
Minutes: Grouper Call 8-June-2011

Attendees

Tom Barton, University of Chicago (chair)
Gary Brown, Bristol   
Chris Hyzer, University of Pennsylvania
Shilen Patel, Duke   
Jim Fox, University of Washington  
Lynn Garrison, Penn State
Ann West, Internet2
Steve Olshansky, Internet2  
Emily Eisbruch, Internet2 (scribe)  

New Action Items

[AI] (Shilen) will talk with uPortal folks about Grouper uPortal integration, and will keep Jean Marie in the loop.

[AI] (Chris) will investigate putting the OpenConext Teams UI on the Grouper demo site.

[AI] After the allow / deny work is committed, (Shilen) will look at the effect on point in time

[AI] (Shilen) will update Jira 338 regarding move/copy attributes  

[AI] (Gary) will address the Admin UI privilege issue (JIRA 608) if his time allows

Carry Over Action Items

[AI] (Everyone) provide information on the Grouper 2.0 highlights wiki page. https://spaces.internet2.edu/display/Grouper/Grouper+highlights+2.0

[AI] (Everyone) review JIRA issues in preparation for Grouper 2.0
<https://bugs.internet2.edu/jira/browse/GRP#selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel>

[AI] (Chris) will implement member search and sort in the Lite UI  

[AI] (Chris) will put attribute framework UI work on demo site

[AI] (Rob) will follow up with Danno on obtaining the server for the Continuous Integration Environment.

[AI] (TomZ and Chris) will discuss/work on LDAP Grouper Loader for importing groups. JIRA 442

[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List.

Reminder:   Agendize Grouper UI strategy

*** Grouper 2.0 Release: Code freeze on Friday, July 8 ****

DISCUSSION

Grouper Survey

    • Survey is being planned to gather information on the Grouper user base.
    • The Grouper survey will be sent to the Middleware-Announce list, the Grouper-user list (it has 217 subscribers) and other lists.
    • A link to the survey will be posted on the Grouper website
    • SteveO is looking at data on who has downloaded Grouper code, to be sure these institutions are invited to complete the survey. (Many, but possibly not all, will be on the Grouper-users list)
    • Discovering who downloaded the Grouper code involves searching through logs.
    • SteveO is planning to look at logs back to the Grouper 1.5 release
    • A single institution could be running Grouper on behalf of many sites / institutions, so the survey will ask about that
    • Question related to discovering who uses Grouper: should there be a "phone home" in Grouper 2.0? iRODS does this. Shibboleth does not. Risk of negative reaction.

Grouper-uPortal Project

    • Shilen is the Grouper project's point person for the integration with uPortal.
    • Interested institutions include ESUP Portail, U Geneva, and U-W Madison
    • The integration is partly done, but there may be more items to complete. Shilen will talk with Jen and Eric.
    • TomB noted that Jean Marie Thia's group is now doing some work with the ESUP Portail group.

    • [AI] (Shilen) will talk with uPortal folks about Grouper uPortal integration, and will keep Jean Marie in the loop.

OpenConext & Self-serve group management UI

    • The SURFnet OpenConext project is being rolled out now.
    • OpenConext uses Grouper for access management, as described in the section on "Teams" here: https://wiki.surfnetlabs.nl/display/OpenConext/Features
    • To review the Teams UI, see https://wiki.surfnetlabs.nl/display/conextsupport/SURFteams
    • Chris will determine if the OpenConext Teams UI can be added to the Grouper demo site.

[AI] (Chris) will investigate putting the OpenConext Teams UI on the Grouper demo site.

Permissions Data Model and Inheritance Algorithm

https://spaces.internet2.edu/display/Grouper/Grouper+permissions+allow+and+deny2

    • Chris got endorsement at ACAMP from key interested parties about the proposed allow / deny algorithm
    • It was realized that the data model is good and the "deny" is more of an "inheritance filter" than a "deny"
    • "Deny" will be called "disallow"
    • There will be a UI that explains WHY things happen, what are the factors for inherited assignments
    • Chris is thinking about how the allow/disallow will impact point in time
    • Possible that the flattened notifications could get more complicated.
    • When something happens, more than just a SQL query will be needed. Some Java code may be needed.

[AI] After the allow / deny work is committed, (Shilen) will look at the effect on point in time

Move/Copy & Attributes

    • There was an email thread about how new attributes are impacted by move and copy.
    • For a move, things work fine, but we need to make a few changes to the way copy is handled.

    • Chris noted that rules can be based on an object ID or an object name.
    • At some point (could be after Grouper 2.0 release?) we should look at rules and what happens to them with a move or copy
    • Would you want a rule to continue to work for a copy?
    • Chris: if copying a folder to another folder, you'd want to copy the attribute definitions and names.... but if there's a group, would you want to copy the attribute assignments and definitions?  Most likely yes.
    • Filtering rule assignments would seem to make sense.
    • We should write down use cases and document the pros and cons of different approaches.

[AI] (Shilen) will update Jira 338 regarding move/copy attributes https://bugs.internet2.edu/jira/browse/GRP-338

Privilege Inheritance in the Admin UI (i.e., Grouper's privs)

    • Gary noted a UI issue with the way the naming interfaces work
    • If privileges are derived from several different places, methods returning those privileges in the API only return one instance of the privileges
    • This leads to difficulty managing the assignment or removal of privileges
    • Possible solution: add new methods in APIs to return a collection of all privileges by all paths from which they originate, similar to what happens in membership API now.
    • Q: TomB: Should we have Grouper's privileges be managed by Grouper's permission objects?
    • A: Chris: if we were to start over, yes that would make sense
    • Chris noted that in the Grouper 2.0 UI, there will be a workaround for the issue Gary raises.
    • Gary will look at fixing this issue.

[AI] (Gary) will address the Admin UI privilege issue (JIRA 608) if his time allows

User Audit Use Case

There was a question on the Grouper-Users list pertaining to audit of indirect memberships. https://lists.internet2.edu/sympa/arc/grouper-users/2011-05/msg00054.html

    • Helpdesk receives inquiry about how an indirect member gained or lost a privilege
    • Chris noted that when point in time auditing is implemented (in Grouper 2.0) this will be solved.
    • It will work like this: Point in time record has a context ID. The context ID will point to the user audit. User audit has complete info.
    • Issue: sites will not want the user audit table to grow forever
    • Best approach will NOT be to delete everything before a certain date
    • Better idea is to retain the most recent activity for any member, no matter how far back

    • Q: Jim: Is it possible to do occasional point in time, if you are not interested in having it happen in seconds? Could you work back through user audit? Is all info included?
    • A: Shilen: yes, all membership adds and deletes are in there, all management actions are in the user audit records.
    • Jim may be interested in developing this user audit approach in the future.

Next Grouper-dev call: Wed. 22-June-2011 at noon ET
