
Minutes: Grouper-dev Call 26-Oct-2011


Tom Barton, University of Chicago (chair)  
Shilen Patel, Duke
Chris Hyzer, U. Penn
Tom Zeller, Unicon
Jim Fox, University of Washington
Steve Olshansky, Internet2

New Action Items

[AI] (All) Review Jira issues for the next release and ensure they are properly fleshed out.

Carry Over Action Items

[AI] (Emily) work with Shilen and Chris on a wiki documentation page with descriptions/recommendations on ongoing operational tasks. Then possibly send a pointer to the Grouper-users list asking for additions. (In progress at  )

[AI] (TomZ) will review the Grouper LDAP Loader doc and provide feedback to Chris, possibly with lessons learned from LDAPPC work.

[AI] (TomZ) will update JIRA to reflect the priorities  

[AI] (Rob) will follow up with Danno on obtaining the server for the Continuous Integration Environment.  

[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List.


- TomB will not be available for the Grouper-dev call on Wed., Nov. 9 --- Chris volunteered to lead this call.

- Thank you to Gary for his email on UI accessibility issues:

Grouper v2.0.1 Release

Grouper v2.0.1 is ready.

There are 6 JIRA items fixed in the 2.0.1 release:
Chris and SteveO will work together on the release notes, on updating the software download page, and on other steps as specified on the Release Steps page of the wiki:

The Hibernate upgrade work will be in the upcoming Grouper 2.1 release.

On-going Administration Tasks Wiki Page

Thank you to Shilen, who added content to the new wiki page documenting ongoing Grouper Admin. tasks, such as pruning these logs:
- change log
- daemon logs
- user audit logs
- point in time logs

Additional information that should be added:

- Using rules to send notifications by email (Shilen will add this)
- Setting up XMPP notification (Shilen will add this)
- Pruning the registry, for example to delete old course groups (Chris will add this)
- Set up Nagios to check the web service status page to be sure the daemons are running (Chris will add this)
- Be sure your logs email you so you can see when people have errors (Chris will add this)
- Set up a recurring meeting in Outlook that says "Go change a Confluence group and be sure the XMPPs are still going across" (Chris will add this)
- Check the daily Grouper Loader report (Chris will add this)

Supporting New Grouper Deployments  

- TomB noted that there may be about 60 potential new Grouper deployments in the pipeline
- Discussions have started about how to provide support, including a plan to develop a training program and materials
- There is an effort to encourage commercial partners, such as UNICON, to provide consulting support
- Potential sites who may be candidates for consulting relationships at some point in the future could include University of Wisconsin - Madison and PSU.
- Should the Grouper project team be expanded? TomB thinks this would make sense.

Grouper v2.1 Planning

- Real-time incremental LDAPPC-NG (TomZ is working on this)
- LDAP Grouper loader (done)
- Grouper entities in namespace (done)
- Hibernate upgrade (done)
- Grouper WS/client group/s item finder sorting/paging (done)
- Subject attribute WS security (Chris will do)
- Always available readonly client (Chris might do)
- Grouper WS attr/permission expansion (Chris might do)
- uPortal integration update (Shilen got some info from partners in France, but no coding work done yet)
- Unix GID management (Chris is not doing this)
- Permissions notification (Shilen will do), JIRA 611

[AI] (All) Review Jira issues for the next release and ensure they are properly fleshed out.

Progress on Real-time incremental LDAPPC-NG for Grouper 2.1

- TomZ has rewritten parts of the plugin to Shib, to support provisioning based on the change log
- has rewritten the test harness
- assumption that people will not use JDBC source
- now will work on configuring the jobs to run in real time as well as full synch
- must look at Loader jobs to figure that out

- it makes sense to use the Grouper demo as a test environment
- Need to revisit the Grouper demo setup, could take a day

There are 4 connectors to plug into Shib Attribute Resolver:
- groups
- members
- stems
- change log

Right now can't plug into an IdP

- LDAPPC-NG uses the change log consumer "wiring" to read changes off the change log
- There is a limited mechanism to filter the things you want to see
- Aiming for simple at first.
- There may be some tweaking based on Penn State's feedback, or feedback from others once the demo site is ready

- To start, we will support adding or removing a group, membership or stem
- After that we will look at supporting more advanced items like permissions

Q: What about renames to groups and stems, will those get provisioned?
A: Was going to do renames in the next phase, after 2.1 most likely

- Need to be sure deployments can operate reasonably with 2.1
- Maybe a daily full sync will be sufficient to handle any renames?
- Most likely, a full sync would remove the old group and add the new one, and this is not good for provisioning to AD
- LDAPPC did not handle group and stem renaming
- Is it worth folding renaming into the Grouper 2.1 release?  
- TomZ will investigate how group/stem renaming provisioning would work

- After getting the demo site working with LDAPPC-NG, TomZ will start working with Penn State on testing in their environment

Grouper Entities

Chris reviewed the work on Grouper user managed entities

- These are similar to groups, but with no members
- there is a type of Group attribute for "Entity"; so now a group can be of type Group, Role or Entity
- Entity can be used to represent a schema
- non-grouper-admins can create and manage these entities
- VIEW and ADMIN are the only privileges that can be assigned
- assigning READ, UPDATE, OPTIN, OPTOUT to an entity will produce an error
- Grouper entities have a subject source different than the grouper subject source (though similar).
- there is a subject identifier attribute, which must have prefix of the folder to ensure uniqueness
- Shilen will add this to renaming mechanism, so if a stem is renamed then the entity is renamed
- you are not constrained by the allowable characters in Grouper for that extension; can contain any characters including colons
- must be fully qualified by folder structure so it's unique

Q: Doesn't the entity naming scheme make it tough to rename a stem? Wouldn't it be easier to compute that part of the subject identifier?

A: Chris: this approach avoids namespace conflicts

Next Grouper Call: Wednesday, 9-Nov-2011 at noon ET.
