Grouper Call of Jan. 31, 2024
Attending
- Chris Hyzer, Penn, Chair
- Chad Redmond, Unicon
- Jim Beard, Unicon
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Daniel Fisher, Va Tech
- Chris Hubing, Internet2
- Drew Aschenbrener, Internet2
- Steve Zoppi, Internet2
- Emily Eisbruch, Internet2
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
New Action Items from this call
- Chris Hyzer - put the idea of changing the Group Screen to show higher level info in a Jira and/or on the Grouper roadmap
- Chris Hyzer – post more source code for the UPenn email use case, per community requests
- Shilen - check that Grouper doc on composites is up to date. The developer doc is here: https://spaces.at.internet2.edu/display/Grouper/Composite+changes Are there items/implications that should be in the main Grouper wiki?
Grouper Blog Published, January 2024
- https://incommon.org/news/happy-new-year-from-the-grouper-project/
- It links to Penn email list use case on the wiki : https://spaces.at.internet2.edu/display/Grouper/Penn+email+list+provisioner
- This example from UPenn includes loading, syncing, daemons, GSH templates. Many features of Grouper put together to manage a use case, people have asked for source
- AI Chris – post more source code for the UPenn email use case, per community requests
Grouper Training
- March 12-15, 2024, online
- https://incommon.org/academy/grouper-school/
- New self-paced training in 2024.
- Advanced topic for Grouper self-paced training:
- Provisioning?
- GSH templates? Could a GSH template serve as a walk-through guide, as a UI element? This would open possibilities for how to "walk through" things in Grouper. Requires API knowledge
- GSH daemon?
- GSH?
- Loader?
- Subject sources (not used often enough)?
- Data fields (too soon)?
- ABAC (too soon)?
- SCIM provisioner
- Comments on big picture in Trust and Identity in 2024
- We are at an important junction
- 2023 was good for training and other outreach
- Grouper stands alone, no other products do what Grouper does
- Commercial sector addresses our space poorly
- Efforts to address Grouper documentation are valuable and appreciated
- Progress has been made in weeding out old Grouper doc
- In 2023, Internet2 engaged a firm Second Muse to coordinate development of InCommon Futures Report
- Also Internet2 developed new 5 year plan
- Community's perception has evolved
- Used to be the projects would develop whatever ideas the community came up with
- Now there is an expectation that Internet2, the catalysts and the projects (such as Grouper) will help make up for the situation where institutions are losing some of their institutional memory on HOW TO DO things around identity management
- Complexity of use cases is increasing
- Number of people experienced enough to address use cases is decreasing
- Internet2/InCommon component architects meet every 2 weeks. Chris Hyzer and Chris Hubing join those calls
- 2024 Statement of Work Guidance
- 2024 Statements of Work - Guidance (Final) - Google Docs
- Grouper team members, please read 2024 Statement of Work Guidance
- Priorities include quality code, documentation, ease of use, and consistent packaging
- This year telemetry (understanding who is using the products) becomes even more important
- Documentation must be completed concurrent with release
- Question: Tradeoff between offering and “selling” doc and training
- Doc and training complement each other
- Gray line between: how much to do in video versus in written material
- Want a reasonable balance between written reference documentation for practitioners implementing Grouper, and non-technical documentation so people can understand how Grouper can address their use cases
Current Work
Vivek
- Provisioning - effort to make things provisionable is done in v4 and will be moved to v5
- Will be easier to set up provisioners on groups and folders
- View in one screen and see why something is provisionable
- Will try to default new features to v5 moving forward
- Screens to view and edit rules
- Currently managing rules using attribute assignments
- Grouper rules patterns
- Under folder options, you can choose rules
- This shows rules referenced with this folder
- A rule attached with a folder
- Actions column on left of screen
- Wizard, behaves like a “start with” for provisioning, you select a pattern, you get more options
- Eventually rule gets added
- In provisioning there are many options, and you can't go back to the "start with" step
- Rules are simpler, so you can edit an existing rule using the wizard
- You can also edit it as a custom rule
- Just getting started on this work
- Vivek is making good progress
- Carey: things get buried under a menu button or tab
- Some things would be good to elevate / surface to a higher level, such as a rule on a group
- How to generically represent all the properties of a group that a user might need to manage
- Chris Hyzer: Eventually the main group screen will not show members but will show the higher level info
- CHRIS AI: Put the idea of changing Group Screen to show higher level info to Jira and/or roadmap
- Membership requirements are easier way to do what a rule does.
- Do we need to review this doc re rules and membership requirements? https://spaces.at.internet2.edu/display/Grouper/Access+Management+Features+Overview
Shilen
- Composites work is done
- Gets added to change log
- Is the documentation up to date? Shilen will check
- AI Shilen check that Grouper doc on composites is up to date
- https://spaces.at.internet2.edu/display/Grouper/Composite+changes
- Ability to stop a daemon in v5+
- Working on: Disable on daemon screen in UI should try to stop a currently running daemon
- Race conditions: record the date the job was disabled, so that re-enabling the job does not cause a running instance to terminate incorrectly; also keep a timestamp of the job's last check. Shilen will add that
- Sometimes daemons are disabled in the scheduler but are run directly from Java instead of via the schedule
- If a job is not run via the scheduler, disabling it there has no effect on it
- List should be things running and have a table in quartz of what's disabled?
- Shilen will look at that
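The daemon-stop discussion above (disable from the UI should stop a running job, directly started jobs should honour the same disable, and a quick disable/enable toggle should not be mishandled) can be sketched as a cooperative-stop job that checks a shared control record between batches. This is an added example, not Grouper project code; the control-record layout, the decision rule (compare the time the disable was requested with the time the job last checked) and the sample workload are assumptions made for the illustration.

```python
"""Cooperative stop for a running daemon job, driven by a shared control record.

Added example (not Grouper project code). Models the design discussed above:
disabling a job in the UI must also stop an instance that is already running,
a job started directly (outside the scheduler) must honour the same disable,
and a quick disable/enable toggle is resolved by comparing the time the
disable was requested with the time the running job last checked.
The record layout and the decision rule are assumptions for this sketch.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class JobControl:
    """Control record shared by the scheduler, the UI and any directly started
    job (assumed to live in a table both sides read; here it is in memory)."""
    enabled: bool = True
    disabled_at: Optional[float] = None  # when a disable was last requested

    def disable(self, now: float) -> None:
        self.enabled = False
        self.disabled_at = now

    def enable(self) -> None:
        # Keep disabled_at: a running job that has not looked since the
        # disable still needs to see that a stop was requested.
        self.enabled = True


class CooperativeJob:
    """A daemon job that processes work in batches and checks the control
    record between batches, so it can stop without being killed."""

    def __init__(self, control: JobControl, items: List[str],
                 batch_size: int, started_at: float) -> None:
        self.control = control
        self.items = list(items)
        self.batch_size = batch_size
        self.last_check_at = started_at  # first check window opens at launch
        self.processed: List[str] = []
        self.stopped_early = False

    def should_stop(self, now: float) -> bool:
        """Stop if the job is disabled now, or if a disable was requested after
        the previous check even though it has since been re-enabled: the
        operator asked for this run to end, and the re-enable only affects
        future scheduled runs. A disable older than the last check is stale."""
        c = self.control
        requested_since_last_check = (c.disabled_at is not None
                                      and c.disabled_at > self.last_check_at)
        self.last_check_at = now
        return (not c.enabled) or requested_since_last_check

    def step(self, now: float) -> bool:
        """Check the control record, then process one batch.
        Returns True while there is more work and no stop was requested."""
        if self.stopped_early or not self.items:
            return False
        if self.should_stop(now):
            self.stopped_early = True
            return False
        self.processed.extend(self.items[:self.batch_size])
        del self.items[:self.batch_size]
        return bool(self.items)


# Constructed sample workload (hypothetical member identifiers).
ITEMS = [f"member-{i}" for i in range(10)]


def scenario_disable_then_reenable() -> Tuple[int, bool, bool]:
    """UI disables and re-enables between two checks: the running instance
    stops, and the record is enabled again for the next scheduled run."""
    control = JobControl()
    job = CooperativeJob(control, ITEMS, batch_size=3, started_at=0.0)
    job.step(1.0)              # 3 processed, last check at t=1.0
    control.disable(1.5)
    control.enable()           # toggled back before the job looks again
    job.step(2.0)              # disabled_at 1.5 > last check 1.0 -> stop
    return len(job.processed), job.stopped_early, control.enabled


def scenario_stale_disable() -> Tuple[int, bool]:
    """A disable that predates the job's launch (and was undone) is stale,
    so the job runs to completion."""
    control = JobControl()
    control.disable(2.0)
    control.enable()
    job = CooperativeJob(control, ITEMS, batch_size=4, started_at=5.0)
    t = 6.0
    while job.step(t):
        t += 1.0
    return len(job.processed), job.stopped_early


def scenario_direct_run_while_disabled() -> Tuple[int, bool]:
    """A job started from Java/GSH rather than the scheduler still reads the
    control record, so a disabled job stops before doing any work."""
    control = JobControl()
    control.disable(10.0)
    job = CooperativeJob(control, ITEMS, batch_size=3, started_at=11.0)
    job.step(12.0)
    return len(job.processed), job.stopped_early


if __name__ == "__main__":
    print(scenario_disable_then_reenable())
    print(scenario_stale_disable())
    print(scenario_direct_run_while_disabled())
```

The point of keeping both timestamps is that a boolean alone cannot distinguish "disabled and re-enabled while I was busy" from "never disabled", and a job that only consults the scheduler's schedule never sees a disable at all when it was launched directly.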
Chris
- Membership requirements screen adjustments
- ABAC aliases
- GrouperSession work
- Did GrouperTest used to create a root session? Do we want it to be that way going forward? DB connection issue?
- Startup and not being able to delete built in groups
- SCIM disable users
- Group attribute for roles (like entity isInGroup)
Penn Use Case - Chris presented an advanced use case from Penn, showing coarse-grained authorization
Survey
- Chris Hubing has a survey on topics like Source Code Management (SCM) and Build/Test/Deploy Automation that he would like Grouper community members to respond to: Grouper Interview
Issue Round up
JIRAS
- GRP-5294
- Typo: "Problem with ldap conection"
- GRP-5293
- Provide a view to the container logs via the UI
- GRP-5292
- Stopping daemon jobs
- GRP-5291
- fix unit tests for TestComposite
- GRP-5290
- fix unit test TestGrouperVersions
- GRP-5289
- add a reference from the root session back to the parent session so the parent session weak reference does not get garbage collected
- GRP-5288
- gsh template v2 tests with drop down and logged in subject were failing
- GRP-5287
- grouper unit tests were assigning wrong name for readonly and update only admin groups
- GRP-5286
- log in loader if display name is blank
- GRP-5285
- only log built in creation in check config on the first run
- GRP-5284
- when extension is invalid put the character that is in valid in the error message to narrow down the troubleshooting
- GRP-5283
- auto created loader group descriptions should auto-update too
- GRP-5282
- in the container dont sed to port -1
- GRP-5281
- logger null in grouper config
- GRP-5280
- gsh template tests fail if there is a query based on user
- GRP-5279
- Browse Folders "sync" button should expand the folder that is finally selected
- GRP-5278
- deprovisioning screen lists memberships that are not active
- GRP-5277
- GSH template V2 test not handling GrouperUtil.gshReturn (non-zero?)
- GRP-5276
- Template V2 GshTemplateTestExec should know its own configId, shouldn't need to explicitly define it
- GRP-5275
- Import config copy/paste not working due to missing CSRF header
- GRP-5274
- Allow dashes in ConfigIds
- GRP-5273
- if a group is being emailed to, and there are no members, there is an obfuscated error
- GRP-5272
- enabled/disabled daemon should audit as such, it says "loader" which is confusing
- GRP-5271
- When entitlement string changes in an LDAP usersWithEduPersonEntitlements provisioner configuration, the old entitlement values are not removed.
- GRP-5270
- Add Loader unresolved subject errors to the UI, similar to DNE errors for provisioners
- GRP-5269
- if not selecting readers from app template, fails with "need to select parent actions for child actions"
- GRP-5268
- Composite changes - move membership inserts and deletes to daemon
Grouper Wiki updates
- Grouper rules patterns
- Grouper rules pattern - Add created groups to another group
- Grouper rules pattern - Add disabled date on invalid membership
- Grouper rules pattern - Add disabled date on invalid membership due to group
- Grouper rules pattern - Add disabled date on invalid permissions
- Grouper rules pattern - Add disabled date on membership
- Grouper rules pattern - Add member to group if added to another group
- Grouper rules pattern - Add self-READ privilege to new groups
- Grouper rules pattern - Assign attribute to folder
- Grouper rules pattern - Assign attribute to group
- Grouper rules pattern - Forever membership
- Grouper rules pattern - Inherited privileges on attribute definitions
- Grouper rules pattern - Inherited privileges on certain groups
- Grouper rules pattern - Inherited privileges on folders
- Grouper rules pattern - Inherited privileges on groups
- Grouper rules pattern - Reassign attribute definition privileges if from group
- Grouper rules pattern - Reassign folder privileges if from group
- Grouper rules pattern - Reassign group privileges if from group
- Grouper rules pattern - Remove invalid membership due to folder
- Grouper rules pattern - Remove invalid membership due to group
- Grouper rules pattern - Remove invalid membership due to group (no daemon)
- Grouper rules pattern - Remove invalid membership on another group
- Grouper rules pattern - Remove invalid permissions due to folder
- Grouper rules pattern - Remove invalid permissions due to group
- Grouper rules pattern - Send email after membership remove
- Grouper rules pattern - Send email after new membership
- Grouper rules pattern - Send email due to disabled date
- Grouper rules pattern - Send email due to permissions disabled date
- Grouper rules pattern - Send email membership add due to folder
- Grouper rules pattern - Send email when group member invalid due to folder
- Grouper rules pattern - Veto if new membership is not a group
- Grouper rules pattern - Veto if not eligible due to folder
- Grouper rules pattern - Veto if not eligible due to group
- Grouper rules pattern - Veto if too many members
- Grouper rules pattern - Veto in folder if not eligible due to group
- Grouper rules pattern - Veto permission if not eligible due to group
- Attribute based access control (ABAC) with scripted groups
- Grouper entity data fields for ABAC
- Grouper book - Key questions to consider
- v4 Release Notes
- Grouper daemon "other job" GSH script to assign group privs to groups with naming convention
- Grouper custom template via GSH - V2
- Grouper custom template via GSH testing the Grouper health
- GrouperShell (gsh)
- Penn email list provisioner
Grouper-User emails (none)
- Slack, not email, is recommended for Grouper support
Next Grouper Call: Wed Feb 14, 2024