thanks to the community for their contributions