Grouper Call of March 15, 2023

Attending

  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent
  • Shilen Patel, Duke
  • Chad Redman, UNC
  • Gabor Eszes, Univ of Virginia
  • Gail Lift, University of Michigan
  • Chris Hubing, Internet2
  • Emily Eisbruch, Internet2

DISCUSSION

Administrivia

New Action Items from this call


  • AI Chris Hyzer - add extra language to upgrade steps wiki: be careful with DDL and adding a new table
  • AI Chad reach out to JJ on sharing the materials/doc on auth to SAML


Administrivia



Grouper training went well in early March

  • Not dealing with the installer helped
  • Get rid of the component that builds the container
  • Rough edges have been smoothed out
  • UI and daemon are getting polished
  • We get good questions from training


Grouper V4 was released

  • Grouper v4 release is the stable no-enhancement version of v2.6.
  • A few issues were mentioned on Slack and have been addressed
  • Going through the provisioning start withs and diagnostics
  • Goal: Start with will work without further config on next screen
  • Hope to have common use cases covered
  • Have diagnostics button working
  • Use descriptive doc on provisioning screens
  • Shilen is working on LDAP
  • Vivek working on Web Services
  • Roles - UNCG said they need a default role
  • Hope to add a quick solution until roles are fully implemented


Grouper v5

  • Basic ABAC implementation
  • Hope to have released by next call
  • Show progress later


Current Work


Vivek


Shilen

  • Issue with new columns required, but not all instances upgraded at same time
  • Make a DDL change and then there is a time lapse
  • AI Chris add extra language to upgrade steps wiki: be careful with DDL and adding a new table
  • For v5 potentially add more internal IDs for tables


  • Wrapped up removing SOAP, created a wiki page, links to a tarball
  • Updated database migration


  • Looking at Start Withs https://spaces.at.internet2.edu/x/-p8bDQ


Chris


Working on ABAC

  • Goal is to have attributes on users available; policy group is a script based on that
  • Need a use case around how to handle loader
  • Fewer basis groups probably
  • Gabor:
    • UVA use case: looking at how to implement basis groups
    • Where does evaluation happen? In some other system and push result to Grouper? In Grouper, everything was group centered. Hope to use booleans, push subset of results into Grouper groups
    • Chris Hyzer: must meticulously organize the attributes
    • Then ABAC script uses the attributes


  • Test sets up data attributes, uses sample data
  • In future will use data provided by Gail, U-Mich
  • When test runs, it queries tables based on config
  • Uses sub scriptlet
  • Uses configuration
  • Data fields with aliases
  • Privacy realms not yet implemented
  • Map column back to ABAC attributes
  • Complex searching is available
  • Needs to translate into SQL
  • Now full sync gets everything, that won’t scale long term
  • Idea for membership table in ABAC
    • Put in special category any groups referenced from ABAC
    • Put into flattened table
    • Such as to handle grace periods; Grace periods at group level
    • When you started, when you left a group
    • Current state table of groups of interest
    • One row for each user and group
    • Use change log consumer and daemon
    • Not full history, rather most recent history for each person
    • Row level attribute
    • Joining with groups table is too “expensive”
    • No way to get quick point in time data
    • Have an easier point in time table to query?
    • Point script to which groups or attribute it references
    • Processed script dependency
    • Instantly know which group to recalc for which users
    • Previous issue with membership table: performance and space and keeping it up to date
    • Have a lightweight module for that
    • Database structures will change in v7


  • How do JEXL scripted groups relate to ABAC?
  • Chris Hyzer: we will have a way to configure data fields and rows and sync from the providers. Then they will be available in the same JEXL scripted groups.
  • Will JEXL scripts need to be re-written? No
  • What works now will continue to work
  • We will add an incremental, and a way to do grace periods
  • We may replace composites, make them a simple scripted group
  • Visualize the scripts
  • UI to build JEXL scripts would be nice, this is value add, nice to have
  • Examples and analysis helps
  • Easy GSH templates


Getting Ready to release Grouper v5

  • For Grouper v5, we need to take out Apache and Shib from the container
  • Handle Unicon contrib
  • Configure OIDC in Grouper or use Unicon SAML (we need more doc on that), or install Apache and Shib SP
  • Hoping UMICH and U Virginia will kick tires for v5


  • Question on removing Apache
  • Then need to work in tomcat
  • It assumes only one context: Grouper
  • Two contexts to point to same directory is a solution
  • Did not have to copy the whole directory
  • Can use derived image with Apache
  • Should we have multiple contexts as an option?
  • Worried about the daemon
  • Shilen: keep it simple
  • Chris Hyzer will research in Tomcat


Release Plans

  • Hope to release Grouper v5, with ABAC, for non-production use in about 2 weeks
  • There were a lot of commits in V4 before we started v5.
  • Be sure all merged correctly
  • Going forward, will try to cherry pick every commit in order from v4
  • Important to get them in v5 in order
  • Use git log to see the order
  • Commit to v4 and cherry pick to v5, maybe that’s the wrong order?
  • Hoping for few commits to v4
  • Working in v4 for the “start withs” and diagnostics
  • Authentication using SAML is supported in v4. Not sure if there is a doc on that. JJ worked on that. One institution is using it
  • V17, library did not work
  • AI Chad reach out to JJ on sharing the materials more widely on auth to SAML

ISSUE ROUNDUP


Jiras in past two weeks

Grouper wiki updates in past two weeks
