Grouper WG at 2011 SMM – Monday, April 18, 2011
[60 in attendance]
Slides are linked from http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001766&event=1035
Note: Thank you to Dean Woodbeck for preparing these minutes.
Agenda
Questions/topics
- Update on LDAPPC NG evolution
- Grouper v2.0 time frame/highlights
• point-in-time audit demo
• member sort/search
• attribute UI
• upgrading to 2.0
• invite external users
• syncing groups between Groupers
• Atlassian connector
LDAP provisioning
What's New with Grouper - Shilen Patel
Member searching and sorting
• Problems: Grouper has limited info on subjects. Unable to effectively sort members of a group without a performance hit. Unable to quickly/easily search for people in a group.
• Solution: Grouper 2.0 allows up to 5 attributes for sorting and 5 attributes for searching for each subject. Sort/search attributes are updated when subjects are resolved in Grouper.
• Security – each sort and search field can be configured to restrict access based on a group. Useful if attributes contain private info.
• Fixes the performance issues sorting/searching.
• Can put multiple items in the search column
Point in time auditing
• Query the state of Grouper at a specific point in time
• Memberships: Was person X a member of group Y on a given date? Who were all the members of a group on date X or between date X and date Y?
• Permissions: Did person X have read permission on resource Y at a given date?
• Attributes: What attributes were assigned to a group in the past and what were the attribute values?
Demo of member search/sort in UI
• Shilen did a demo of the search/sort
Demo of point in time auditing using web services
• Shilen did a demo of the point in time auditing – looked at queries that show whether or not someone is a member of a certain group
• Can specify a “from” date, a “to” date, or both when asking whether someone was in a group
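As an added illustration of the “from”/“to” semantics demoed above (example code, not Grouper’s own point-in-time implementation or schema; the membership records are constructed), a minimal model that answers both audit questions: membership on a single day, and the set of members over a date range.

```python
# Added example: point-in-time membership queries over an effective-dated log.
# The record layout is a constructed stand-in, not Grouper's grouper_pit_* tables.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class Membership:
    subject: str
    group: str
    start: date           # first day the membership was in effect
    end: Optional[date]   # day it ended (exclusive); None = still active


def active_on(m: Membership, day: date) -> bool:
    """True if the membership was in effect on the given day."""
    return m.start <= day and (m.end is None or day < m.end)


def overlaps(m: Membership, start: Optional[date], end: Optional[date]) -> bool:
    """True if the membership was in effect at any point in [start, end].
    Either bound may be None, matching the 'from only' / 'to only' queries."""
    if start is not None and m.end is not None and m.end <= start:
        return False   # ended before the window opened
    if end is not None and m.start > end:
        return False   # began after the window closed
    return True


def was_member(log: List[Membership], subject: str, group: str, day: date) -> bool:
    """Was person X a member of group Y on a given date?"""
    return any(m.subject == subject and m.group == group and active_on(m, day)
               for m in log)


def members_between(log: List[Membership], group: str,
                    start: Optional[date] = None, end: Optional[date] = None) -> Set[str]:
    """Who was a member of the group at any time between start and end?"""
    return {m.subject for m in log if m.group == group and overlaps(m, start, end)}


# Constructed sample log: alice was removed from admins and later re-added.
PIT_LOG = [
    Membership("alice", "app:admins", date(2010, 1, 15), date(2010, 9, 1)),
    Membership("bob",   "app:admins", date(2010, 6, 1),  None),
    Membership("alice", "app:admins", date(2011, 2, 1),  None),
    Membership("carol", "app:users",  date(2009, 3, 3),  date(2010, 12, 31)),
]
```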
What’s New with Grouper - Chris Hyzer
• Attribute framework UI. Ajax UI. Creates, edits, assigns attributes. For Grouper 2.0.
• Attributes and actions
• Attribute privileges
• Attribute names
• Groups and roles
• Attribute assignments (to do)
• Permission assignments (to do)
• Upgrade from Grouper 1.6
• March 2011 -- Penn upgraded from Grouper 1.6 to 1.7
• Grouper 1.7 was an internal Grouper release with point-in-time, rules, external subjects
• upgrade took five hours (including testing)
• performed upgrade on a Friday night at 5 pm.
• No significant downtime required for read-only services
• Disabled Nagios monitoring on WS
• Set UI/WS to read-only mode
• Turn off daemons, LDAP sync
• Backup membership lite view to a table
• Backup DB schema
• See details on Penn's upgrade at https://spaces.at.internet2.edu/display/Grouper/Upgrade+notes+from+Grouper+1.6+to+1.7
• Penn’s Secure Space – to support external users
• Secure Space is built on Grouper – three groups per space – admins, users, readonly
• Grouper client/WS caches the list of groups for the user
• uses InCommon for single sign-on
• EPPN required for external users
• External users self-register their name, email, institution
• Installed Shib Discovery Service, customized:
- Support channel
- Easy for Penn users
- Recommend ProtectNetwork for users who don't have an InCommon account that releases EPPN.
• Chris did a demo of the Penn Secure Space system
Q: Have you thought about adding Google or OpenID – users are more familiar with these than ProtectNetwork?
A: At Penn we are starting with ProtectNetwork.
• Group sync to another Grouper
• map the folder/group from one Grouper to the folder/group in another Grouper
• only one side needs to make configurations
• Three types of syncing – push, pull, and incremental push
• Uses Grouper web services
• Only external members are synced
• Example on Grouper demo server. See https://spaces.at.internet2.edu/display/Grouper/Grouper+demo+site
• Atlassian – Grouper connector
• Map a root folder for Confluence or Jira
• Create/delete groups from Atlassian, although sometimes there are issues
• XMPP messaging from Grouper to Atlassian for real time updates
LDAPPC NG - Lynn Garrison
LDAP Provisioning
• Group Mgmt
• 62 standing groups – provisioned once, incremental update daily
• course groups – 18,746 for spring – provisioned once, incremental update daily
• delegate – 9,700 – managed with a web application (departments use these for listservs and Secure Space)
• hybrid/nested – 2000
• Architecture team looks at environment and recommends to production team what to use.
• Current environment:
• Linux (CentOS) – Oracle express database, LDAP subject source using software from U-Wash, Shib attribute resolver
• AIX (version 6.1 POWER7) - LDAP
• Requirements from Penn State
• Performance
- Groups – 18 minutes to create a group of 31,000 members. 45 min to provision to LDAP (only done once). Native LDAP – 40 min to provision to LDAP
- Need real-time provisioning
- Incremental provisioning
- Creation of groups from existing LDAP
LDAPPC NG -- Tom Zeller
• want speed – turns out caching is key
• need to tune cache – making it larger is a good thing
• if the cache needs to be smaller, need to give people easy ways to configure caching
• When trying to identify areas to improve speed, looked at identifiers at both ends (input to Grouper, output from LDAPPC NG).
• Maybe should get rid of API and draw from IdP?