Notes: Grouper Call of Wed. 18-Nov-2015

Attending:

Chris Hyzer, Penn, Chair

Jim Fox, U. Washington

Marwan Shaher & Pregash Devasagayam (UC Boulder)

Misagh Moayyed, Unicon

Shilen Patel, Duke

Bert Bee-Lindgren, Georgia Tech

John Gasper, Unicon

Emily Eisbruch, Internet2


Action Items from Nov. 18, 2015 call 

[AI] (Jim) investigate how many messages Azure can handle

[AI] (Shilen or Chris) need to refactor hibernate customizations so they can be built/deployed in grouper namespace.

[AI] (Chris) add to agenda for next call: renaming packages of external jars in client (and installer?)

[AI] (Jim) Draft a more detailed process for security concern handling

Action Items from Nov 4, 2015 call 

  • Chris to handle wiki updates

  • Bert to follow up on bulk sync email.   


Discussion

Current work tasks

Duo changelog consumer, messaging changelog consumer - Chris

1. https://spaces.internet2.edu/display/Grouper/Grouper+messaging+built+in

2. https://spaces.internet2.edu/display/Grouper/Grouper+Duo+integration

Use case: Use Duo’s authorization abilities (Group(s?) associated with an integration)

Chris will be implementing this Duo feature at Penn

Will run the full daemon every hour or so

Q: is this for authorization in Duo?

A: yes, for SSH, VPN etc.

===============

Messaging work  - Chris

Chris is working on this and it's coming along.

Hope to be sending messaging out of the changelog

Permissions for topics and queues,

Can link them together

Pull a set of messages and tell messaging system to mark as done

there is a timeout feature

Basically one table in Grouper to manage this

This is a simple implementation

For a more robust setup: turn on ActiveMQ

May have involved a DDL change? not sure


Grouper Loader - Shilen

Quartz API change

DDL is working for hsqldb (starting with that)

DDL Utils issue is solved

Next: on startup see if there are jobs that must be removed (changelog or group sync or LDAP jobs etc)

Then Shilen will commit this work and check on other databases

Be sure DDL Utils is adding schema effectively


PSPNG - Bert

Structured changelog consumer prototype provisioner

Processes changelog entries in three phases:

Start batch does the pre-work

then individual entries churn through

then end batch (when all the changes get implemented)

If this pattern is followed, changes are processed very quickly

Bert did this for AD first

entitlement based provisioning 

then other object classes out of AD

Focusing on membership provisioning right now, attributes coming after memberships

For Azure: how many messages at once?

Jim not sure, will find out

[AI] (Jim) investigate how many messages Azure can handle

SQS: only ten at a time

Two use cases:

- users with dozens of entitlements

- adding a new group where there are dozens of members going into the same group

Jim: Amazon increased size of messages that can be sent

You may want to also look into:

https://wiki.evolveum.com/display/midPoint/Architecture+and+Design#ArchitectureandDesign-ProvisioningSubsystem 
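As an added illustration of the start-batch / per-entry / end-batch pattern and the two use cases above (not PSPNG's or Grouper's code): changelog membership changes are coalesced per group during the batch, and the resulting messages are split into sends no larger than the queue's limit (ten at a time for SQS, per the notes). The changelog record shape, the group names and the subject ids are constructed assumptions.

```python
from collections import defaultdict

SQS_MAX_BATCH = 10  # per the call notes: SQS takes only ten messages at a time


class BatchedProvisioner:
    """Start-batch / per-entry / end-batch pattern (added example, not PSPNG code)."""

    def __init__(self, max_batch=SQS_MAX_BATCH):
        self.max_batch = max_batch
        self.pending = None

    def start_batch(self):
        # pre-work: one accumulator per target group, so dozens of adds to the
        # same group, or dozens of entitlements for one user, coalesce here
        self.pending = defaultdict(lambda: {"add": set(), "remove": set()})

    def process_entry(self, entry):
        # entry is a constructed changelog record: (action, group, subject)
        action, group, subject = entry
        if action not in ("add", "remove"):
            raise ValueError(f"unknown action {action!r}")
        other = "remove" if action == "add" else "add"
        self.pending[group][other].discard(subject)  # the later action wins
        self.pending[group][action].add(subject)

    def end_batch(self):
        # one message per (group, action) carrying the netted subject list,
        # then split the message list into sends the queue will accept
        messages = []
        for group in sorted(self.pending):
            for action in ("add", "remove"):
                subjects = sorted(self.pending[group][action])
                if subjects:
                    messages.append({"group": group, "action": action, "subjects": subjects})
        self.pending = None
        return [messages[i:i + self.max_batch] for i in range(0, len(messages), self.max_batch)]


def provision(entries, max_batch=SQS_MAX_BATCH):
    # run one full batch over a list of changelog entries; returns the sends
    p = BatchedProvisioner(max_batch)
    p.start_batch()
    for e in entries:
        p.process_entry(e)
    return p.end_batch()


if __name__ == "__main__":
    # constructed changelog: 12 users added to one new group plus churn on another
    sample = [("add", "app:newgroup", f"user{i}") for i in range(12)]
    sample += [("add", "app:vpn", "alice"), ("remove", "app:vpn", "alice"), ("add", "app:vpn", "bob")]
    for batch in provision(sample):
        print(batch)
```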


Building and packaging - Misagh

https://spaces.internet2.edu/pages/viewpage.action?pageId=87755940

Can build with Gradle effectively

Several modules now build

now working on the Grouper web app and Grouper UI

to build a war that is functional via Gradle

Regarding the jar issue, Misagh has removed every jar from the repo, except two

all but 2 being removed from Maven repositories

Hibernate jar uploaded to sonatype in our namespace?

grouper ui and ws need to make a warfile?

what is required to add a module?

 

  • build.gradle for local

    • all dependencies required for building

  • grouper parent settings.gradle file to add it in there

 

Gradle branch in internet2

There is Gradle branch on github

some checking to do on modules not in maven - what should be their fate?

[AI] (Shilen or Chris) need to refactor hibernate customizations so they can be built/deployed in grouper namespace.

War file build process:

-Misagh: Theoretically, provide just a war file

-Chris: What about config files/jsps/etc?

-Bert: What about keeping config files outside of war? Chris wrote email Nov 12 “Grouper Newbie Question”

--Deployment could unzip packaged war, merge external configs, repackage


External Jars/Bits (eg, cas, duo, etc libs):

 

-Part of grouper tarball, or could be packaged into war file (in WEB-INF/xyz)


1. https://spaces.internet2.edu/pages/viewpage.action?pageId=87755940

  • Vivek: WS


Issue roundup

  • Non standard jars

  • Tomcat 7/8 patch

  • Grouper newbie questions

  • LDAP loader addIncludeExclude on SIMPLE job

  • Question about JVMs and keeping config files in sync

Grouper in Multiple Environments: Use ant to make changes to default files

Common newbie problem

  • Security XSS concern

 

Email came in yesterday. Chris created a patch, Vivek sanity checked it

 

Instead of selective announcement, decided to send announcement to grouper-users so everyone had an equal chance of addressing problem. Particularly appropriate because the word is out once there is a github commit.


Problem had some mitigations (users needed to have permission to add attributes to groups)

 

There aren’t often security concerns within Grouper.


Perhaps learn from Shibboleth process, so we don’t have to be creative each time

-[AI] (Jim) Start drafting a more detailed process for security concern handling 

  • Security form on confluence removed (submit to grouper-core?)

  • grouper_aval_asn_efmship_v view

  • convertAdMemberDnToSpecificValue pull request (AI chris to merge back)

  • grouper and mailing list discussion

Let list server keep track of opt-outs (mailman, others?)

  • pull request merging and formatting (use standard, only change code you need to change)

  • loader performance woes [Dozen groups took ~18 minutes] (AI add logging strategy to next dev call)

Would better logging help?

  • sync grouper with duo

  • selective provisioning to ldap with attribute (AI for Bert to followup)

Else

-renaming packages of external jars in client (and installer?): [AI: Chris to put on agenda for Next Call]
