Minutes Grouper Call of July 30, 2014
Tom Barton, U. Chicago, Chair
Shilen Patel, Duke
Chris Hyzer, University of Pennsylvania
Jim Fox, U. Washington
Dave Langenberg, U. Chicago
Emily Eisbruch, Internet2
New Action items
[AI] (Dave) document Grouper provisioning strategy on the wiki for review and discussion (Done) https://spaces.at.internet2.edu/display/Grouper/Post+PSP+Provisioning
[AI] (Emily) assist with issues around uploading the Grouper 2.2 overview video to YouTube. Done, video is linked from here: https://spaces.at.internet2.edu/display/groupertrain/Grouper+Training
Carry Over Action Items
[AI] (Chris) will look into the error message issue on the demo access issue if no EPPN is sent.
[AI] (Shilen) create a Grouper training video on the new Grouper UI
[AI] (DaveL) look at PSP ChangeLogDataConnector Inconsistency issue
[AI] (Shilen) investigate ways to get new attributes in a single step
Transition from SVN to GitHub
Some issues are still being worked out on the transition from SVN to GitHub.
Overall, it seems things should work well once the process is complete.
What should we have in place for provisioning for Grouper 2.3?
Tom: we had previously decided to have custom change log consumers for LDAP and for AD.
We had thought about other provisioning needs: Google, Box, Message queues, etc
Dave: A Google connector / provisioning approach (change log consumer) is being worked on in the field, with a university and help from an affiliate.
Jim: It is important to have a mechanism to differentiate which groups are being provisioned and which are not
Dave: suggestion to use the design being used at U. Chicago, which is to decorate groups with attributes that determine which provisioners should be used for the group. (I.e. I want this group to be provisioned to LDAP)
Tom: What about message queues?
CMU has been advocating for use of Active MQ
Chris: we could make that pluggable
comment: there are issues with pushing things to message queues, and determining visibility of confidential info in the messages, and there is a need for all or partial encryption.
Chris: we can follow AWS patterns for that.
Two issues: 1) Putting all messages into one queue / handler, then the messages can be pushed out to other queues.
comment: Message queue involves some latency. LDAP has to be up to date quickly.
So this is an argument against putting everything on a message queue.
U. Washington populates Google and AD through the message bus, but does not populate the main LDAP through the message bus.
For LDAP, U Washington uses a hook that writes a temporary file, like the 1st version of the change log. U Washington uses a cache to respond to membership requests, so LDAP must be up to date.
- If you can't wait, use a hook
- If you can wait, use a change log or messaging queue
Question: can the hook write message to Amazon SQS or ActiveMQ?
A: Yes, you can do it before or after the commit happens.
Risk that if the system shuts down, the message could get lost.
But overall it should be OK
What do we need to know to choose between hook or change log as the implementation?
Jim: most sites are happy with the way the change log is used now.
U Washington has a special situation.
Change log may be a safer approach. Less risk of systems shutting down and losing transactions.
Translating ACLs can be an issue to consider, especially around Google groups.
- Provide a change log consumer that can work with ActiveMQ and Amazon SQS
- Provide a custom change log consumer for LDAP and AD
- Make it possible to tag groups and attach attributes to groups, etc. to specify provisioning info.
We may want to make the SCIM provisioning approach more generic, but need a working SCIM end-point.
[AI] (Dave) will document Grouper provisioning strategy on the wiki for review and discussion: https://spaces.at.internet2.edu/display/Grouper/Post+PSP+Provisioning
Grouper Roadmap for 2.3
Improve folder privileges -
Change folder privileges so that instead of the STEM privilege, there is an ADMIN privilege on folders.
The ADMIN privilege would mean you have all rights to the folder, you can rename it, delete it, change privileges, and effectively every other privilege.
It was agreed this is a good idea. Migration path would be needed.
Improve Loader -
Add the ability for the loader to run on multiple nodes so it has better availability. Also add the option for unresolvable subjects to not cause loader jobs to fail.
Add ability to set thresholds
Add real time updates to loader-based groups (so Grouper can consume messages)
Mark your calendar: IAM Online webinar on Grouper: Wed., Sept 10, 2014 at 2pm ET
Next Call: Wed. Aug 13, 2014 at noon ET.