Grouper Call of July 5, 2023
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdeva, independent
- Shilen Patel, Duke
- Chad Redman, Unicon
- Kellen Murphy, University of Virginia
- Brennan Cox, University of Virginia
- Liam Hoekenga, University of Michigan
- Gail Lift, University of Michigan
- Bert Bee-Lindgren, Georgia Tech
- Carey Black, Purdue
- Chris Hubing, Internet2
- Emily Eisbruch, Independent
Mark your Calendar:
Internet2 TechEx is Sept. 18-22, 2023 in Minneapolis
DISCUSSION
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
Discussion
Base CAMP is Online July 10-14, 2023
- both Chris and Chad will present at both Base CAMP Grouper sessions
New Action Items from this call:
- Chris Hyzer - fix app is timing out situation raised by Chad
- Chris Hyzer - update coding standards around use of names per discussion on july 5th Grouper call https://spaces.at.internet2.edu/display/Grouper/Grouper+developers+coding+standards
- Chris Hyzer - look into permissions around ABAC scripts, making them more fine-grained per UVA use case
Discussion
Release of Grouper 5.2.0.
There are 2 upgrade steps for 5.2.0 (see the v5 upgrade instructions). Changes in this release:
- Add internal id to PIT tables - groups/members/fields
- Don't validate ABAC scripts for now, so the UI edit screen works; validation will be added back later
- Fix breadcrumbs for entity data fields
- Fix issue with ABAC queries where the dictionary internal ids are not right
See the release notes: https://spaces.at.internet2.edu/display/Grouper/v5+Release+Notes
Provisioning framework SCIM2 provisioner at Atlassian cloud
Here is an example of configuring the provisioning framework for Atlassian (including external system), and some advanced features:
- Shows how to use the JEXL script editor in the UI
- Provisions Grouper Local Entities which represent users in Atlassian who are not in your IdP. Not sure we will do that, but nice to know we can
Docs and videos:
https://spaces.at.internet2.edu/display/Grouper/Grouper+SCIM2+Atlassian+cloud+provisioner
https://www.youtube.com/watch?v=WrWiFaA3B8w
https://spaces.at.internet2.edu/display/Grouper/Grouper+Atlassian+cloud+SCIM2+external+system
- Mostly this just worked, which was great
- Can use local entities and assign email addresses and provision
- Chris opened some JIRAs to improve the way local entities are provisioned
- Jexl script tester will be helpful, otherwise you need to know the API
Chris Hyzer updated this page: Grouper ABAC with scripted groups
Rocky Linux plan (Chris Hubing)
- Internet2 approach: Wait and see
- Red Hat's change to how RHEL source code is distributed
- Moved away from CentOS
- Red Hat stopped publishing RHEL sources on git.centos.org
- With containers, you don’t have to care too much what’s under the hood
- Thought Rocky had advantages, but not set in stone
- Supporting ARM, also an improvement in container architecture
- REFERENCE:
- The original Redhat post: https://www.redhat.com/en/blog/furthering-evolution-centos-stream
- A further Redhat explanation: https://www.redhat.com/en/blog/red-hats-commitment-open-source-response-gitcentosorg-changes
- Rocky’s response (including its initial mitigations around Redhat’s move re: its distribution of source code): https://rockylinux.org/news/keeping-open-source-open/
Current Work
Vivek
- Worked on connecting GSH templates w ABAC loader scripts
- https://spaces.at.internet2.edu/display/Grouper/Grouper+custom+template+via+GSH
- Template enables creating the ABAC / JEXL script
- Will not show up in GSH templates dropdown
- Only shows up if a group is marked as ABAC
- Select pattern to get list of available patterns
- Template admin configures
- Will make this customizable and explain what attributes are available
- There will be an analysis screen
- Question:
- Are permissions tied to ability to edit the loader?
- (update on a group)
- Or can they be more fine grained?
- UVA use case: Some users should be able to build loader but not to generate a JEXL script (operations team vs engineering team)
- AI Chris Hyzer: will look into permissions around ABAC scripts, making them more fine-grained per UVA use case
- After the call, Chris Hyzer updated this page: Grouper ABAC with scripted groups
Shilen
- Worked on this: GRP-4799
  - Add internal id to PIT tables - groups/members/fields
  - MySQL install issue, Shilen fixed this
- Will look at data provider for LDAP for ABAC
- Currently set up for SQL
- For LDAP we would ask the user what the LDAP query would be
- What attributes they want
- Attribute could be connected to a data field or could be a packed value
- Might be a scripted option for packed?
Chris
- Design for Grouper dependency caching
- https://spaces.at.internet2.edu/display/Grouper/Grouper+dependency+SQL+caching
- Looking at incremental updates for scripted groups
- Hope to add tables to track dependencies in Grouper
- Table for dependency type and table for dependency
- When someone edits an ABAC script, the logic looks at the dependencies and makes adjustments
- Matt: deal with English names or internal identifiers?
- Subject to renames and move object issues
- Then need to rewrite descriptions
- Maybe scripted groups should not hold English names, but instead the internal identifiers
- Then have UI display that shows English name
- Chris Hyzer: two options: store things as system name OR use an internal ID
- We decided last time we discussed this was to store things as the friendly name, to be helpful when people do export or look at it
- AI Chris will update coding standards around use of names https://spaces.at.internet2.edu/display/Grouper/Grouper+developers+coding+standards
- Example of exporting the config
- Could store things as friendly name and keep track of the friendly name for when we rename things, we do adjustment
- Right now JEXL scripts can break with renames
- Dependency table, and rename logic, is helpful
- Question: owner versus dependent, owner type needs to be clear
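As an added illustration of the design discussed above (not Grouper's own code, and not the Grouper API), the following Python sketch keeps a dependency table keyed by internal id so that a rename of a referenced group can be propagated into the scripts that depend on it, rather than letting those scripts silently break. It assumes a registry of hypothetical internal ids (g-1001 and so on), that scripted groups reference other groups only through `entity.memberOf('<system name>')`, and that the dependency table holds one row per (owner, dependency type, dependency internal id); all sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample registry: internal ids are immutable, system names are not.
GROUPS_BY_ID = {
    "g-1001": "ref:employees",
    "g-1002": "ref:exclusions",
    "g-1003": "app:vpn:users",
}

# Assumption: scripts reference groups only via entity.memberOf('name').
MEMBER_OF_REF = re.compile(r"entity\.memberOf\('([^']+)'\)")


@dataclass
class DependencyTable:
    """Hypothetical dependency table: rows of (owner id, dependency type, dependency internal id)."""
    groups_by_id: dict
    scripts: dict = field(default_factory=dict)  # owner internal id -> script text
    rows: set = field(default_factory=set)       # (owner_id, dep_type, dep_internal_id)

    def _id_for_name(self, name):
        for gid, gname in self.groups_by_id.items():
            if gname == name:
                return gid
        # Validation at save time: an unknown name would otherwise break at run time.
        raise ValueError(f"unknown group referenced in script: {name}")

    def record_script(self, owner_id, script):
        """Parse the script, resolve each referenced name to an internal id, and store the rows.

        Names are resolved before anything is mutated, so a bad script leaves the
        table unchanged.
        """
        new_rows = {(owner_id, "group", self._id_for_name(n)) for n in MEMBER_OF_REF.findall(script)}
        self.rows = {r for r in self.rows if r[0] != owner_id} | new_rows
        self.scripts[owner_id] = script

    def dependents_of(self, dep_id):
        """Owners whose scripts depend on the group with this internal id."""
        return sorted(owner for owner, dep_type, did in self.rows if dep_type == "group" and did == dep_id)

    def rename_group(self, dep_id, new_name):
        """Rename a group and rewrite every dependent script, located by internal id, not by name."""
        old_name = self.groups_by_id[dep_id]
        self.groups_by_id[dep_id] = new_name
        old_ref = re.compile(r"entity\.memberOf\('" + re.escape(old_name) + r"'\)")
        adjusted = []
        for owner in self.dependents_of(dep_id):
            self.scripts[owner] = old_ref.sub(f"entity.memberOf('{new_name}')", self.scripts[owner])
            adjusted.append(owner)
        return adjusted


def demo():
    """Register one scripted group, rename a group it depends on, return the adjusted script."""
    table = DependencyTable(dict(GROUPS_BY_ID))
    table.record_script(
        "g-1003",
        "${ entity.memberOf('ref:employees') && !entity.memberOf('ref:exclusions') }",
    )
    adjusted = table.rename_group("g-1001", "ref:staff")
    return adjusted, table.scripts["g-1003"]


if __name__ == "__main__":
    print(demo())
```

The trade-off the call discussed is visible here: the stored script keeps the friendly system name, which is what an export or a human reader wants to see, while the dependency rows carry the internal id, which is what the rename logic needs to find every affected owner.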
Chris worked on various JIRAs
- Opened Jiras for local entities
- Issue with Grouper 5 now fixed
- Breadcrumbs of data field screens were missing entries, fixed now
- Scripts were validated against group memberships and need better validation; the edit screen couldn't be used, so validation is now disabled and will be added back later
- Request from Harvard that non-sysadmins have some limit, similar to the ABAC use case discussed on this call. Chris added a hook in Grouper properties. See this wiki page: Do not allow non sysadmins to add EveryEntity to groups or privileges
- Upgraded Tomcat , new container setting.
Chad
- Issue around composites
- Doesn’t batch
- AI Chris Hyzer - Fix app is timing out situation raised by Chad
Issue Roundup
Jiras in past two weeks
- GRP-4826: provisioner provisions local entities as groups
- GRP-4825: add a jexl script test for subject cache attribute translation
- GRP-4824: local entity identifier should go in subjectIdentifier1
- GRP-4823: cannot assign entity identifier to local entity in ui
- GRP-4822: fix issue with abac queries where the dictionary internal ids are not right
- GRP-4821: Fix breadcrumbs for entity data fields
- GRP-4820: dont validate abac scripts to UI works, will add back later
- GRP-4819: add built in hook to restrict non sysadmins from adding EveryEntity to group memberships or privileges
- GRP-4818: allow source IP address filtering on tomcat ports
- GRP-4817: sql sync has issues when source and database columns differ by case when using * for columns
- GRP-4816: sql sync should handle multiple source records with same key
- GRP-4815: sql sync should handle null character when going to postgres
- GRP-4814: sql sync does not work with keywords
- GRP-4813: numeric sql sync from oracle to postgres issue
- GRP-4812: allow millis in timestamps for scim
- GRP-4811: revert new tomcat default for max parameter count back to 10k
- GRP-4810: tomcat 8.5.90 does not listen on 0.0.0.0 for ajp
- GRP-4809: Add first and last name to duo start with
- GRP-4808: Set sync values to zero if going negative
- GRP-4807: Add proxyUrl, proxyType for Google
- GRP-4806: documentation for box
- GRP-4805: remove proxy port for box
- GRP-4804: javadoc for v4
- GRP-4803: upgrade tomcat to 8.5.90
- GRP-4802: mysql install fails in v5
- GRP-4801: show membership history in v5 throws stack
- GRP-4800: WS GshTemplateExec returns success even though GshTemplateExecOutput.isSuccess=false
- GRP-4799: Add internal id to pit tables - groups/members/fields
- GRP-4798: error creating stem on fk_grouper_st_v_pr_st
- GRP-4797: full sync timestamp not showing up on screen
Wiki Updates
- Grouper dependency SQL caching
- Grouper Atlassian cloud SCIM2 external system
- Grouper SCIM2 Atlassian cloud provisioner
- v5 Upgrade instructions from v5
- v4 Release Notes
- v4 Upgrade instructions from v4
- Grouper container documentation for v2.5
- v5 Release Notes
- Release steps for new container build
- Generated javadoc and site reports
- Specsheet
- Do not allow non sysadmins to add EveryEntity to groups or privileges
Grouper Users Email List
- [grouper-users] error gsh grouper docker 4.1.7, Mathieu HETRU, 06/13/2023
- Re: [grouper-users] error gsh grouper docker 4.1.7, Mathieu HETRU, 06/13/2023
- [grouper-users] grouper 4.1.7 after cas sso i got ajaxError, Mathieu HETRU, 06/13/2023
- Re: [grouper-users] grouper 4.1.7 after cas sso i got ajaxError, Murphy, Kellen J. (wfx6yz), 06/13/2023
- Re: [grouper-users] grouper 4.1.7 after cas sso i got ajaxError, Mathieu HETRU, 06/13/2023
- Re: [grouper-users] grouper 4.1.7 after cas sso i got ajaxError, Mathieu HETRU, 06/13/2023
- [grouper-users] azure guest user membership, Chris Leung YW, 06/20/2023
As of July 5, 2023, Emily emailed Mathieu Hetru and Chris Leung suggesting the Grouper Slack channel is the best place to get support
Next Grouper Call: Wed. July 19, 2023