In a patch in Grouper 2.4, Grouper will be able to have reports. This will start simple and we can add more features
High level description
- Configure a report on a group or folder
- This report will have a cron that will run like loader jobs run
- Reports consist of a SQL to run in a database, generating a CSV file
- The output of the report will be encrypted and stored in storage
- Users can be notified by email that the report exists
- When they log in, they can download the most recent report
- Grouper will reverse proxy the report from storage, decrypt it, and deliver it to the user
- Reports will be automatically deleted after 30 days or if there are more than 100 instances of a report
Configuration
The configuration will follow the same attribute structure as other Grouper modules like attestation and deprovisioning
Attribute definitions for config
Definition | Assigned To | Purpose | Value | Cardinality |
---|---|---|---|---|
reportConfigDef | folder, group | identify a report config | marker | Multi assign |
reportConfigValueDef | folder assignment, group assignment | name/value pairs | string | Single assign, single valued |
Attribute names for config
Name | Definition | Value |
---|---|---|
reportConfigMarker | reportConfigDef | <none> |
reportConfigType | reportConfigValueDef | Currently only SQL is available |
reportConfigFormat | reportConfigValueDef | Currently only CSV is available |
reportConfigName | reportConfigValueDef | Name of report. No two reports in the same owner should have the same name |
reportConfigFilename | reportConfigValueDef | e.g. usersOfMyService_$$timestamp$$.csv; $$timestamp$$ translates to the current time in this format: yyyy_mm_dd_hh24_mi_ss |
reportConfigDescription | reportConfigValueDef | Textarea which describes the information in the report. Must be less than 4k |
reportConfigViewersGroupId | reportConfigValueDef | GroupId of people who can view this report. Grouper admins can view any report |
reportConfigQuartzCron | reportConfigValueDef | Quartz cron-like schedule |
reportConfigSendEmail | reportConfigValueDef | true/false if email should be sent |
reportConfigEmailSubject | reportConfigValueDef | subject for email (optional, will be generated from report name if blank) |
reportConfigEmailBody | reportConfigValueDef | Optional body for the email; if blank, a Grouper default is generated. Supports \n for newlines and substitutes $$reportConfigName$$, $$reportConfigDescription$$, $$subjectName$$ and $$reportLink$$. Note on the link: if the body is not blank, it must contain $$reportLink$$ |
reportConfigSendEmailToViewers | reportConfigValueDef | true/false if report viewers should get email (if reportConfigSendEmail is true) |
reportConfigSendEmailToGroupId | reportConfigValueDef | if reportConfigSendEmail is true and reportConfigSendEmailToViewers is false, this is the groupId whose members are retrieved; each member whose subject email attribute is not null is sent the email |
reportConfigQuery | reportConfigValueDef | SQL for the report. The columns must be named in the SQL (e.g. not select *) and generally this comes from a view |
reportConfigEnabled | reportConfigValueDef | Uses the same logic as the loader's enabled flag: either enables or disables this job |
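The config rows above imply a few checks a report configuration should pass before it is saved: the $$timestamp$$ expansion in the filename, the $$reportLink$$ requirement on a non-blank email body, and the rule that the SQL names its columns. The following is an added illustration of those checks (not Grouper's own code); the class and method names are mine, and the sample config and values are constructed.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.*;
import java.util.regex.Pattern;

public class ReportConfigCheck {
    // the page's yyyy_mm_dd_hh24_mi_ss filename timestamp, written in java.time pattern syntax
    static final DateTimeFormatter TIMESTAMP = DateTimeFormatter.ofPattern("yyyy_MM_dd_HH_mm_ss");
    static final Pattern SELECT_STAR = Pattern.compile("(?is)\\bselect\\s+\\*");

    /** Expands $$timestamp$$ in reportConfigFilename for the given run time. */
    static String expandFilename(String template, LocalDateTime runTime) {
        return template.replace("$$timestamp$$", runTime.format(TIMESTAMP));
    }

    /** Expands the literal \n escapes and the $$name$$ placeholders of reportConfigEmailBody. */
    static String expandEmailBody(String body, Map<String, String> values) {
        String out = body.replace("\\n", "\n");
        for (Map.Entry<String, String> e : values.entrySet()) {
            out = out.replace("$$" + e.getKey() + "$$", e.getValue());
        }
        return out;
    }

    /** Returns the problems found in a config's name/value pairs; an empty list means it passes. */
    static List<String> validate(Map<String, String> cfg) {
        List<String> problems = new ArrayList<>();
        if (!"SQL".equals(cfg.get("reportConfigType"))) problems.add("reportConfigType: only SQL is available");
        if (!"CSV".equals(cfg.get("reportConfigFormat"))) problems.add("reportConfigFormat: only CSV is available");
        String body = cfg.getOrDefault("reportConfigEmailBody", "");
        if (!body.isBlank() && !body.contains("$$reportLink$$"))
            problems.add("reportConfigEmailBody is not blank but lacks $$reportLink$$");
        // columns must be named: select * gives an unstable CSV header and exposes every column of the view
        if (SELECT_STAR.matcher(cfg.getOrDefault("reportConfigQuery", "")).find())
            problems.add("reportConfigQuery must name its columns (no select *)");
        return problems;
    }

    public static void main(String[] args) {
        Map<String, String> cfg = Map.of( // constructed sample config, not from a real deployment
            "reportConfigType", "SQL", "reportConfigFormat", "CSV",
            "reportConfigFilename", "usersOfMyService_$$timestamp$$.csv",
            "reportConfigEmailBody", "Hi $$subjectName$$,\\nyour report $$reportConfigName$$ is ready: $$reportLink$$",
            "reportConfigQuery", "select * from my_service_users_v");
        System.out.println(expandFilename(cfg.get("reportConfigFilename"), LocalDateTime.of(2018, 7, 4, 13, 5, 9)));
        System.out.println(expandEmailBody(cfg.get("reportConfigEmailBody"), Map.of("subjectName", "Jane Smith",
            "reportConfigName", "usersOfMyService", "reportLink", "https://grouper.example.edu/REPORT_LINK_PLACEHOLDER")));
        System.out.println(validate(cfg));
    }
}
```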
Attribute definitions for instance (a report that was run)
This attribute is assigned to the same owner as the config attribute (e.g. the same group/folder)
Definition | Assigned To | Purpose | Value | Cardinality |
---|---|---|---|---|
reportInstanceDef | folder, group | identify a report that was run | marker | Multi assign |
reportInstanceValueDef | folder assignment, group assignment | name/value pairs | string | Single assign, single valued |
Attribute names for instance
Note: the ID is the attribute assign id of the marker (this is passed in URLs/emails etc)
Name | Definition | Value |
---|---|---|
reportInstanceMarker | reportInstanceDef | <none> |
reportInstanceStatus | reportInstanceValueDef | SUCCESS means the screen links to the report, ERROR means it did not execute successfully |
reportElapsedMillis | reportInstanceValueDef | number of millis it took to generate this report |
reportInstanceConfigMarkerAssignmentId | reportInstanceValueDef | Attribute assign ID of the marker attribute of the config (same owner as this attribute, but there could be many reports configured on one owner) |
reportInstanceMillisSince1970 | reportInstanceValueDef | millis since 1970 that this report was run. This must match the timestamp in the report name and storage |
reportInstanceSizeBytes | reportInstanceValueDef | number of bytes of the unencrypted report |
reportInstanceFilename | reportInstanceValueDef | filename of report |
reportInstanceFilePointer | reportInstanceValueDef | depending on storage type, this is a pointer to the report in storage, e.g. the S3 address. Note the S3 address has a .csv suffix; replace it with __metadata.json for the instance metadata |
reportInstanceDownloadCount | reportInstanceValueDef | number of times this report was downloaded (note: update this inside a try/catch and a retry loop so concurrent updates do not cause problems) |
reportInstanceEncryptionKey | reportInstanceValueDef | randomly generated 16 char alphanumeric encryption key (never allow display or edit of this) |
reportInstanceRows | reportInstanceValueDef | number of rows returned in report |
reportInstanceEmailToSubjects | reportInstanceValueDef | source::::subjectId1, source2::::subjectId2 list of subjects who were emailed successfully (cannot be more than 4k chars) |
reportInstanceEmailToSubjectsError | reportInstanceValueDef | source::::subjectId1, source2::::subjectId2 list of subjects who were NOT emailed successfully; do not include g:gsa groups (cannot be more than 4k chars) |
Changes to group or folder drop down
Under folders or groups, in the more actions, should be "Reports", which goes to View reports screen
View reports screen
This is the default screen. Drop down with the following options:
- View reports
- Edit reports
Screen shows
- For all the configured reports, see if the current user can view them (wheel group or in the reportViewers group for the report), and if so, list the reports there, one line per report, with a link to the report page, and a link to the latest report download
- If there are no reports available, display a message "There are no reports you are allowed to view"
- Column for report name (clickable to report screen)
- Column for if enabled or not
- Column for last timestamp it was run (from report instance attribute)
- Column for status (SUCCESS?) (from report instance attribute)
- Column for number of rows in report (from report instance attribute)
- Column for cron schedule (from report config attribute)
- Column with drop down to download most recent report, view most recent report instance, report (report screen), report logs, enable/disable (group admins or wheel only)
Edit reports screen
- Only for wheel group
- Can pick a report to edit or can add a new one, similar to the deprovisioning edit screen
- Drop down same as view reports screen
Report screen
- Can see if wheel user or in the reportViewers group for the report
- Show the report name and description
- Show table with most recent 100 entries with columns (from report instance attributes):
  - Report name (same for each row)
  - Timestamp (sorted descending)
  - Download report link
  - View report details link (goes to report instance screen)
  - Status
  - When the report was run
  - How many rows in report
- Show the settings in read only mode
- In right of screen have one actions drop down: download most recent report, view reports (report screen), report logs, enable/disable (group admins or wheel only), delete report (group admins or wheel only)
Report instance screen
- Clickable from Report screen or drop down in some of the report screens or from email to user
- Dropdown on right of screen: Download most recent report, view reports (report screen), report logs, enable/disable (group admins or wheel only)
- Show timestamp
- Show the report name and description
- Download link (if status SUCCESS)
- Show report instance attributes
- Friendly size of unencrypted report (e.g. 150kb or 1.5mb; there is a commons FileUtils method to generate this)
- Filename
- Row count
- Download count
- List of subject names that were emailed successfully (comma separated)
- List of subject names that were emailed unsuccessfully (comma separated)
- (only to wheel users) First 3 chars of encryption key, masked with asterisks using the commons util method, e.g. b4W****************
Report logs screen
- Clickable from Report screen or drop down in some of the report screens
- Can see screen if wheel user or in the reportViewers group for the report
- Show list of most recent 100 report logs from grouper loader log table
- Should be a table that looks like the grouper loader log screen
- Should have exception stack if there was an error
Report
The report will take the SQL and columns and make a CSV with all the results. Chris has this logic and will commit it in the branch. The CSV will be delivered as a browser download
Report emails
If reports are being configured to be emailed, then the configured or default email will be sent. Note, the actual report will not be attached in the email for security reasons. A link to the report instance screen will be in the email.
Report storage
In 2.4 we don't want to add a new table to store files, so for people who want to use this feature the only option will be AWS S3 buckets with the report encrypted. We can add more storage options later
The deployer will need an AWS account; the free tier might suffice
Need to configure the AWS creds in grouper.properties
Configure the AWS S3 bucket location
Inside it Grouper will create "folders" (not real folders, but the key prefixes S3 uses in their place)
$baseBucket$/reports/YYYY/MM/DD/group__$groupName$__$groupId$__report__$reportInstanceId$.csv
- $groupName$ is the group system name
- $groupId$ is the group UUID
- $reportInstanceId$ is the attribute assign id of the marker for the instance of the report
- This is the encrypted CSV report
$baseBucket$/reports/YYYY/MM/DD/group__$groupName$__$groupId$__report__$reportInstanceId$__metadata.json
- This is the JSON of the report instance attribute values
- Do NOT include the encryption key
- This exists so we can see metadata about each report, e.g. size, without downloading it
Report encryption
- 16 char alphanumeric encryption key will be generated for each report
- Use the rijndael algorithm like password encryption
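The two bullets above, together with the reportInstanceEncryptionKey row and the masked key shown on the report instance screen, describe the per-report key and cipher. The following is an added illustration (not Grouper's code) of generating the key from a CSPRNG, encrypting and decrypting a CSV with it, and masking it for display. AES is Rijndael with a 128-bit block, so the 16 ASCII chars serve directly as an AES-128 key; GCM mode and the IV-prefixed blob layout are my assumptions, since the page does not fix a mode, and the sample CSV is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ReportCrypto {
    static final String ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    static final SecureRandom RNG = new SecureRandom(); // CSPRNG; java.util.Random output would be predictable
    static final int IV_BYTES = 12, TAG_BITS = 128;

    /** 16-char alphanumeric reportInstanceEncryptionKey: 62^16 values, roughly 95 bits of entropy. */
    static String generateKey() {
        StringBuilder sb = new StringBuilder(16);
        for (int i = 0; i < 16; i++) sb.append(ALPHANUM.charAt(RNG.nextInt(ALPHANUM.length())));
        return sb.toString();
    }

    /** The 16 ASCII chars are used directly as the 128-bit AES (Rijndael) key. GCM with a random
     *  IV prefixed to the ciphertext is an assumption; the design page does not fix a mode. */
    static byte[] encrypt(String key, byte[] plainCsv) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key.getBytes(StandardCharsets.US_ASCII), "AES"),
               new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plainCsv);
        byte[] out = Arrays.copyOf(iv, IV_BYTES + ct.length);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Used when reverse-proxying a download; a tampered blob fails the GCM tag check and throws. */
    static byte[] decrypt(String key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(StandardCharsets.US_ASCII), "AES"),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, IV_BYTES)));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    /** What the report instance screen shows wheel users: the first 3 chars, the rest as asterisks. */
    static String maskKey(String key) {
        return key.substring(0, 3) + "*".repeat(key.length() - 3);
    }

    public static void main(String[] args) throws Exception {
        String key = generateKey();
        byte[] csv = "subjectId,name\njsmith,John Smith\n".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = encrypt(key, csv);
        System.out.println(maskKey(key) + " round trip ok: " + Arrays.equals(csv, decrypt(key, blob)));
    }
}
```

The key lives only in the reportInstanceEncryptionKey attribute, never in the __metadata.json written beside the report.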
To delete a report instance, delete the metadata and report data from storage. If this does not happen, a clean-up daemon will delete them eventually
When a report is deleted, delete all of its metadata and report data from storage. If this does not happen, a clean-up daemon will delete them eventually
There are no direct links to reports, and they are encrypted anyway. The only way to download reports is through the Grouper UI (or API), by authorized users. This is a reverse proxy to the report storage.
Overall report daemon
The overall report daemon should go through storage, and
- Look for reports that have more than 100 instances, and delete the older ones (reports and metadata)
- Look for reports older than 30 days and delete (reports and metadata)
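The two retention rules above (keep at most 100 instances per report, and none older than 30 days) apply per configured report, and one owner can carry several configs. The following is an added illustration (not Grouper's daemon code) of selecting the storage keys to delete, including the __metadata.json beside each report; the class, record and method names are mine, and the instance metadata and S3 keys are constructed samples.

```java
import java.util.*;
import java.util.stream.Collectors;

public class ReportRetentionDaemon {
    static final long MAX_AGE_MILLIS = 30L * 24 * 60 * 60 * 1000; // 30 days
    static final int MAX_INSTANCES_PER_REPORT = 100;

    /** The fields the daemon needs from each __metadata.json (which, by design, holds no encryption key). */
    record Instance(String configMarkerAssignId, String instanceId, long millisSince1970, String filePointer) {}

    /** Storage keys (the encrypted .csv and its __metadata.json) that the daemon should delete. */
    static List<String> keysToDelete(List<Instance> all, long nowMillis) {
        List<String> doomed = new ArrayList<>();
        // both limits are per configured report, and one owner can have several, so group by config marker id
        Map<String, List<Instance>> byConfig = all.stream().collect(
            Collectors.groupingBy(Instance::configMarkerAssignId, Collectors.toCollection(ArrayList::new)));
        for (List<Instance> instances : byConfig.values()) {
            instances.sort(Comparator.comparingLong(Instance::millisSince1970).reversed()); // newest first
            for (int i = 0; i < instances.size(); i++) {
                Instance inst = instances.get(i);
                boolean tooOld = nowMillis - inst.millisSince1970() > MAX_AGE_MILLIS;
                boolean beyondLimit = i >= MAX_INSTANCES_PER_REPORT; // keep only the 100 most recent
                if (tooOld || beyondLimit) {
                    doomed.add(inst.filePointer());
                    doomed.add(metadataKey(inst.filePointer()));
                }
            }
        }
        return doomed;
    }

    /** The metadata object sits beside the report, with __metadata.json in place of the .csv suffix. */
    static String metadataKey(String csvKey) {
        if (!csvKey.endsWith(".csv")) throw new IllegalArgumentException("not a report key: " + csvKey);
        return csvKey.substring(0, csvKey.length() - ".csv".length()) + "__metadata.json";
    }

    public static void main(String[] args) {
        long now = 1_530_000_000_000L, day = 24L * 60 * 60 * 1000; // constructed "now", late June 2018
        String b = "my-bucket/reports/"; // constructed $baseBucket$/reports/YYYY/MM/DD/... keys
        List<Instance> sample = List.of(
            new Instance("cfgA", "i1", now - 1 * day, b + "2018/06/25/group__a:b__g1__report__i1.csv"),
            new Instance("cfgA", "i2", now - 45 * day, b + "2018/05/12/group__a:b__g1__report__i2.csv"),
            new Instance("cfgB", "i3", now - 2 * day, b + "2018/06/24/group__a:c__g2__report__i3.csv"));
        System.out.println(keysToDelete(sample, now));
    }
}
```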
FAQ
- As a grouper admin, how do I get the correct SQL?
  - We will publish a lot of examples and increase the number of views Grouper has
- Can I join to external person tables to get extra attributes?
  - Absolutely, if you can ETL the data to your grouper database or maybe join over a DB link then you will have extra attributes. If people need LDAP attributes we can discuss that
  - Note: columns in the report could also be group memberships (e.g. enrolled in MFA? enrolled in Duo push? required to be in MFA? etc.)
To Do later
- Errors in a report should be logged and should throw an error, but maybe also store the error in a txt report (not sent out or available except to admins)
- Add diagnostics to test that a report is setup correctly
- Add paging to report instance list
- Configure how long reports are stored
- Screen in a user's subject screen that shows all the reports they have access to
- Centralized report dashboard
- Have a config option to "run now" (allows report viewers to run now)
  - This would send a message to a daemon to run so it does not run in the UI
  - Like Loader "run now"
- Allow another report type which runs off membership list (not straight SQL)
- Allow non admins to configure?
- Allow more columns to be added (join other database tables if allowed)
- Add another output type for JASPER report (PDF, etc)
- Support excel
- Add ability to display a CSV in the JSP in an HTML table
- Add metadata to make it clickable?
- Support more storage options, e.g. database with blobs (needs to wait until 2.5)
- Allow fields to be added from an LDAP filter
- Add the daily Grouper report to run like this (do not email)
- Email batching per user (user gets a weekly digest about their reports)?