Summary
Lots has changed in v5. You should prepare v4 and make changes in v4 before going to v5.
- Tomcat is a single process in the container, there is no apache, shib, supervisor, logpipes
- Adjust UI authentication in v4, and run tomcat as a single process in the container. You can either
- Use the built-in OIDC
- Use the Unicon authentication plugin that does SAML
- Install apache/shib/supervisor in your derived image
- Run an authentication container separate from Grouper and reverse proxy
- You might want to set GROUPER_TOMCAT_REMOTE_IP_VALVE=true, read the docs, there are other related settings too
- Make sure you only have traffic from the load balancer or external web server and not allowed directly to tomcat (if shouldnt be allowed)
- Adjust UI authentication in v4, and run tomcat as a single process in the container. You can either
- Migrate from legacy provisioners to the provisioning framework
- pspng
- googleapps
- grouperAtlassianConnector
- grouper-azure
- grouper-box
- grouper-duo
- grouperKimConnector
- grouper-shib (use SQL or LDAP)
- If someone is using SOAP (there are logs to alert you if so), migrate to REST
Upgrade from v4 to v5
- Change this property in grouper.hibernate.properties, run the container, it will upgrade your database
- GROUPER_AUTO_DDL_UPTOVERSION=5.*.*
- You can run this to see if you have everything, do not run the generated script though
- gsh.sh -registry -check -runscript
- Make sure ports are listening as expected, e.g. if you expect AJP 8009 you need to set the env variable: GROUPER_TOMCAT_AJP_PORT=8009. If you do not want tomcat ssl to listen, set GROUPER_TOMCAT_HTTPS_PORT=false
- The patch level pointer for the upgradeTasks daemon job currently does not get reset to zero when upgrading from v4 to v5. Before running the OTHER_JOB_upgradeTasks job, find group etc:attribute:upgradeTasks:upgradeTasksMetadataGroup, edit attribute assignment upgradeTasksVersion and set the value to 0.
- Make sure the OTHER_JOB_upgradeTasks daemon runs successfully. This needs to run in order for other daemon jobs to work, like the cleanLogs or the grouperLoaderJexlScriptFullSync job.
- Custom Java
- You should check to see if your Java still compiles until 2.5. It should, but check anyways. Tweak it if you need to or ask for advice on slack. You might want to rebuild anyways.
- There are no logpipes in the logging anymore, if you customized logging, make sure you use the std out/err appender and not e.g. <AppenderRef ref="logpipe_grouper_daemon"/>
This gets you to v5.X.X. Now look at the v5 upgrade steps and see which ones apply to you
See Also