Grouper Call Aug. 4, 2021
Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Emily Eisbruch, Internet2
New Action Items from this call
- AI Shilen - check with ScottK to see if GRP-3547 Grouper Provisioning - OpenLDAP support for empty member attribute is solved
- AI Shilen - Create a more user-facing LDAP provisioning wiki, explaining how to use new provisioning framework to point to LDAP (the current wiki is more a development document, need a few examples)
- AI Shilen - look into provisioning daemon and whether it's still configured
- AI Shilen - ask UMICH about performance issues, index, and sync tables
- AI Chris - make a provisioning framework wiki page for generic processes
- AI Chris - look at HTTP proxies
- AI Chris - make a wiki and share with Grouper Slack for renames - Use system name instead of UUID
- AI Chris - look at GRP-3540 quartz cron should be a required field in daemons (or at least sql sync daemons)
- AI Chad - find the notes related to HTTP proxies
- AI Chad - do a GSH template and outline steps for Groovy, using IntelliJ
- AI Chad - follow up w Chris Hubing around GRP-3408
- AI Chad - Add instructions around GRP-3346 for upgrade steps wiki for those using the LITE UI
- AI Vivek tell Shilen when it’s time for Shilen to test
Discussion
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Current Work
Chad
- Worked on two Jiras
- GRP-3346
- Can't find library
- Moved jar files out to legacy project, but left the TLD config in main project
- Chad moved those out
- May break things in LITE UI
- Need an upgrade step, if people are still using the LITE UI
- AI Chad Add instructions around GRP-3346 for upgrade steps wiki for those using the LITE UI
- GRP-2852
- Issue: when you delete an attribute assignment, it deletes attribute names and un-publishes; now fixed, can’t do this accidentally anymore
- The folder delete says how many things will be deleted, which is a good approach
- Chad tried that, but there is a link back to itself
Shilen
- Worked on 2 jiras
- Retrieve memberships
- Not sure if recalc is using this yet or not
- Chris will work on Framework end of this
- GRP-3547 Empty member attribute
- Now in UI you can put empty string as the default value
- Allows it to be blank in target
- AI Shilen - check with ScottK to see if GRP-3547 Grouper Provisioning - OpenLDAP support for empty member attribute is solved
- AI Shilen - Create a more user-facing LDAP provisioning wiki, for using new provisioning framework to point to LDAP; the current wiki is more a development document, need a few examples
- AI Chris - make a provisioning framework wiki page for generic processes
- AI Shilen - ask UMICH about performance issues, index, and sync tables
- AI Vivek tell Shilen when it’s time for Shilen to test
Chris
- Azure provisioner
- Grouper sessions passed around to APIs
- GSH APIs have way to run as root or not
- Usually run as user
- Can do a member of control Grouper Session
- Can pass in a subject
- Can’t have more than 1 session open at a time
- GSH APIs will not take the session anymore
- Don’t like to remove methods so still there but you can call without passing a session
- Chad: makes sense
- Azure Provisioner issue is now resolved, after container built it looks OK
- New Grouper Release solves some issues
Vivek
- Provisioning
- Ability to use nesting provisioner
- Framework exists to send provisioning changes to messaging queue
- Can’t select from messaging system; No select membership available
- Made changes on the UI
- Send message to target system
- Messaging only works w incremental sync
- Message format type, you get exact same JSON that change log consumer does
- No reason to do a translation
- If we add another option, we could have mapping
- With unit testing, built in messaging
- Used to store messages
- Taking similar JSON and sending it to config target system
- Fix framework to test all
- Table for “if inputs are these, this is what should happen in terms of recalc logic”
- Grouper provisioning framework recalc logic
- Capability of the DAO is relevant
- If config says Don’t select then no
- There are different recalcs, Recalc can be targeted down to membership level
- Can recalc just a membership and make it right
- Also working on some misc items
- Make provisioning more efficient, optimizing
- Minimize selecting more than we need to from target systems
- Not yet ready for Shilen to do more load testing
- Messaging is done
- Want to go back to LDAP provisioner
- Some tests were failing
- When that is addressed
- identify adder false?
- Where adder is true, have a unit test ready for each
- In a provisioner, try to simulate
- Do testing around errors and queries
- Make sure recalc was done
- Hope to address the UMICH issues around performance
- there was performance issue fixed by adding an index
- Should we add index or change query
- AI Shilen - ask UMICH about performance issues, index, and sync tables
- AI Vivek tell Shilen when it’s time for Shilen to test
- Incremental settings issue
- Removing old Daemon
- Must migrate code
- When you created an object “Run Daemon” would Spider thru ancestors
- Now with incremental Daemon and full daemon, that old approach is not needed
- DECISION: remove the “Run Daemon” button
- AI Shilen look into provisioning daemon and whether it's still configured
- Shilen: messaging does not do selects
- Are sync tables populated?
- Yes, but not caching from target, but we are tracking what we send
- Chris: Vivek did a lot of work around recalc and it’s been worthwhile
- Strengthens the provisioning framework
- What is the future of provisioning for Grouper
- Everything you are provisioning now will be replaced by new provisioning framework
- Messaging is grey area, it’s just the changelog consumer
- Might not replace all existing changelog consumers
- If we add another message format to customize the messages, then people will use this
- Chad: we’d like to use this, message consumer we use now publishes everything, you get a lot of noise
- Chris: this allows picking and choosing
- Can see history of when message was sent to get better auditing
- What do we hold onto and what do we sunset?
- HTTP Proxies, came up on Grouper Slack
- Whatever we are doing for the external system, that framework should pull from the Java system settings
- Chad: For Azure consumer, added HTTP Proxy for the changelog consumer
- Chris: hope there are things we can do for the libraries
- Chad: May be external system specific
- Need proxy for every HTTP situation?
- External access can be shut down and proxies are needed
- AI Chris look at HTTP proxies
- AI Chad find the notes related to HTTP proxies
- AI Chad do a GSH template and outline steps for Groovy
- Using IntelliJ
Issue Roundup
Jiras in past two weeks
GRP-3559 Refactor UI templates to not depend on the UI
group.properties should support configuration.autocreate.<all_object_types>.*
GSH Templates should skip the show/hide checks/logic if the template has no 'Jexl for showEl' on any inputs. This is a performance issue
add ability to export non base config (not just db only)
installer should use https for training
Edit membership page shows form fields even if the user does not have update privs
import config should have a text area
Hard to do check..
import config should let you pick the file (not name correctly)
new loader attributes not being created
Grouper Provisioning - OpenLDAP support for empty member attribute
azure provisioner in new provisioning framework
- Beef up renames
- Use system name instead of UUID
- If we rename things, then adjust in the configs
- Going forward, we can refactor old things later
- Look up by both for legacy
- AI Chris - make a wiki and share with Grouper Slack for renames - Use system name instead of UUID
gsh transaction issues with built in shortcuts
Chris will see if called in context of GSH template, if yes, the exception will flow thru
GSH Templates: Show in more actions = FALSE and the item is not shown on the Run Template UI list
Grouper Provisioning - ldap dao retrieveMembership
problem removing attributes with hooks
quartz cron should be a required field in daemons (or at least sql sync daemons)
Chris will look at
option to not send exception stack back to WS client
GRP-3538 grouper should auto create WS group ws.client.user.group.name
update rabbitmq tls version
- Chad looking at this JIRA
- Can Grouper do TLS 1.1 if that is what the server insists on?
- Client connects with running server
- What if it can’t do TLS 1.2?
- TLS 1.1 is deprecated.
- Vivek looking at the code..
- Should we try to replicate this?
- AI Chad will follow up w Chris Hubing around GRP-3408
- Best if he changes setting
Grouper Emails in past two weeks
none
Grouper wiki updates in past two weeks
- v2.5 Release Notes
- Grouper provisioning framework recalc logic
- Grouper custom templates via GSH - converting an existing GSH script - insert a row in table
- Grouper custom template via GSH
- Documents & Presentations
- Grouper Training Environment developer notes
- v2.5 Upgrade Instructions from v2.5
- Grouper v2.5 container unit tests
- Release steps for new container build
- Grouper Azure provisioner (new provisioning framework)
- Grouper provisioning glossary
- GrouperShell (gsh)
Next Grouper Call: Wed Aug. 18, 2021