Grouper BOF at Global Summit in DC
April 25, 2017
Slides:
http://meetings.internet2.edu/media/medialibrary/2017/05/01/20170425-hyzer-grouperBOF.pdf
What is Grouper?
Central authorization, groups, permissions, provisioning, auditing, delegation and distributed management
Grouper and TIER
• TIER provides:
- Requirements for development
- Funding
- Architectural guidance
- Standards to harmonize with other TIER products
- Contributions in areas such as packaging, security, administrative help, etc.
Grouper progress in last 6 months
• Patches - Not making changes to core
• These are low-risk enhancements
• You can pick which patches you want to install
• The upgrades should be similar to what you are already deploying
• Instrumentation
• Real time loader
• View and edit Grouper loader in UI
• Attestation - so someone has to look every once in a while
• Subject API diagnostics - it has been hard to configure; this helps you look at diagnostics and troubleshoot
Instrumentation
• TIER interested in collecting metrics for TIER components
• If a large number of institutions are changing defaults, we could change how we set the defaults
• Right now there is no production TIER collector, but you can enable it and send to a test collector
• Things to add
◦ Counts of operations
◦ Monitoring of adds / deletes
◦ That thread reports to database
◦ Grouper UI will show that data
◦ Demo of collection - all available in a patch
Real Time Loader
- Before this, all loader jobs did full comparisons
- Query the source, get all memberships and do a comparison
- Problem for large loader jobs
- If you want to capture changes every minute, that's a problem
- So now with the patch in 2.3 you can capture incremental changes
Loader in UI
https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+on+UI
• Makes queries easier
• Only for admins or those to whom you give permission
• Info on each of the items
• Doc on each of items
• Should be in your audit log
• Now you can schedule
• Can do logs to look at past runs of this
• Can see failures and errors; Can filter by times or status
• Will help troubleshoot a loader job
• Hope to do a dashboard of all loader jobs, both SQL and LDAP
Attestation
https://spaces.at.internet2.edu/display/Grouper/Grouper+attestation
• Require group admins to review memberships
• Helps with deprovisioning
• Vivek has worked on this - there is now a test patch
• You go to folder or group
• Click on attestation menu item
• You can configure it
• You want this group or groups to be periodically reviewed (re-certified) by the admins
Config Migrated to Properties
• Sources.xml and ehcache.xml
• Makes configuration more consistent
• Upgrades easier (no merging or editing XML files)
• TIER packaging easier (or even possible)
• Optional for 2.3.0+patches
Subject API diagnostics
https://spaces.at.internet2.edu/display/Grouper/Grouper+subject+API+diagnostics+in+UI
- Config migrated to properties files
- Migrated to be properties overlays
- Optional for Grouper 2.3.0
- You can run installer task
TIER API in installer
- You can install the TIER API from the Grouper installer
- TIER API is full J2EE, SCIM; can't run in Tomcat
- Installs TomEE; there are a couple of issues
- Email Chris Hyzer if you want to know when this will work
UI Accessibility
https://spaces.at.internet2.edu/display/Grouper/Grouper+accessibility
- Report from U of Colorado was extremely helpful
- Fixed the issues, committed to github
- Waiting on review from Colorado
PSP
Please see slides on pages 15-17 here:
http://meetings.internet2.edu/media/medialibrary/2017/05/01/20170425-hyzer-grouperBOF.pdf
Comments:
• Works with incremental provisioning and full sync
• If a group was wrong and you want to re-sync
• Read Grouper and the target and make it correct?
• Automated QA - integration tests (Docker)
• Makes sure the stuff still works
• Empty group issue has been fixed…
• It's been a challenge with lifecycle -- foundational improvements came up
• ScottK: Our deployment is leveraging what PSP has, but PSP NG does not
- Munging full group name in interesting names
- Before it's provisioned to LDAP? It's working..
- How long will PSP continue to work before need another solution.
- Bert: no plan to stop shipping it
- Talk about this at 2017 TechEx? - Whatever feature you are using, can we add it to PSP NG
• It’s a full REGEX replace
• Finishing 2.3 and getting to 2.4 -- we hope to have answers for some of these gaps.
• As we look at 2.5:
- Discuss on the list new endpoints, absorb some of the open source code for endpoints
- Google, Box, Office 365. Taking on some of those and getting out of the LDAP focus
- PSP performance and simplicity… bring into other endpoints and keep them up to date.
- Provisioning means de-provisioning too… removing groups and members
- Need to work on Failsafe
- How to approve
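As an added illustration of the full-comparison versus incremental distinction raised above for the real-time loader and for PSP full sync (example code, not Grouper's or PSP's own; the group names, subject ids and the change-log event shape are constructed assumptions):

```python
# Added example (not Grouper or PSP code): the two membership-sync modes the
# notes describe, full comparison vs incremental change-log replay, including
# deprovisioning. Group and subject names are constructed sample data.

def full_sync(grouper, target):
    """Full comparison: read every membership on both sides and diff.
    An empty Grouper group still has stray target members removed."""
    adds, removes = {}, {}
    for group in set(grouper) | set(target):
        want = grouper.get(group, set())
        have = target.get(group, set())
        if want - have:
            adds[group] = want - have
        if have - want:
            removes[group] = have - want
    return adds, removes

def incremental_sync(events, target):
    """Incremental: replay (action, group, subject) change-log events without
    re-reading the source; redundant events are no-ops, last event wins."""
    adds, removes = {}, {}
    for action, group, subject in events:
        have = target.get(group, set())
        if action == "add":
            removes.get(group, set()).discard(subject)
            if subject not in have:
                adds.setdefault(group, set()).add(subject)
        elif action == "delete":
            adds.get(group, set()).discard(subject)
            if subject in have:
                removes.setdefault(group, set()).add(subject)
    return ({g: s for g, s in adds.items() if s},
            {g: s for g, s in removes.items() if s})

def apply_plan(target, plan):
    """Apply (adds, removes) to a copy of the target; removes deprovision."""
    adds, removes = plan
    new = {g: set(m) for g, m in target.items()}
    for g, subs in adds.items():
        new.setdefault(g, set()).update(subs)
    for g, subs in removes.items():
        new.get(g, set()).difference_update(subs)
    return new

# Constructed sample: Grouper is the source of record, TARGET is the LDAP/AD
# side as it stands, EVENTS is the change log since the last full sync.
GROUPER = {"app:wiki:editors": {"alice", "bob"}, "app:wiki:admins": set()}
TARGET = {"app:wiki:editors": {"bob", "carol"}, "app:wiki:admins": {"dave"}}
EVENTS = [("add", "app:wiki:editors", "alice"),
          ("delete", "app:wiki:editors", "carol"), ("delete", "app:wiki:admins", "dave")]
```

Both modes should leave the target equal to Grouper; the full comparison is the expensive path the real-time loader avoids between full runs.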
-------
Plans for Grouper 2.4
- Deprovisioning in UI
- Replace Admin and Lite UI with “New UI”
- New messaging strategies (AWS, AMQP)
- Provisioning in UI
- Integrate other contributions – GSH – Unicon O365?
- Release this summer hopefully
- Your item here
After Grouper 2.4
- Provisioning – Improvements – More targets
- Add more WS operations
- Add more TIER API operations
- Get more institutions to use the TIER API and packaging
- More UIs for: – Attributes – Configuration – Rules
- Group expire dates
- your item here
Discussion
Reconciling: if you provision to AD or 365 and people are still using the native tools, pull those changes back in
• Multimaster
• AD SOR and Grouper SOR
Provisioning and target directory: it logs that the subject does not exist
What about replicating the subject across?
There is code from a year ago that has subject creation
Replicate a subject to a target
- Chris: if you are creating a subject with an ID it would be worthwhile to have lightweight user creation
- We say, don’t put data in Grouper
- But if target already in Grouper
- Google provisioner does that
Note there have been updates to Google Grouper provisioner
https://github.com/Internet2/grouper/tree/master/grouper-misc/googleapps-grouper-provisioner
Question: subset in mobile UI?
A: it is responsive now
------
Grouper Deployment Guide
Bill Thompson, Lafayette
- Was a community effort
- Thanks to all the Grouper community contributions in the wiki
- Community came together on a model
- Bodes well for things to come
- identity as a domain and body of knowledge
- Grouper is powerful and flexible
- Lafayette took 6-8 weeks to review contributions in the wiki and then to decide how to do it
- This led to the idea of a Deployment Guide to reduce the time needed by deployers in the future
- Worked with Columbia University on their Grouper Deployment Guide
- Grouper Deployment Guide focuses on a few use cases
- The NIST doc talks about turning natural language policy into digital policy that can control access to systems. The Grouper Deployment Guide talks about how that works
- Access policies are attribute based; the model the guide talks about is attribute-based access policies. Since Grouper is so focused on groups, people lose sight that it's about subject attributes
- Key concept of the NIST doc is accommodating the unanticipated user. So if your access policy is attribute based, then when a new user comes into the system their access to systems is kept in sync and provisioned and de-provisioned as needed
----
Grouper Training
For those interested in Grouper Training, please check out the
Grouper Training at Open Apereo on June 4 2017 in Philadelphia
- June 4th, 2017
- 1:30pm Grouper half-day session
- Bill Thompson and Chris Hyzer
- Philadelphia Hilton Penn’s Landing (maybe?)
Please Contribute Your Grouper Deployment Story
Please contact emily@internet2.edu if you can contribute a Grouper deployment story from your campus to the Grouper Community Contributions wiki.
Thanks for attending the Grouper BOF