Grouper Working Group Session Monday, 5-Oct-09
Internet2 Fall Member Meeting, San Antonio, Texas
• Welcome, IP, agenda bash
• Community news
• University of Washington UI demo
• Effective memberships & performance of v1.5 schema
• Moving & copying groups and folders
• Audit overview & request for partners
• Attribute framework overview & request for partners
• Simpler UI
• New Ldappc
• Global convergence of group tools (suggested during agenda bash)
*UW Grouper UI demo*
Jim Fox presented the Grouper UI being developed at University of Washington (UW). This is a demo of work in progress. Actual service at UW is still LDAP based.
- UI is based on RESTful Group webservice, used by UW.
- Prior to the decision to use Grouper, there was no underlying registry of groups; LDAP was being used.
- The web service has two resources: group resources and member resources.
- In addition to allowing UW people, it accepts EPPNs from other sites.
- The UI allows users to find groups and create groups.
- It doesn't use the concept of stems, but groups can have children.
- Attributes allow a group to be part of an email distribution list.
- Normally IDs are used to search for a member. It's also possible to look for someone based on last name.
Q: Is there a subject adapter for DNS type subjects?
A: If the subject recognizes it as a DNS, then it returns it as a subject. EPPN is recognized as EPPN.
Q: What were the compelling restraints with relying on LDAP?
A: Relational database allows more attributes. Also, there are difficulties with using the same location as a repository and then also as the place to store internally used attributes that are not to be seen by the outside world.
*New Lite Grouper UI*
Chris Hyzer demonstrated the new Grouper Lite UI he has been developing.
- It's AJAX based and includes a paging component.
- Advanced button allows more advanced features.
- Can delete in batches, as with current UI.
- Can import and export all members of a group (or all member data) from or to a spreadsheet, such as Excel, using a CSV file. This can be handy for bulk adds.
- Can add part of user name and it will search based on that.
TomB presented the Grouper roadmap. (For more details, see pages 3-4 of http://www.internet2.edu/presentations/fall09/20091005-grouper-barton.pdf)
1.5 Namespace transition support
1.5-1.6 Attribute framework
1.5+ Notification of changes
1.5+ Simpler UI
1.5.1-1.6 Ldappc NG
1.6 Role management interface
1.6 Kuali Rice integration
1.6 uPortal integration
On-going Community, Solicit and publicize community sourced extensions and commercial services.
TomB asked for feedback on the balance and priorities in the roadmap and received general approval of the plan.
The working group is looking for partners - people who have real use cases.
*Integration of Grouper with other Open Source Projects*
Planning is underway for integrating Grouper with both Kuali Rice and uPortal.
Discussions with the Kuali Rice leadership will occur during this FMM.
Integration of Grouper with uPortal was a topic at the recent Jasig Unconference.
Ldappc is undergoing a rewrite, using the Shibboleth attribute resolver as the new code base. It's a Shib packaging for Grouper.
TomZ used the bicycle as a metaphor for the new Ldappc. See page 47 at: http://www.internet2.edu/presentations/fall09/20091005-grouper-barton.pdf
There is a Spring frame, the Shibboleth Attribute resolver is the crank that passes attributes, the wheels are SPML2. The system is based on SPML in and SPML out, and there is a layer to write to the target resource which can be LDAP or something else.
TomZ is running and debugging the new Ldappc at U-Memphis.
The experimental Ldappc will ship with Grouper 1.5 but it's optional to implement it.
*Global Convergence of Group Tools*
Ken noted that there are software development activities related to Group Management in several countries. Is there a need for setting suggested standards to increase consistency of what is expected from a potential adopter?
Should we be setting up standards for handling authentication and authorization, in a way that will smooth the way for the next developers of a group management approach?
One issue is that the word Group has many connotations -- some people think of Unix groups or LDAP groups.
It would be a good start to find some common representations of groups.
Are groups sufficient or do some organizations really want externalized access management but not group management?
Ken stated his take-away from the conversation is that there is not a lot of concern around the issue of interaction between group products. However, going to application developers with a consistent story is a point of sensitivity.
** Track Session Demos **
There will be demos in the Track Session tomorrow on:
- using the attribute framework
- using attributes for priv management in web
- using attributes for data management.
See slides from the Tuesday 6-Oct-09 Track Session on "What's New with Grouper 1.5" at https://spaces.at.internet2.edu/download/attachments/10060005/grouperWhatsNew.ppt