Grouper Call of May 8, 2024
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey lack, Purdue
- Gail Lift, University of Michigan
- Chris Hubing, Internet2
- Emily Eisbruch, Independent
DISCUSSION
Administrivia
InCommon Basecamp is June 3-7, 2024 (online only)
Current Work
Vivek
- Did privilege related work for Grouper Rules
- Ready for release within next 2 weeks
- “Fires when“ conditions
- Need inherited read on folders
- If you can read the ref or basis group folder, then you can use that in a rule
- To see a Grouper folder , if it’s not a ref or basis folder, if you have any type of view on the folder you will see that folder
- This will make the folders show up more frequently for people
- If it's not a ref or basis folder you are allowed to see them
- Enhanced JEXL script for setting up loader on groups
- Now when you set up loader w JEXL script, you can use arrays also
- Use of quotes can be an issue
- When you define data fields, it’s a string or number, some conversion happens
- The script is in attribute grouper JEXL script.
- We plan to add JEXL script 2 and JEXL script 3, to allow having larger scripts
- Gail needs 80
- Oracle’s limit is 1000
- Hope to add ability to do ranges
- Can we add date / time stamp logic?
- We don’t have that but could add it
- Question on JEXL , there is a lengthy example, will this need to be adjusted for real data? So people don’t assume those groups exist? Same issue with attribute names. Should be very generic so it does not look real
- Carey: Built in help for Grouper UI, wish it were more extensible; Could it allow local development of content? Link to local…
- Gail: would be nice to have local text that points to a web page, with several pages of samples. (example: “Here’s how to put all teaching faculty on your list”)
- Kellen: Diffing versions would be useful
- PennGroups has nice internal documentation
- SCIM requests from Michael G.
- Worked on new rule based on what Bert posted
- If you are removed from a folder you set an end dat in the future
- Will add a pattern for that
Shilen
- Had success in addressing performance and memory issues
- Now a LDAP provisioner that previously took 32 gig of memory takes only 16 gigs
- There may be more room for improvement but this cuts in by half!
- An issue now fixed: data copied from one data structure to another, data was not discarded in efficient manner
- Reduction in getting duplicate data was implemented
- Data was getting copied too many times
- Got good memory management best practices for coding large feeds
- AI Shilen will add to Grouper coding standards wiki page re good memory management. https://spaces.at.internet2.edu/display/GrIntDev/Grouper+developers+coding+standards
- Shilen did a performance snapshot with use cases with less data
- Seemed OK
- AI Shilen will review with Chris (via screen share) performance snapshot of use cases with less data
Chris Hyzer
- Something to start thinking about:
- Bert asked on Slack for better membership requirements for groups
- Good to think about this as a next effort
- We have rules
- A problem: you have a group, and you want to say if not an employee, take them out this group
- You need 2 rules
- Remove from this group when removed from employee
- Veto if not eligible
- Some users may get confused regarding which group the rule goes on
- Would be nice to click a checkbox and it does all that for you
- Configure as a lifecycle event
- Could be part of attestation
- Need a structure to identify the events
- Use a lifecycle event table perhaps
- Have a button in a folder or group for membership eligibility, maybe built on rules, maybe not
- https://spaces.at.internet2.edu/display/Grouper/Grouper+membership+eligibility+requirements
- Carey: need a rule that uses ABAC logic
- ABAC fills the group but the rule would be a guard against the membership changing over time
- Only people who meet the qualification are in the group
- Chris Hyzer: a manual approval may be needed
- Carey: best to express the rule as an ABAC equation
- Chris Hyzer; ABAC can be overwhelming, this could be a screen with check boxes
- Gail: a bunch of checkboxes are good, but if there are lots of choices it can be an issue
- A lot to think about
- Shilen: having a separate screen could be easier for users
Grouper Training
- How should Grouper Training evolve?
- Ideas:
- Have some asynchronous trainings
- For end users, how to use Grouper (not loader, not provisioning)
- Have advanced training on subscription basis
- Make modules for topics like
- loaders
- GSH templates
- provisioning
- Kellen: likes modular training
- Some things need to be done by help desk and by operations team
- Some things are done by the Engineering team
- It will take burden off the Engineering team of there is Grouper modular training
- Idea is that current Grouper training will be maintained but modules will be added for more depth
- Time spent on containers (about 3 hours) during current trainers may or may not be ideal.
- Suggestion to break out the container topic into a DevOps training.
- Carey: never done Grouper Training, Fan of self service model, where you come to class to get clarification of things you already learned on your own
- Chris Hyzer: First part of Grouper training is self service, attendees are supposed to do work ahead of time
- Welcome ideas and feedback
Issue Roundup
JIRAS
- GRP-5419
- remove wssec from soap web services
- GRP-5418
- add abac row array value any in list
- GRP-5417
- ldap pool validate time period by default should be 5 minutes
- GRP-5416
- java.lang.OutOfMemoryError: Required array length 2147483639 + 11 is too large
- GRP-5415
- allow multiple number attribute values or'ed together for non row assignments
- GRP-5414
- allow multiple string attribute values or'ed together for non row assignments
- GRP-5412
- WsRestGetSubjectsRequest with multiple subjectIdentifiers specified collapsing SUBJECT_NOT_FOUND results.
- GRP-5411
- add slf4j log4j to grouper so logging from ldaptive can happen
Grouper wiki updates in past 2 weeks
Grouper Role and Permission Management
Organizing services in Grouper
Grouper Hooks
Grouper provisioners
Planning Guide - Grouper Installation & Deployment
Grouper - Import to SQL
Grouper UI - Create a new folder
Grouper UI - Navigation using tree
Monitoring and Reporting
Grouper glossary
Migrate to containers - example
Grouper Container running as non-root
Customizing the Grouper UI
UI Terminology
(plus more)
Next Grouper Call: Wed. May 22, 2024