Grouper Call of Jan. 3, 2024
Attending
- Chris Hyzer, Penn, Chair
- Chad Redmond, Unicon
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Jim Beard, Unicon
- Carey Black, Purdue
- Kellen Murphy, UVA
- Carey Matt Black, Purdue
- Chris Hubing, Internet2
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
Grouper Blog for early 2024, started here:
- Blog to focus on listserv management at Penn and GSH templates
Current Work
Vivek
Working on TeamDynamix provisioner
- Will make labels more user friendly
- This is perhaps not as smooth as some of the provisioners
- Significant throttling at server side
- Hard coded to run in one thread
- Response to a throttling call is sometimes not expected
- Text in body
- Can get error and response is still there
- Throttling can be an issue
- Due to throttling, Full syncs could take a while
- Incremental should be OK
- On server side, you can go to UI and delete, but can’t delete from web service, can only disable a group
- Can have 2 groups with same name in TeamDynamix
- But this creates an error in Grouper
- We are doing the minimum for TeamDynamix
- Want to facilitate authorization provisioning
- For complex use cases, use Midpoint or another approach
Data Dictionary: Grouper data field dictionary
- Use case from TechEx
- When TeamDynamix work is done we will take another pass at this
- Issue: description doesn’t wrap
- Can give examples at row and field level
- This is a good first pass
- Added data owner and how to get access
- Description is a mandatory field
- Question: where is the main field for describing a data field?
- AI: Chris - update the data field documentation (Grouper data field dictionary) so it is more user friendly, not geared to developers
- Scripted Groups or data fields
- Better to use the terminology of scripted groups.
Shilen
- Worked on composite changes: if you add or remove a member in the UI and it involves a composite, it will give a different message saying it may take time to propagate
- Making sure loader logs work properly
- Making sure it does not cause issues with diagnostics
- Will go through unit tests and look at performance
Chris
- Released Grouper 4.10.0, 4.10.1 and 4.10.2 (has TeamDynamix and Tomcat container enhancements)
- Released Grouper 5.7
- Tomcat
- Can run Tomcat without Apache now
- SSL for Tomcat works
- uses key file and chain file
- Access logs for tomcat need remote IP
- This builds on work done at UVA
- Access log valves, perhaps not needed
- Don’t need load balancer logged, can just take client
- Better to use remote IP
- Kellen may slack Chris about WebXML
- New self signed cert, 20 year
- Apache expires in 5 years
- When you run a quickstart in Grouper, it will use the self signed cert for Tomcat
GRP-5240 subjob error in scheduler check daemon cant find log map
- New scheduler daemon will look at jobs that started but are not running, set them to error and append a message to the description
tomcat log4j2.xml was not working correctly after pipes removed
- GRP-5229
- History: we wanted to get rid of supervisord, but had multiple processes going on and people wanted to use Splunk
- Issue with pipes
- tomcat should send to standard out rather than using pipes
- Chad: Grouper environment would be helpful. Format in Log4J, go to standard output
- The closer to normal Docker container, the better
- Kellen / UVA: has everything going to standard error
- This is for debugging
- Chris Hubing: match log format to current format to accommodate Splunk users
- Expect people to use log4j as we package it, with our defaults
- Chris Hyzer will look at having Tomcat write the Grouper logs, the access logs, the Catalina logs and the localhost logs to standard out, and try to match the format it used to be.
Chris worked on GRP-5195
- v4 grouper_loader_log_indexes
- Upgrade task and DDL should not be sequential integers, should be labels
Grouper custom template via GSH web service membership counts
- Chris worked on GRP-5196
- gsh template WS should be able to read and write arbitrary JSON
- Now more sensible inputs and outputs for web services
- Want a JSON response to go to the client
- JSON input now allows a new WS input attribute in the GSH template exec request
- Input name value instead of name value pairs
- Can make a more sensible request
- WS output field under exec result,
- Can edit from GSH template
- Should use maps and not Jackson
- Put in ws output
- Can have arbitrary JSON for the client
- It gets presented to GSH template as a map
- This creates a good custom web service
- Can use bean structure
- Arbitrary input and output
- Use bean class for input and to mirror JSON
- Also bean class for output
- JSON needs to match bean structure
- Chris created documentation for v1 and for v2
- See documentation linked from here https://spaces.at.internet2.edu/x/nwHtE
New feature - dynamic dropdowns
- GRP-5217
- add dynamic form elements (e.g. drop downs) to GSH V2 templates
- Hoping for more powerful GSH UI templates
- Chad: this seems to address the issue where you run a template, create new app, want to edit the app, and editing the app is a challenge. Have a dropdown where it auto populates.
More on GSH Templates
- If you have a query loaded dropdown
- Such as dropdown that is dynamic, tells you work you need to do
- You submit template and it does that work
- Used to be it did not redraw template screen
- But dropdown might be impacted by work template did
- NOW when you submit a template it will redraw the screen
- (If it’s not longer than 15 seconds)
- Chris and Chad will look at changes to provisionable screen
Hope to make it easier to use
Issue Roundup
Jiras
- gsh templates v2 should support gshReturn
- GRP-5241: dont exclude jetty from grouper poms that depend on the api
- GRP-5240: subjob error in scheduler check daemon cant find log map
- GRP-5239: add annotation to all jobs which do not have it: @DisallowConcurrentExecution
- GRP-5238: when printing rule, include the owner id
- GRP-5237: if a rule has a daemon shouldnt then throw the rule details in exception
- GRP-5236: add documentation of GSH example to assign attributes on group attribute assignments
- GRP-5235: Data field dictionary
- GRP-5234: first pass at team dynamix tdx provisioner
- GRP-5233: add team dynamix tdx external system
- GRP-5232: in container remove the ROOT and examples webapps
- GRP-5231: add rewrite valve for tomcat so / redirects to /grouper (or whatever the UI context is)
- GRP-5230: container should expose ports 8080 and 8443 even if not used by tomcat so they could be
- GRP-5229: tomcat log4j2.xml was not working correctly after pipes removed
- GRP-5228: allow configurable tomcat access log folder, set default to /opt/grouper/logs
- GRP-5227: default tomcat 8080 and 8009 to be off, can set back to on
- GRP-5226: add keys folder in container with right permissions for SSL key
- GRP-5225: add long lasting self signed cert for tomcat
- GRP-5224: add tomcat remote IP valve env vars for running v5 behind a load balancer
- GRP-5223: add https ssl tls for tomcat when running without apache
- GRP-5222: Non-root error for provisioning edit from provisioner row action (editProvisioningOnGroup2)
- GRP-5221: add RemoteIpValve setting to tomcat
- GRP-5220: gsh does not start
- GRP-5219: Need jexl script test for provisioningEntityWrapper.isInGroup('...')
- GRP-5218: new json marshaler is strict on invalid properties
- GRP-5217: add dynamic form elements (e.g. drop downs) to GSH V2 templates
- GRP-5216: V2 GSH template tests should be able to test wsInput and wsOutput
- GRP-5215: V2 GSH templates should self register
- GRP-5214: on GSH template wizard do not show run template folder or group if switched off
- GRP-5213: GSH template v2 tests does not report the number of tests correctly
- GRP-5212: should be able to call gsh template WS without an owner group or folder
- GRP-5211: gsh template ws validation error should return error
- GRP-5210: when there is a GSH template (or other things run in Grouper e.g. script daemons), print line number and line of failure
- GRP-5209: adjust scim emails
- GRP-5208: Paging config history with a filter clears the filter on next page
- GRP-5207: add option to send report as attachment of email
- GRP-5206: add email addresses to report config
- GRP-5205: email to local entities with display extension
- GRP-5204: with entity link, if not in target, look up the user again
- GRP-5203: add status diagnostics daemon success threshold to daemon screen somewhere
- GRP-5202: gsh template
Wiki updates
Grouper custom template via GSH web service membership counts - V2 - bean inputs with test
Grouper custom template via GSH web service membership counts
Grouper custom template via GSH web service membership counts - V2 - json inputs
Grouper custom template via GSH web service membership counts - V1 - json inputs / outputs
Grouper custom template via GSH web service membership counts - V1 - arbitrary inputs map
Grouper custom template via GSH web service membership counts - V2 - basic
Grouper-Users emails - none
Next Grouper Call: Wed. Jan 17, 2024