In a patch in Grouper 2.4, Grouper will have a reporting capability. This will start simple and we can add more features later.
The configuration will follow the same attribute structure as other Grouper modules like attestation and deprovisioning
Attribute definitions for config
Definition | Assigned To | Purpose | Value | Cardinality |
---|---|---|---|---|
reportConfigDef | folder, group | identify a report config | marker | Multi assign |
reportConfigValueDef | folder assignment, group assignment | name/value pairs | string | Single assign, single valued |
Attribute names for config
Name | Definition | Value |
---|---|---|
reportConfigMarker | reportConfigDef | <none> |
reportConfigType | reportConfigValueDef | Currently only SQL is available |
reportConfigFormat | reportConfigValueDef | Currently only CSV is available |
reportConfigName | reportConfigValueDef | Name of report. No two reports in the same owner should have the same name |
reportConfigFilename | reportConfigValueDef | e.g. usersOfMyService_$$timestamp$$.csv $$timestamp$$ translates to current time in this format: yyyy_mm_dd_hh24_mi_ss |
reportConfigDescription | reportConfigValueDef | Textarea which describes the information in the report. Must be less than 4k |
reportConfigViewersGroupId | reportConfigValueDef | GroupId of people who can view this report. Grouper admins can view any report |
reportConfigQuartzCron | reportConfigValueDef | Quartz cron-like schedule |
reportConfigSendEmail | reportConfigValueDef | true/false if email should be sent |
reportConfigEmailSubject | reportConfigValueDef | subject for email (optional, will be generated from report name if blank) |
reportConfigEmailBody | reportConfigValueDef | optional, will be generated by a grouper default if blank body for email, support \n for newlines, and substitute in: $$reportConfigName$$, $$reportConfigDescription$$, $$subjectName$$ and $$reportLink$$ The link note: the $$reportLink$$ must be in the email template if it is not blank |
reportConfigSendEmailToViewers | reportConfigValueDef | true/false if report viewers should get email (if reportSendEmail is true) |
reportConfigSendEmailToGroupId | reportConfigValueDef | if reportSendEmail is true, and reportSendEmailToViewers is false), this is the groupId where members are retrieved from, and the subject email attribute, if not null then send |
reportConfigQuery | reportConfigValueDef | SQL for the report. The columns must be named in the SQL (e.g. not select *) and generally this comes from a view |
reportConfigEnabled | reportConfigValueDef | Use logic from loader enabled, either enable or disabled this job |
Attribute definitions for instance (a report that was run)
This attribute is assigned to the same owner as the config attribute (e.g. the same group/folder)
Definition | Assigned To | Purpose | Value | Cardinality |
---|---|---|---|---|
reportInstanceDef | folder, group | identify a report that was run | marker | Multi assign |
reportInstanceValueDef | folder assignment, group assignment | name/value pairs | string | Single assign, single valued |
Attribute names for instance
Note: the ID is the attribute assign id of the marker (this is passed in URLs/emails etc)
Name | Definition | Value |
---|---|---|
reportInstanceMarker | reportInstanceDef | <none> |
reportInstanceStatus | reportInstanceValueDef | SUCCESS means link to the report from screen, ERROR means didnt execute successfully |
reportElapsedMillis | reportInstanceValueDef | number of millis it took to generate this report |
reportInstanceConfigMarkerAssignmentId | reportInstanceValueDef | Attribute assign ID of the marker attribute of the config (same owner as this attribute, but there could be many reports configured on one owner) |
reportInstanceMillisSince1970 | reportInstanceValueDef | millis since 1970 that this report was run. This must match the timestamp in the report name and storage |
reportInstanceSizeBytes | reportInstanceValueDef | number of bytes of the unencrypted report |
reportInstanceFilename | reportInstanceValueDef | filename of report |
reportInstanceFilePointer | reportInstanceValueDef | depending on storage type, this is a pointer to the report in storage, e.g. the S3 address. note the S3 address is .csv suffix, but change to __metadata.json for instance metadata |
reportInstanceDownloadCount | reportInstanceValueDef | number of times this report was downloaded (note update this in try/catch and a for loop so concurrency doesnt cause problems) |
reportInstanceEncryptionKey | reportInstanceValueDef | randomly generated 16 char alphanumeric encryption key (never allow display or edit of this) |
reportInstanceRows | reportInstanceValueDef | number of rows returned in report |
reportInstanceEmailToSubjects | reportInstanceValueDef | source::::subjectId1, source2::::subjectId2 list for subjects who were were emailed successfully (cant be more than 4k chars) |
reportInstanceEmailToSubjectsError | reportInstanceValueDef | source::::subjectId1, source2::::subjectId2 list for subjects who were were NOT emailed successfully, dont include g:gsa groups (cant be more than 4k chars) |
Under folders or groups, in the more actions, should be "Reports", which goes to View reports screen. Note we need to harmonize this with Shilen's group and folder reports. Should they share a menu item?
This is the default screen. Drop down with the following options:
Screen shows
The report will take the SQL and columns and make a CSV with all the results. Chris has this logic and will commit it in the branch. This will be delivered as a download from browser
If reports are being configured to be emailed, then the configured or default email will be sent. Note, the actual report will not be attached in the email for security reasons. A link to the report instance screen will be in the email.
In 2.4 we dont want to add a new table to store files, so for people who want to use this feature the only option will be AWS S3 buckets or filesystem with the report encrypted. We can add more storage options later
The deployer will need an AWS account, the free level might suffice
Need to configure the AWS creds in grouper.properties
Configure the AWS S3 bucket location
Configure the path where report files will be stored
Inside there Grouper will create "folders"
$base$/reports/YYYY/MM/DD/$someUniqueId$/$reportFilename$.csv.encrypt
$base$/reports/YYYY/MM/DD/$someUniqueId$/$reportFilename$__metadata.json
Report encryption
To delete a report instance, delete the metadata and report data from storage. If not it will be deleted eventually with a clean up daemon
When a report is deleted, delete all the metadata and report data from storage. If not it will be deleted eventually with a clean up daemon
There are no direct links to reports, and they are encrypted anyways. The only way to download reports is through the Grouper UI (or API), by authorized users. This is a reverse proxy to the report storage.
The overall report daemon should go through storage, and
Audits should be added for reports creation/editing/downloading. No audits for emails sent. These audits should be linked to the group or folder where the report is configured
Grouper Report showing summary of your installation