Grouper BOF at Internet2 2015 Technology Exchange in Cleveland
Oct 6, 2015
Please review the slides for this BOF here:
https://spaces.at.internet2.edu/download/attachments/14517786/grouperBofTechEx2015.pdf
Welcome from Chris Hyzer, University of Pennsylvania, Grouper Project Chair
New Team Members (see slides)
Release of Grouper 2.2.2
Fewer minor releases due to patches
Still have them due to package managers and clear patch slate (yearly?)
We will try to only maintain 2.2.2 in the 2.2 branch, please upgrade
Includes ~47 patches and other fixes (54 jiras)
If you are on a patched version of 2.2.1 this is low risk
- upgrade to 2.2.2 to get new patches
Discussion
Michael Gettes: CMU requests capability to inhibit renaming of groups.
In CMU GAP code, doing a group rename with LDAP is complex
Want to prevent it at the UI layer, it’s easier
Support both global setting and setting via an attribute on a group or folder.
Grouper Roadmap
https://spaces.at.internet2.edu/display/Grouper/Grouper+Product+Roadmap
TIER packaging and Standard AUTHZ will be in Grouper 2.3
April release date for Grouper 2.3
Q: only test and verify in Tomcat 6?
Misagh: Tomcat 7 works fine,
there’s a bug in Admin UI but we have found a fix for that
Misagh: For deploying Grouper, we are considering Dockerized Grouper deployment
to automate a base image
so you don’t have to know about Tomcat 7 vs Tomcat 8
MichaelG: sounds good
Q: TIER packaging is Docker containers?
Chris: it’s being discussed and there is a lot of buzz around Docker
right now we have ANT scripts
we have the Grouper installer, which is one JAR that can do multiple things
===
Java 8 support?
Chris: Tomcat versioning… Java 8 might be supported for Grouper 2.3
Use case for provisioning, some outputs are flat (no stem) and others are bushy
hard to configure
Dave agrees that is a problem
In the DN you want OU?
Need ones that don’t have hierarchy for POSIX-based groups
But to provision for POSIX (flat) have to copy all to flat format
makes resolver long
lots of cut and paste needed
Chris: improving Grouper provisioning is on the roadmap. See here
===
Chris: There have been many requests on lists for tweaks to Grouper
recently the Grouper team has done many patches
but now the Grouper Team needs to focus on new development.
Some enhancements will have to wait so we can focus on Grouper 2.3
===
TIER
http://www.internet2.edu/vision-initiatives/initiatives/trust-identity-education-research/
For the standardized API, the TIER project will start with the work done by the CIFER-API effort
will not replace Grouper web service so it still will be possible to use web service
===
MichaelG: the Grouper loader is heavyweight; it can take a long time
ScottK: deployment tries to run loader every minute
MichaelG: CMU runs it every 30 minutes and it takes 15 or 20 minutes to run
CMU does file based differencing outside of Grouper, then uses web services
doing singleton changes that way – versus loading a lot into a table?
Chris: it does not load into a table…it does adds and subtracts
frequency: it runs by default every minute
Grouper has a bunch of nodes
we want one ordered event queue to come out of that using timestamps
changelog consumers send the data to messaging
By default that runs every minute; you can make it more real time if you want
the heavyweight part is if you do a whole class list or org list
you may not have many changes, but it will still look at all
thinking about - just look at one member
or use a ? table to do incremental changes instead of a complete batch
Yes Grouper Loader could be made better
if you add or delete a loader job you must bounce your loader process
want to be able to make changes dynamically without a bounce
also it assumes all changes are resolvable
but if loader manages things that are unresolvable right now it fails; we hope to change that
Q: where does Grouper Loader run?
A: where you want it to; you specify one place, but we want it to be able to run on multiple loads
That is on the Grouper roadmap under Improve Loader
Misagh: what about creating a loader job in the new UI?
you can create it in the ADMIN UI…
Chris: for SQL you use ADMIN UI
LDAP: use New attrib Framework with LITE UI
on roadmap, this will be moved so you can manage old school attributes and types in NEW UI
and just like rules, loader is a specific thing
so when you edit a loader job, it can do validation
===
New to Grouper, can you have regular users not see all the UI types?
The Grouper LITE UI can be confusing
Right now you can turn them on or off
Chris: it’s in the config, please send email about this to the Grouper users list if you have questions
Feedback about getting Grouper running?
Jeffrey Crawford: Had trouble finding doc on how to Shibbolize access to Grouper.
NOTE: the documentation on this (from Newcastle) that was hard to find is now linked to from the top of this page
Lafayette went from zero to Grouper pilot in 3 months
REMINDER
Please help out the Grouper community by setting up a Grouper Contrib page for your deployment here and keeping it updated. Questions on doing this? Email emily@internet2.edu
ADDITIONAL GROUPER SESSIONS AT 2015 TECHNOLOGY EXCHANGE in Cleveland: University of Colorado Boulder presented a lightning talk on Grouper with Exchange/Office 365, linked from here