
Draft Minutes Grouper Call 9-Oct-2013

Attending

Tom Barton, U. Chicago (Chair)
Jim Fox, U. Washington
Bill Thompson, Unicon
Chris Hyzer, U. Penn
Shilen Patel, Duke
Steve Olshansky, Internet2
Emily Eisbruch, Internet2, scribe

New Action Items

[AI] (DaveL) look at GRP 914 and provide an opinion

[AI] (Chris) will talk with the appropriate lists about CSRFGuard project

[AI] (Chris) will merge the 2.1 branch and inform the core group when done

Carry Over Action Items

[AI] (Jim) propose a session on "Scaling the Grouper API" at Advance CAMP (will do in Nov.)

[AI] (Chris) do additional follow-up on the U. Penn Grouper security Analysis, including going through the automated penetration test report.

[AI] (Andrew) let us know what emerges from the Apereo security notification process work.

[AI] (Shilen) email the Grouper-users lists to ask who is using the Legacy attributes and ask how they are using them

DISCUSSION

GRP 914 https://bugs.internet2.edu/jira/browse/GRP-914
-PSP improperly handles membership delete from changelog when a group is deleted

[AI] (DaveL) look at GRP 914 and provide an opinion

Grouper V2.2 and Legacy Attribute Migration (Shilen)

Shilen has been making progress on legacy attribute migration. Has made API changes and DDL changes to handle the tables being eliminated in V2.2. Currently doing the hook tests (such as include/exclude and require group).

There was discussion on our last Grouper-dev call about using config files versus database space for mapping. Shilen reported that the plan is to use the attributes for the association between group types and custom fields. Shilen is already implementing this and it's working out well.

The import export issue for the legacy attribute migration is to be decided later on. Then will look at migration process.
 
Chris needs to merge the 2.1 branch before Shilen commits the Attribute Migration Work.
[AI] (Chris) will merge the 2.1 branch and inform the core group when done

New Grouper UI (Chris)

Chris is working on "recently used" aspect of the new Grouper UI.
A user will be able to see recently used groups, members, etc.
Favorites (favorite stems, favorite groups, etc.) will also be available on the new Grouper UI.
This information is stored as attributes on a membership on a UI users group. https://spaces.internet2.edu/display/Grouper/Grouper+UI+favorites+and+preferences+user+data

Chris has started working on the tree object. https://grouperdemo.internet2.edu/grouper_v2_2/grouperUi

GitHub

The group discussed possible advantages of GitHub.
Decision was to stick with SVN for now, since the current approach is not broken and the transition could require time and effort better devoted elsewhere right now.

CSRFGuard Protect

https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project

Chris suggested and the group agreed that Grouper should implement the CSRFGuard approach to prevent Cross Site Request Forgery.

Chris has worked on using CSRFGuard with a Grouper installation.
Chris has ideas of features to contribute back to the CSRFGuard project.

One issue is that CSRFGuard does not support every browser. For example, it does not support IE8. Decision was to move ahead despite this.

Hope to have CSRFGuard packaged with Grouper V2.2

[AI] (Chris) will talk with the appropriate lists about CSRFGuard project

In other security-related items,
Chris has a long report from the automated penetration test and plans to go through it.

Complex Groups

https://lists.internet2.edu/sympa/arc/grouper-users/2013-09/msg00003.html

There was a thread on the Grouper-Users list in Sept. 2013 about composite groups and possible ways to limit visibility to some groups. Chris noted that one potential approach to complex groups is the include/exclude and require group features as explained here: https://spaces.internet2.edu/display/Grouper/Include+exclude+and+require+groups

It was noted that making some groups hidden or not visible to certain users may at times lead to confusion among users.

Next Grouper-dev call: Wed. Oct. 23 at noon ET
