Grouper Call of Feb. 14, 2024

Attending 

• Chris Hyzer, Penn, Chair
• Chad Redmond, Unicon
• Jim Beard, Unicon
• Vivek Sachdiva, independent
• Shilen Patel, Duke
• Carey Black, Purdue

• Liam Hoekenga, UMich

• Gail Lift, UMich

• Kellen Murphy, Univ of Virginia

•  Daniel Fisher, Va Tech

• Drew Aschenbrener, Internet2

Administrivia

•  Internet2 Intellectual Property Policy
  
• Review AIs  Grouper Project Action Items (Google Doc)
  
•  Agenda Bash
  

New Action Item from this call 

• AI Daniel  - will review  LDAP external system page in Grouper wiki for config issues   

https://spaces.at.internet2.edu/display/Grouper/Grouper+LDAP+external+system

and send to Chris

The doc must work for both new and older Grouper versions. Chris will make the doc work for both v4 and v5

Administrivia

• Internet2 Intellectual Property Policy
• Review AIs  Grouper Project Action Items (Google Doc)
•  Agenda Bash

Grouper Doc team mean recently

• See record of pages being updated here: https://spaces.at.internet2.edu/display/GrintDev/Grouper+documentation+pages+to+update

Grouper Training prep work for march 12-15, 2024 is ongoing 

•  https://incommon.org/academy/grouper-school/

Current Work

Vivek

• Vivek is working on a Grouper rules screen for Grouper v5
• So you can see, add, edit and delete rules
• It’s complex, and that is why it has not been done yet
• Good progress being made
• Rules can be assigned to groups and folders, sometimes to attribute definitions for permissions
• Need to work on the exact privileges needed to view and edit rules
• Each rule may impact other things, so you need to be able to see other things
• To edit a rule, you need admin and must be in the rules editor population
• All the things you are using in the rule you need privileges on
• If dealing with things in your own folder, you will be able, but if you are dealing with things in a reference group folder, you will need permissions
• Rules have built-ins and have expression language
• There is a concept of check type, what happens when the rule gets fired
• When rule fires, there is a condition
• result is what the rule does
• If rule is daemonable, it will run on the daemon
• Still need to figure out details of how folder permissions will work
• View on folder is not super private
• Using a power users group can be helpful
• Proposed direction: if you can view a rule it will generally show you the components of that rule
• When adding the rule, if putting in a group name you don’t have access to, this won’t be allowed
• We will honor the read and update privileges
• To know if someone is removed, you need read on that, etc
• May reduce the Grouper sysadmin needs for creating rules
• Comment: this work will be helpful

Shilen

• Work on stopping daemons, handling timestamps
• Next: changing maintenance jobs to be “other” jobs

Chris

• Working  on new release with
• Virginia tech request for roles in Groups
•      Mostly implemented
•      Still working on getting unit tests to work
•      DDL changes are needed
•      To make roles work, we needed 2 more tables  
•      Sync dependency
•     Captures groups used in a user translation
•     Running daemons on multiple servers, the static caches are not good enough
•     So we have a new static cache, it’s a lightweight table using UUIDs 
•     
• DDL
• There are 3 ways to get DDL in grouper
  • 1.   Clean install
  • 2.   Haven’t been up to the version where DDL was introduced and you are upgrading
  • 3.  You did get the DDL update and the new v4 DDL introduced after that
    • Want to edit with new DDL
    • Use an upgrade task
    • It will detect if you have the latest DDL
    • If you have updated DDL it does nothing
    • Otherwise it performs surgery
      
      
• Suggested to put more info in upgrade steps
• With views it’s hard to do an upgrade task
• This should be documented better
• Anyone with suggestions on better, clearer info to present, please send them to Chris
  
  
• Deactiviate SCIM provisioned users as opposed to deleting them, some SCIM endpoints can’t delete
  
  
• Would be nice to know how many sites are running more than one daemon
  
  
• Chris worked on unit tests

Daniel: 

• Touch base on patch for configuration for handlers in page results client for LDAP searches
  •    There was problem in V5 w AD and getting attributes from LDAP more than 1500 (or 1000?)
  •    Something in ldaptive needed a patch
  •     Shilen   can test in AD
  •    Chris will incorporate that 
• Daniel is looking into an issue related to timeouts
• Default behavior should change in how it’s handling timeout in ldaptive
• Liam noted it would help if Grouper documentation covers adjusting timeout and references how to tune appropriate ldaptive settings

• AI Daniel  - review  LDAP external system page in Grouper wiki for config issues   
  • https://spaces.at.internet2.edu/display/Grouper/Grouper+LDAP+external+system
  • and send to Chris. The doc must work for both new and older Grouper versions, Chris will make it work for both v4 and v5

• Ldaptive doc is here https://spaces.at.internet2.edu/display/Grouper/vt-ldap+to+ldaptive+migration+for+LDAP+access
• Put all properties in external system wizard is not practical
• Liam: Adding new properties in configuration screen, there is an issue of the properties not being editable
• Chris: how many properties are there?
• Maybe 20
• Could be an advanced ldaptive customize option
• UMich added some items for AD

 Snapshots etc.

• When pulling the Grouper 5 branch, the POM says 5.0.0.snapshot
• All new branches have a snapshot with .0.0 
• Need something in POM that is not dynamic
• Need a version
• Daniel will tag so there is a stable version
  
  
• Re profiling ldaptive, looking for memory issues - Shilen and Chris will talk about this
• Something to run in v4 and v5
• Memory is an issue discussed on Grouper Slack, especially large LDAP jobs 
• Hope to make things in Grouper take less space. In v7 we will redo the DDL
• Moving from Java 8 to Java 17 could have had an impact

Issue Roundup

Wiki updates

• Grouper Duo admin roles

• Grouper membership report on multiple groups with end date

• Planning Guide - Grouper Installation & Deployment

• Externalize and encrypt grouper passwords morphString morph

• Grouper custom template via GSH impersonate example

• Grouper custom template via GSH role mapper

• Getting Started with Grouper

JIRAS 

• GRP-5309
• Privileges tab to have priv items in More tab
• GRP-5308
• Provisioning entities not filtering objectClass when Select All Entities is false
• GRP-5307
• Provisioner case sensitive compare wants to change value only differing in case
• GRP-5306
• Provisioners should log DNE errors as SUBJECT_ERROR with unresolvable count
• GRP-5305
• add a provisioning group roles method as poc
• GRP-5304
• do not flush ehcache controller when clearing caches if it is not alive
• GRP-5303
• underlying database connection issues are masked in logs in certain circumstances
• GRP-5302
• add tables and indexes for provisioning dependencies for group roles and user attributes based on groups
• GRP-5301
• Messaging Provisioner add messaging type AWS SQS FIFO
• GRP-5300
• make a ui method to attest groups easily in gsh
• GRP-5299
• add membership requirements and rules to the trace membership
• GRP-5298
• Minor typo on the GSH Template configuration page
• GRP-5297
• duo commands class should have helper method for raw json
• GRP-5296
• add ability for duo to return webauthncredentials and store in loaded table
• GRP-5295
• scheduler check daemon is null
• GRP-5294
• Typo: "Problem with ldap conection"

Next Grouper call:  Wed. Feb 28, 2024