- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
Jeff Williams - University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Intellectual Property reminder: http://www.internet2.edu/membership/ip.html
New Action Items from this call
- July 8, 2020 - AI Chris take a look at GRP-2852 FROM CHAD
Make it harder to accidentally delete an attribute name that is in use
InCommon BaseCAMP (Virtual)
- BaseCAMP July 20 - 24 https://meetings.internet2.edu/2020-basecamp/program/
- July 23, 2:35pm - 3:30pm
- Erik Coleman, U of Illinois, Urbana-Champaign, leading Access and Grouping 101
- Chris Hyzer leading Access and Grouping 201
Current work tasks, and next tasks
Vivek –Provisioning configuration https://spaces.at.internet2.edu/display/Grouper/Grouper+generic+provisioner+UI+tasks
- There is a dashboard
- Inside provisioner you can have multiple jobs
- Link ID is now clickable
- Info on last sync
- List of jobs
- Section on each job
- Most recent Logs
- Grouper Loader Log and Grouper Sync log table
- Incremental sync?
- Some groups need to be synced more frequently than others
- Special sync job for those?
- Incremental works on the change log
- Full sync does sync for everything
- Knowing how many events it’s behind, how deep is the queue
- Can see that from the Daemon screen
- “Pending in queue”
- For full sync, it asks synchronous or async mode
- Using Grouper internal messaging system
- Can send messages to incremental job
- To keep the cache and database tables consistent, multiple syncs cant run at same time
- But can use asynch mode
- It does the calculations, does not change anything
- Will pump changes thru as messages
- In Grouper Loader Properties, all the metadata for provisioners
- Provisioning screen is more user friendly than a config file
- Overall provisioner screen will drill down to a provisioner
- Also can look at a folder level or group level or membership or group level
- Nothing in Java code that relates to Active Directory
- Feedback: looks good
- JSON now in Grouper loader
- All config files (except externalized text) have JSON
- Tells config UI what and how to show
- Can have a dynamic dropdown on these screens,
- Can pull from externalized text
- Makes things easier for configuration versus using a file
- Carey: UI limits the subject APIs provisioned to the provisioner
- If not from one of the checked ones, it skips that subject
- If from one source I send a NETID, but if a grouper group I send Group name
- Multiple person sources and you send NETID from each of them..
- But provisioning group objects and subjects
- Subject sources in grouper are more than people
- Provisioning a group is different than provisioning a person
- Best practice to harmonize naming
- What about provisioning folders into an application?
- Such as OSU privilege management service
- Currently folders not covered in this generic provisioning
- Should add folders to provisioning later
- Vivek: next tasks
- Make My Job clickable
- Option to see the metrics
- Access controls around who can see the data?
- May need groups to manage
- For some power users
- The concept of self service is good, but some organizations may not like this
- “When was I last provisioned to an application”
Shilen – provisioning
- Looking at the Docker Container that Bert had created
- Will Copy this to Grouper Misc
- Have Chris Hubing create an image in Docker Hub
- Could be a run script for now
- Eventually it should all be ready to go
- Using junit test with docker java to create new container, start the container, configure the subject source, do queries, delete the container
- If we don’t do Docker Java, could use shell scripts to start the container
- Do we want each test to kill the container and start a new container? Yes
- PSPNG is done with GSH and it’s slow
- Controlling things w Java is faster
- Docker Java means many more JARS
- Tradeoff between developer environment
- Reproducibility and speed
- Try System call and wrap into one library
- Concept of doing something and checking to see if TCP port is listening
- Chris Hubing does it w command line call
- Grouper installer has a utils method
- Sleep and check the port
- For next steps
- Data already there is enough
- Subject source works
- Use the configuration that’s in 2.5
- Need to release 2.5.30
- Hoping for DDL changes
- Afterward the release we can add more
- Branch off 2.5 and there’s the LDAP section
- Need a class to manage configuration
- Need Validation
- First step: full sync to provision subject IDs to a group
- Attribute where you put strings
- Yes, start with something simple
- Get something running and then refactor it
- Chris and Shilen will work on this
- Make a class based on the configuration
- Don’t focus on getting stuff from Grouper yet
- One uber class with many methods?
- How much of an interface do you want?
- Monolithic class with many overrides?
- As long as it’s all documented, either works.
- Keep splitting things up and organizing
- Shilen will take a look
- Each item on diagram will be its own base class
- Chad: issues kicking off change log provisioner from GSH
- Doesn’t know its name, you are locked into implementation
- Unit tests will help
- Composition versus inheritance
- Use in memory CRUD or provisioner to test the logic
Chris – Recent memberships, templates, composites ng
- Release Grouper 2.5.30 is a priority
- Plan is to wait until Monday to try to include Chad’s PSPNG work
- API Unit tests are pointing at 2.5
- See if tests are passing ,
- Adding in some minor things
- Recent membership changes
- Attributes are on the group …
- Can put decimal points to see 100th of a day
- New Grouper Loader option for Recent memberships
- Can pick from a group, can state number of days and whether you want current members there
- PIT , point in time, lightweight view only shows records that make sense
- Easier to query using the new view
- Now there’s a view on the configuration
- Uses Grouper timetable
- Can do math, efficient query
- Recent membership changes go thru change log consumer, helps w real time data queries
- Need to decide the direction for how the screens fit together
Chad – pspng
- Making progress
- Goal for next Monday July 13
- Michael can help with testing before commits
Issue Round up
- AI Chris will take a look at this
Updating french translation
attribute def not found when making template application
add stem name validation like groups
Grouper provisioner configuration UI tasks
add obliterate to stem delete WS
Show membership create date and who created the membership on the "Edit membership and privileges" sub page
show group loader info with different access level
subjectId (not identifier) required in hasMember
turn off directory indexes in apache in container
group filter should allow ad hoc group that the use can READ
group filter should have option to not return group objects
add rule if enum for if group has membership (immediate or effective)
Users with "Create" privileges in a folder can see "Reports" on the "More Actions" button.. .only leads to an error message. "Error: not allowed to administer folder:"
shibboleth logs external to container option
Ability to "run a loader job" with alternate "loader.failsafe.*" config for a "one off run"
- Grouper-users] Grouper and TeamDynamix, Coleman, Erik C, 07/01/2020
- [grouper-users] University of Waterloo deployment story, Sean Mason, 07/02/2020
- [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/03/2020
- Re: [grouper-users] containerized grouper noob questions, Olivier Salaün, 07/03/2020
- Re: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
- Re: [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/03/2020
- Re: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
- Re: [grouper-users] containerized grouper noob questions, Darren Boss, 07/04/2020
- Re: [grouper-users] containerized grouper noob questions, Baron Fujimoto, 07/04/2020
- RE: [grouper-users] containerized grouper noob questions, Black, Carey M., 07/05/2020
- RE: [grouper-users] containerized grouper noob questions, Black, Carey M., 07/06/2020
- RE: [grouper-users] containerized grouper noob questions, Hyzer, Chris, 07/03/2020
- [grouper-users] Class Rosters for Grouper, Bill Thompson, 07/07/2020
InCommon Grouper Slack
Chris Hyzer what do people think about recent memberships configured from loader tab?
Alex P , so, grouper friends, Friday will be my last day in IT at UMD (starting a new job in a few weeks), and hence my last day as a full time Grouper operator (aka UMD's Lord of Grouper). I'm extremely thankful for all of you: the slack channel has improved my daily work (and our Grouper deployment) substantially. I wrote up a long retrospective called "My Year with Grouper" and have it on my personal tech blog: https://equul.us/2020/06/10/My-Year-with-Grouper/ I imagine it'll be useful to other Grouper deployers so I share it here. it was fun to write :slightly_smiling_face:. I'll pull this together into some form that can be put on the grouper wiki too.
My Year with Grouper (The Web Application, not the fish!)
A Technologist and Philologist on Technology https://equul.us/2020/06/10/My-Year-with-Grouper/
Matthew B I have grouper 2.5.29 running in Docker CE. My grouper-loader.properties is in the database. I modified chagneLog.consumer.....groupCreationLdifTemplate in the UI. Unfortunately, the new template does not seem to be showing up in the grouper loader.
Ross W Is there guidance posted on grouper "taking over" existing groups?
Chris Hyzer you can change idIndex (not sure about WS, but you can edit the DB or use GSH), as long as its less than the current max idIndex pointer and its not used for another group
Jeffrey C What is the best way to remove the EveryEntity view rights on really old groups via WS.
Carter S trying to put our Grouper instance behind a nginx reverse proxy but keep running into CSRF problems in the UI.
Chris H anyone interested in provisioning to zoom?
Krishnan Question on use of Grouper when another enterprise Identity management product solutions are in place - We have OIM as enterprise IDM solution.
Chris Hyzer Simple zoom provisioner: https://spaces.at.internet2.edu/display/Grouper/Grouper+zoom+provisioning
Let me know if anyone is interested.
Emily E Thanks to University of Waterloo (@Sean Mason) for the new Grouper Community Contribution https://spaces.at.internet2.edu/display/Grouper/University+of+Waterloo
Has anyone used log4j with a gsh script? I'd like to have the script's logs formatted/rotated like other loggers.
having great success building some SQL Loader jobs that query the Grouper database. One thing I noticed is that for LDAP loaders and for SQL_SIMPLE loader types, I can set an "And Group" that essentially builds a composite requiring people to also be members of another group when they get populated. However, on SQL_SIMPLE, it gives me an error saying "And groups not allowed", and for SQL_GROUP_LIST, I don't even see the ability to specify an "And Group".
What's the best way to run the loader in 2.5.29? We are using docker container, maturity level 1 so far.
Also, has anyone seen this error before?
2020-06-30 15:33:45,504: [ajp-nio-8009-exec-8] ERROR GrouperUiRestServlet.doGet(368) - -
I’m not sure what you mean by “run the loader”. We are using really simple containers as well. We start one container with the “daemon” command to run the daemon (loader). We start 2 other containers as “ui-ws”.
suggest renaming the "Grouper daemon" to be called the "Hydrocynus goliath" ?
Can ( if if so ... how..) Grouper+Custom+UI be used to:
Basically what I want is the "Group memberships for groups under this folder" UI.
However I want to "collect" a set of these for each app across all of Grouper into a single folder
Josh O Working with v2.5.29, I have been having issue with getting built in Grouper authn working for WS.
Carey had a user report what looks like a timeout in the UI to me. But I have not been able to track down where the setting is to "adjust it". ( If it exists.)
trying to delete a stem and all it’s groups using DELETE - /stems/stem:name, but i’m getting back
deleting stems.edu.internet2.middleware.grouper.exception.StemDeleteException: cannot delete stem with child groups
Afternoon I wanted to ask what people were doing about privilege escalation in grouper.
The Grouper "Custom UI" is an attempt to help troubleshoot access problems (when not providing a simple mechanism for optin/optout). Here is an example of analyzing O365/Azure data at penn for the help desk or for IT support providers to help end users.
Carey question about the /status servlet ...
Carter S Trying to troubleshoot an issue with attestation emails.
Erik C I'm about to embark on Grouper 2.5.29 in our test environment.
Michael G but but but - isn’t slashRoot the easiest thing to do? i thought the idea was to reduce the plethora of ways of doing things to simplify the config.
Chris Hubing In my case, it’s probably more a matter of technical debt… need to switch to secret’s manager as well.
Chris Hyzer , was just replaying about fixing the paths... yes, now i see the slashRoot question at the end...
Carey Can a Workflow be restricted to only being used by a specific group?
olivier We use group attribute validator to contrain the group names format as follows :….
I did not find mention ofstem.attribute.validator in the default grouper.base.properties.
Is there a way to perform that check? (edited)
Bill -Lafayette is working on getting our course rosters into Grouper.
Matthew B -Is there a way to get Grouper to recalculate a user's membership in a group when the user name changes in the subject source?
Next Grouper Call: Wed July 22, 2020