Child pages
  • 8-Jan-2020
Skip to end of metadata
Go to start of metadata




  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  •  Bill Thompson, Lafayette College
  • Jeff Williams, University of North Carolina Greensboro
  • Charise Arrowwood, Unicon
  •  Emily Eisbruch, Internet2

Action Items

New Action Items from this call

  • AI Chris make sure the attribute churn is not polluting the point in time 
  • AI Chris make JIRA about more explicit error message for SQL Loader Job to populate a group membership and job is failing because some subjects unresolvable 
  • AI Jeff  regarding schedule periodic full syncs, remove that or make a JIRA for  Full sync at start up
  • AI Jeff make JIRA for automatically strip out the returns, and auto escaped the LDAP characters, option for JEXL stip out return characters, use UTIL class, strip them and get flattened string?  


  1. Administrivia

Vivek is working on Grouper Building and packaging

Grouper Packaging strategy

See  wiki page:  Grouper Packaging and Versioning for v2.5+

Grouper 2.5.0 will require running in the InCommon Trusted Access Platform (ITAP) container in Jan/Feb 2020

  •  Currently some tarbals are binary
  • Come w combined jars
  • Some just have source
  • Some just have git repo
  • Grouper installer will download the tarballs
  • Put them together
  • Using the proposed approach, will not need to compile
  • Will build Grouper web app
  • Will apply patches
  • Strategy sounds similar to Shib
  • Download where UI jar is already compiled
  • Do building the jar is quicker
  • No one will be installing from the tarballs
  • People might download tarballs to compile their extensions
  • Grouper Installer used for multiple purposes
  • Downloads containers
  • Puts them in a certain directory
  • Detects containerization
  • Asks pertinent questions
  • Gives some instructions and  “advice”
  • Walks user thru the process

Maven issue

  • Move to fully built maven model?
  • An issue: Maven not useful for patches currently
  • More frequent versions is the answer 
  • Snapshot repository has issue that snapshots roll off
  • Jars based on the container?
  • More frequent versions
  • Some places versions are in properties files
  • Decouple that 
  • Every time there's a container release there should be a Maven release

  • Not sure how strict Maven  is on version numbers
  • Chad: some uploads are date stamps  Grouper 2.4.1_U
  • Decision: Use this date stamp??? No, like this: grouper-2.5.0-a87-u54-w10-p12.jar Maven approach for Grouper 2.5, Chad will help with this
  • Source code will not be in operational environment, container will be minimal
  • Perhaps should remove source code from patches
  • Vivek working on Ant tasks, cleaning up , list of standard tasks, hope people not using things out of the targets.
  • Plan is to pare down Ant scripts
  • Ant will no longer start tomcat nor do anything in database

Maven or Gradle

  • Build w local dependency
  • Java to WISDL 
  • Or use simple Ant for this?
  • Suggestion to use Maven for this. 
  • Maven has the momentum at the moment
  • Can call Ant from Maven perhaps when needed
  • Most important that things are in a repo
  • Bill: need to clarify Grouper documentation on build, subversion, etc.
  • Separate discussion on custom development
  • Some items in the doc are out of date
  • Chris: need to look at doc and make simpler
  • Snapshot issue w Maven
  • Previously, go into PSPNG directory and build just that one snapshot
  • It went to Maven repository and pulled different version API, causing issue
  • What the proposed container looks like..
  • Merging UI Jars and API jars
  • Including the WS jars ?
  • Problem with overlaying the directory structures
  • Hope to pare down to minimum
  • Not have tomcat and TomEE anymore
  • Get rid of tomcat, keep TomEE
  • Just need a grouper directory that’s a webapp that TomEE will fire up
  • WebXML is slightly complicated
  • Idea  is everything in one place
  • Everything runs from TomEE
  • Have quickstart, less error prone
  • Comment: sounds awesome
  • If you have a webapp you run the daemon from there
  • Merge WebXMLs from there
  • Daemon server inside of TomEE
  • Operationally running 3 things, but you don’t have to expose them
  • At TechEx 2019 in New Orleans there was comparison of Grouper with MidPoint and how simple it is
  • Example of issue w Box Provisioner and easily debugging “why am I not in the Box Group?”
  • The new approach adds more flexibility in such questions
  • Matt: security concern around items we don’t want exposed in the UI
  • Requires some trust in the environment
  • Wizards involve a level of trust
  • Matt: concern around treating daemon like a webapp, could make things harder
  • Timeline for packaging strategy, goal is end of Feb 2020: hope to complete the work for Grouper 2.5, 
  • OSU moving to Grouper 2.4, using containers
  • Docker file has overlays
  • From Grouper 2.4 to 2.5 will need to make small changes to Docker overlays, but it won’t be a pain
  • Currently there are 4 environment and 8 places (directories)
  • In future just prod and non prod

  • Advice on credential management
  • If Grouper has database secret and encryption secret
  • It is recommended to use encryption  secret for other secrets in database
  • Morph string approach  is valuable when storing credentials locally on host
  • At OSU, pulling password dynamically at runtime
  • Using things outside container that will be mapped in
  • So morph  string does not protect database password
  • Could pull in morph string dynamically
  • Comes from external
  • OSU using generic JEXL expression
  • Bill: Util of having Grouper be able to easily be configured and connect to systems for debugging and configuration. 
  • Current world, need passwords to connect, in cloud native world there are other mechanisms, don’t require passwords, 
  • Need reasonable controls and seems we have them
  • Important to be sure controls are in place to avoid leaking important data
  • Protecting Grouper appropriately
  • Chris: looking at Grouper as Software as a Service
  • You generally  enter a password
  • Your UI must be secure in any case
  • Once pwd is encrypted and in database, it won’t be shown, no way to get to it
  • Stored in database and encrypted
  • In summary: we should  advise people to move to the new approach, will help with diagnostics, but there are still choices
  • Option to Change the morph string pwd?  Not available currently
  • Rolling keys is an important part of security
  • We should look at changing Morph string pwd

Chris –  SQL sync, bugs

  • Disabled groups and permissions change log


  • Bugs, libraries in 2.5, gantt chart


  1. GDG
    1. Duke Paranoid IAM
    2. Guidance on ref groups - rosters, student, dept, etc
    3. Grouper Security Model
    4. other?
    1. GDG Open, ReOpened, InProgress
    2. New Content?
  2. Dev Env
    1. Reproducible how to setup grouper dev/debug env
    2. Refresh/updates for:

Issue Roundup


Dec 19, 2019 Carey: Syntax help 

Ended up making a JEXL class to add a static method to parse the attribute value and “rip it apart”. ( Doing it in JEXL was not working out, but a Java method worked. )

Dec 19 Gettes: usdu

(wiki page last updated 2015, should it be updated?)

  • With patch coming soon, New feature allows putting attributes on a member and provides additional info
  • 30 day config default   
  • AI Chris make sure the attribute churn is not polluting the point in time 
  • AI Matt add JIRA for Better USDU design to have attribute assigned to attribute def and mark as NOT point in time audited →  DONE
  • General practice around  subject disappearing? 
  • Unresolvable subjects is an important IDM topic, should we address this in the Grouper Deployment Guide
    • General Background  around how IDM system works w Subject API, this is foundational
    • Hard to explain everything in GDG but this should be mentioned
    • Related to practice around affiliates at a particular institution
    • External entities are also part of the picture
  • On roadmap is making wizard for making a subject source, making it easier to configure them

Dec 31, 2019 Sudheer: schedule periodic full syncs ,  setting a param, using old namespace. Change to PSPNG namespace?  We should remove that entirely…

       AI Jeff  regarding schedule periodic full syncs, remove that or make a JIRA for  Full sync at start up

  • AI Jeff make JIRA for automatically strip out the returns, and auto escaped the LDAP characters, option for JEXL stip out return characters, use UTIL class, strip them and get flattened string?  

Jan 2 , 2020  J Crawford:  Permissions and change logs, Shilen will look into this

Jan 2    Docker demise? is the future for grouper building the containers from a branch in internet2 git, or still have all the tarballs and patches and stuff,   maybe refer to a more generic approach

Jan 5 containers, Is there a way for the container to know how much memory it has and some logic will allocate X-500m, hard problem to do that automatically, for Java 10 a lot being handled within Java itself.  Could be a big jump from JAVA 8 to JAVA 10.

Jan 7   Sudheer: created a SQL loader job to populate a group membership and the job is failing because some subjects are unresolvable,  error message need to be more explicit

AI Chris make JIRA about more explicit error message for SQL Loader Job to populate a group membership and job is failing because some subjects unresolvable 

Jan 7: Justin Robinson:  Container issue in upgrade ,   Issue is fixed, reminder that the more we can make upgrade steps automatic, the better, or explicit info if there’s a failure, the better




Miscellaneous >> All daemon jobs page add a "common searches" button/menu


Miscellaneous >> All daemon jobs "Apply filter" button does not honor URL parameter value ( Example: daemonJobsFilter=usduDaemon )


Policy Template Permissions


change "subject resolution" to "unresolvable subjects" in ui


TAP container memory allocation


source getAllSubjectIds fails on json marshalling


all daemon jobs screen should allow to run daemons without overall status or most recent status of SUCCESS


all daemon jobs screen should filter by status

GRP-2534 should default to false


Grouper security model and administrative access control


Guidelines on making group refactoring possible, easier


Operational considerations - incremental process, start basic,...


Expand on reference group models - rosters, orgs, affiliations, etc 


Describe responsibilities of data owners, policy managers, etc


Incorporate Duke Paranoid IAM concepts into GDG


various deprovisioning issues


WS startup issue - message issued many times until WS query comes in


deprovisioning not reading correct base config (should be root folder)


editing an attribute value should show the attribute name being edited


do we need blank attribute assignments? maybe remove them?


usduDaemon: subject resolution stats: column heads no


Need to define Security Groups before used in Understand Grouper


Add Attribute discussion to Understanding Grouper prior to Privileges section


usdu screen doesn’t show anything on "deleted" or "unresolved" but yes on "all".


client autopaging with no results can return null result object which is different than before

GAP HERE, so many!  See all the JIRA s


add Grouper permission role hierarchy visualization 


add "implies resource" visualization


add optional entity (subject) input to group or folder visualization

Next Grouper Call: Wed Jan 22, 2020


  • No labels