
Grouper WG  at 2011 SMM – Monday, April 18, 2011

[60 in attendance]
Slides are linked from http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001766&event=1035

Note: Thank you to Dean Woodbeck for preparing these minutes.

Agenda

Questions/topics
    • Update on LDAPPC NG evolution
    • Grouper v2.0 time frame/highlights
        • point-in-time audit demo
        • member sort/search
        • attribute UI
        • upgrading to 2.0
        • invite external users
        • syncing groups between Groupers
        • Atlassian connector
    • LDAP provisioning

What's New with Grouper -  Shilen Patel

Member searching and sorting
    • Problems: Grouper has limited info on subjects. Unable to effectively sort members of a group without performance hit. Unable to quickly/easily search for people in a group.
    • Solution: Grouper 2.0 allows up to 5 attributes for sorting and 5 attributes for searching for each subject. Sort/search attributes are updated when subjects are resolved in Grouper.
    • Security – each sort and search field can be configured to restrict access based on a group. Useful if attributes contain private info.
    • Fixes the performance issues sorting/searching.
    • Can put multiple items in the search column

Point-in-time auditing
    • Query the state of Grouper at a specific point in time
    • Memberships: Was person X a member of group Y on a given date? Who were all the members of a group on date X, or between date X and date Y?
    • Permissions: Did person X have read permission on resource Y on a given date?
    • Attributes: What attributes were assigned to a group in the past, and what were the attribute values?

Demo of member search/sort in UI
    • Shilen did a demo of the search/sort

Demo of point-in-time auditing using web services
    • Shilen did a demo of the point-in-time auditing – looked at queries that show whether or not someone is a member of a certain group
    • Can specify a “from” date, a “to” date, or both when checking whether someone is in a group

What’s New with Grouper - Chris Hyzer

    • Attribute framework UI. Ajax UI. Creates, edits, assigns attributes. For Grouper 2.0.
        • Attributes and actions
        • Attribute privileges
        • Attribute names
        • Groups and roles
        • Attribute assignments (to do)
        • Permission assignments (to do)

    • Upgrade from Grouper 1.6
        • March 2011 – Penn upgraded from Grouper 1.6 to 1.7
        • Grouper 1.7 was an internal Grouper release with point-in-time, rules, external subjects
        • Upgrade took five hours (including testing)
        • Performed the upgrade on a Friday night at 5 pm
        • No significant downtime required for read-only services
        • Disabled Nagios monitoring on WS
        • Set UI/WS to read-only mode
        • Turned off daemons and LDAP sync
        • Backed up the membership lite view to a table
        • Backed up the DB schema
        • See details on Penn's upgrade at https://spaces.at.internet2.edu/display/Grouper/Upgrade+notes+from+Grouper+1.6+to+1.7

    • Penn’s Secure Space – to support external users
        • Secure Space is built on Grouper – three groups per space: admins, users, readonly
        • Grouper client/WS caches the list of groups for the user
        • Uses InCommon for single sign-on
        • EPPN required for external users
        • External users self-register their name, email, institution
        • Installed Shib Discovery Service, customized:
            • Support channel
            • Easy for Penn users
            • Recommend ProtectNetwork for users who don't have an InCommon account that releases EPPN
        • Chris did a demo of the Penn Secure Space system

        Q: Have you thought about adding Google or OpenID – users are more familiar with these than ProtectNetwork?
        A: At Penn we are starting with ProtectNetwork.

    • Group sync to another Grouper
        • Map the folder/group in one Grouper to the folder/group in another Grouper
        • Only one side needs to be configured
        • Three types of syncing – push, pull, incremental push
        • Uses Grouper web services
        • Only external members are synced
        • Example on the Grouper demo server. See https://spaces.at.internet2.edu/display/Grouper/Grouper+demo+site

    • Atlassian – Grouper connector
        • Map a root folder for Confluence or Jira
        • Create/delete groups from Atlassian, although sometimes there are issues
        • XMPP messaging from Grouper to Atlassian for real time updates

LDAPPC NG - Lynn Garrison

LDAP Provisioning
    • Group management
        • 62 standing groups – provisioned once, incremental update daily
        • Course groups – 18746 for spring – provisioned once, incremental update daily
        • Delegate – 9700 – managed with a web application (departments use it for listservs, secure space)
        • Hybrid/nested – 2000
    • Architecture team looks at the environment and recommends to the production team what to use.
        • Current environment:
            • Linux (CentOS) – Oracle Express database, LDAP subject source using software from U-Wash, Shib attribute resolver
            • AIX (version 6.1, POWER7) – LDAP
    • Requirements from Penn State
        • Performance
            • Groups – 18 minutes to create a group of 31000 members. 45 min to provision to LDAP (only done once). Native LDAP – 40 min to provision to LDAP
            • Need real-time provisioning
            • Incremental provisioning
            • Creation of groups from existing LDAP

LDAPPC NG - Tom Zeller
    • Want speed – turns out caching is key
    • Need to tune the cache – making it larger is a good thing
    • If the cache must be smaller, need ways for people to cache easily
    • When trying to identify areas to improve speed, looked at identifiers at both ends (input to Grouper, output from LDAPPC NG)
    • Maybe should get rid of the API and draw from the IdP?
