...

You can also integrate through LDAP. In the cloud, one option is to integrate through Azure.


Outdated connector

To do a full reconcile on the new 2.2.1+ Grouper Atlassian connector, run this:

...

Note that in the system settings for Jira/Confluence, you can check the checkbox for external user management or external password management. These settings affect more than whether users can update their profile: external user management means you can't edit groups or memberships from the UI anymore...

Modules

There are 4 modules to this connector:

...

external authentication: allows web server plugin authentication

External authenticator

If you use shib or cosign or some other web server plugin for authentication, there are other ways to integrate with Confluence, but this jar has a way too. Just set this in the seraph-config.xml:

...

https://server.school.edu/jira/secure/Dashboard.jspa?backdoorNetId=rwilson

Migrate Jira groups and memberships

The first step, when exporting from the old Jira to the new one, is to look at the group names and search and replace the old names with the new names for any groups you want to rename. For example, if there is a space or an invalid character, you could replace it with a dash or underscore or whatever you want. Then import.

...

Once you are migrated, keep a backup of groupbase and membershipbase, and truncate those tables.

Migrate Confluence groups and memberships

Generate a GSH script for groups

...

Code Block
subject = findSubject("atlassianPenngroups/medley.isc-seo.upenn.edu");
grouperSession = GrouperSession.start(subject);
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "jsmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "asmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "bsmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "csmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:some_other_confluence_group", "asmith");
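The rename step from the Jira migration and the membership script above can be produced together. The following is an added example, not part of the original page or the connector: the function names, the allow-list of characters and the sample rows are assumptions, and the folder name is taken from the script above.

```python
import re

# Folder taken from the sample script on this page.
FOLDER = "test:school:ait:apps:atlassian:groupsConfluence"
# Assumption: conservative allow-list for a group name inside that folder.
INVALID = re.compile(r"[^A-Za-z0-9_.-]")

def rename_map(old_names, replacement="_"):
    """Map each old group name to a cleaned one; refuse silent merges."""
    mapping, seen = {}, {}
    for old in old_names:
        new = INVALID.sub(replacement, old.strip())
        if not new:
            raise ValueError(f"group name {old!r} is empty after cleanup")
        if new in seen and seen[new] != old:
            raise ValueError(f"{old!r} and {seen[new]!r} both map to {new!r}")
        seen[new] = old
        mapping[old] = new
    return mapping

def gsh_string(value):
    """Emit a GSH string literal; refuse characters that could end or alter it."""
    if any(c in '"\\$' or ord(c) < 0x20 for c in value):
        raise ValueError(f"unsafe character in {value!r}")
    return f'"{value}"'

def membership_script(rows, folder=FOLDER):
    """rows: (old_group_name, user_id) pairs exported from the old system."""
    mapping = rename_map(sorted({group for group, _ in rows}))
    lines = []
    for group, user in rows:
        name = f"{folder}:{mapping[group]}"
        lines.append(f"addMember({gsh_string(name)}, {gsh_string(user)});")
    return mapping, lines

# Constructed sample export rows (not real data).
ROWS = [
    ("admin systems financials users", "jsmith"),
    ("admin systems financials users", "asmith"),
    ("some:other/confluence group", "asmith"),
]

if __name__ == "__main__":
    mapping, lines = membership_script(ROWS)
    for old, new in mapping.items():
        print(f"{old!r} -> {new!r}")
    print("\n".join(lines))
```

Two old names that would collapse into one new name stop the run, so two groups with different members are never merged by the cleanup.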


Logging

The connector has excellent logging. Each method logs in DEBUG mode, including whether the result was cached and how long the method call took. Change this in the log4j.properties of Jira/Confluence:

...

Note that in the logs above you see the wrapper providers. If you want to see how Atlassian handles things, configure the Atlassian default connector to be the provider in the grouper.client.properties, and configure the osuser.xml to point to the Grouper wrapper. It will then print to the logs (INFO level) what the Atlassian connector (or other connector) is doing.

Access provider

The Atlassian root folder in Grouper is where the Atlassian groups are sandboxed. I believe you could have descendants in that folder, put a group name in Atlassian with a colon in it, but I haven't tried it. The access provider allows you to add / remove memberships from the Atlassian (e.g. Jira) admin console, or from Grouper. You can create/delete groups in the Atlassian UI also. Note that the WS user that Atlassian uses needs access to all the relevant groups.

Profile provider

This allows user IDs, names, and emails to be retrieved from Grouper. Note that if there is a user in Atlassian that is not resolvable in Grouper, you would need to add it to the grouper.client.properties file as an autoadd user. Note that users cannot be added/edited/deleted from the Atlassian admin console since Grouper does not control that.

Unit tests

Every method of the profile interfaces is unit tested. To get these to work, you need to enter information in the grouper.client.properties (described above). You can run these tests against a real installation and it will not negatively affect anything (you shouldn't do this in prod, though, unless you are careful).

Caching

Atlassian calls methods frequently, so the connector does a lot of caching. The default is to cache for 10 minutes. If a write action is performed in the Atlassian admin console, the caches are cleared. Otherwise it could take 10 minutes (or however long you configure in grouper.client.properties) for Grouper actions to propagate to Atlassian. Note that if you have lots of groups and lots of members, the cache refreshes can take some time (5-20 seconds?). For this reason you could have a long cache timeout and use XMPP notifications for real-time updates.

...

Note that the config above includes a failsafe cache: the result of the last successful call to Grouper is stored until it times out or until another call succeeds. So if Grouper is down and Jira/Confluence is not restarted, it should be fine. Calls to Grouper are batched, so a group query retrieves all groups and memberships.
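To see what the timed cache and the failsafe cache mean for how long a removed membership stays visible, here is a small model of the behaviour described above. It is an added example, not the connector's code: the class, the 600-second and one-day timeouts and the timeline are assumptions, and clearing only the regular cache on a write is a modelling choice.

```python
class FailsafeCache:
    """Model of a timed cache backed by a longer-lived failsafe copy."""

    def __init__(self, fetch, clock, ttl=600, failsafe_ttl=86400):
        self.fetch, self.clock = fetch, clock      # fetch() stands in for the Grouper call
        self.ttl, self.failsafe_ttl = ttl, failsafe_ttl
        self.value = self.fetched_at = None        # regular cache
        self.safe_value = self.safe_at = None      # last successful result

    def clear(self):
        """Admin-console write or change notification: drop the regular cache."""
        self.fetched_at = None

    def get(self):
        now = self.clock()
        if self.fetched_at is not None and now - self.fetched_at < self.ttl:
            return self.value, "cache"
        try:
            result = self.fetch()
        except ConnectionError:
            # Grouper is down: fall back to the last good answer if it is recent enough.
            if self.safe_at is not None and now - self.safe_at < self.failsafe_ttl:
                return self.safe_value, "failsafe"
            raise
        self.value = self.safe_value = result
        self.fetched_at = self.safe_at = now
        return result, "grouper"

def simulate():
    """Constructed timeline: a member is removed in Grouper, then Grouper goes down."""
    state = {"now": 0, "up": True, "members": {"jsmith", "asmith"}}

    def fetch():
        if not state["up"]:
            raise ConnectionError("Grouper unreachable")
        return frozenset(state["members"])

    cache = FailsafeCache(fetch, lambda: state["now"])
    seen = [cache.get()]                   # t=0: fetched from Grouper
    state["members"].discard("asmith")     # removal in Grouper right after
    state["now"] = 300
    seen.append(cache.get())               # within 10 minutes: old set from cache
    state["now"], state["up"] = 700, False
    seen.append(cache.get())               # expired, Grouper down: failsafe copy
    state["up"] = True
    seen.append(cache.get())               # Grouper back: removal becomes visible
    return [(sorted(members), source) for members, source in seen]
```

In this timeline the removed member is still returned at 300 and 700 seconds, which is the window that a shorter timeout or a change notification calling `clear()` is meant to shrink.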

XMPP notifications for real time updates

If you want to set the cache timeout to something long (1 day?), you can enable XMPP notifications from the grouper-loader server to the Jira or Confluence system. When a message comes from Grouper, the grouper.client.properties specifies a number of seconds to buffer the request. The cache clear normally takes place in the background, so users will not notice. There is also a cron-scheduled full refresh that happens in the background, so users do not notice a delay. Here is an example of the grouper.client.properties config (note: you need Grouper client 1.6.4+; if it is not released, you can build it from SVN or ask the Grouper team for a build of it):

...