Minutes: Grouper Call 7-Dec-2011

Attending

Tom Barton, U. Chicago, Chair
Chris Hyzer, Penn
Gary Brown, Bristol
Shilen Patel, Duke   
Tom Zeller, Unicon  
Jim Fox, University of Washington  
Steve Olshansky, Internet2  
Emily Eisbruch, Internet2 (scribe)

New Action Items

[AI] (Gary) will look at the issue of paging in the Admin UI https://bugs.internet2.edu/jira/browse/GRP-716

[AI] (Chris) will reverse the changes to the secure member sort / search.

[AI] (Shilen) will forward to Emily and SteveO a request about the Grouper demo and SAML2

[AI] (Jim) will create a wiki page on reconciling the two LDAP source adapters

[AI] (TomZ) will email the list about LDAPPC-NG naming issues.

[AI] (TomZ) will put test data in the Grouper demo to show using an LDAP source

Carry Over Action Items

[AI] (TomZ) will talk with community members about reviewing LDAPPC-NG real time provisioning docs in January 2012

[AI] (TomZ) will review Jira issues for the next release and ensure they are properly fleshed out.

[AI] (TomZ) will review the Grouper LDAP Loader doc and provide feedback to Chris, possibly with lessons learned from LDAPPC work. https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP

[AI] (TomZ) will update JIRA to reflect the priorities  

[AI] (Rob) will follow up with Danno on obtaining the server for the Continuous Integration Environment.  

[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List.

DISCUSSION

Admin UI Paging Issue

An issue needing resolution for the Grouper 2.02 release involves the Admin UI and subject search paging.

- The UI generally gets all subjects for a query, saves them in memory, and you can page through them
- But if sources.xml settings are such that not all results are saved in memory, then often there is no second page of results available
- In these cases, the paging buttons should be removed from the Admin UI

[AI] (Gary) will look at the issue of paging in the Admin UI https://bugs.internet2.edu/jira/browse/GRP-716

Secure Member Sort / Search issue

https://bugs.internet2.edu/jira/browse/GRP-715

- If group A is a member of group B
- and the person (Mary) viewing group B does not have privileges to view group A
- should Mary be able to see the name or UUID of group A?
- Currently, Mary can see the name of group A.
- Maybe Mary should only be able to see the UUID but not the name?

- TomB: This can go either way, view issues become problematic.

- Decision was to keep things the way they are now (one advantage, things will be faster)
- Chris will reverse some changes he made recently.

[AI] (Chris) will reverse the changes to the secure member sort / search.

Releasing Grouper 2.02

- Will release Grouper 2.02 during the week of Dec. 12 if possible.
- There will be modest needs on communications and outreach
- Try to communicate that this is not a critical release
- This release is most important affected by the stale state exception issue
- SteveO will need the bullet points of what's changed

Naming Local Entities

Naming of non-person entities was discussed on the last Grouper-dev call. https://spaces.at.internet2.edu/display/Grouper/Grouper+Call+22-Nov-2011

- "local entity" has been suggested as the term to use and so far there are no objections.
- don't have to make a final decision until we get closer to releasing Grouper 2.1

Grouper Demo

Access to the Grouper demo is failing when SAML2 authentication is used.

[AI] Shilen forward to Emily and SteveO request about Grouper demo and SAML2 (DONE)

LDAP Source

- TomZ reported that he has OpenLDAP and phpLDAPadmin configured on the Grouper demo.
- TomZ raised these questions about the LDAP source and how to show it on the Grouper demo:

       - Do we want to use an LDAP subject source instead of / in addition to JDBC?
       - Do we want to allow authenticated users to browse the LDAP directory?
       - What data should be put in the Grouper demo to show how the LDAP source works?

- TomZ would rather have a real use case, but we need some data for testing.
- need subject and need a source XML config that points to it
- there are different approaches to generating the test subjects
- need some randomness to the names
- [AI] TomZ will put test data in the demo to show using an LDAP source

- Should we change the identifier scheme because we have two sources?
- Chris: it does not matter much on the demo server because authentication to UI is EPPN-based
- there won't be an EPPN identifier in LDAP

Q: Will there be a source for LDAP and a source for vt-LDAP?

- TomZ: We should move to using the new vt-LDAP by default, and just leave old code there so things don't break
- if we continue to put the older LDAP in the package, it must be in the test
- or we can communicate that we are going to deprecate the older LDAP and then we can pull it out.
- or we could keep it in SVN  but not put it in distribution
- the config is not exactly the same, but maybe could be merged
- suggestion to give Chris sources for vt-LDAP and then do the merge
- have one source on the demo server, and in Grouper 2.1 we will merge the two

Jim will create a wiki page outlining the steps.
[AI] (Jim) will create a wiki page on reconciling the two LDAP source adapters

Naming LDAPPC-NG or PSP (provisioning service provider?)

- Should the name indicate association with just Grouper and just LDAP or should it be broader?
- indicate the beginnings of a more general provisioning system?

- TomZ looked at using the Grouper Loader to get code into Grouper, and compared that to LDAPPC NG
- There were issues with the workspace getting messed up with so many renames

- Starting over with a clean slate, how to organize the Java class files?
- This should not involve changing much code, but organizing things
- TomZ looked at IdP v.3 layout as an example to work from
- The goal is to help a deployer who wants to customize a source for a target

Modules could be:

psp-provisioning-engine
psp-grouper-source
psp-grouper-target
psp-ldap-source
psp-ldap-target
psp-grouper-changelog
psp-parent
grouper-shib

- important to highlight parts that are sources, the parts that are targets, and the engine in the middle
- would be good to get contributions from Brown from their provisioning work

- TomB: the PSP names proposed make sense
- The list could grow longer over time

Java Package Name

TomZ: there is also an issue re the Java package name. There are:

- Java package name (LDAPPC)
- XML namespace name (LDAPPC)
- config file name (mixed names between LDAPPC and LDAPPC NG)
- project name is LDAPPC NG

- Assuming the LDAPPC-NG code could replace the LDAPPC code, we do not want to put LDAPPC-NG in XML

- TomB: maybe we should replace the term LDAP over time anyhow
- TomZ: could go to PSP everywhere

- we have the name Shibboleth for an IDP
- still need a namespace qualifier
- it could be LDAPPC or Grouper

- we want to scope this correctly
- Maybe in the future it will be more general purpose
- for now, we don't want to promote it as such
- what about use cases like Google, or box.net?
- need to consider trademark when picking names

[AI] (TomZ) will email the list about LDAPPC-NG naming issues.

Web services availability design idea (Chris)

Chris proposed ideas about always available web services: https://spaces.at.internet2.edu/display/Grouper/Grouper+always+available+web+services

- Chris proposed a protocol for how clients should interact with the multiple WS servers, with the protocol being implemented in the Grouper client.
- TomB noted that LDAP and DNS are alike in that they both require the client to have a list of servers to go to
- The group agreed with Chris's proposal.

- Jim suggested that longer-term, a production Grouper system ought to include with it internally a couple of LDAPs
- this would give the speed and redundancy that's needed

Next Call: Wed. Dec 21 at noon ET.
