Grouper Call 30-May-2018
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redmond, UNC
- Carey Black, The Ohio State University
- Vivek Sachdiva, independent
- Emily Eisbruch, Internet2
Action Items: Grouper Project Action Items (Google Doc)
New action items
[AI] (Chad) will check to be sure new UI can use external path
The upcoming Grouper 2.4 release
- working on installer and config files
- Update the gsh.sh file (copy old to tmp dir or wherever installer copies old files)
- Jar file name changed for hsqldb
- Use a wildcard for version. This could be in the readme file.
- Don’t get rid of override, use base files
OSU uses a script to send email; Carey may capture this in a JIRA (gsh has STDOUT that is not helpful for cron jobs that send email from the STDOUT of processes, GRP-1815)
- Attribute def name screen is done
- Working on role inheritance
- Perhaps as you type in, the role will start showing up
- Duke and U Penn have some cases with three hundred or more attribute names.
- May need to revisit this screen for such a use case
- Chris and Vivek will chat soon to focus on these features
- Vivek is waiting on a few items re deprovisioning, such as attribute definition names.
- has changed API but has not tested yet. Goal is to make a call for folders, names, attribute definitions, etc.
- Chris will complete some tasks around deprovisioning
- A future enhancement is to add deprovisioning reason text area. Vivek will comment out now.
- Vivek will set up message re “This User Already Deprovisioned”
- Perhaps separate Deprovision button from Remove Access Button, so there will be 2 buttons.
- Checkbox only if NOT in group. “Remove access” for all users
- Now the deprovisioning is top priority
- Vivek will work on Roles Inheritance after the 2.4 release.
- was migrating LITE UI to legacy folder https://spaces.internet2.edu/x/X4b
- Mostly refactored. But stuck on External Users Interface. There are some hard-coded URL patterns. Determining what groups you need to be in.
- Chad and Chris will talk about this offline.
- Hope to get this removal of LITE UI complete for Grouper 2.4 release
- Chad working on content type for web services.
- There was an old ticket.
- Only accepted text/x-json. Now will accept an array of types, either text/x-json or application/json. Output will default to application/json but can be configured in ws.properties.
- This work is in the Grouper 2.4 branch
- Getting a warning with xstream in web services
- Chad will look into this.
- [AI] (Chad) will check to be sure new UI can use external path
Grouper Release Steps:
Be sure to track when a step is accomplished
Global Summit 2018 in San Diego
- Grouper tutorial on Sunday and Grouper BOF and session on deprovisioning went well
Splunk issue on the email list on May 26, 2018. With the Grouper system, what are people dumping to their security information and event management (SIEM) system?
Splunk is an aggregate “dumping ground” for data.
At UNC: some experience with this.
Sending Audit Table view to SIEM can be helpful.
There was a Grouper event log. Have gotten away from the event log, but there are other logs such as the Grouper web service log.
Chad thinking about sending
Issues of what has access to what and when did that change?
Grouper memberships and access policies.
Grouper Deployment Guide is structured by folders but could use attributes instead.
For example, to have a change log to look for policy changes and create a log.
Create a SIEMed attribute. Then look at what was created and decide if it needs to go to SIEM.
Highest level composite of folder trees. Also include lowest level non composites to see why someone was added or removed from a group. Perhaps don’t need so much data from “the middle”.
Also include internal group info.
Possible approach: Create a large file and have Splunk ingest that file.
This will be a good contrib. Or a good UnConference topic.
TIER API call today at 3pm ET - talking about Lafayette’s provisioning engine.
It has Python in it and this could be an issue.
Chad will hope to listen in to the 3pm call.
Message bus requirement could be an issue for OSU. Wish change log consumer was a stream. Not sure about the delay. Perhaps some change log consumers can process the temp change log, such as for immediate memberships. Flattened changes and point in time.
Chad: best if there’s more segregation in the input to handle groups and attributes I DON’T want.
Chris: can do this with Grouper messaging. Maybe Grouper messaging is better than change log consumer.
Chris: one approach is to use logic to do needed operations and hook that up as a change log consumer to provide a notification. Keep things in Java.
Let’s discuss this more in future.
Gettes: full sync issue.
Next Grouper Call: Wed June 13, 2018