Grouper Call of March 15, 2023
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdeva, independent
- Shilen Patel, Duke
- Chad Redman, UNC
- Gabor Eszes, Univ of Virginia
- Gail Lift, University of Michigan
- Chris Hubing, Internet2
- Emily Eisbruch, Internet2
DISCUSSION
Administrivia
- New Action Items from this call
  - AI Chris Hyzer - add extra language to upgrade steps wiki: be careful with DDL and adding a new table
  - AI Chad reach out to JJ on sharing the materials/doc on auth to SAML
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
Grouper training went well in early March
- Not dealing with the installer helped
- Get rid of the component that builds the container
- Rough edges have been smoothed out
- UI and daemon are getting polished
- We get good questions from training
Grouper V4 was released
- Grouper v4 release is the stable no-enhancement version of v2.6.
- A few issues were mentioned on Slack and have been addressed
- Going through the provisioning Start Withs and diagnostics
- Goal: a Start With will work without further config on the next screen
- Hope to have common use cases covered
- Have diagnostics button working
- Use descriptive doc on provisioning screens
- Shilen is working on LDAP
- Vivek working on Web Services
- Roles - UNCG said they need a default role
- Hope to add a quick solution until roles are fully implemented
Grouper v5
- Basic ABAC implementation
- Hope to have released by next call
- Show progress later
Current Work
Vivek
- Working on stabilizing provisioner
- Working on Start With, with default options, for easier configuring
- https://spaces.at.internet2.edu/x/-p8bDQ
Shilen
- Issue with new columns being required, but not all instances are upgraded at the same time
- Make a DDL change and then there is a time lapse
- AI Chris add extra language to upgrade steps wiki: be careful with DDL and adding a new table
- For v5 potentially add more internal IDs for tables
- Wrapped up removing SOAP, created a wiki page, links to a tarball
- Updated database migration
- Looking at Start Withs https://spaces.at.internet2.edu/x/-p8bDQ
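The mixed-version window Shilen describes (DDL applied, older instances still writing for a while), shown as an added example. This is not Grouper code or Grouper's schema: the table, column and group names are constructed for the illustration, and sqlite3 stands in for the real database. It contrasts a mandatory column with no default against an additive nullable column, and shows which of the two survives an old-release INSERT during the lapse.

```python
"""Rolling-upgrade DDL check (added example; not Grouper code or schema)."""
import sqlite3
from contextlib import closing

# Hypothetical table and column names, constructed for this example.
BASE_DDL = "CREATE TABLE demo_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"

# Variant A: the new column is mandatory with no default. SQLite refuses a plain
# ALTER ... ADD COLUMN ... NOT NULL without a default, so this is written as the
# table rebuild SQLite uses for such changes; a "backfill, then set NOT NULL"
# migration on another database leaves the same end state.
DDL_MANDATORY = [
    "CREATE TABLE demo_groups_new (id INTEGER PRIMARY KEY, name TEXT NOT NULL,"
    " internal_id TEXT NOT NULL)",
    "INSERT INTO demo_groups_new (id, name, internal_id)"
    " SELECT id, name, 'backfill-' || id FROM demo_groups",
    "DROP TABLE demo_groups",
    "ALTER TABLE demo_groups_new RENAME TO demo_groups",
]

# Variant B: additive and nullable (a NOT NULL ... DEFAULT would also do). Old
# code never names the column, so its INSERTs keep working; new code fills it in,
# and the constraint can be tightened once every instance runs the new release.
DDL_ADDITIVE = ["ALTER TABLE demo_groups ADD COLUMN internal_id TEXT"]


def old_release_insert(conn, name):
    """A not-yet-upgraded instance: knows nothing about internal_id."""
    conn.execute("INSERT INTO demo_groups (name) VALUES (?)", (name,))


def new_release_insert(conn, name, internal_id):
    """An upgraded instance: always supplies the new column."""
    conn.execute(
        "INSERT INTO demo_groups (name, internal_id) VALUES (?, ?)", (name, internal_id)
    )


def mixed_fleet_window(ddl_statements):
    """Apply the DDL, then let one old and one new instance write during the lapse.

    Returns which writer survived and how many rows the table ends up with.
    """
    with closing(sqlite3.connect(":memory:")) as conn:
        conn.execute(BASE_DDL)
        old_release_insert(conn, "etc:pre-upgrade")  # data present before the DDL
        for stmt in ddl_statements:
            conn.execute(stmt)
        outcome = {}
        try:
            old_release_insert(conn, "etc:written-by-old-release")
            outcome["old_release_ok"] = True
        except sqlite3.IntegrityError as exc:  # NOT NULL constraint failed
            outcome["old_release_ok"] = False
            outcome["old_release_error"] = str(exc)
        new_release_insert(conn, "etc:written-by-new-release", "abc123")
        outcome["new_release_ok"] = True
        outcome["rows"] = conn.execute("SELECT count(*) FROM demo_groups").fetchone()[0]
        return outcome


if __name__ == "__main__":
    print("mandatory, no default:", mixed_fleet_window(DDL_MANDATORY))
    print("additive, nullable:   ", mixed_fleet_window(DDL_ADDITIVE))
```

The check to run before shipping a migration is the one `mixed_fleet_window` automates: point the previous release's write path at the post-DDL schema and confirm it still inserts. Where that is not possible, the upgrade notes need to say that all instances must be stopped before the DDL runs.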
Chris
- Working on ABAC
- Goal is to have attributes on users available; policy group is a script based on that
- Need a use case around how to handle loader
- Fewer basis groups probably
- Gabor:
- UVA use case: looking at how to implement basis groups
- Where does evaluation happen? In some other system, pushing the result to Grouper? In Grouper, everything was group centered. Hope to use booleans, push a subset of results into Grouper groups
- Chris Hyzer: must meticulously organize the attributes
- Then ABAC script uses the attributes
- Test sets up data attributes, uses sample data
- In future will use data provided by Gail, U-Mich
- When test runs, it queries tables based on config
- Uses sub scriptlet
- Uses configuration
- Data fields with aliases
- Privacy realms not yet implemented
- Map column back to ABAC attributes
- Complex searching is available
- Needs to translate into SQL
- Now full sync gets everything, that won’t scale long term
- Idea for membership table in ABAC
- Put in special category any groups referenced from ABAC
- Put into flattened table
- Such as to handle grace periods; Grace periods at group level
- When you started, when you left a group
- Current state table of groups of interest
- One row for each user and group
- Use change log consumer and daemon
- Not full history, rather the most recent history for each person
- Row level attribute
- Joining w groups table is too “expensive”
- No way to get quick point in time data
- Have an easier point in time table to query?
- Point script to which groups or attribute it references
- Processed script dependency
- Instantly know which group to recalc for which users
- Previous issue w membership table: performance and space and keeping it up to date
- Have a lightweight module for that
- Database structures will change in v7
- How do JEXL scripted groups relate to ABAC?
- Chris Hyzer: we will have a way to configure data fields and rows and sync from the providers. Then they will be available in the same JEXL scripted groups.
- Will JEXL scripts need to be re-written? No
- What works now will continue to work
- We will add an incremental, and a way to do grace periods
- We may replace composites, make them a simple scripted group
- Visualize the scripts
- UI to build JEXL scripts would be nice, this is value add, nice to have
- Examples and analysis helps
- Easy GSH templates
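The design sketched above (a flattened current-state row per subject and group with started/left dates, grace periods set per group, and scripts whose group and attribute references are extracted so only the affected policies and subjects are recalculated), as an added illustration in Python. It is not Grouper's code, schema or JEXL engine: the table layout, group names, the member()/attr() policy syntax and every sample row are constructed for the example. The script is parsed with Python's ast module and walked with an allowlist of node types rather than handed to eval(), so a policy author cannot smuggle arbitrary code into a policy.

```python
"""Flattened membership state, grace periods and script dependencies.

Added illustration; not Grouper code. Rows, names and syntax are constructed.
"""
import ast
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass
class MembershipState:
    """One flattened row per (subject, group): latest start and, if any, departure."""
    started: date
    left: Optional[date] = None  # None while the subject is still a member


# Constructed sample rows (what a change-log consumer would keep current).
STATE: Dict[Tuple[str, str], MembershipState] = {
    ("alice", "ref:staff"): MembershipState(date(2022, 1, 10)),
    ("alice", "ref:hr"): MembershipState(date(2022, 1, 10), left=date(2023, 3, 1)),
    ("bob", "ref:staff"): MembershipState(date(2021, 6, 1), left=date(2022, 12, 1)),
}
GRACE_DAYS = {"ref:hr": 30}  # grace period configured per group; default 0
ATTRS = {"alice": {"dept": "Finance"}, "bob": {"dept": "IT"}}  # per-subject data fields

# Policy groups defined by a script over groups and attributes (hypothetical syntax).
POLICIES = {
    "app:hr-portal": "member('ref:staff') and (member('ref:hr') or attr('dept') == 'HR')",
}


def effective_member(subject: str, group: str, as_of: date) -> bool:
    """Membership as of a date, honouring the group's grace period after leaving."""
    row = STATE.get((subject, group))
    if row is None or row.started > as_of:
        return False
    if row.left is None or row.left > as_of:
        return True
    return (as_of - row.left).days <= GRACE_DAYS.get(group, 0)


class _Deps(ast.NodeVisitor):
    """Collect the groups and attributes a script references."""
    def __init__(self):
        self.groups, self.attrs = set(), set()

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Name) and len(node.args) == 1
                and isinstance(node.args[0], ast.Constant)):
            if node.func.id == "member":
                self.groups.add(node.args[0].value)
            elif node.func.id == "attr":
                self.attrs.add(node.args[0].value)
        self.generic_visit(node)


def dependencies(script: str):
    deps = _Deps()
    deps.visit(ast.parse(script, mode="eval"))
    return deps.groups, deps.attrs


def _eval(node, ctx):
    """Allowlisted evaluator: and/or/not, ==/!=, constants, member()/attr(). No eval()."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, ctx) for v in node.values)  # short-circuits like the source
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ctx)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.ops[0], (ast.Eq, ast.NotEq))):
        left, right = _eval(node.left, ctx), _eval(node.comparators[0], ctx)
        return left == right if isinstance(node.ops[0], ast.Eq) else left != right
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in ctx:
        return ctx[node.func.id](*(_eval(a, ctx) for a in node.args))
    raise ValueError(f"construct not allowed in policy script: {type(node).__name__}")


def evaluate(policy_group: str, subject: str, as_of) -> bool:
    """Evaluate a policy script for a subject as of a date (date or ISO string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    ctx = {
        "member": lambda g: effective_member(subject, g, as_of),
        "attr": lambda k: ATTRS.get(subject, {}).get(k),
    }
    return bool(_eval(ast.parse(POLICIES[policy_group], mode="eval"), ctx))


def recalc_targets(changed_group: str):
    """Which policy groups, and which subjects, need recalculating after a change."""
    subjects = sorted(s for (s, g) in STATE if g == changed_group)
    return {p: subjects for p, s in POLICIES.items() if changed_group in dependencies(s)[0]}


if __name__ == "__main__":
    print(evaluate("app:hr-portal", "alice", "2023-03-15"))  # inside the 30-day grace period
    print(evaluate("app:hr-portal", "alice", "2023-04-15"))  # grace period expired
    print(recalc_targets("ref:hr"))
```

Two points the code makes concrete: the grace period is a property of the referenced group, not of the policy, so every policy that reads `ref:hr` sees the same lingering membership; and because `recalc_targets` is derived from the parsed script rather than a separately maintained list, a policy cannot silently fall out of sync with its own dependencies.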
Getting Ready to release Grouper v5
- For Grouper v5, we need to take out Apache and Shib from the container
- Handle Unicon contrib
- Configure OIDC in Grouper or use Unicon SAML (we need more doc on that), or install Apache and Shib SP
- Hoping UMICH and U Virginia will kick tires for v5
- Question on removing Apache
- Then need to work in tomcat
- It assumes only one context: Grouper
- Two contexts to point to same directory is a solution
- Did not have to copy the whole directory
- Can use derived image with Apache
- Should we have multiple contexts as an option?
- Worried about the daemon
- Shilen: keep it simple
- Chris Hyzer will research in Tomcat
Release Plans
- Hope to release Grouper v5, with ABAC, for non-production use in about 2 weeks
- There were a lot of commits in V4 before we started v5.
- Be sure all merged correctly
- Going forward, will try to cherry pick every commit in order from v4
- Important to get them in v5 in order
- Use Git Log to see the order
- Commit to v4 and cherry pick to v5, maybe that’s the wrong order?
- Hoping for few commits to v4
- Working in v4 for the “start withs” and diagnostics
- Authentication using SAML is supported in v4. Not sure if there is a doc on that. JJ worked on that. One institution is using it
- V17, library did not work
- AI Chad reach out to JJ on sharing the materials more widely on auth to SAML
ISSUE ROUNDUP
Jiras in past two weeks
- GRP-4631 - do not match or search on membership attribute
- GRP-4630 - in provisioning do not allow caching of membership attribute
- GRP-4629 - validation on rabbitmq when using EL
- GRP-4628 - allow owners for teams groups in azure provisioning
- GRP-4627 - null pointer in GrouperProvisioningCompare.compareTargetEntities
- GRP-4626 - cacerts moved in java17
- GRP-4625 - auto ddl 4.*.* should work
- GRP-4624 - digital marketplace provisioner loops against mock
- GRP-4623 - fix audits for jexl script tester
- GRP-4622 - do not log env vars in container since could be sensitive
- GRP-4621 - improve provisioning start with for azure
- GRP-4620 - version does not show in ui for v4
- GRP-4619 - check for nulls in jexl scripts
- GRP-4618 - jexl script tester has error
- GRP-4617 - add 'run report' to report menu for ad hoc runs
- GRP-4616 - provisioning: validate that the membership attribute is not cached
- GRP-4615 - NPE in change log temp processor when adding group set if parent doesn't exist
- GRP-4614 - scim provisioner 404 should mean object doesn't exist (groups/entities/memberships)
- GRP-4613 - improve logging on vetos
- GRP-4612 - Remove xml-apis dependency
- GRP-4611 - grouper is not logging the correct class/method name
- GRP-4610 - Run OTHER_JOB_syncAllPitTables and OTHER_JOB_syncAllSetTables daily
- GRP-4609 - allow resize of left navigation panel
- GRP-4608 - Loader Jobs with External Unique Ids to Support moving group path
- GRP-4607 - Container startup scripts to check for tomee mounted files and move them to tomcat
- GRP-4606 - support auto ddl with .*.* for semantic versioning
- GRP-4605 - Remove SOAP
Grouper wiki updates in past two weeks
- v4 Upgrade instructions from v2.6
- Restoring SOAP Web Services in Grouper 5+
- JEXL script tester
- Universal Subject Daemon Utility (USDU)
- v2.6 Release Notes
- v4 Release Notes