
  


Grouper BOF at 2019 Global Summit in Washington DC

https://meetings.internet2.edu/2019-global-summit/detail/10005392/

March 6, 2019

Slides are  here  

Welcome  

Overview of Grouper

    • Central authorization 


    • Groups 


    • Permissions

    • Provisioning 


    • Auditing 


    • Delegation and distributed management


  •  Importance of Grouper Community contributions


  • TIER is being renamed the “InCommon Trusted Access Platform”
    • Grouper is a component, as are Shib IDP, COmanage, and Midpoint


Recent Work from the Team

  • Chris Hyzer

    • has developed improved subject caching

    • Improved deleting procedures for folders

    • Improved options for config of database, so can use the UI to configure

    • Metadata in config files for layout and validation

    • Grouper provisioning UI

    • Duo connector improvements and paging for two-factor services

  • Bert

    • PSP NG Grouper 2.3 and 2.4 - bug fixes for password login and escaping problematic strings, now fixed

    • On Grouper 2.4 (full sync aspects): change log events may kick off a full sync, which can gum up the change log process. This has not been addressed in Grouper 2.4 patches

    • Worked on subject caching for PSP NG for the target LDAP subjects and groups. Now caching is smarter, warnings now added

    • Improved handling for deleted groups

    • Next: there will be a patch for provisioning in the UI; it won’t change any existing configs or break anything, and you can migrate to it when desired

  • Shilen:

    • Good for attestation checking

    • Daemon UI:  https://spaces.at.internet2.edu/x/YIbd

    • Shows all daemon jobs in UI

    • Ability to manage jobs, jobs still run in daemon, not in UI

    • For changelog jobs, show how many are pending in queue

    • View log history

    • Loader jobs are now scheduled by default

    • Custom composites: can compare users in one group with another group, or an intersection

    • enabled/disabled dates: shows status in UI

    • Point in time audit queries: now exposed in UI (used to only be available through gsh or db queries)

    • 2 AM daemon job that sends the Grouper version and patch to the TIER collector

    • Improvements to LDAP loader, parsing complex attribute values

    • See all group memberships under a folder, good for attestation and deprovisioning use cases

  • Chad

    • Can show how group is composed (allow/denies with red and green colors)

    • Can show provisioning objects in graph

    • Shows counts in groups

    • May want to hide member counts if group has lots of members

    • Grouper training environment containers are a good way to check this out (ex401.1.4) https://github.internet2.edu/docker/grouper_training

    • Can click on any folder in graph, or mouse over and shows tooltips

    • Grouper Visualization -  https://spaces.at.internet2.edu/x/NQFbC

    • An exciting development of Grouper

    • Thanks to Michael Gettes for his work on this project

    • Grouper team rewrote Michael’s work in Java

    • API component to generate the relationships between objects and reads group properties for object styles

    • Can query to get nodes and edges

    • UI Component leverages that logic to visually display this.

    • Uses Graphviz

    • There’s also a text version of the screen

    • Click “more actions” then visualize

  • Vivek

    • Creating multiple things at once is easier and more consistent

    • Grouper supports multiple messaging systems, including RabbitMQ

    • Can configure with dynamic routing keys inside of RabbitMQ

    • 4 exchanges:

      • Fanout, direct, topic, headers

    • Changing the provision_to and not_provision_to attributes on stems/folders to be more feature-rich and consistent in the UI

    • Show logs in UI

    • Updating Duo connector (needs updating for pagination anyway)

    • Types on groups and folders

    • https://spaces.at.internet2.edu/x/5QI3C

    • based on the TIER Grouper Deployment Guide  http://doi.org/10.26869/TI.25.1

    • Built on the attribute framework

    • Now can easily see the context of a group

    • Could be used with Visualization features

    • Two new templates available (application). Creates sub-structures for you

    • RabbitMQ changes:

    • Attributes for provisioning

    • Unresolvable deletion utility, set a certain amount of time before deleting

  • Bill Thompson

    • Coordinated development of the Grouper Deployment Guide and is interested in updating it.

  • Grouper Training plans

    • Using an LMS

    • Bite sized chunks of training modules

  • QUESTIONS   

    • Q: Is it OK to point tier/grouper:latest to 2.4? It’s still 2.3

    • Chris Hyzer: 

      • For low risk enhancements, the Grouper team provides patches

      • If you don’t want patches, install 2.3

      • If you want the enhancements, install 2.4, that includes the patches

    • Q: How often are there new patches released?

    • A: Approximately each week

    • Q: How are new releases announced?

    • A: Emails to the grouper-users list

    • Q: Is there someone who can help support Grouper?

    • A: Unicon is a good resource


Summary:



 

 
