Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redman, University of North Carolina Chapel Hill
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
- Jeff Williams, UNCG
- Steve Zoppi, Internet2
- Emily Eisbruch, Internet2
Discussion
- https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper Training Online
- Registration is open for Grouper School Feb 9-12, 2021
- https://incommon.org/academy/grouper/
Poll on Grouper Slack
- Question 1. What category of term should it be? Options: conveys "human managing members"; conveys "the usual thing non-admin people do with groups"
- Question 2. Favorite "human managing members" term (vote for up to three)? Options: ad hoc, handcrafted, handpicked, manual, non-auto
- Question 3. Favorite "the usual thing non-admin people do with groups" term (vote for up to three)? Options: elemental, key, normal, primary, prime, primitive, regular, simple, standard
Current Work Tasks
- Vivek - working on types
- Ad hoc type ( change this term?)
- Intermediate type
- Intermediate is by default checked.
- Limit is display 2000 groups
- Message will say “you are seeing a subset”
- Must figure out name for ad hoc groups
- Chris: See Grouper Slack post on naming and vote for your favorite
- Ad hoc does not come into play with provisioning
- Policy types do come into play
- Could filter intermediate groups from provisioning targets
- Shilen: would be good to make UIs look better
- Perhaps fewer check boxes?
- Whoever is making policies would be using this screen, not the average user
- Chris: in provisioning config, do you want to filter types to be provisioned?
- We track whether something is provisionable using attributes on a group; those attributes flow down from the folder
- Two ways to go: attributes that flow from folder to group, OR use a query to get groups of interest.
- If marked as provisionable with attribute, don’t mark with groups by type
- OR
- If folder is provisionable it filters down to the groups
- Tradeoffs: if we try to keep the provisioning attributes correct, then the query for provisioning is simpler, but the provisioning marker must be carefully managed
- Shilen: if the attribute is not managed correctly, then why have it, could be too confusing
- Point is so you don’t have to go up the folder structure to find out what is provisioned
- There is also a new feature for provisioning metadata
- We need to add some generic configuration into framework to say “do you want to restrict Grouper results based on type?”
- answer impacts how the attributes get propagated
- Could get an error saying “you need to mark this as a policy group”
- Agreed: the do-provision flag should be propagated and set correctly.
- Shilen: checking for validation is also relevant
- Chris: need to solve problem of keeping things in sync
- Do provision flag should take types into consideration
- Allow users to create their own types?
- Could there be logic for any attribute on the group, not just types?
- Vivek: change how "provision to" propagates down; Vivek and Chris will talk about details after this call
- Custom Metadata
- https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+custom+metadata
- Mark as public/private, similar to the Azure use case
- You may want to have custom translation on an object, specific to that group or folder, instead of for everything in the provisioner
- “If” statement would not be needed
- JSON object has variable names and values from the UI
- Is this provisionable, is this a unified group, public / private, what is the translation,
- To test this, using the LDAP provisioner
- For every provisioner, do I need to add the extra metadata
- Stored in JSON and propagated to groups
- Solves issue of DN structure on folder, this can be a can of worms
- Would be good to have flexibility to change any of the fields
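An added example to illustrate the discussion above (this is illustrative Python written for these notes, not Grouper's own code): a small model of a folder/group tree in which the provisioning targets for a group can either be resolved at query time by walking up the folder ancestry, or materialized on the group as a propagated marker, with a validation pass that reports groups whose stored marker has drifted from the folder-derived answer (for instance after a "restrict by type" setting changes). It also merges custom provisioning metadata from folder to group so the nearer setting wins. The class names, the `provision_to` field, the `restrict_types` parameter, the type names and the sample tree are all assumptions.

```python
"""Hypothetical model of folder-to-group provisioning markers and metadata.
Not Grouper's implementation; names and the sample tree are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # provisioner targets marked directly on this folder (assumed field)
    provision_to: set = field(default_factory=set)
    # custom provisioning metadata, JSON-like key/value pairs (assumed field)
    metadata: dict = field(default_factory=dict)


@dataclass
class Group:
    name: str
    folder: Folder
    group_type: str = "manual"  # assumed type names: "policy", "intermediate", "manual"
    # the propagated marker stored on the group; may drift from the folder answer
    provision_to: set = field(default_factory=set)
    metadata: dict = field(default_factory=dict)


def _ancestors(group):
    """Yield the group's folder, then each parent folder up to the root."""
    f = group.folder
    while f is not None:
        yield f
        f = f.parent


def effective_targets(group, restrict_types=None):
    """Query-time answer: union of targets marked on any ancestor folder,
    optionally restricted so only listed group types are provisionable."""
    if restrict_types is not None and group.group_type not in restrict_types:
        return set()
    targets = set()
    for f in _ancestors(group):
        targets |= f.provision_to
    return targets


def effective_metadata(group):
    """Merge metadata from the root folder down to the group; nearer wins."""
    merged = {}
    for f in reversed(list(_ancestors(group))):
        merged.update(f.metadata)
    merged.update(group.metadata)
    return merged


def propagate(group, restrict_types=None):
    """Materialize the marker on the group (the 'flow down' approach)."""
    group.provision_to = effective_targets(group, restrict_types)


def find_drift(groups, restrict_types=None):
    """Validation pass: names of groups whose stored marker disagrees with
    the folder-derived answer, i.e. candidates for a config error message."""
    return [g.name for g in groups if g.provision_to != effective_targets(g, restrict_types)]


def build_sample():
    """Constructed sample tree: one folder marked for an Azure-style target."""
    root = Folder("app")
    azure = Folder("app:azure", parent=root,
                   provision_to={"azureProvisioner"},
                   metadata={"visibility": "private"})
    policy_grp = Group("app:azure:staff", azure, group_type="policy",
                       metadata={"visibility": "public"})
    manual_grp = Group("app:azure:staff_manual", azure, group_type="manual")
    other_grp = Group("app:misc", root)
    return [policy_grp, manual_grp, other_grp]


if __name__ == "__main__":
    groups = build_sample()
    for g in groups:
        propagate(g)  # markers set with no type restriction
    # now restrict provisioning to policy groups: the manual group's stored marker is stale
    print("drift after restricting to policy groups:", find_drift(groups, restrict_types={"policy"}))
```

The drift check is the point of the example: once the marker is materialized on the group, any later change to the rule that produced it (a type restriction, a folder being unmarked) leaves stale markers behind unless a validation pass like `find_drift` runs and surfaces them.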
Chris:
- Configuration/ Validation wiki https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+configuration+validation
- Validations should not be fatal for config to run necessarily, but could provide errors messages
- Mock Services Framework https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+mock+services
- If there is a service that can be easily implemented (mocked) to test the provisioning DAO, implement in the Grouper Mock Services
- In Grouper hibernate file, you can pick
- IS US or
- IS WS or
- IS MOCK SERVICES
- New servlet, needs to be secure, but not really, can’t do much
- Each of the objects would have their own tables
- Can do source IP address filtering
- Have example of copying from the UI
- Creating simple tables using DDL utils
- Access token and it expires
- For users in Azure there are flags it supports
- Turn on Tomcat with IS MOCK SERVICES set to true
- Explain how to implement provisioner
- Helps with paging issues
- Chad had inherited the Azure work from Unicon
- So had fine-tuned what they had
- Retrofit library was a pain, this is better
- This new approach is good
- Shilen: this looks great
- Grouper team: please review this in the app Azure folder
- Azure provisioner is looking good.
- There is no get all memberships web services
- Can iterate thru groups, but that could be wasteful
- We should have a flag in provisioner to handle this
- Can you retrieve all memberships?
- Duke has a lot of groups in Azure
- Put an attribute on the group in Azure, then use a filter
- Carey: naming issue, starting with “mock”
- Chris: can’t start with “grouper”
- Not controlled by Grouper DDL utils
- Prefix requirement
- These might only be for internal developers
Steve Z
- Thanks for the work during 2020, a challenging year
- Sharp uptick in interest in Grouper and Grouper integration
- Shows up in CSP, Collaboration Success Program
- Community appreciates all the progress made around Grouper
- For 2021, there will be increased focus on integration (gluing things together): Grouper, Shib, COmanage, etc.
- Component architects discussions talk through the implications of changes around one component and how it impacts other components
- Looking at the “right boundaries”
- Larger institutions have capacity to absorb changes in the environment
- Smaller institutions have their own challenges
- More interaction coming in 2021 with the Cloud Services community
- There are tradeoffs
- Chris: the questions facing us in 2021 are exciting, regarding staying in lanes, working with other teams
- We will focus work, perhaps half on provisioning and connections, and half on Grouper internals
- Script for policy groups, templates
- Hope for Grouper 2.6 release in next 6 months
- Chris: There is a blog on Grouper provisioning coming along, we will ask the whole team to review it
- Steve: with middleware there are always boundary issues
- Finding deployment profiles to suit more complex institutions down to less complex institutions is important
- We can’t address every need on the spectrum
- We are trying to define 3 primary deployment profiles
- Hoping to simplify and confine
- Some organizations are taking a hit in the IAM staffs due to COVID
- Organization sent a person to training, wanted to solve simple use case, did not want to go thru all the reference groups, Chris helped them after training. The setup was not trivial. Want to make things easier.
- SteveZ: Should we put these scenarios into a training module?
- Internet2 will be working with Grouper and COmanage in 2021 to solve Internet2 use cases
- Value chain can be created
- Chris: has shared with Erin the idea of institutions subscribing yearly to Grouper Training
- Grouper team would come up with 12 Canvas LMS modules on what’s new in Grouper
- Grouper team would develop new content to make that worthwhile
- SteveZ: this is being discussed
- Want to contextualize InCommon School course content apart from the solution
- "If you want to accomplish this, take these courses"
Issue Roundup
Jiras in past two weeks
- ldap provisioner validate string dn configured for groups and entities (if appl)
- add "intermediate" type to grouper
- azure provisioner (NG) with no extra libraries
- handle group/entity creates where id is assigned by target and is the search attribute
- add searchAttribute flag to provisioner attributes/fields
- If external system test has multiple errors, UI only shows latest one
- When importing members into a group, OK button on the progress screen does not work
- add provisioning configuration validation
- allow stems, groups, members, memberships to have provisioning metadata
- when filling out the provisioning form
Grouper Emails in past two weeks
- Re: [grouper-users] Grouper to Grouper sync question, Hyzer, Chris, 12/23/2020
- Re: [grouper-users] [EXT]Re: Grouper to Grouper sync question, Tim Darby, 12/23/2020
Grouper wiki updates in past two weeks
Grouper Slack in past two weeks
Benjamin R: We are working on setting up a proof of concept instance of Grouper and need it to be able to run loader jobs against an Oracle Database. Is there a best practice for getting the driver loaded into the image?
Chris Hyzer: Arizona has a provisioner pull (loader) use case that we will work on in addition to the Michigan LDAP use case...
Jon M: Is there a way or plans to make a way to stop someone from opening a Root session in GSH? (say, a config option that makes only people in wheel able or something?) ... I thought I remembered talk about it, but I can't find any docs and I think I might be hallucinating as usual.
James B: Has anyone run in to issues with GetSubjects WS call when looking up someone by an identifier?
Chad R: For those looking to use this for OpenShift, what components would you need to run in the container? …
Chris Hyzer: While we are working on the new "intermediate" type…
Erin Murtha: Grouper training is coming up in February!
Jeffrey C: Anyone know what the default subject record caching timeout is? We had a record's email get updated in LDAP but Grouper keeps showing the old one when someone looks up the record.
Chad R: A wiki has been started for workarounds to run Grouper in OpenShift. It is a work in progress, so comments welcome! https://spaces.at.internet2.edu/display/Grouper/Grouper+container+running+on+OpenShift
Next Grouper Call: Wed Jan. 20, 2021