8-July-2020

Attending 

• Chris Hyzer, Penn, Chair
• Chad Redman, University of North Carolina Chapel Hill
• Shilen Patel, Duke
• Carey Black, the Ohio State University
• Vivek Sachdiva, independent

• Jeff Williams - University of North Carolina Greensboro

•  Emily Eisbruch, Internet2

Intellectual Property reminder: http://www.internet2.edu/membership/ip.html

 Grouper Action Items are here  

 New Action Items from this call

• July 8, 2020 - AI Chris take a look at    GRP-2852 FROM CHAD
  Make it harder to accidentally delete an attribute name that is in use

 Administrivia

• http://www.internet2.edu/membership/ip.html
• Review AIs Grouper Project Action Items (Google Doc)

InCommon BaseCAMP (Virtual)

• BaseCAMP July 20 - 24 https://meetings.internet2.edu/2020-basecamp/program/
• July 23,  2:35pm - 3:30pm
• Erik Coleman, U of Illinois, Urbana-Champaign, leading Access and Grouping 101
• Chris Hyzer leading  Access and Grouping 201

 Current work tasks, and next tasks

Vivek –Provisioning configuration https://spaces.at.internet2.edu/display/Grouper/Grouper+generic+provisioner+UI+tasks

• There is a dashboard
• Inside provisioner you can have multiple jobs
• Link ID is now clickable 
• Info on last sync
• List of jobs
• Section on each job
• Most recent Logs
• Grouper Loader Log and Grouper Sync log table
• Incremental sync?
• Some groups need to be synced more frequently than others
• Special sync job for those? 
• Incremental works on the change log
• Full sync does sync for everything
• Knowing how many events it’s behind, how deep is the queue
• Can see that from the Daemon screen
• “Pending in queue”
• For full sync, it asks  synchronous or async mode
• Using Grouper internal messaging system
• Can send messages to incremental job
• To keep the cache and database tables consistent, multiple syncs cant run at same time
• But can use asynch mode
• It does the calculations, does not change anything
• Will pump changes thru as messages
• In Grouper Loader Properties, all the metadata for provisioners
• Provisioning screen is more  user friendly than a config file 
• Overall provisioner screen will drill down to a provisioner
• Also can look at a folder level or group level or membership or group level
• Nothing in Java code that relates to Active Directory
• Feedback: looks good
• JSON now in Grouper loader
• All config files (except externalized text) have JSON
• Tells config UI what and how to show
• Can have a dynamic dropdown on these screens,
• Can pull from externalized text
• Makes things easier for configuration versus using a file
• Carey: UI limits the subject APIs provisioned to the provisioner
• If not from one of the checked ones, it skips that subject
• If from one source I send a NETID, but if a grouper group I send Group name
• Multiple person sources and you send NETID from each of them..
• But provisioning group objects and subjects
• Subject sources in grouper are more than people
• Provisioning a group is different than provisioning a person
• Best practice to harmonize naming
• What about provisioning folders into an application?
• Such as OSU privilege management service
• Currently folders not covered in this generic provisioning
• Should add folders to provisioning later
• Vivek: next tasks
• Make My Job clickable 
• Option to see the metrics
• Access controls around who can see the data?
• May need groups to manage
• For some power users
• The concept of self service is good, but some organizations may not like this
• “When was I last provisioned to an application”

Shilen – provisioning

• Looking at the Docker Container that Bert had created 
• Will Copy this to Grouper Misc
• Have Chris Hubing create an image in Docker Hub
• Could be a run script for now
• Eventually it should all be ready to go
• Using junit test with docker java to create new container, start the container, configure the subject source, do queries, delete the container
• If we don’t do Docker Java, could use shell scripts to start the container
• Do we want each test to kill the container and start a new container? Yes
• PSPNG is done with GSH and it’s slow
• Controlling things w Java is faster
• Docker Java means many more JARS
• Tradeoff between  developer environment
• Reproducibility and speed
• Try System call and wrap into one library
• Concept of doing something and checking to see if TCP port is listening
• Chris Hubing does it w command line call
• Grouper installer has a utils method
• Sleep and check the port
•  For next steps
• Data already there is enough
• Subject source works
• Use the configuration that’s in 2.5
• Need to release 2.5.30
• Hoping for DDL changes
• Afterward the release we can add more
• Branch off 2.5 and there’s the LDAP section
• Need a class to manage configuration 
• Need Validation
• First step: full sync to provision subject IDs to a group
• Attribute where you put strings
• Yes, start with something simple
• Get something running and then refactor it
• Chris and Shilen will work on this
• Make a class based on the configuration
• Don’t focus on getting stuff from Grouper yet
• One uber class with many methods?
• How much of an interface do you want?
• Monolithic class with many overrides?
• As long as it’s all documented, either works.
• Keep splitting things up and organizing
• Shilen will take a look
• Each item  on diagram will be its own base class
• https://spaces.at.internet2.edu/display/Grouper/Grouper+generic+provisioner+framework
• Chad: issues kicking off change log provisioner from GSH
• Doesn’t know its name, you are locked into implementation
• Unit tests will help 
• Composition versus inheritance
• Use in memory CRUD or provisioner to test the logic

Chris – Recent memberships, templates, composites ng

• Release Grouper 2.5.30 is a priority
• Plan is to wait until Monday to try to include Chad’s PSPNG work
• API Unit tests are pointing at 2.5 
• See if tests are passing , 
• Adding in some minor things

• Recent membership changes
• Attributes are on the group …
• Can put decimal points to see 100th of a day
• New Grouper Loader option for Recent memberships
• Can pick from a group, can state  number of days and whether you want current members there
• PIT , point in time, lightweight view only shows records that make sense
• Easier to query using the new view
• Now there’s a view on the configuration
• Uses Grouper timetable 
• Can do math,  efficient query
• Recent membership changes go thru change log consumer, helps w real time data queries
• Need to decide the direction for how the screens fit together

Chad – pspng

• Making progress
• Goal for next Monday July 13
• Michael can help with testing before commits

Issue Round up

Wiki

• Grouper Custom UI

• Grouper automatically managed recent memberships (grace periods)

• Grouper generic provisioner UI tasks

• Grouper Custom UI example to analyze O365 accounts

• Unresolvable Subject Deletion Utility (USDU)

• USDU delete subjects after unresolvable for X days

• Authentication to UI and Web Services in Grouper v2.5+

• Grouper zoom provisioning

• SLAC National Accelerator Laboratory

• University of Waterloo

• University of Nebraska Grouper Project Page

• Grouper loader from attributes example

• v2.5 Release Notes

• Release steps

• Grouper UI csrf xsrf prevention

JIRAS

• GRP-2852 FROM CHAD
  Make it harder to accidentally delete an attribute name that is in use

• AI Chris will take a look at this

• GRP-2875
  Updating french translation
• GRP-2873
  attribute def not found when making template application
• GRP-2872
  add stem name validation like groups
• 
  GRP-2871
  Grouper provisioner configuration UI tasks
• GRP-2868
  add obliterate to stem delete WS
• GRP-2867
  Show membership create date and who created the membership on the "Edit membership and privileges" sub page
  
  GRP-2866
  show group loader info with different access level
  
  
  GRP-2865
  subjectId (not identifier) required in hasMember
• 
  GRP-2862
  turn off directory indexes in apache in container
• 
  GRP-2860
  group filter should allow ad hoc group that the use can READ
• 
  GRP-2859
  group filter should have option to not return group objects
• 
  GRP-2858
  add rule if enum for if group has membership (immediate or effective)
• 
  GRP-2857
  Users with "Create" privileges in a folder can see "Reports" on the "More Actions" button.. .only leads to an error message. "Error: not allowed to administer folder:"
• 
  GRP-2856
  shibboleth logs external to container option
• 
  GRP-2855
  Ability to "run a loader job" with alternate "loader.failsafe.*" config for a "one off run"
  
  

Grouper-Users Email

• Grouper-users] Grouper and TeamDynamix, Coleman, Erik C, 07/01/2020
• [grouper-users] University of Waterloo deployment story, Sean Mason, 07/02/2020
• [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/03/2020
  • Re: [grouper-users] containerized grouper noob questions, Olivier Salaün, 07/03/2020
  • Re: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
  • Re: [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/03/2020
  • Re: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
  • Re: [grouper-users] containerized grouper noob questions, Darren Boss, 07/04/2020
  • Re: [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/04/2020
  • RE: [grouper-users] containerized grouper noob questions, Black, Carey M., 07/05/2020
  • RE: [grouper-users] containerized grouper noob questions, Black, Carey M., 07/06/2020
• RE: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
• [grouper-users] Class Rosters for Grouper, Bill Thompson, 07/07/2020
• Re: [grouper-users] Class Rosters for Grouper, Blair X Christensen, 07/07/2020
• Re: [grouper-users] Class Rosters for Grouper, Jeffrey Williams, 07/07/2020
• Re: [grouper-users] Class Rosters for Grouper, Julio Polo, 07/07/2020

InCommon Grouper Slack

Chris Hyzer   what do people think about recent memberships configured from loader tab?

Alex P , so, grouper friends, Friday will be my last day in IT at UMD (starting a new job in a few weeks), and hence my last day as a full time Grouper operator (aka UMD's Lord of Grouper). I'm extremely thankful for all of you: the slack channel has improved my daily work (and our Grouper deployment) substantially. I wrote up a long retrospective called "My Year with Grouper" and have it on my personal tech blog: https://equul.us/2020/06/10/My-Year-with-Grouper/  I imagine it'll be useful to other Grouper deployers so I share it here. it was fun to write :slightly_smiling_face:. I'll pull this together into some form that can be put on the grouper wiki too.

EquulusEquulus

My Year with Grouper (The Web Application, not the fish!)

A Technologist and Philologist on Technology https://equul.us/2020/06/10/My-Year-with-Grouper/

Matthew B    I have grouper 2.5.29 running in Docker CE.  My grouper-loader.properties is in the database.  I modified chagneLog.consumer.....groupCreationLdifTemplate in the UI.  Unfortunately, the new template does not seem to be showing up in the grouper loader.    

Ross W   Is there   guidance posted on grouper "taking over" existing groups? 

Chris Hyzer   you can change idIndex (not sure about WS, but you can edit the DB or use GSH), as long as its less than the current max idIndex pointer and its not used for another group

Jeffrey C What is the best way to remove the EveryEntity view rights on really old groups via WS. 

 Carter S trying to put our Grouper instance behind a nginx reverse proxy but keep running into CSRF problems in the UI.   

Chris H anyone interested in provisioning to zoom?

Krishnan Question on use of Grouper when another enterprise Identity management product solutions are in place - We have OIM as enterprise IDM solution. 

Chris Hyzer   Simple zoom provisioner: https://spaces.at.internet2.edu/display/Grouper/Grouper+zoom+provisioning

Let me know if anyone is interested.

Emily E Thanks to University of Waterloo (@Sean Mason) for the new Grouper Community Contribution https://spaces.at.internet2.edu/display/Grouper/University+of+Waterloo    

Jeffrey 

Has anyone used log4j with a gsh script?  I'd like to have the script's logs formatted/rotated like other loggers.

Erik  

  having great success building some SQL Loader jobs that query the Grouper database. One thing I noticed is that for LDAP loaders and for SQL_SIMPLE loader types, I can set an "And Group" that essentially builds a composite requiring people to also be members of another group when they get populated.  However, on SQL_SIMPLE, it gives me an error saying "And groups not allowed", and for SQL_GROUP_LIST, I don't even see the ability to specify an "And Group".  

Josh O 

What's the best way to run the loader in 2.5.29?  We are using docker container, maturity level 1 so far.

Also, has anyone seen this error before?

2020-06-30 15:33:45,504: [ajp-nio-8009-exec-8] ERROR GrouperUiRestServlet.doGet(368) -  -  

Andy M 

I’m not sure what you mean by “run the loader”.  We are using really simple containers as well.  We start one container with the “daemon” command to run the daemon (loader).  We start 2 other containers as “ui-ws”.

Carey  

 suggest renaming the "Grouper daemon" to be called the "Hydrocynus goliath" ?

Carey  

Can ( if if so ... how..) Grouper+Custom+UI  be used to:

Basically what I want is the "Group memberships for groups under this folder" UI.

However I want to "collect" a set of these for each app across all of Grouper into a single folder 

Josh O Working with v2.5.29,  I have been having issue with getting built in Grouper authn working for WS.

Carey had a user report what looks like a timeout in the UI to me. But I have not been able to track down where the setting is to "adjust it". ( If it exists.)

Jonathan S 

 trying to delete a stem and all it’s groups using DELETE - /stems/stem:name, but i’m getting back

deleting stems.edu.internet2.middleware.grouper.exception.StemDeleteException: cannot delete stem with child groups

Jeffrey C 

Afternoon I wanted to ask what people were doing about privilege escalation in grouper.  

Chris Hyzer   

The Grouper "Custom UI" is an attempt to help troubleshoot access problems (when not providing a simple mechanism for optin/optout).  Here is an example of analyzing O365/Azure data at penn for the help desk or for IT support providers to help end users.  

https://spaces.at.internet2.edu/display/Grouper/Grouper+Custom+UI+example+to+analyze+O365+accounts

Carey question about the /status servlet ... 

Carter S Trying to troubleshoot an issue with attestation emails.   

Erik C  I'm about to embark on Grouper 2.5.29 in our test environment. 

 Michael G but but but - isn’t slashRoot the easiest thing to do?   i thought the idea was to reduce the plethora of ways of doing things to simplify the config.

Chris Hubing In my case, it’s probably more a matter of technical debt… need to switch to secret’s manager as well.

Chris Hyzer , was just replaying about fixing the paths... yes, now i see the slashRoot question at the end... 

Carey  Can a Workflow be restricted to only being used by a specific group?

olivier  We use group attribute validator to contrain the group names format as follows :….

 I did not find mention ofstem.attribute.validator in the default grouper.base.properties.

Is there a way to perform that check? (edited) 

Bill   -Lafayette is working on getting our course rosters into Grouper.  

Matthew B -Is there a way to get Grouper to recalculate a user's membership in a group when the user name changes in the subject source?

Next Grouper Call: Wed July 22, 2020