...
Date | Upgrading from version | Upgrading to version | Note for version | Importance | Jira | Step needed if... | Description |
---|---|---|---|---|---|---|---|
2024/03/19 | ALL | ALL | 4.12.0 | Not important | | You run Grouper | Tomcat was upgraded. Make sure everything Tomcat-related still works in UI/WS, including logs, SSL, authentication, etc. |
2024/03/10 | ALL | ALL | 4.11.0 | Medium important | | If you use the provisioning framework and have too much memory allocated to your daemon | Try bumping down your daemon memory to 16g (16g in container and 13g heap) and see if you still have memory problems. |
2024/03/03 | ALL | ALL | 4.11.1 | Not important | | You run Grouper and use the daemon screen | Note that the change log temp daemon and composite change log consumer run continuously. |
2024/03/03 | ALL | ALL | 4.11.1 | Not important | | You run Grouper and have any rules | |
2024/02/27 | 4.10.3 | ALL | 4.11.0 | Medium important | | You use self signed certs for tomcat | See Jira and adjust env vars |
2024/02/27 | ALL | ALL | 4.11.0 | Medium important | | If you use Grouper | If your grouper credential cannot do DDL, see the Jira and run the DDL manually. Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added. Look at the job message to confirm that there were no issues adding the DDL. |
2024/01/01 | ALL | ALL | 4.10.2 | Medium important | | If you expect tomcat access logs to be in /tmp (previous default), they are now in /opt/grouper/logs | Set this variable: GROUPER_TOMCAT_LOG_ACCESS_DIRECTORY=/tmp |
2023/12/27 | ALL | ALL | 4.10.0 | Medium important | | If you set this in grouper.properties
| Remove it |
2023/12/27 | ALL | ALL | 4.9.3 | Medium important | | If you patched GSH templates in 4.9.0 or 4.9.1 | Remove the patch |
2023/12/27 | ALL | ALL | 4.10.0 | Medium important | | If you use Grouper | If you have extra indexes on grouper_loader_log, you can remove them. If your DB credential cannot do DDL then add indexes manually from Jira. Otherwise, after the OTHER_JOB_upgradeTasks job runs, the DDL will be added. Look at the job message to confirm that there were no issues adding the DDL. |
2023/11/26 | ALL | ALL | 4.7.0 | Medium important | | If you have a MidPoint provisioner and do not have foreign keys with cascade delete | Either drop the MidPoint tables and use the new DDL, or add cascade delete to the foreign keys on the attribute and membership tables |
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use the zoom provisioner / loader | A 3rd party library was updated for security, test your integration. Note set this
|
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use the OIDC for UI/WS authentication | A 3rd party library was updated for security, test your authentication |
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use the legacy (non provisioning framework) box provisioner | A 3rd party library was updated for security, test your provisioner or upgrade to the |
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use the legacy (non provisioning framework) google apps provisioner | A 3rd party library was updated for security, test your provisioner or upgrade to the |
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use Grouper | JSON marshalling changed to be higher performance and less likely to
Report any issues you have if you have to revert |
2023/11/20 | ALL | ALL | 4.9.0 | Medium important | | If you use LDAP loaders of type: list of groups or groups from attributes, and grouper-loader.properties:
| You can now specify any stems to be the top stem, or you can |
2023/11/04 | v2.5.0-v2.5.68, v4.0.0-v4.7.2 | ALL | 4.8.0 | Not important | | If you were affected by the authentication bypass vulnerability and installed the remediation | |
2023/10/04 | ALL | ALL | 4.7.0 | Important | GRP-4946 | If you use provisioning | If you provision based on attribute (e.g. netId or eppn), and the provisioner cannot work if the value is |
2023/10/04 | ALL | ALL | 4.7.0 | Important | GRP-5005 | If you want database connection pool size to differ based on UI/WS/daemon | You can set the env var in container for DB pool size: GROUPER_DATABASE_CONNECTION_POOL_SIZE. You can allow the daemon to use more connections than UI/WS. For instance, the daemon should probably have For instance, if you have 500 connections max at DB, and 2 daemon, 2 ui, and 2 ws, might want to set var for |
2023/09/08 | ALL | ALL | 4.6.0 | Important | GRP-4932 | If you have SSL certs in /etc/pki/java/cacerts (if your SSL is not in trusted roots) | You can be doing one of three things with SSL certs:
Test anything that uses certs added to Java after upgrade (e.g. connections to SQL, LDAP, WS, etc outbound from Grouper) |
2023/07/25 | ALL | ALL | 4.5.0 | Not important | GRP-4843 | You use GSH templates | If you want a run button from the misc → GSH template screen, edit the template and pick the group or folder it should run from default |
2023/07/04 | ALL | ALL | 4.4.0 | Not important | GRP-4816 | You use SQL sync | Multiple source records with same key in SQL sync will cause daemon error (you can configure to ignore this if expected) |
2023/06/27 | ALL | ALL | 4.4.0, 4.3.0 | Important | GRP-4803 | You customize any tomcat config files | The tomcat version changed so make sure any patches or edits or overrides to the tomcat server.xml config files are correct |
2023/06/27 | ALL | ALL | 4.3.0 | Important | GRP-4805 | You use a box external system with a proxy and not default port | Set the proxy URL in the external system instead of the host and port |
2023/06/06 | ALL | ALL | 4.2.0 | Important | GRP-4768 | You use Grouper | If your database can support 500 connections for each node in your env, then you do not need to do anything.
|
2023/05/05 | ALL | ALL | 4.1.6 | Medium important | | You use Grouper | Upgrade the grouper_memberships_lw_v (manually). Note this is for performance, so this is optional |
2023/04/26 | ALL | ALL | 4.1.4 | Not important | | If you do not want diagnostics to fail for a day | Run the daemons: syncAllPitTables, syncAllSetTables |
2023/03/26 | ALL | 4.1.1 or older | 4.1.2 | Important | | If you lock down UI configuration to ipv6 without a mask, or multiple ipv6 comma separated | Will work in 4.1.2+. Before this version, use one network and use a net mask. Or use ipv4. |
2023/03/26 | ALL | ALL | 4.1.1 | Important | GRP-4657 | If you have provisioners | In order to help with renames, and delete/create same provisionable grouper object: For entities and groups, you should probably cache your search/match attribute in addition to the "link" cache (e.g. ldap_dn for ldap or id for web service)
|
2023/03/26 | ALL | ALL | 4.1.1 | Not important | | If you want auto-ddl configured correctly | This is not necessary, but if you set auto-ddl in grouper.hibernate.properties to 4.999.999 per previous instruction, you can now set to 4.*.* |
2023/03/26 | ALL | ALL | 4.1.1 | Not important | | If you want the previous default behavior where all users will see some attributes in etc folder | Reconfigure if you want the previous behavior. Recommended not to do this. You should probably assign READ/UPDATE privs on those attributes for power users only |
2023/03/13 | ALL | ALL | 4.0.3 | Important | | If you reference cacerts or other trust store files or folders in your Dockerfile or configuration (e.g. rabbitmq external system) | If you reference cacerts or other trust store files or folders, the path changed in java17, if you have something like
Change it to
|
2023/03/13 | ALL | 4.0.3- only | 4.0.1 | Important | | If you have auto ddl configured in grouper.hibernate.properties | Note, do not change this if upgrading to 4.1.0+. Change auto DDL to
|
2023/03/10 | ALL | ALL | 4.0.1 | Not important | GRP-4619 | If you have a provisioner translation that checks for nulls in a ternary operator, e.g.
| Reconfigure to check for nulls per jira |
2023/03/01 | ALL | ALL | 4.0.1 | Important | | Check your derived image build and make sure it works with Rocky linux. It is intended to be a drop in replacement | |
2023/03/01 | ALL | ALL | 4.0.1 | Important | | You have a subimage or scripts that use the tomee directory | GRP-4567: either make a symlink from /opt/tomcat to /opt/tomee, or change your scripts to point to /opt/grouper/tomcat. Change ENV container vars from TOMEE to TOMCAT |
2023/03/01 | ALL | ALL | 4.0.1 | Important | | You have a custom provisioner | The API and capabilities changed slightly, please discuss with Chris on slack |
2023/03/01 | ALL | ALL | 4.0.1 | Not important | | You use the legacy SCIM WS (not provisioning!) | This has been rewritten and needs to be adjusted from clients. We are not aware of anyone using this |
2023/04/28 | ALL | ALL | 4.0.1 | Important | | You mount the log directory to the container or use uids and gids somewhere from the container | The tomcat user uid in the container is 996 (was 998), and the group is now 994 (was 997). You might need to adjust the uids/gids or adjust permissions |
2024/01/19 | ALL | ALL | 4.0.1 | Important | | You use Kerberos for WS authn | Java 17 has stricter encryption types. If authentication is having issues you might either need to change the passwords of old credentials to a newer encryption type, or allow old encryption types in the /etc/krb5.conf. Add something like this:
|
...