When upgrading from Grouper v5 to another v5 container, this wiki will consolidate all the steps needed to perform that upgrade.
When upgrading from Grouper v4 to v5, also see v5 Upgrade Instructions from v4 for additional instructions which must be applied first.
See information on Grouper Versioning here
Note, these are in reverse order, so go from bottom to top
Date | Upgrading from version | Upgrading to Version | Note for version | Importance | Jira | Step needed if... | Description | |
---|---|---|---|---|---|---|---|---|
2024/11/26 | ALL | ALL | 5.14.0 | Important | If you run Grouper | Upgrade tasks are now improved. Make sure Grouper starts without errors. | ||
2024/11/26 | ALL | ALL | 5.14.0 | Important | If you run Grouper | It is now assumed your Grouper DB user can run DDL. Enable it to run DDL if it cannot. DDL changes are in this release. Note, if you are going to 5.14.0 version, you should manually run the DDL in this jira at any point before upgrading | ||
2024/10/07 | ALL | ALL | 5.13.0 | Not important | If you run Grouper | Note: you do not need the attribute sqlCacheableGroup anymore for jexl scripted groups. We will probably remove these in the future. | ||
2024/10/07 | ALL | ALL | 5.13.0 | Medium important | GRP-5717 | If you run Grouper | If your DB credential cannot do DDL then add tables manually from Jira Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added. Look at the job message to confirm that there were no issues adding the DDL. | |
2024/09/11 | ALL | ALL | 5.12.2 | Not important | You want to use Playwright browser automation for UI sanity testing | |||
2024/09/11 | ALL | ALL | 5.12.2 | Important | You use Grouper WS | Set this variable in the WS container: GROUPERWS_URL_WITH_CONTEXT_NOSLASH=https://myws.inst.edu/grouper-ws Test swagger after build: https://myws.inst.edu/grouper-ws/docs | ||
2024/09/04 | v4 | ALL | 5.1.0 | Medium important | You have jexl scripted groups created in v4 | Component groups of the jexl loader script will need a cache attribute set before running the full sync. In addition, if you have GSH templates created in v4, to be able to edit the loader group in the UI, new template property "template type" will need to be set on all templates. See the Jira for detailed instructions, and a gsh script to do a mass attribute setting for all component groups. | ||
2024/08/26 | ALL | ALL | 5.12.0 | Medium important | You use Grouper | If your grouper credential cannot do DDL, see the Jira and run the DDL manually. Otherwise, after Grouper starts or the OTHER_JOB_upgradeTasks job runs, the DDL will be added. Look at the job message to confirm that there were no issues adding the DDL. | ||
2024/08/26 | ALL | ALL | 5.12.0 | Important | You run commands in the OS during container build or run | The OS was upgraded from Rocky 8 (which is not unsupported) and Rocky 9. See the Jira for notes but some things are a little different | ||
2024/02/28 | 5.7.1 | 5.8.0-5.11.3 | 5.8.0 | Important | You have one or more Recent memberships loader groups, and the CHANGE_LOG_consumer_recentMemberships job is failing | Run this gsh script to fix
| ||
2024/07/30 | ALL | ALL | 5.9.2 | Important | You have an AWS provisioner | The AWS target throws a 400 if there is an active flag on SCIM group create. In the Group section of the config, you must set "include active on group create" to false | ||
2024/07/16 | ALL | ALL | 5.11.2 | Medium important | If you have SCIM provisioners | The provisioner will now select memberships from the target of SCIM provisioners. To keep the old behavior, change the membership CRUD configuration to not select memberships. Run the full in readonly mode and check what will be changed in the debug object logs. | ||
2024/06/27 | ALL | ALL | 5.11.0 | Medium important | If you run Grouper | If your DB credential cannot do DDL then add tables manually from Jira Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added. Look at the job message to confirm that there were no issues adding the DDL. | ||
2024/06/27 | ALL | ALL | 5.11.0 | Medium important | If you have an SQS external system | Enter in the secret key for sqs in your external system and save, if you
You need to add the region to the external system | ||
2024/06/27 | 4.9.3+ / 5.7.0+ | ALL | 5.11.0 | Medium important | GRP-5450 | If you have httpClientReuse=true in grouper.properties | You can remove that setting as the bug there was fixed. | |
2024/06/25 | ALL | ALL | 5.10.2 | Medium important | If you allow colons in passwords through basic auth | Read the documentation and set an environment variable to allow passwords to end in colons | ||
2024/03/19 | ALL | ALL | 5.9.0 | Not important | You run Grouper | Tomcat was upgraded, make sure any tomcat things work in UI/WS, including logs, SSL, authentication, etc | ||
2024/03/10 | ALL | ALL | 5.8.1 | Medium important | If you use the provisioning framework and have too much memory allocated to your daemon | Try bumping down your daemon memory to 16g (16g in container and 13g heap) and see if you still have memory problems. | ||
2024/03/05 | ALL | ALL | 5.8.3 | Medium important | If you use Grouper | Group sync jobs (full sync push/pull involving another Grouper instance) are now run using otherJobs. This applies if you have grouper.properties configs that start with "syncAnotherGrouper" and if you have daemon jobs that start with "MAINTENANCE__groupSync__". If so, then go to the Daemon Jobs screen in the UI and add a daemon job for each group sync. The daemon type is "Group sync another Grouper full sync". The Jira has a screenshot of this. | ||
2024/03/03 | ALL | ALL | 5.8.2 | Medium important | If you use Grouper | Config property changeLog.enabledDisabled.queryIntervalInSeconds renamed to otherJob.enabledDisabled.queryIntervalInSeconds. See Jira and adjust the value of the new property if you're not using the default. | ||
2024/03/03 | ALL | ALL | 5.8.2 | Not important | You run Grouper and use the daemon screen | Note that the change log temp daemon and composite change log consumer run continuously. | ||
2024/03/03 | ALL | ALL | 5.8.2 | Not important | You run Grouper and have any rules | |||
2024/02/27 | 5.7.1 | ALL | 5.8.1 | Medium important | You use self signed certs for tomcat | See Jira and adjust env vars | ||
2024/02/27 | ALL | ALL | 5.8.1 | Medium important | Your grouper credential cannot do DDL | See the Jira and run the DDL | ||
2024/01/01 | ALL | ALL | 5.7.0 | Important | If you have existing data fields or rows | You need to edit them and add a description | ||
2024/01/01 | ALL | ALL | 5.7.0 | Medium important | If you expect tomcat access logs to be in /tmp (previous default), they are not in /opt/grouper/logs | Set this variable: GROUPER_TOMCAT_LOG_ACCESS_DIRECTORY=/tmp | ||
2023/12/27 | ALL | ALL | 5.7.0 | Medium important | If you customize the server.xml for tomcat SSL, remote IP valve, or rewrite valve | Remove your custom server.xml and use the env variables | ||
2023/12/27 | ALL | ALL | 5.7.0 | Medium important | If you set this in grouper.properties
| Remove it | ||
2023/11/26 | ALL | ALL | 5.6.0 | Medium important | If you have a MidPoint provisioner and do not have foreign keys with cascade delete | Either drop the MidPoint tables and use the new DDL, or add cascade delete to the foreign keys on the attribute and membership tables | ||
2023/11/26 | ALL | ALL | 5.6.0 | Medium important | You use LDAP | Test your LDAP subject source, loaders, and provisioners, as Ldaptive has been upgraded | ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you use the zoom provisioner / loader | A 3rd party library was updated for security, test your integration. Note set this
| ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you use the OIDC for UI/WS authentication | A 3rd party library was updated for security, test your authentication | ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you use the legacy (non provisioning framework) box provisioner | A 3rd party library was updated for security, test your provisioner or upgrade to the | ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you use the legacy (non provisioning framework) google apps provisioner | A 3rd party library was updated for security, test your provisioner or upgrade to the | ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you use Grouper | JSON marshalling changed to be higher performance and less likely to
Report any issues you have if you have to revert | ||
2023/11/20 | ALL | ALL | 4.9.0, 5.6.0 | Medium important | If you LDAP loaders of type: list of groups or groups from attributes, and grouper-loader.properties:
| You can now specify any stems to be the top stem, or you can | ||
2023/11/04 | v2.5.0-v2.5.68, | ALL | 4.5.0 | Not important | If you were affected by the authentication bypass vulnerability and installed the remediation | |||
2023/10/21 | ALL | ALL | 5.2.0 | Important | If you use Grouper | Follow all v4 upgrade instructions | ||
2023/10/04 | ALL | ALL | 5.4.0 | Important | If you use deprovisioning | This defaults to true to veto deprovisioned users from being added to groups. If you dont want want, set to false in grouper.properties grouperHook.MembershipVetoIfDeprovisionedHook.autoRegister = true | ||
2023/07/04 | ALL | ALL | 5.2.0 | Important | If you use Grouper | Look at DDL changes and apply the updates manually | ||
2023/07/04 | ALL | ALL | 5.2.0 | Important | If you use Grouper | Follow all v4 upgrade instructions | ||
2023/03/30 | ALL | ALL | 5.0.3 | Important | If you use Grouper | DDL updates (Note: these are significant. You need to stop all updates when starting the daemon and running the upgrade task daemon) | ||
2023/03/28 | ALL | ALL | 5.0.3 | Important | If you use Grouper SOAP WS | SOAP is no longer in the Grouper container, you can install it in your image derived from Grouper (not recommended), or refactor your WS clients | ||
2023/03/28 | ALL | ALL | 5.0.3 | Important | If you run a process in the container other than the built in processes (e.g. sshd) | The supervisor is no longer in the Grouper container. If you start a process in your image derived from Grouper, you can install supervisor in your image derived from grouper, or make other arrangements | ||
2023/03/28 | ALL | ALL | 5.0.3 | Important | If you use SAML in the UI | The Shib SP is no longer in the Grouper container. You can either switch to OIDC, use the Unicon authn SAML, install the shib SP in your image derived from Grouper, or use a sidecar SP container Remove any SP environment variables passed to the container | ||
2023/03/28 | ALL | ALL | 5.0.3 | Important | If you use Apache in the grouper container | Apache is no longer in the Grouper container. You can either use tomcat, install apache in your image derived from Grouper, or use a sidecar apache container. Remove any Apache environment variables passed to the container |
If you want to run v5 locally, you can do something like this (change port, version, database url if not on mac):
$ docker run --name postgres -e POSTGRES_PASSWORD=pass -d -p 5432:5432 postgres:14 $ docker exec -it -u postgres postgres psql # CREATE USER grouper PASSWORD 'pass'; # CREATE DATABASE grouper; # GRANT ALL PRIVILEGES ON DATABASE grouper TO grouper; # \q
docker run -d -p 8081:8080 --name my-grouper \ -e GROUPER_UI_GROUPER_AUTH=true \ -e GROUPER_SELF_SIGNED_CERT=true \ -e GROUPER_AUTO_DDL_UPTOVERSION='v5.*.*' \ -e GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES='0.0.0.0/0' \ -e GROUPERSYSTEM_QUICKSTART_PASS=pass \ -e GROUPER_UI=true \ -e GROUPER_DATABASE_URL="jdbc:postgresql://docker.for.mac.localhost:5433/grouper?currentSchema=public" \ -e GROUPER_DATABASE_USERNAME=grouper \ -e GROUPER_DATABASE_PASSWORD=pass \ i2incommon/grouper:5.0.3 ui