When upgrading from Grouper v2.5 to another v2.5 container, this wiki will consolidate all the steps needed to perform that upgrade
Note, these are in reverse order, so go from bottom to top
Date | Upgrading from version | Upgrading to Version | Note for version | Importance | Step needed if... | Description | Jira |
---|---|---|---|---|---|---|---|
2023/11/04 | v2.5.0-v2.5.68 | ALL | 2.5.69 | Not important | If you were affected by the authentication bypass vulnerability and installed the remediation | ||
2021/09/02 | ALL | ALL | 2.5.55 | Medium important | You use Grouper | Go to the daemon screen after upgrade and click "More actions → Schedule jobs" | |
2021/09/01 | ALL | ALL | 2.5.55 | Not important | You want to prevent deletion of attribute names through the UI | New optional UI property uiV2.attributeDefName.preventDeleteInUi can be set to true, so that if an admin accidentally tries to delete an attribute name, it will show an error instead of deleting all the assignments and the attribute name. Either WS or GSH can still be used to delete and attribute name | GRP-2852 |
2021/09/01 | ALL | ALL | 2.5.55 | Not Important | You have a custom UI depending on the Lite UI JSP templates or other Struts v1 | Until 2.5.55, custom JSP tag definitions were packaged with the Docker container, while the Java libraries they depended on were not, thus causing startup errors. In GRP-3346 these *.tld files were moved to the legacy directory (folder grouper-misc/grouper-legacy-ui in the source repository). If you have a custom image incorporating the Admin UI jsp pages, you may need to update jsp templates, and include new files in your image (download from Github or your local Git copy):
| GRP-3346 |
2021/07/28 | ALL | ALL | 2.5.53 | Not important | You get an error viewing grouper loader list of groups loader config | Run this from GSH edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType() | |
2021/05/27 | ALL | ALL | 2.5.52 | Important | You use Grouper | There is a new status URL outside of the normal /grouper or /grouper-ws path. If you do not need this, you should disable it. If nothing specified, there is a new status path: /status_grouper/status If you don't want this, set: -e GROUPER_APACHE_STATUS_PATH=none If you want it something different, do this: -e GROUPER_APACHE_STATUS_PATH=/status2_grouper/status | |
2021/05/27 | v2.5.* | ALL | 2.5.52 | Important | If you use Grouper | DDL updates | |
2021/05/26 | v2.5.51- | v2.5.52+ | 2.5.52 | Not important | If you use the Grouper feature "Custom UI" | You need to convert the configuration to config files from attributes (contact Chris for specifics) | |
2021/05/26 | v2.5.* | ALL | 2.5.52 | Not important | If you are using the new provisioning framework | There have been changes to the way indirect provisionable data is stored. Run the following using GSH to clean up old assignments: edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningService.deleteInvalidIndirectProvisioningAssignments() | |
2021/05/16 | ALL | ALL | 2.5.52 | Not important | If you have a servlet or filter mapped to other URLs than are built in to Grouper (not common) | Register extra CSRF urls (dynamic content) in grouper-ui.properties | |
2021/04/28 | ALL | ALL | 2.5.49 | Not important | If you have change log consumers or message producers that expect "type" attributes (e.g. policy) to be applied when group is created (and not a minute afterwards) | The inherited metadata for grouper types, attestation, provisioning, and deprovisioning are now handled in daemons which do full syncs (daily) and each minute an incremental sync. So after a group is created, it takes a minute for "policy" to be inherited from an ancestor folder for example. | GRP-3385 |
2021/04/28 | ALL | ALL | 2.5.49 | Important | You want special characters in object extensions besides underscore and dash and do not have a regex configured | Grouper now ( by default if not other extension regex validation specified ) restricts creating new objects with special chars (besides underscore and dash) | |
2021/04/26 | ALL | ALL | 2.5.49 | Medium important | You want to allow objects with same name and different case | Grouper now ( by default ) restricts creating new objects with same name and different case (e.g. "ref:test" and "ref:Test") To restore previous default set these settings in grouper.properties to false: grouperHook.StemUniqueNameCaseInsensitiveHook.autoRegister = false grouperHook.GroupUniqueNameCaseInsensitiveHook.autoRegister = false grouperHook.AttributeDefUniqueNameCaseInsensitiveHook.autoRegister = false grouperHook.AttributeDefNameUniqueNameCaseInsensitiveHook.autoRegister = false | |
2021/03/30 | ALL | ALL | 2.5.49 | Not important | If you use container STDOUT logging (not to host files, not overridden log4j.properties) | Review this commit to see if you want to resurrect any log4j.properties settings that were removed | |
2021/03/27 | ALL | ALL | 2.5.47 | Not important | If you use Grouper | Refactor grouper.properties email settings. See Jira for details | |
2021/03/17 | ALL | v2.5.44 | 2.5.45 | Not important | If you configured a GSH template in 2.5.44 | Pull up the template in the editor wizard, and make sure there are no invalid entries. Save. Pull up a random folder and group in UI and make sure they display. | |
2021/03/07 | ALL | v2.5.* | 2.5.45 | Not important | If you use Grouper | MySQL and Postgres database drivers were updated. If it is not working, then you need to delete the driver in a container hook script and overlay the previous version in the lib dir | |
2021/02/22 | ALL | ALL | 2.5.43 | Important | If you have an LDAP external system which uses TLS | The TLS flag in LDAP external systems now defaults to false instead of true. If you don't have this set and you are using TLS, set it to true. You can setup a test filter in the external system and test it from the UI. If you have this as "false" explicitly, you can remove that config since the new default is false. | |
2021/02/19 | ALL | v2.5.* | 2.5.43 | Not important | If you have any GSH or SQL script daemons | Add in grouper-loader.properties for each GSH/SQL other job daemon specifying if it is a script or a file, e.g. | |
2021/02/01 | ALL | v2.5.* | 2.5.41 | Medium important | If you use SSL in your container with apache | After upgrading make sure SSL is working and make sure the container file /etc/httpd/conf.d/ssl-enabled.conf is ok Review the 2.5.41 new env vars for container | |
2021/1/27 | All | v2.5.* | 2.5.40 | Important | If you use Grouper | If you were using SELF_SIGNED_CERT=true, change to GROUPER_SELF_SIGNED_CERT=true Look at the output when the container starts and see if there is an error and if so adjust the env vars you pass to the container | |
2021/1/27 | All | v2.5.* | 2.5.40 | Important | If you use Grouper | DDL updates | |
2020/12/07 | All | v2.5.* | 2.5.38 | Important | If you use Grouper | DDL updates | |
2020/10/20 | All | v2.5+ | 2.5.36 | Not important | If you want to make sure inherited privs get converted correctly | Either run the Upgrade Task daemon or let it run, then query for inherited privilege rules that arent owned by GrouperSystem, there should be none. Use the application template, after that still should be none. | |
2020/10/20 | ALL | v2.5.* | 2.5.36 | Medium important | If your IdP timeout is not 10 hours | The default tomee session timeout is now 10 hours instead of 30 minutes in the UI. And 1 minute instead of 30 minutes in the WS. Change this default in your UI to your IdP SSO length with container env var: GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES | |
2020/10/20 | All | v2.5.* | 2.5.36 | Important | If you use Grouper | Look at the startup logs for the container to make sure there are no errors, and make sure file customizations still work | |
Date | Upgrading from version | Upgrading to Version | Note for version | Importance | Step needed if... | Description | Jira |
2020/09/16 | v2.4+ | v2.5.39 (included in .40+) | 2.5.35 | Important | If you have configuration in the database | You will not see history for existing DB configs until you run the SQL in your DB, see jira. | |
2020/07/21 | All | v2.5.* | 2.5.33 | Important | If you use Grouper | DDL updates | |
2020/07/21 | v2.5.25+ | v2.5.* | 2.5.33 | Probably not important | If you have a recent membership group configured | After upgrade, run the "Upgrade Tasks" daemon, or wait an hour. If you have used "recent memberships" you will see the attributes moved from the source group to the target group. | |
2020/07/21 | All | v2.5.* | 2.5.33 | Important | If you use LDAP and are interested in pool validation | This defaults to validate connections periodically instead of on checkout for performance reasons. See Jira for details. The default is now to check pool every 30 minutes, you probably want to set something lower. | |
2020/07/21 | v2.5.* | v2.5.* | 2.5.33 | Not important | If you are expecting apache indexes to be on (previous default) | Set the container env var to get previous behavior: GROUPER_APACHE_DIRECTORY_INDEXES=true | |
2020/07/21 | All | v2.5.* | 2.5.33 | Might be important | If you are putting configs in the DB and want to import externalized text config to DB: grouper.text.en.us.properties | Import that file to the DB and remove from container overlay or mount | |
2020/07/21 | All | v2.5.* | 2.5.33 | Important | If you overlay the server.xml and not use ENV vars to configure | You need to make sure the ajp connector will work: secretRequired="false" address="0.0.0.0" allowedRequestAttributesPattern=".*" | |
2020/07/21 | v2.5.25+ | v2.5.* | 2.5.33 | Important | If your loader query or group_loader query in the group: etc:attribute:recentMemberships:grouperRecentMembershipsLoader is not a simple select from a view | Delete that group, restart grouper (any service), see the group recreated with the correct query. Make sure it is scheduled and run the loader job once. | |
2020/07/21 | All | All | 2.5.33 | Might be important | Basic auth passwords (e.g. WS) cannot contain colons | Change those passes, or look at this Jira to support colons in passes (and not usernames) GRP-3163 | |
2020/05/13 | v2.5.* | v2.5.* | 2.5.29 | Not important | If you care about the log prefix of logs or need to revert to old behavior | -e GROUPER_LOG_PREFIX=grouper Log prefix. By default it is "grouper-ui' for ui-only container. grouper-ws for ws-only. grouper-scim for scim-only. grouper-daemon for daemon-only. Or "grouper" if not set to something else. | |
2020/05/13 | v2.5.* | v2.5.* | 2.5.29 | Not important | If you use any of these env vars in your Dockerfile or container: RUN_APACHE, RUN_SHIB_SP, RUN_TOMEE, RUN_HSQLDB, SELF_SIGNED_CERT | Add prefix GROUPER_ to them | GRP-2776 |
2020/05/13 | v2.5.* | v2.5.* | 2.5.29 | Important | If you are overlaying or replacing text in files that can use new env vars, use those | Review v2.5.28 changes on container documentation page . | NA |
Date | Upgrading from version | Upgrading to Version | Note for version | Importance | Step needed if... | Description | Jira |
2020/05/05 | v2.5.* | v2.5.35 | v2.5.27 | Important | If you overlay the grouper.xml or grouper-www.conf, and not from the shell hook method | You should patch these files correctly from the shell script hook | |
2020/05/05 | All | v2.5.* | v2.5.27 | Important | If you use GSH scripts | If you have cron'ed GSH scripts or run GSH script manually, the error handling changed, which might affect how these complete. See Jira | GRP-2732 |
2020/05/05 | All | v2.5.* | v2.5.27 | Not important | If you have usdu or badMembership in your grouper-loader.properties config | Some jobs were split out to have single purpose daemons, see Jira for details | |
2020/05/05 | All | v2.5.* | v2.5.27 | Not important | If you use WS or UI diagnostics URL (/status) and do not want group names in diagnostics output | You can report an abbreviated list for diagnostics if you like | |
2020/05/05 | v2.4+ (container) | v2.5.* | v2.5.27 | Important | If you use /opt/grouper/lib directory in container | We used to copy this directory to /opt/grouper/grouperWebapp/WEB-INF/lib, but no longer. Mount or copy to the right place. See Jira for details. | |
2020/05/05 | v2.5.25+ | v2.5.* | v2.5.27 | Not important | If you dont want a temporary diagnostics error | You might want to run the recent memberships loader job manually after upgrading so you don't get diagnostics errors of a daemon that hasn't run | |
2020/04/21 | All | v2.5.* | v2.5.23 | Probably not important | If you have dbUrl in subject.properties | Database connections in grouper are configured in grouper-loader.properties, move it there. See Jira for details | |
2020/04/21 | All | v2.5.* | v2.5.23 | Probably not important | If you use vt-ldap | If you know that you use the vt-ldap interface, or if you search your configs for "vt", follow the instructions in the Jira. Only ldaptive is supported now. | |
2020/04/21 | All | v2.5.* | v2.5.23 | Important | If you have morph string secret configured in external file from morphString.properties encrypt.key = /some/path/morph.secret | Carefully inspect your morphString.properties and see if there is a newline in your secret file path: /some/path/morph.secret If so, then set this in morphString.properties encrypt.trimWhitespaceFromMorphSecretFile = false | |
2020/04/21 | All | v2.5.* | v2.5.23 | Not important | If you configured the workflow schedule | Search for "workfow" in grouper-loader.properties, change to "workflow" | |
2020/04/21 | All | v2.5.* | v2.5.23 | Not important | If you use grouper jars outside of container | You can remove base properties files in classpath | |
2020/04/08 | v2.4 | v2.5.* | v2.5.22 | Upgrade instructions from v2.4 to v2.5 |