Grouper BOF at 2019 Global Summit in Washington DC
https://meetings.internet2.edu/2019-global-summit/detail/10005392/
March 6, 2019
Slides are here
Welcome
Overview of Grouper
Central authorization
Groups
Permissions
Provisioning
Auditing
Delegation and distributed management
- Importance of Grouper Community contributions
- please contact emily@internet2.edu to get help setting up your Grouper contrib page
- TIER is being converted to the name “InCommon Trusted Access Platform”
Grouper is a component, as are Shib IDP, COmanage, and Midpoint
Grouper 2.4 is the current version
Grouper Roadmap https://spaces.at.internet2.edu/x/_oXd
Low risk patches are integrated into 2.4
Tagging Grouper Types https://spaces.at.internet2.edu/x/5QI3C
Visualization patch done https://spaces.at.internet2.edu/x/NQFbC
Provisioning management from UI mostly done
Config in DB mostly done
Workflow approvals in progress
Grouper 2.5 should be released in Q3
Group delete dates
Membership notes
“Internal” groups
Better paging in WS
Continue dependency updates
Go to the wiki to find Grouper Community contributions
Recent Work from the Team
Chris Hyzer
has developed improved subject caching
Improved deleting procedures for folders
Improved options for config of database, so can use the UI to configure
Metadata in config files for layout and validation
Grouper provisioning UI
DUO connector improvements and paging for 2 factor services
Bert
PSP NG Grouper 2.3 and 2.4 - bug fixes for password login and escaping problematic strings, now fixed
On Grouper 2.4, regarding full sync: change log events may kick off a full sync, which can gum up the change log process. This has not been addressed in Grouper 2.4 patches
Worked on subject caching for PSP NG for the target LDAP subjects and groups. Now caching is smarter, warnings now added
Improved handling for deleted groups
Next: there will be a patch for provisioning in the UI; it won’t change any existing configs or break anything, and you can migrate to it when desired
Shilen:
Good for attestation checking
Daemon UI: https://spaces.at.internet2.edu/x/YIbd
Shows all daemon jobs in UI
Ability to manage jobs, jobs still run in daemon, not in UI
For changelog jobs, show how many are pending in queue
View log history
Loader jobs are now scheduled by default
Custom composites: can compare users in one group with another group, or an intersection
enabled/disabled dates: shows status in UI
Point in time audit queries: now exposed in UI (used to only be available through gsh or db queries)
2 AM daemon job that sends the Grouper version and patch to the TIER collector
Improvements to LDAP loader, parsing complex attribute values
See all group memberships under a folder, good for attestation and deprovisioning use cases
Chad
Can show how group is composed (allow/denies with red and green colors)
Can show provisioning objects in graph
Shows counts in groups
May want to hide member counts if group has lots of members
Grouper training environment containers are a good way to check this out (ex401.1.4) https://github.internet2.edu/docker/grouper_training
Can click on any folder in graph, or mouse over and shows tooltips
Grouper Visualization - https://spaces.at.internet2.edu/x/NQFbC
An exciting development of Grouper
Thanks to Michael Gettes for his work on this project
Grouper team rewrote Michael’s work in Java
API component to generate the relationships between objects and reads group properties for object styles
Can query to get nodes and edges
UI Component leverages that logic to visually display this.
Uses GraphVIZ
There’s also a text version of the screen
Click “more actions” then visualize
Vivek
Create multiple things at once easier and more consistent
Grouper supports multiple messaging systems, including RabbitMQ
Can configure with dynamic routing keys inside of RabbitMQ
4 exchanges:
Fanout, direct, topic, headers
Changing the provision_to and not_provision_to attributes on stems and folders to be more feature rich and consistent in the UI
Show logs in UI
Updating DUO connector (needs updating for pagination anyway)
Types on groups and folders
based on the TIER Grouper Deployment Guide http://doi.org/10.26869/TI.25.1
Built on the attribute framework
Now can easily see the context of a group
Could be used with Visualization features
Two new templates available (application). Creates sub-structures for you
RabbitMQ changes:
Attributes for provisioning
Unresolvable deletion utility, set a certain amount of time before deleting
Bill Thompson
Coordinated development of the Grouper Deployment Guide and is interested in updating it.
Grouper Training plans
Using an LMS
Bite sized chunks of training modules
QUESTIONS
Q: Is it OK to point tier/grouper:latest to 2.4? It’s still 2.3
Chris Hyzer:
For low risk enhancements, the Grouper team provides patches
If you don’t want patches, install 2.3
If you want the enhancements, install 2.4, that includes the patches
Q: how often are there new patches released?
A: Approx each week
Q: how are new releases announced?
A: Emails to the grouper-users list
Q: Is there someone who can help support Grouper?
A: Unicon is a good resource
Summary:
- Lots of exciting plans and activities with Grouper. Feel free to reach out to the Grouper team on the grouper-users list.
- To join the Grouper lists:
- https://www.internet2.edu/communities-groups/middleware/grouper-working-group/#group-participate
- Thanks to the community for their contributions