...
- Chris Hyzer, Penn, Chair
- Chad Redmond, Unicon
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Bert Bee Lindgren, GA Tec
Liam Hoekenga, UMich
- Gail Lift, UMich
Kellen Murphy, Univ of Virginia
- Ioannis Igoumenos, Athens Greece
Drew Aschenbrener, Internet2
- Emily Eisbruch, Internet2
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
- Internet2 Intellectual Property Policy
New Action Item from this call
- Chris - document provisioning group roles https://todos.internet2.edu/browse/GRP-5305
- Chris - add Rules UI to Grouper roadmap https://spaces.at.internet2.edu/display/Grouper/Grouper+Product+Roadmap
- Shilen - update wikis to include stop daemon info
Grouper Doc
- team is making progress
- See record of pages being updated here
Grouper Training
- prep work for March 12-15, 2024 is ongoing
- https://incommon.org/academy/grouper-school/
Grouper Releases
- Two new Grouper releases are out.
- There’s a lot in these releases
- Found memory issue with the provisioner, Thread local issue, there will be new standards for using thread locals
- Ldaptive issues should be addressed in v5 latest release
- Re-did how memberships and composites work
- Changelog temp runs continuously
- Adds sub job records so you can see the progress
- SCIM changes
- Unscheduling Daemon jobs has been improved Stopping daemon jobs
- Restriction of deleting built in objects
- AI - Chris - document provisioning group roles https://todos.internet2.edu/browse/GRP-5305
- AI - Shilen - update wikis to include stop daemon info
- Moving forward, we try to only change bugs in Grouper v4
- Chad and Chris discussed issue around release updates, Maven, Authentication plug-in does not push to the release, need to do snap shot builds.
Grouper Release v5.8.1
We are proud to announce the release of Grouper v5.8.1. There are two upgrade instructions from v5.7.1. See the release notes: https://spaces.at.internet2.edu/display/Grouper/v5+Release+Notes
- Stopping daemon jobs
- Fix memory issue with provisioner
- Composite changes - move membership inserts and deletes to daemon
- SCIM fixes (can manage "active" status instead of delete, adjust scim emails, allow group updates)
- Can provision group roles and user roles in real time and incremental
- Note: in v5 (not v4) you can stop daemons which are long running (processing information). Just unschedule it from the UI.
Current Work
Vivek
- Rules UI
- Shared demo on how to set up Grouper rules
- Most users will pick a pattern
- Patterns based on rules listed on the wiki
- Can add more patterns later
- You need to run GSH currently
- Inherited privileges have their own UI
- Should that even be a pattern?
- Everything that’s a rule can be shown as a pattern on the UI
- Not everything is applicable for folders
- Multiple type of firing for a rule
- Fires immediately
- Not fires immediately:
- change log consumer or
- daemon
- Discussion of Start with versus Pattern terminology
- For privileges on rules, we had to make decisions..
- Must have create or admin on a folder to see rules
- To edit rules you need admin on the folder, suggestion to change this to sysadmin
- Chris will poll on the Grouper slack channel to get community preferences on default privileges
- Question: could rules have bad consequences, such as the “remove” rule clearing out everything under a folder?
- AI Chris - add Rules UI to Grouper roadmap https://spaces.at.internet2.edu/display/Grouper/Grouper+Product+Roadmap
Shilen
- For v5, converting maintenance jobs to “other” jobs
- One is the rules job
- Clean logs
- Built in messaging daemon
- Cleaning messages
- Enable / disabled job, need an upgrade task, one of the configs changes
- external subject calc field, got rid of it
- Question about keeping the old or not…
- GRP-5316 Convert builtinMessagingDaemon MAINTENANCE job to OTHER_JOB
- GRP-5315 Convert cleanLogs MAINTENANCE job to OTHER_JOB
- GRP-5314 Convert enabledDisabled MAINTENANCE job to OTHER_JOB
- GRP-5322 Convert rules MAINTENANCE job to OTHER_JOB
- GRP-5321 Remove job MAINTENANCE_externalSubjCalcFields
- Shilen still needs to convert daily report
- Next Shilen will work on group sync, maintenance job looking at sync group configs, would need to set up multiple other jobs, work will be needed to convert
- Now there is a maintenance job for each group sync
- There are not a lot of Grouper sync cases
- Shilen will change code and there will be an upgrade task
- Other work: When you merge composite into v5, some new columns are needed for stop daemon. Shilen will add
- Shilen will update wikis for scripted groups
- Sub job check box in UI, have it checked by default
Chris
- For each rule pattern, going through the wiki and making updates
- Need to update screenshots in the doc
- Will be working on prep for upcoming Grouper Training
- Daniel has a non snapshot ldaptive
- Postgress was updated
- Chris worked on various Jiras
Chad
- Customer using legacy JDBC subject source
- No value in JDBC1 versus JDBC2
- Materialized view is a good idea
- Starting with Grouper v7 or v8, hope to get the data in Grouper
- Chad working on JIRAs
- https://todos.internet2.edu/browse/GRP-5307 (case sensitivity) Chris will look at this
-
Provisioning entities not filtering objectClass when Select All Entities is falseJira server Internet2 Todos serverId 41535fda-c361-37c9-8be7-ec53b22e3110 key GRP-5308
Matt: question re integration with Midpoint so Midpoint could deliver a data source like in infrastructure instead of subject source?
Chris: yes we will work on that.
Issue Round up
JIRAs in past 2 weeks
show better provisioning group counts
fix external auth build in v4 and v5
update postgres driver to 42.7.2
jwt does not work with ws.security.prependToUserIdForSubjectLookup
allow updating of group names in scim
Convert rules MAINTENANCE job to OTHER_JOB
Remove job MAINTENANCE_externalSubjCalcFields
look at performance of readonly queries
warning message for disabled dates too soon to work
table names for quartz should be adjusted for case sensitive mysql
Convert builtinMessagingDaemon MAINTENANCE job to OTHER_JOB
Convert cleanLogs MAINTENANCE job to OTHER_JOB
Convert enabledDisabled MAINTENANCE job to OTHER_JOB
fix memory issue with provisioner
fix container certs for openshift
Wiki Updates in past 2 weeks
- v5 Release Notes
- v4 Release Notes
- v5 Upgrade instructions from v5
- v4 Upgrade instructions from v4
- Grouper customize SSL certificate
- Composite changes
- Grouper v2.5 container SSL trust management
- Grouper diagnostics
- Grouper rules pattern - Remove invalid membership due to group 2
- Getting Started with Grouper
- Grouper book - Connecting to a subject source
- Create a new group
- Assign someone to be able to create new folders or groups within a parent folder
- Grouper enabled and disabled dates
- Grouper rules pattern - Veto in folder if not eligible due to group
- Grouper rules pattern - Veto if not eligible due to folder
- Grouper rules pattern - Remove invalid permissions due to folder
- Grouper rules pattern - Send email after new membership
- Grouper rules pattern - Send email due to disabled date
- Grouper rules pattern - Inherited privileges on certain groups
- Grouper rules pattern - Reassign folder privileges if from group
- Grouper rules pattern - Reassign attribute definition privileges if from group
- Grouper rules pattern - Inherited privileges on attribute definitions
- Grouper rules pattern - Assign attribute to folder
- Authentication to the Grouper UI
- Grouper custom template via GSH used by daemon for CSV report
- Grouper Duo admin roles
- Grouper Duo provisioning (v2.5 provisioning framework)
Grouper Users email list (none)
...