Versions Compared

Old Version 55

changes.mady.by.user Chris Hyzer (upenn.edu)

Saved on

compared with

New Version 56

changes.mady.by.user Chris Hyzer (upenn.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
spaceKeyGrouper
pageTitleNavigation

When upgrading from Grouper v2.6 to another v2.6 container, this wiki will consolidate all the steps needed to perform that upgrade

Note, these are in reverse order, so go from bottom to top

DateUpgrading from versionUpgrading to VersionNote for versionImportanceJiraStep needed if...Description
2022/11/17ALLALL2.6.18Important

GRP-4500

If you use Oracle

If you have oracle, add this index if it is not already there:


Code Block
CREATE INDEX member_eligible_idx ON grouper_members (subject_resolution_eligible);


2022/11/09ALLALL2.6.18Important

GRP-4470

If you use Grouper

DDL updates

2022/11/01ALLALL2.6.17Important

GRP-4426

If you use /run/secrets/grouper* filesThese files are no longer copied from /run/secrets to 

/opt/grouper/grouperWebapp/WEB-INF/classes so change configs to get passwords from /run/secrets.  Make sure the tomcat user has access to those files, maybe chgrp to root

2022/10/03ALLALL2.6.17Medium important

GRP-4373

If you use Grouper

After all of your Grouper nodes (daemon, UI, WS) in an environment are updated to 2.6.17+,

  1. Disable the change log temp to change log daemon (or turn off daemon nodes)

  2. run the following 2 lines in GSH to sync up Group Sets in point in time data.  (make sure daemon is not running at same time)

    Code Block
    new SyncPITTables().processMissingInactivePITGroupSets();

new SyncPITTables().processMissingActivePITGroupSets();


  3. If you don't have easy access to GSH, you can alternatively run the OTHER_JOB_syncAllPitTables daemon job once using the Grouper UI under Miscellaneous → Daemon jobs.   If you run this make sure #1 is still done
  4. Enable the change log temp to change log daemon (or turn on daemon nodes)
2022/09/22ALLALL2.6.16Medium important


If you chown or chmod in Dockerfile

The file owner is tomcat.root for files in image.  Might want to call this instead of chown/chmod

Code Block
/opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root


2022/09/22ALLALL2.6.16Medium important

GRP-4360

If you use WS OIDCReconfigure the OIDC external system.  Some settings were merged from
grouper.properties in other locations.  Ask Slack for details if you have issues
2022/09/22ALLALL2.6.16Important


If you use GrouperDDL updates
2022/08/11ALLALL2.6.14Important

GRP-3784

If you use GrouperThere is now a grouper.membership.allowSelfRead global setting in grouper.properties.  If you set it to true (default false), then any group a subject can VIEW, they can see if they are in the group or not (without reading other subject's memberships).  It is recommended to set this to true to make Grouper more intuitive unless if would be a security issue or would confuse users.
2022/07/26ALLALL2.6.14Important

GRP-4232

If you use GrouperDDL updates - add columns grouper_loader_log.job_message_clob and job_message_bytes
2022/07/26ALLALL2.6.14Not important

GRP-4223

If you use Groupercsrfguard was upgraded significantly.  Click around and import and export and do any UI edge case tasks to make sure the csrf protection does not impede legitimate actions
2022/07/26ALLALL2.6.11Not important

GRP-4204

You use rabbitmqCheck rabbitmq integration, the library was upgraded
2022/07/042.6.6ALL2.6.10Not important

GRP-4139

You use OSGI (e.g. the new built in authn)

Add this to grouper.properties in config file or database:

Code Block
# only enable osgi if you use it
# {valueType: "boolean", defaultValue: "false", order: 3000}
grouper.osgi.enable = true


2022/06/07ALLALL2.6.9Important


If you use the Grouper provisioning frameworkSetup a meeting with someone on the Grouper team to step through upgrading your provisioner
2022/05/05ALLALL2.6.9Important

GRP-4026

GRP-4028

If you have SSL anchor certs or client certs in the containerThere is a new experimental strategy for this, please see Jiras for details
2022/08/06ALLALL2.6.8Important
If you use GSH templates have have folderShowType of certainFolder

Change config value from "certainFolder" to "certainFolders"
Change config value from "certainFolderAndDescendants" to "certainFoldersAndDescendants"
Change config value from "certainFolderAndOneChildLevel" to "certainFoldersAndOneChildLevel"

2022/03/02ALLALL2.6.8Not importantGRP-3883If you use templates and you do not store config in the database, and you use them in 2.6.5, 2.6.6, or 2.6.7 and you have this grouper.properties suffix configured "folderUuidsToShow"Change "folderUuidsToShow" to "folderUuidToShow"
2022/03/01ALLALL2.6.8ImportantGRP-3868If you use GrouperDDL updates - add grouper_prov_duo_user table
2022/03/01ALLALL2.6.8Medium importantGRP-3889If you have a SQL provisioner with provisioning frameworkLots of improvements to SQL provisioning.  Before upgrade I would export your SQL provisioner config.  Then upgrade, and go edit the config, and make sure it looks ok, and save.  Then compare the old and new and see if anything changed and adjust that.  Run the provisioner and make sure it works.
2022/02/26ALLALL2.6.7ImportantGRP-3864If you use Grouper

Run the OTHER_JOB_syncAllPitTables daemon
2022/02/25ALLv2.6.7.1+v2.6.7.1Medium importantGRP-3860If you customize logging with a log4j.properties overlay or additional properties

Either convert to log4j2.xml, or put additional loggers/appenders in /opt/grouper/grouperWebapp/WEB-INF/classes/log4j2.additionalLoggers.xml.txt / log4j2.additionalAppenders.xml.txt

Code Block
<Logger name="edu.a.b.c" level="debug" additivity="false">
    <AppenderRef ref="grouper_error"/>
</Logger>


2022/02/18ALLALL2.6.7ImportantGRP-3832If you use GrouperRun the OTHER_JOB_upgradeTasks daemon, then run the OTHER_JOB_syncAllSetTables daemon
2022/02/16ALLALL2.6.6Important
If you use GrouperDDL updates
2022/01/26ALLALL2.6.6Not important
If you have Grouper processes not run the standard way from container

We are not using the old log4j anymore, so you can pass this system variable to tell log4j2 to use the old properties style config

Code Block
-Dlog4j1.compatibility=true


2022/01/02ALLALL2.6.6Not important

GRP-2190

GRP-3745

GRP-3746

If you care about UI text changes

The term "More" has been changed in the UI to make things less confusing.  You can edit your configs to revert

Loader moved from "More tab" to "Group actions" menu

Group actions menu reorganized

2022/01/02ALLALL2.6.6Important

GRP-3741

GRP-3743

If you use Grouper

Folder security has changed.  People will only see folders if they have a privilege on the folder or an object in the folder or subfolder.  If you don't want this set this in grouper.properties.  Note if you set this to true it should probably be temporary until you have worked out the issues.  Assign stemView privilege to folders so people see them if they don't see them based on privileges.  You could also add power users to a group who can see all folders.

Code Block
# if all folders should be shown only if there is an object inside that the user can see (or a privilege on that folder).
# this has been re-coded and is the new setting.  The old setting "security.show.folders.where.user.can.see.subobjects" is not used anymore
# {valueType: "boolean", required: true}
security.folders.are.viewable.by.all = false

Remove this config from grouper.properties

Code Block
security.show.folders.where.user.can.see.subobjects


2021/10/20v2.6.4ALL2.6.5Important
If you use GrouperDDL updates
2021/10/23ALLv2.6.1+v2.6.1ImportantGRP-3670If you do not want users to use Grouper built-in self service web service credentials


Expand

you should configure in grouper.properties these on upgrade if you want to use this feature or if you want to control who can generate keys

Code Block
# if public private key should be enabled
# {valueType: "boolean", defaultValue: "true"}
grouper.selfService.jwt.enable =
 
# if you fill in a group name here, then only members of this group can manage jwt private keys on the ui
# {valueType: "string"}
grouper.selfService.jwt.groupNameAllowedToManage =  



2021/10/21ALLv2.6.3v2.6.3Not importantGRP-3669If you use postgres or oracle, and you areon version v2.6.3 exactly (rare), and these cols are not nullable


Expand

run this for oracle:

Code Block
ALTER TABLE grouper_password_recently_used MODIFY (jwt_jti null);
ALTER TABLE grouper_password_recently_used MODIFY (jwt_iat null);

run this for postgres:

Code Block
ALTER TABLE grouper_password_recently_used ALTER COLUMN jwt_jti DROP NOT NULL;
ALTER TABLE grouper_password_recently_used ALTER COLUMN jwt_iat DROP NOT NULL;
2021/10/20v2.6.0ALL2.6.1Important
If you use GrouperDDL updates
2021/09/22ALLv2.6.*v2.6.0Medium important
You have auto-ddl set in the grouper config

In grouper.hibernate.properties bump up the auto-ddl version

Code Block
registry.auto.ddl.upToVersion = 2.6.*