This wiki consolidates all the steps needed to upgrade from one Grouper v5 container to another v5 container.

When upgrading from Grouper v4 to v5, also see v5 Upgrade Instructions from v4 for additional instructions which must be applied first.


See information on Grouper Versioning here

Note, these are in reverse order, so go from bottom to top

Date | Upgrading from version | Upgrading to version | Note for version | Importance | Jira | Step needed if... | Description
2024/11/26 | ALL | ALL | 5.14.0 | Important

GRP-5796

If you run Grouper

Upgrade tasks are now improved.  Make sure Grouper starts without errors.

2024/11/26 | ALL | ALL | 5.14.0 | Important

GRP-5822

GRP-5792

GRP-5781

If you run Grouper

It is now assumed your Grouper DB user can run DDL.  Enable it to run DDL if it cannot.

DDL changes are in this release.

Note: if you are going to version 5.14.0, you should manually run the DDL in this Jira at any point before upgrading.

2024/10/07 | ALL | ALL | 5.13.0 | Not important

GRP-5717

If you run Grouper

Note: you do not need the attribute sqlCacheableGroup anymore for jexl scripted groups.  We will probably remove these in the future.
Make sure CHANGE_LOG_changeLogTempToChangeLog does not throw errors.  Run this job: OTHER_JOB_sqlCacheFullSync.  It will take a while, so you might want to do the upgrade at night or on the weekend.  Note this will run anyway, so if you do not currently use ABAC it's not important to run this manually.  If you do use ABAC things should be fine too; the job will run for uncached groups.
If you get errors you will need to adjust the DDL.  

e.g. mysql: if disabled_on is non nullable, change it to be nullable:

ALTER TABLE grouper_sql_cache_group MODIFY disabled_on DATETIME;


2024/10/07 | ALL | ALL | 5.13.0 | Medium important

GRP-5717

If you run Grouper

If your DB credential cannot do DDL then add tables manually from Jira

Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added.  Look at the job message to confirm that there were no issues adding the DDL.

2024/09/11 | ALL | ALL | 5.12.2 | Not important

GRP-5665

You want to use Playwright browser automation for UI sanity testing

Set this variable if you want the playwright jar in the lib dir:


GROUPER_PLAYWRIGHT_MOVE_JARS=true 


Install playwright libs in derived image (recommended)


RUN . /usr/local/bin/librarySetupFilesForComponent.sh && setupFilesForComponent_playwrightInstallOsLibsHelper && setupFilesForComponent_unsetAll


Set this variable to install OS libs on startup (must be root, recommend to do derived image instead, takes extra time on startup to install)


GROUPER_PLAYWRIGHT_INSTALL_OS_LIBS=true 

2024/09/11 | ALL | ALL | 5.12.2 | Important

GRP-5588

You use Grouper WS

Set this variable in the WS container:

GROUPERWS_URL_WITH_CONTEXT_NOSLASH=https://myws.inst.edu/grouper-ws

Test swagger after build: https://myws.inst.edu/grouper-ws/docs
See Jira or Containe

2024/09/04 | v4 | ALL | 5.1.0 | Medium important

GRP-5674

You have jexl scripted groups created in v4

Component groups of the jexl loader script will need a cache attribute set before running the full sync.

In addition, if you have GSH templates created in v4, the new template property "template type" will need to be set on all templates so that the loader group can be edited in the UI.

See the Jira for detailed instructions, and a gsh script to do a mass attribute setting for all component groups.

2024/08/26 | ALL | ALL | 5.12.0 | Medium important

GRP-5625

You use Grouper

If your grouper credential cannot do DDL, see the Jira and run the DDL manually.

Otherwise, after Grouper starts or the OTHER_JOB_upgradeTasks job runs, the DDL will be added.  Look at the job message to confirm that there were no issues adding the DDL.

2024/08/26 | ALL | ALL | 5.12.0 | Important

GRP-5653

You run commands in the OS during container build or run

The OS was upgraded from Rocky 8 (which is not unsupported) to Rocky 9.  See the Jira for notes, but some things are a little different; for example, "yum" is not there anymore.  Check the output of building and running Grouper to see if there are any errors.

2024/02/28 | 5.7.1 | 5.8.0-5.11.3 | 5.8.0 | Important

GRP-5635

You have one or more Recent memberships loader groups, and the CHANGE_LOG_consumer_recentMemberships job is failing

Run this gsh script to fix

import edu.internet2.middleware.grouper.app.serviceLifecycle.GrouperRecentMemberships
 
def group = GroupFinder.findByName("etc:attribute:recentMemberships:grouperRecentMembershipsLoader", true)
 
GrouperRecentMemberships.setupRecentMembershipsLoaderJob(group)

2024/07/30 | ALL | ALL | 5.9.2 | Important

GRP-5408

You have an AWS provisioner

The AWS target throws a 400 if there is an active flag on SCIM group create.  In the Group section of the config, you must set "include active on group create" to false

2024/07/16 | ALL | ALL | 5.11.2 | Medium important

GRP-5548

If you have SCIM provisioners

The provisioner will now select memberships from the target of SCIM provisioners.  To keep the old behavior, change the membership CRUD configuration to not select memberships.  Run the full sync in readonly mode and check what will be changed in the debug object logs.

2024/06/27 | ALL | ALL | 5.11.0 | Medium important

GRP-5514

If you run Grouper

If your DB credential cannot do DDL then add tables manually from Jira

Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added.  Look at the job message to confirm that there were no issues adding the DDL.

2024/06/27 | ALL | ALL | 5.11.0 | Medium important

GRP-3981

If you have an SQS external system

Enter the secret key for SQS in your external system and save.  If you look for the external system config id in grouper.client.properties, there is a typo you can remove:


grouper.messaging.system.myAwsMessagingSystem.secretyKey

You need to add the region to the external system

2024/06/27 | 4.9.3+ / 5.7.0+ | ALL | 5.11.0 | Medium important

GRP-5450

If you have httpClientReuse=true in grouper.properties

You can remove that setting as the bug there was fixed.

2024/06/25 | ALL | ALL | 5.10.2 | Medium important

GRP-5515

If you allow colons in passwords through basic auth

Read the documentation and set an environment variable to allow passwords to end in colons

2024/03/19 | ALL | ALL | 5.9.0 | Not important

GRP-5379

You run Grouper

Tomcat was upgraded.  Make sure everything Tomcat-related works in UI/WS, including logs, SSL, authentication, etc.

2024/03/10 | ALL | ALL | 5.8.1 | Medium important

GRP-5312

If you use the provisioning framework and have too much memory allocated to your daemon

Try bumping down your daemon memory to 16g (16g in container and 13g heap) and see if you still have memory problems. 
Or if you had more than 32g, try 32g container and 28g heap.

2024/03/05 | ALL | ALL | 5.8.3 | Medium important

GRP-5346

If you use Grouper

Group sync jobs (full sync push/pull involving another Grouper instance) are now run using otherJobs. 

This applies if you have grouper.properties configs that start with "syncAnotherGrouper" and if you have daemon jobs that start with "MAINTENANCE__groupSync__".

If so, then go to the Daemon Jobs screen in the UI and add a daemon job for each group sync.  The daemon type is "Group sync another Grouper full sync".  The Jira has a screenshot of this.

2024/03/03 | ALL | ALL | 5.8.2 | Medium important

GRP-5314

If you use Grouper

Config property changeLog.enabledDisabled.queryIntervalInSeconds was renamed to otherJob.enabledDisabled.queryIntervalInSeconds.  See Jira and adjust the value of the new property if you're not using the default.

2024/03/03 | ALL | ALL | 5.8.2 | Not important

GRP-5268

You run Grouper and use the daemon screen

Note that the change log temp daemon and composite change log consumer run continuously.  If you want to see progress, show subjobs (the checkbox is checked by default in v5).  Note you might see some refactored daemons in error state for a few minutes until things switch over.

2024/03/03 | ALL | ALL | 5.8.2 | Not important

GRP-5340

You run Grouper and have any rules

2024/02/27 | 5.7.1 | ALL | 5.8.1 | Medium important

GRP-5310

You use self signed certs for tomcat

See Jira and adjust env vars

2024/02/27 | ALL | ALL | 5.8.1 | Medium important

GRP-5302

Your grouper credential cannot do DDL

See the Jira and run the DDL

2024/01/01 | ALL | ALL | 5.7.0 | Important

GRP-5228

If you have existing data fields or rows

You need to edit them and add a description

2024/01/01 | ALL | ALL | 5.7.0 | Medium important

GRP-5228

If you expect tomcat access logs to be in /tmp (previous default), they are now in /opt/grouper/logs

Set this variable:  GROUPER_TOMCAT_LOG_ACCESS_DIRECTORY=/tmp

2023/12/27 | ALL | ALL | 5.7.0 | Medium important

GRP-5231
GRP-5223
GRP-5231

If you customize the server.xml for tomcat SSL, remote IP valve, or rewrite valve

Remove your custom server.xml and use the env variables

2023/12/27 | ALL | ALL | 5.7.0 | Medium important

GRP-5218

If you set this in grouper.properties

grouper.json.serialize.deserialize.useLegacy =  true

Remove it

2023/11/26 | ALL | ALL | 5.6.0 | Medium important


If you have a MidPoint provisioner and do not have foreign keys with cascade delete

Either drop the MidPoint tables and use the new DDL, or add cascade delete to the foreign keys on the attribute and membership tables

2023/11/26 | ALL | ALL | 5.6.0 | Medium important

GRP-5048

You use LDAP

Test your LDAP subject source, loaders, and provisioners, as Ldaptive has been upgraded

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5130

If you use the zoom provisioner / loader

A 3rd party library was updated for security; test your integration.  Note: set this explicitly in grouper-loader.properties, as the default will change from true to false.

# if reactivating users, this will assign a license (user type 2)
zoom.myConfigId.licenseReactivatedUsers

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5139

If you use the OIDC for UI/WS authentication

A 3rd party library was updated for security, test your authentication

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5140

If you use the legacy (non provisioning framework) box provisioner

A 3rd party library was updated for security, test your provisioner or upgrade to the
provisioning framework

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5141

If you use the legacy (non provisioning framework) google apps provisioner

A 3rd party library was updated for security, test your provisioner or upgrade to the
provisioning framework

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5142

If you use Grouper

JSON marshalling changed to be higher performance and less likely to 
leak memory.  You can use this in grouper.properties to revert to old if you have an issue:

grouper.json.serialize.deserialize.useLegacy =  true

Report any issues you have if you have to revert

2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important

GRP-5082

If you have LDAP loaders of type: list of groups or groups from attributes, and grouper-loader.properties:

loader.ldap.requireTopStemAsStemFromConfigGroup = true or default

You can now specify any stems to be the top stem, or you can use a stem near the loader configured group.  After upgrading, run the diagnostics or full sync on your loader and make sure the destination stays the same and does not change.  You might want to temporarily remove the SQL like string, if applicable, so the existing groups do not get deleted.

2023/11/04 | v2.5.0-v2.5.68, v4.0.0-v4.7.2, v5.0.0-v5.4.0 | ALL | 4.5.0 | Not important

GRP-5107

If you were affected by the authentication bypass vulnerability and installed the remediation

2023/10/21 | ALL | ALL | 5.2.0 | Important

If you use Grouper

Follow all v4 upgrade instructions

2023/10/04 | ALL | ALL | 5.4.0 | Important

GRP-4968

If you use deprovisioning

This defaults to true to veto deprovisioned users from being added to groups.  If you don't want that, set it to false in grouper.properties

grouperHook.MembershipVetoIfDeprovisionedHook.autoRegister = true

2023/07/04 | ALL | ALL | 5.2.0 | Important

If you use Grouper

Look at DDL changes and apply the updates manually

2023/07/04 | ALL | ALL | 5.2.0 | Important

If you use Grouper

Follow all v4 upgrade instructions

2023/03/30 | ALL | ALL | 5.0.3 | Important


If you use Grouper

DDL updates (Note: these are significant.  You need to stop all updates when starting the daemon and running the upgrade task daemon)

2023/03/28 | ALL | ALL | 5.0.3 | Important


If you use Grouper SOAP WS

SOAP is no longer in the Grouper container.  You can install it in your image derived from Grouper (not recommended), or refactor your WS clients

2023/03/28 | ALL | ALL | 5.0.3 | Important


If you run a process in the container other than the built in processes (e.g. sshd)

The supervisor is no longer in the Grouper container.  If you start a process in your image derived from Grouper, you can install supervisor in your image derived from Grouper, or make other arrangements

2023/03/28 | ALL | ALL | 5.0.3 | Important


If you use SAML in the UI

The Shib SP is no longer in the Grouper container.  You can either switch to OIDC, use the Unicon authn SAML, install the shib SP in your image derived from Grouper, or use a sidecar SP container

Remove any SP environment variables passed to the container

2023/03/28 | ALL | ALL | 5.0.3 | Important


If you use Apache in the grouper container

Apache is no longer in the Grouper container.  You can either use tomcat, install apache in your image derived from Grouper, or use a sidecar apache container.

Remove any Apache environment variables passed to the container
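
A pre-upgrade check for the property changes listed in the rows above (useLegacy, httpClientReuse, the changeLog to otherJob rename, syncAnotherGrouper, the secretyKey typo, and the zoom licenseReactivatedUsers default). This is an added example, not Grouper project code; the parse_properties and audit helpers, the file-name-to-text input shape, and the sample values are assumptions made here.

```python
import re

RULES = [  # (file, key regex, action), derived from the rows above
    ("grouper.properties", r"grouper\.json\.serialize\.deserialize\.useLegacy", "remove (5.7.0)"),
    # The full key name is not on the page, so any key ending in httpClientReuse is flagged.
    ("grouper.properties", r"(.*\.)?httpClientReuse", "can be removed (5.11.0)"),
    ("grouper.properties", r"changeLog\.enabledDisabled\.queryIntervalInSeconds",
     "renamed to otherJob.enabledDisabled.queryIntervalInSeconds (5.8.2)"),
    ("grouper.properties", r"syncAnotherGrouper.*", "add a group sync daemon job (5.8.3)"),
    ("grouper.client.properties", r"grouper\.messaging\.system\.[^.]+\.secretyKey",
     "typo key, remove once the secret key is saved in the external system (5.11.0)"),
]
# Assumption: zoom settings are keyed zoom.<configId>.<setting>, as in the zoom row.
ZOOM_KEY = re.compile(r"zoom\.([^.]+)\..+")

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' / '!' comment lines."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(files):
    """files maps a file name to its text; returns sorted (file, key, action) tuples."""
    findings = []
    for name, text in files.items():
        props = parse_properties(text)
        for _, pattern, action in (r for r in RULES if r[0] == name):
            findings += [(name, k, action) for k in props if re.fullmatch(pattern, k)]
        if name == "grouper-loader.properties":
            ids = {m.group(1) for k in props if (m := ZOOM_KEY.fullmatch(k))}
            for cid in sorted(ids):
                key = f"zoom.{cid}.licenseReactivatedUsers"
                if key not in props:  # must be set explicitly: default goes true -> false
                    findings.append((name, key, "set explicitly (4.9.0, 5.6.0)"))
    return sorted(findings)

# Constructed sample files, not from a real deployment; "example*" names are placeholders.
SAMPLE = {
    "grouper.properties": "grouper.json.serialize.deserialize.useLegacy = true\n"
    "changeLog.enabledDisabled.queryIntervalInSeconds = 3600\n"
    "syncAnotherGrouper.exampleSync.exampleSetting = x\n",
    "grouper.client.properties": "grouper.messaging.system.myAwsMessagingSystem.secretyKey = x\n",
    "grouper-loader.properties": "zoom.myConfigId.exampleSetting = x\n",
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
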


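If you want to run v5 locally, you can do something like this (change port, version, database url if not on mac).  These values suit a throwaway local instance only: the passwords are placeholders, and GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES='0.0.0.0/0' opens the UI configuration editor to every source IP address.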

$ docker run --name postgres -e POSTGRES_PASSWORD=pass -d -p 5432:5432 postgres:14
$ docker exec -it -u postgres postgres psql
# CREATE USER grouper PASSWORD 'pass';
# CREATE DATABASE grouper;
# GRANT ALL PRIVILEGES ON DATABASE grouper TO grouper;
# \q
$ docker run -d -p 8081:8080 --name my-grouper \
       -e GROUPER_UI_GROUPER_AUTH=true \
       -e GROUPER_SELF_SIGNED_CERT=true \
       -e GROUPER_AUTO_DDL_UPTOVERSION='v5.*.*' \
       -e GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES='0.0.0.0/0' \
       -e GROUPERSYSTEM_QUICKSTART_PASS=pass \
       -e GROUPER_UI=true \
       -e GROUPER_DATABASE_URL="jdbc:postgresql://docker.for.mac.localhost:5432/grouper?currentSchema=public" \
       -e GROUPER_DATABASE_USERNAME=grouper \
       -e GROUPER_DATABASE_PASSWORD=pass \
       i2incommon/grouper:5.0.3 ui