Child pages
  • v2.5 Release Notes
Skip to end of metadata
Go to start of metadata


New Features in Grouper 2.5

 Grouper 2.5 includes many helpful new features, as listed below, as well as the enhancements provided in Grouper 2.4 patches, such as visualization and reporting

The upgrade from 2.4.0 to 2.5 is not generally a major upgrade.  The database did not change much. 

You are required to use a container when running Grouper. This will ensure you have consistent directory structure, the correct version of libraries, and low risk and low effort upgrades.  There are instructions to make using the container as easy as possible.



 

v2.5 builds

Grouper container upgrade instructions 

These will be marked as stable once they are out for a while without issue and/or as people start using these in production.  This is a judgment call by the Grouper team.  If you are using a new release please inform us so we can provide better advice.

Date

Container tag (version)

Status

Enhancements and bugs fixed in this version, known issues with this version

Upgrade instructions
and notes

Versions
2021/09/17i2incommon/grouper:2.5.57
sha256:9fd575e5f2b8feacf1
b86cdd44779f89b23a7b375
da7fdb1c77c50dd105af24b
LATEST STABLE5 Jiras
Provisioning framework fixes
Chrome 93 header fix
NoneShib: 3.2.3
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_302
2021/09/06i2incommon/grouper:2.5.56
sha256:13f32e94d90f83dd6
333fee3abad682b6ecb9179
f688fd614f8c23b57ed31680
STABLE
NO ENHANCEMENTS AFTER 2.5.56

6 Jiras
Incremental LDAP attribute provisioning improvements
Auto create LDAP provisioning filters

NoneShib: 3.2.3
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_302
2021/09/01i2incommon/grouper:2.5.55
sha256:13124e45f77733887
20ae1190f86a5e47cb5de4b
a75c8f032b16cf92c2cedc35
RELEASED

22 Jiras
Visualization for composites is accessible
Remove container taglib startup errors
OpenLDAP empty member attribute support in provisioning framework
Database migration utility fix
LDAP to SQL utility

3 upgrade instructionsShib: 3.2.3
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_302
2021/07/27i2incommon/grouper:2.5.54
sha256:6fda7bfb9c3998cdc
02b00a3bab63abd4cca3671
6fe701b2b9f13fe1d0554320
STABLE

9 Jiras
Azure provisioner in new provisioner framework
Loader screen fix
LDAP new provisioner fix
Resolved version conflicts in okio library between Azure and Duo dependencies

NoneShib: 3.2.3
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_302
2021/07/15i2incommon/grouper:2.5.53
sha256:a144bbedc1d484b3e
b968a973bb1073b0340d0c4
323caa08f7aad8e9460a040b

STABLE

Misc loader screen:  GRP-3530
New prov framework ldap issues: 
GRP-3533GRP-3534

25 Jiras
SCIM provisioner for AWS
Reports can generated from GSH
Attestation notifications can be sent to a group
Loader can manage group display names
Can delegate loader management
1 upgrade instructionShib: 3.2.3
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_292
2021/05/27i2incommon/grouper:2.5.52
sha256: a8ecd8a4d953321b
37eacdbe50475295e885a83
ef33598cb1de66a4f277ba160
STABLE27 Jiras
Incremental provisioning performance improvements
Custom UI configuration moved from group attributes to UI wizard and config
GSH template improvements
5 upgrade instructionsShib: 3.2.2
Apache: 2.4.6
Tomee: 7.0.9 (8.5.57)
Openjdk: 1.8.0_292
2021/05/01i2incommon/grouper:2.5.50
sha256:f108efdceaaf875b7c
8879a091557c6a64969545e
633e4e6efe5803b5520a057
STABLE6 Jiras
Loader doesn't create ancestor folders
Incremental LDAP doesn't provision recalc memberships
NoneShib: 3.2.2
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_292
2021/04/28i2incommon/grouper:2.5.49
sha256:a1d389eb6735d02d4
2c510805c735c05a5824d656
bb6a49034bb19a4eb4cc8ef

RELEASED

Loader issue: GRP-3444

Provisioning: GRP-3445

71 Jiras
GSH template updates / fixes
Incremental provisioning performance improvements
Attribute propagation re-write (e.g. "types" daemon)
New default validation on Grouper object system names (see upgrade instructions)
4 upgrade instructionsShib: 3.2.2
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_292
2021/03/29i2incommon/grouper:2.5.47
sha256:e1523aed42d6af97f
14267fa31ad0ac765c32831
6c9d3d52e1ab9483508c17de

RELEASED

GSH bugs: GRP-3349
GRP-3348GRP-3350

For GSH templates use 2.5.50+

46 Jiras
Bushy LDAP provisioning
GSH api additions / improvements
Email enhancements

1 upgrade instructionShib: 3.2.1
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/03/18i2incommon/grouper:2.5.46
sha256:e19f928406355cb54
08ba7f271f6915b3db5ef856
2a25ef15458b94d8dc9469a

RELEASED

For GSH templates use 2.5.50+

14 Jiras
Small fix with provisioning and GSH templates

NoneShib: 3.2.1
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/03/17i2incommon/grouper:2.5.45
sha256:f94bfdf83fc5bd55d3
11164dd77dcf36f4efde8629
b85ea264a55c63528328db

RELEASED

For GSH templates use 2.5.50+

33 Jiras
GSH templates can be run from UI
Provisionable groups and folders improved
Provisioning diagnostics starting point
Grouper client can be used in multi-app JVM
Upgrade mysql/postgres drivers and improve quartz pooling
2 upgrade instructionsShib: 3.2.1
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/03/03i2incommon/grouper:2.5.44
sha256:1953b5475f237aba6
44a53124643686d407c7f8e5
8ee12ceaec8db9d815435d1
RELEASED

29 Jiras
GSH templates and WS enhancements
Sync to Grouper from another Grouper or SQL enhancements
JDBC/Hibernate fetch size bumped up to 1000 (oracle performance improvement)

NoneShib: 3.2.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/02/24i2incommon/grouper:2.5.43
grouper@sha256:20ab5adf6c2
8834c8945cf6df449a67f4df19a
162a9bfccd865918206c34a3b0
STABLE12 Jiras
GSH templates and WS
Sync various objects to Grouper via SQL or another Grouper instance
GSH scripts in daemon can have blocks on multiple lines
Grouper external subject source issue resolved
2 upgrade instructionsShib: 3.2.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/02/12i2incommon/grouper:2.5.42
grouper@sha256:00cd2a6d4ba
c27025f679ebdcf8a8a372403c2
0da6fa3147dcee320018a8cd2d

STABLE

(if you do not use Grouper
external subject source)
13 Jiras
Provisioning improvements
LDAP loader improvements
MembershipFinder enhancements
NoneShib: 3.2.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/02/01i2incommon/grouper:2.5.41
sha256:bb21a34ad75a9fa3a7
5596645ffc75c4a53d3c3bbe
5b13de8180ac4311919990

STABLE

(if you do not use Grouper
external subject source)

Known issue: GRP-3118 (grouperExternal subject source broken)

14 Jiras
Azure legacy provisioner is tested and works
Fix provisioning membership issues
LDAP provisioning metadata via configuration (and not testing metadata)
Container updates for SSL

1 upgrade instructionShib: 3.2.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2021/01/27i2incommon/grouper:2.5.40
sha256:74f445fb55dea3821
58b79ff88d5d1d27bdbb604
a7fbb4d18bf39402e6c70ce7

STABLE

(Azure CLC provisioning
might not work)

33 Jiras
Subject source wizard (experimental)
Openshift support
Email notifications daemon
Add "manual" and "intermediate" group types
SCIM and Azure provisioners (new framework) (experimental)
Provisioner targets in visualization

2 upgrade instructionsShib: 3.2.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_282
2020/12/09i2incommon/grouper:2.5.39
sha256:df647042eb12ff088a
7cfaff186a387286b23ac782
183923c587daa5f24a47ea
STABLE18 Jiras
Grouper provisioning
LDAP/DB pools dynamically adjust without restart on config change
Custom UI updates
Import members audit improvement
1 upgrade instructionShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_275
2020/11/09i2incommon/grouper:2.5.37.1
sha256:b1708b7e022472b2e9
055676aefe50a7dd773b053b
2d817ee96369712b56a04a
STABLEGRP-3015 and os updatesNoneShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.9
Openjdk: 1.8.0_275
2020/10/30i2incommon/grouper:2.5.37
sha256:d384f0c4f67e18be3b
138649050d6d687b16be5a4
76fcc3c65a0280748365a58
SECURITY ISSUE
GRP-3015

13 Jiras in total ( -2 bugs, +18 improvements )
Group import screen progress indicator
PSPNG Active Directory large group fix
Security improvement prevents stealing tomee session cookie

NoneShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_272
2020/11/09i2incommon/grouper:2.5.36.1
sha256:9ba5d138515246b64
a711fafe451fb7a1730f9aee1
3a7d2af4e1355defacedd8
STABLE

GRP-3015 and os updates

NoneShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_275
2020/10/20i2incommon/grouper:2.5.36
sha256:27f50a205208a48c3e
78ef24b62a6480a7460e4270
31b2c4d71bc34e09000ddc
SECURITY ISSUE
GRP-3015
26 Jiras in total ( -8 bugs, +18 improvements)
Lots of PSPNG improvements
3 upgrade instructionsShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_265
2020/09/16

i2incommon/grouper:2.5.35
sha256:158ff566eb
4e5b920
8ac881d6dba126e968d34ee
f78192086359cefa8e163e1f

STABLE22 Jiras in total ( -5 bugs+15 Improvements, +2 New Features )2 upgrade instructionsShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_265
2020/07/21

i2incommon/grouper:2.5.33
sha256:d3c880f3ebd670425
7cab4c423897dfb4feb50442
ef5533e9cafb7b0a43ada50

STABLE

Tomee security advisory and update to web profile 7.0.8

48 Jiras in total ( 21 bugs25 Improvements, 2 New Features )

Known issue: Container will not stop/start, you need to rm and run it

7 upgrade instructionsShib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.8
Openjdk: 1.8.0_262
2020/05/18

i2incommon/grouper:2.5.29
sha256:6e57a508dfb83c382
9e0be8e278e663ab59ea305
ea67dab4c84215250da4b395

STABLEAPI fixes: GRP-2806GRP-2805GRP-2804GRP-2797GRP-2795
Container updates: GRP-2708GRP-2800GRP-2802GRP-2803
Google provisioner: GRP-2788GRP-2789
12 Jiras in total
None

Shib: 3.1.0
Apache: 2.4.6
Tomee: 7.0.7
Openjdk: 1.8.0_252

2020/05/13

i2incommon/grouper:2.5.28
sha256:5377471e210206be3
613e11f095da80d702133998
e4c4a54304d552263434ef2


STABLE

Various google provisioner fixes: GRP-2787GRP-2786GRP-2785GRP-2784GRP-2783

GRP-2705: configs in UI show unmasked password for properties not in base config
34 Jiras in total

2 upgrade instructions


2020/05/05i2incommon/grouper:2.5.27
sha256:3bad2b55e0e83092
f74de33e2cccc31290802414
4ecd6f515e7ddc5d1bd46b7b

STABLE

GRP-2723: Grace periods
GRP-2744: Grouper quickstart
GRP-2709: Database migration utility
GRP-2712: Fix attribute def name editing
GRP-2711: Search with magnifying glass doesn't work
34 Jiras in total

Known issues
GRP-2757: Mysql unix needs recent memberships loader job tweak
GRP-2762: grouper-ui.properties config editor in UI problem
GRP-2767: env vars in container that end in _FILE need tweak


6 upgrade instructions


2020/05/04i2incommon/grouper:2.5.26
sha256:65c937260c3914bdb
75d277d8aa08257fa7016b9a
5675188bd3362c4079b14c8

NOT STABLE


Known issues
GRP-2748: Multiple contexts causes issues
GRP-2750:the first upgrade to 2.5.26 doesnt exit if running gsh -registry (kicks off daemon)

None


2020/04/21i 2incommon/grouper:2.5.23
sha256:2d5b05d6cbd006e1
5c28f423757122a8837b20c
38044dfcda524f12fae7d95b4


STABLE

Various Azure provisioner updates: GRP-2691GRP-2670GRP-2668GRP-2669GRP-2671
GRP-2680: "other job" that can run sql or gsh scripts
GRP-2683: Package base properties into their respective jars
GRP-2685: update gantt chart
31 Jiras in total

Known issues
GRP-2712: Attribute def name editing is wrong
GRP-2711: Search with magnifying glass doesn't work

5 upgrade instructions


2020/04/08 i2incommon/grouper:2.5.22
sha256:b675bb410bf873483
497b9b231e7a5db208645e5
8a3a42a8048381a33b79fd19

STABLE

2.5 initial release

Bugs fixed in this version
GRP-2657: grouperClient requires commons-lang
GRP-2654: pspng error on wrong slf4j libraries
GRP-2658: take /opt/grouper/conf and /opt/grouper/lib out of installer
GRP-2661: gsh init fails on gsh.sh -registry -check -runscript -noprompt

Enhancements fixed in this version
GRP-2646: make a new gsh entrypoint if not auto upgrading DDL to run install or upgrade

Known issues
GRP-2712GRP-2711

2.5 DDL changes
2020/04/07i2incommon/grouper:2.5.20
sha256:6b9e4b9272d06bee
aedba25bc4459729c98432e
a5f37b111a57d7fa97c8e78a3

NOT STABLEBugs fixed in this version: GRP-2648GRP-2642GRP-2651, GRP-2556
Known issues with this version:  GRP-2657, GRP-2654GRP-2658


2020/04/05i2incommon/grouper:2.5.19NOT STABLE

Bugs fixed in this version:  GRP-2635, GRP-2636GRP-2638GRP-2637GRP-2641 



2020/04/01i2incommon/grouper:2.5.15NOT STABLE

Enhancements:   GRP-2630, GRP-2634 
Bugs fixed in this version:  GRP-2629 
Known issues with this version:  GRP-2635GRP-2636 



2020/03/31i2incommon/grouper:2.5.14NOT STABLEKnown issues with this version:  GRP-2629

For more information about upcoming plans, see the Grouper Product Roadmap .

Many other fixes and improvements were also made to all components of the Grouper Toolkit: Grouper API, Administrative & Lite UIs, Grouper Web Services, Grouper Client, Grouper Shell, Grouper Loader, PSP, and the Subject API.


Summary

When selecting which Grouper v2.5 container to use (which build number), review the release notes wiki.  You should install the latest stable v2.5.* release (v2.5.43 as of 2021/02/24).  When you do a minor build update in the future, look at this wiki to verify the stability of the version

v2.5 is a minor upgrade from the latest v2.4 container.  Some defaults have changed in the properties files, and the container layout has drastically changed but it should be easy to adjust your docker file.

If you use v2.4 not in a container, then you will have to start using the container.  You don't need orchestration or a container practice in your organization, you can still use the same server you use now, just install docker and use the maturity level 0 advice to run Grouper.  This should not be a barrier to running Grouper.  If you are forbidden from running a container, at your institution and still want v2.5, it is possible to install docker, get the container, copy files out, and remove docker (sounds painful right?  hope you don't have to do that (smile)).

If you are in v2.2.1+, then it is similar to v2.4 not in a container.  The DDL upgrade to 2.5 can run automatically from v2.2.1, but you should follow the "v2.4 Upgrade Instructions from v2.3" for everything except DDL. (and "v2.3 Upgrade from v2.2" if applicable) (Note: you need Grouper v2.5.36+ if you are in 2.2.1)   

If you are in 2.2.0 or before, you need to upgrade to v2.2.1 before upgrading to v2.5 (or notify the Grouper team for advice)

There are a lot of specifics here based on where you are in Grouper, this document will attempt to unravel that.

Upgrade from v2.4 to v2.5

  • If you don't have a morphString.properties, add one to the classpath (e.g. /opt/grouper/conf) and put a random alphanumeric upper/lower 16 char secret in there for all JVMs (UI/WS/daemon/GSH)
  • If you are not using configuration in the database, you should migrate to that
    • You have various envs, dev, test, prod.  In one env, you have various JVMs: UI, WS, daemon, GSH.  Multiply that out and you have a lot of config files.
    • With configuration in the database you don't need those config files and the configuration is in the database and editable from the UI (no need to deploy your container).  So all the JVMs (UI, WS, daemon, GSH) in one env (dev, test, prod) will automatically be consistent.
    • The config files not in the database are: grouper.hibernate.properties, morphString.properties, grouper.text.en.us.properties
    • Take an env (e.g. dev) and look at all the config files of each type (e.g. grouper-loader.properties), consolidate those, and import into the UI, and dont provide that config file anymore
    • This will make config file changes easier (and mostly runtime), you will not have issues when different JVMs are inconsistent (dont need to copy config file to multiple containers)
  • Database upgrade.  There are a few low risk database changes (a few new tables, views, indexes).  Grouper v2.4 will run against a v2.5 registry fyi.  Grouper v2.3 should also.  (disabled groups in v2.5 could be enabled in v2.4-)
    • If Grouper is running the DDL automatically, or you run it from gsh manaually, or you run the script in your DB UI tool or whatever, if it fails part-way through, you need to grab the rest of the DDL scripts (from WEB-INF/ddlScripts) and run the rest manually.  Grouper will not be able to start where it left off and you need to fix it.
    • Views grouper_groups_v or grouper_roles_v will be changed.  Oracle and mysql will replace those views, postgres will drop and create.  If you use Postgres, see if there are any grants to those views and recreate them after DDL upgrade.  For all three see if views or objects select from those views and make sure everything is intact afterwards (keep source of objects that use grouper objects and keep grants of grouper objects)
    • Grouper DDL auto-upgrade.  It is recommended to set this in grouper.hibernate.properties to auto-upgrade the database.  will work from v2.3+ to v2.5 and will auto upgrade from here on in.  Note, your database username that grouper uses needs to be permitted to make DDL changes in its database.  You might need to get the DBAs to adjust that user.  If you set this in grouper.hibernate.properties, turn on the container, and it will upgrade the database automatically.  Any future v2.5 DDL will be backwards compatible with all v2.5.* containers
    • If you want the legacy DDL of manual updates, then turn on the container, and run "gsh -registry -check" and review and run that script.  Some examples for various databases are here.  Compare the generated script with one of these scripts and run against your database.  Note: each time you update your container you should check the release notes page about DDL requirements.  We will be changing DDL with various 2.5 builds periodically.  Auto-DDL is strongly recommended.
  • grouper.base.properties: security.show.folders.where.user.can.see.subobjects = false   by default.  This is the recommended setting.  It means everyone can see all folders whether they have objects inside or not.  If you want the old default behavior, set that in grouper.properties
  • grouper.base.properties.  Do you have the rule that vetoes assignments in folder if subject not in group?  The default in v2.5 (different than v2.4) is to enforce that by change log and daemon.  This is recommended and you probably want this.  But it could remove assignments when you turn Grouper on.  Which is probably what you want
  • Tomcat basic auth and apache basic auth can be replaced.  Do you use tomcat-users.xml or apache user file?  You should switch to Grouper basic auth (note you dont have to switch).
  • Custom Java
    • You should check to see if your Java still compiles until 2.5.  It should, but check anyways.  Tweak it if you need to or ask for advice on slack.  You might want to rebuild anyways.
    • Note that the daemon runs in tomee now, so calls like ClassLoader.getSystemResource... will not work
  • Container changes
    • For your overlays of existing files, look at the new container files, and make sure that the changes you made do not overwrite other things in the file.  e.g. server.xml, grouper-www.conf, web.xml, etc
    • There is no more /opt/tomcat.  It is /opt/tomee now.  It uses Tomcat 8.5 so things should generally be the same, but if you were overlaying files into /opt/tomcat, then you should redo those changes for tomee (diff your overlay with tomee, and make sure you are only changing your changes, not introducing other changes from the old container)
    • If you are doing WS/UI authentication in tomcat (e.g. ldap), you need to merge with the new server.xml and make sure the connector tomcatAuthentication is true (defaults to false now).  Also make sure the web.xml is right
    • There is only one webapp now, not one webapp for UI/WS/SCIM
    • There is no longer a command line daemon
    • If you ran v2.4 in a container, then you will need to adjust your mounts and Dockerfile
    • The path to Grouper is: /opt/grouper/grouperWebapp
    • If used this previous path: /opt/grouper/conf, change to /opt/grouper/grouperWebapp/WEB-INF/classes
    • If used this previous path: /opt/grouper/lib, it will not work.   If the jar is for the UI/daemon/GSH.  e.g. a new change log consumer, use /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon.  If it is a driver that should be in those things and WS and SCIM, then put it in /opt/grouper/grouperWebapp/WEB-INF/lib instead
    • Note: there is no Oracle driver anymore in the container (unless you used installer and agreed to Oracle terms).  You need to download the oracle driver and put in /opt/grouper/grouperWebapp/WEB-INF/lib.  Might want to use this: https://repo1.maven.org/maven2/com/oracle/ojdbc/ojdbc8/19.3.0.0/ojdbc8-19.3.0.0.jar
    • If you used /opt/grouper/grouper.ui, grouper.ws, grouper.apiBinary, grouper.scim, you need to adjust those.  There is one webapp dir in /opt/grouper/grouperWebapp
    • It is recommended to just put files here: /opt/grouper/slashRoot especially for mounting   (will copy the structure to the root dir / in the container)
      • If you do not have a Dockerfile, you only need one mount path to the container 
      • Example for classpath file: /opt/grouper/conf/grouper.hibernate.properties or /opt/grouper/slashRoot/opt/grouper/conf/grouper.hibernate.properties
    • All things run in tomee (not daemon command line anymore).  So this is how to set memory for all envs.  Note, it used to be different for daemon envs, so adjust those accordingly.  Daemon should have 12gigs at least

      ENV GROUPER_MAX_MEMORY="3g"
      
      Test the memory setting in all your containers:
      # ps -ef | grep tom   (get pid)
      # sudo -u tomcat jmap -heap <pid>     (see max heap, should be approx what you expect)
    • If you copy files into the container, you should end your (Dockerfile or whatever) script by setting the owner of the webapp dir

      RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp
  • vt-ldap is no longer supported.  Make sure you are not using it in grouper-loader.properties

This gets you to v2.5.X.  Now look at the v2.5.X upgrade steps and see which ones apply to you


See Also

Release Notes for Grouper 2.5

See Also

Grouper Downloads

Blog on Grouper 2.5 (April 2020)

Blog on Grouper Deprovisioning with Grouper 2.4 (September 2018)

  • No labels