Child pages
  • v2.5 Release Notes
Skip to end of metadata
Go to start of metadata

 Grouper v2.5 new features

New Features in Grouper 2.5

 Grouper 2.5 includes many helpful new features, as listed below, as well as the enhancements provided in Grouper 2.4 patches, such as visualization and reporting

The upgrade from 2.4.0 to 2.5 is not generally a major upgrade.  The database did not change much. 

You are required to use a container when running Grouper. This will ensure you have consistent directory structure, the correct version of libraries, and low risk and low effort upgrades.  There are instructions to make using the container as easy as possible.


v2.5 builds

Grouper container upgrade instructions 

These will be marked as stable once they are out for a while without issue and/or as people start using these in production.  This is a judgment call by the Grouper team.  If you are using a new release please inform us so we can provide better advice.


Container tag (version)


Enhancements and bugs fixed in this version, known issues with this version

Upgrade instructions
and notes

2020/10/20i2incommon/grouper:2.5.36NOT RELEASED
do not use yet
26 Jiras in total ()



LATEST STABLE22 Jiras in total ( -5 bugs+15 Improvements, +2 New Features )2 upgrade instructionsShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_265



Tomee security advisory and update to web profile 7.0.8

48 Jiras in total ( 21 bugs25 Improvements, 2 New Features )

Known issue: Container will not stop/start, you need to rm and run it

7 upgrade instructionsShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_262


STABLEAPI fixes: GRP-2806GRP-2805GRP-2804GRP-2797GRP-2795
Container updates: GRP-2708GRP-2800GRP-2802GRP-2803
Google provisioner: GRP-2788GRP-2789
12 Jiras in total

Shib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.7
Openjdk: 1.8.0_252




Various google provisioner fixes: GRP-2787GRP-2786GRP-2785GRP-2784GRP-2783

GRP-2705: configs in UI show unmasked password for properties not in base config
34 Jiras in total

2 upgrade instructions



GRP-2723: Grace periods
GRP-2744: Grouper quickstart
GRP-2709: Database migration utility
GRP-2712: Fix attribute def name editing
GRP-2711: Search with magnifying glass doesn't work
34 Jiras in total

Known issues
GRP-2757: Mysql unix needs recent memberships loader job tweak
GRP-2762: config editor in UI problem
GRP-2767: env vars in container that end in _FILE need tweak

6 upgrade instructions



Known issues
GRP-2748: Multiple contexts causes issues
GRP-2750:the first upgrade to 2.5.26 doesnt exit if running gsh -registry (kicks off daemon)


2020/04/21i 2incommon/grouper:2.5.23


Various Azure provisioner updates: GRP-2691GRP-2670GRP-2668GRP-2669GRP-2671
GRP-2680: "other job" that can run sql or gsh scripts
GRP-2683: Package base properties into their respective jars
GRP-2685: update gantt chart
31 Jiras in total

Known issues
GRP-2712: Attribute def name editing is wrong
GRP-2711: Search with magnifying glass doesn't work

5 upgrade instructions

2020/04/08 i2incommon/grouper:2.5.22


2.5 initial release

Bugs fixed in this version
GRP-2657: grouperClient requires commons-lang
GRP-2654: pspng error on wrong slf4j libraries
GRP-2658: take /opt/grouper/conf and /opt/grouper/lib out of installer
GRP-2661: gsh init fails on -registry -check -runscript -noprompt

Enhancements fixed in this version
GRP-2646: make a new gsh entrypoint if not auto upgrading DDL to run install or upgrade

Known issues

2.5 DDL changes

NOT STABLEBugs fixed in this version: GRP-2648GRP-2642GRP-2651, GRP-2556
Known issues with this version:  GRP-2657, GRP-2654GRP-2658

2020/04/05i2incommon/grouper:2.5.19NOT STABLE

Bugs fixed in this version:  GRP-2635, GRP-2636GRP-2638GRP-2637GRP-2641 

2020/04/01i2incommon/grouper:2.5.15NOT STABLE

Enhancements:   GRP-2630, GRP-2634 
Bugs fixed in this version:  GRP-2629 
Known issues with this version:  GRP-2635GRP-2636 

2020/03/31i2incommon/grouper:2.5.14NOT STABLEKnown issues with this version:  GRP-2629

For more information about upcoming plans, see the Grouper Product Roadmap .

Many other fixes and improvements were also made to all components of the Grouper Toolkit: Grouper API, Administrative & Lite UIs, Grouper Web Services, Grouper Client, Grouper Shell, Grouper Loader, PSP, and the Subject API.


When selecting which Grouper v2.5 container to use (which build number), review the release notes wiki.  When you do a minor build update in the future, look at this wiki to verify the stability of the version

v2.5 is a minor upgrade from the latest v2.4 container.  Some defaults have changed in the properties files, and the container layout has drastically changed but it should be easy to adjust your docker file.

If you use v2.4 not in a container, then you will have to start using the container.  You don't need orchestration or a container practice in your organization, you can still use the same server you use now, just install docker and use the maturity level 0 advice to run Grouper.  This should not be a barrier to running Grouper.  If you are forbidden from running a container, at your institution and still want v2.5, it is possible to install docker, get the container, copy files out, and remove docker (sounds painful right?  hope you don't have to do that (smile)).

If you are in v2.2.1+, then it is similar to v2.4 not in a container.  The DDL upgrade to 2.5 can run automatically from v2.2.1, but you should follow the "v2.4 Upgrade Instructions from v2.3" for everything except DDL. (and "v2.3 Upgrade from v2.2" if applicable) (Note: you need Grouper v2.5.36+ if you are in 2.2.1)   

If you are in 2.2.0 or before, you need to upgrade to v2.2.1 before upgrading to v2.5 (or notify the Grouper team for advice)

There are a lot of specifics here based on where you are in Grouper, this document will attempt to unravel that.

Upgrade from v2.4 to v2.5

  • If you don't have a, add one to the classpath (e.g. /opt/grouper/conf) and put a random alphanumeric upper/lower 16 char secret in there for all JVMs (UI/WS/daemon/GSH)
  • If you are not using configuration in the database, you should migrate to that
    • You have various envs, dev, test, prod.  In one env, you have various JVMs: UI, WS, daemon, GSH.  Multiply that out and you have a lot of config files.
    • With configuration in the database you don't need those config files and the configuration is in the database and editable from the UI (no need to deploy your container).  So all the JVMs (UI, WS, daemon, GSH) in one env (dev, test, prod) will automatically be consistent.
    • The config files not in the database are:,,
    • Take an env (e.g. dev) and look at all the config files of each type (e.g., consolidate those, and import into the UI, and dont provide that config file anymore
    • This will make config file changes easier (and mostly runtime), you will not have issues when different JVMs are inconsistent (dont need to copy config file to multiple containers)
  • Database upgrade.  There are a few low risk database changes (a few new tables, views, indexes).  Grouper v2.4 will run against a v2.5 registry fyi.  Grouper v2.3 should also.  (disabled groups in v2.5 could be enabled in v2.4-)
    • If Grouper is running the DDL automatically, or you run it from gsh manaually, or you run the script in your DB UI tool or whatever, if it fails part-way through, you need to grab the rest of the DDL scripts (from WEB-INF/ddlScripts) and run the rest manually.  Grouper will not be able to start where it left off and you need to fix it.
    • Views grouper_groups_v or grouper_roles_v will be changed.  Oracle and mysql will replace those views, postgres will drop and create.  If you use Postgres, see if there are any grants to those views and recreate them after DDL upgrade.  For all three see if views or objects select from those views and make sure everything is intact afterwards (keep source of objects that use grouper objects and keep grants of grouper objects)
    • Grouper DDL auto-upgrade.  It is recommended to set this in to auto-upgrade the database.  will work from v2.3+ to v2.5 and will auto upgrade from here on in.  Note, your database username that grouper uses needs to be permitted to make DDL changes in its database.  You might need to get the DBAs to adjust that user.  If you set this in, turn on the container, and it will upgrade the database automatically.  Any future v2.5 DDL will be backwards compatible with all v2.5.* containers
    • If you want the legacy DDL of manual updates, then turn on the container, and run "gsh -registry -check" and review and run that script.  Some examples for various databases are here.  Compare the generated script with one of these scripts and run against your database.  Note: each time you update your container you should check the release notes page about DDL requirements.  We will be changing DDL with various 2.5 builds periodically.  Auto-DDL is strongly recommended.
  • = false   by default.  This is the recommended setting.  It means everyone can see all folders whether they have objects inside or not.  If you want the old default behavior, set that in
  •  Do you have the rule that vetoes assignments in folder if subject not in group?  The default in v2.5 (different than v2.4) is to enforce that by change log and daemon.  This is recommended and you probably want this.  But it could remove assignments when you turn Grouper on.  Which is probably what you want
  • Tomcat basic auth and apache basic auth can be replaced.  Do you use tomcat-users.xml or apache user file?  You should switch to Grouper basic auth (note you dont have to switch).
  • Custom Java
    • You should check to see if your Java still compiles until 2.5.  It should, but check anyways.  Tweak it if you need to or ask for advice on slack.  You might want to rebuild anyways.
    • Note that the daemon runs in tomee now, so calls like ClassLoader.getSystemResource... will not work
  • Container changes
    • For your overlays of existing files, look at the new container files, and make sure that the changes you made do not overwrite other things in the file.  e.g. server.xml, grouper-www.conf, web.xml, etc
    • There is no more /opt/tomcat.  It is /opt/tomee now.  It uses Tomcat 8.5 so things should generally be the same, but if you were overlaying files into /opt/tomcat, then you should redo those changes for tomee (diff your overlay with tomee, and make sure you are only changing your changes, not introducing other changes from the old container)
    • If you are doing WS/UI authentication in tomcat (e.g. ldap), you need to merge with the new server.xml and make sure the connector tomcatAuthentication is true (defaults to false now).  Also make sure the web.xml is right
    • There is only one webapp now, not one webapp for UI/WS/SCIM
    • There is no longer a command line daemon
    • If you ran v2.4 in a container, then you will need to adjust your mounts and Dockerfile
    • The path to Grouper is: /opt/grouper/grouperWebapp
    • If used this previous path: /opt/grouper/conf, change to /opt/grouper/grouperWebapp/WEB-INF/classes
    • If used this previous path: /opt/grouper/lib, it will not work.   If the jar is for the UI/daemon/GSH.  e.g. a new change log consumer, use /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon.  If it is a driver that should be in those things and WS and SCIM, then put it in /opt/grouper/grouperWebapp/WEB-INF/lib instead
    • Note: there is no Oracle driver anymore in the container (unless you used installer and agreed to Oracle terms).  You need to download the oracle driver and put in /opt/grouper/grouperWebapp/WEB-INF/lib.  Might want to use this:
    • If you used /opt/grouper/grouper.ui,, grouper.apiBinary, grouper.scim, you need to adjust those.  There is one webapp dir in /opt/grouper/grouperWebapp
    • It is recommended to just put files here: /opt/grouper/slashRoot especially for mounting   (will copy the structure to the root dir / in the container)
      • If you do not have a Dockerfile, you only need one mount path to the container 
      • Example for classpath file: /opt/grouper/conf/ or /opt/grouper/slashRoot/opt/grouper/conf/
    • All things run in tomee (not daemon command line anymore).  So this is how to set memory for all envs.  Note, it used to be different for daemon envs, so adjust those accordingly.  Daemon should have 12gigs at least

      Test the memory setting in all your containers:
      # ps -ef | grep tom   (get pid)
      # sudo -u tomcat jmap -heap <pid>     (see max heap, should be approx what you expect)
    • If you copy files into the container, you should end your (Dockerfile or whatever) script by setting the owner of the webapp dir

      RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp
  • vt-ldap is no longer supported.  Make sure you are not using it in

This gets you to the first v2.5 release.  Now look at the steps to get to the v2.5.X that you want to install

See Also

Release Notes for Grouper 2.5

See Also

Grouper Downloads

Blog on Grouper 2.5 (April 2020)

Blog on Grouper Deprovisioning with Grouper 2.4 (September 2018)

  • No labels