Grouper Working Group Notes of Oct. 13, 2021
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Emily Eisbruch, Internet2
Discussion
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper Training in late Sept 2021
- Feedback was mostly positive
- A lot of attendees showing their screens and troubleshooting
- People liked this, especially with the container
- Changed structures of the Grouper Training Environment, next training we should be sure everything is accurate
InCommon and Geant CAMP week, Oct 4-8, 2021
Grouper Slides
- Chris did an excellent presentation, showing use cases for access management
Shilen
- Did a presentation on linking of SSO; generated conversation afterwards
- How O365 integration is done using a custom Shim for SAML conversion, not using ADFS
- Less conversation on Grouper than at previous CAMPs perhaps
OK getting rid of HSQL? (YES)
- Vivek and Shilen say yes
- Develop using Postgres
- Potential Approaches
- Container could come with Postgres installed and run it for quickstart
- Or
- Could download and install Postgres in the container; would not work for people who are proxying
- Or
- Get rid of quickstart option
- Use GTE (demo) approach
- Quickstart serves purpose
- Tell users to download postgres
- Or can make a sub-image if you don’t want to install
- One less thing to test every time we change DDL
Current Work
Vivek
- JWT RSA authentication to Grouper Web Service from trusted authority
- Authentication to UI and Web Services in Grouper v2.5+
- Working on Local Entity
- Can create public private key
- Comments: looks good.
- How many days worth of logs to keep?
- For troubleshooting
- Make parameter in grouper properties for how long logs are kept
- Good first pass
- Good if client provides example
- Using cryptography
- Self service authentication to web service
- Will save people time
- Have group of people allowed
- This is enabled by default
- Can be disabled potentially
- Include as an upgrade instruction so people can turn it off
- Security office at Duke prefers using centralized credentials
- Vivek: question about deleting and child table, and cascade
- Chris: delete from child table
- Extract logic from daemon
- Not our standard now to use cascade, revisit that for Grouper 3.0
- We should be consistent now
- Vivek will update some wording: Replace key / delete key and settings
Azure Provisioning Connector
- Illinois was working on Azure connector
- Submitted enhancements
- Interested in kicking tires on provisioner
- Vivek: look at their configs
- Need to have a call
- Need to update the wiki and add screenshots
Chris
- Worked on some JIRAS, including issues discussed at Grouper training
- Swagger is now OpenAPI
- See Chris's work here: Web Services OpenAPI
- Comment: this work will be helpful
- Hosting will be on demo server and it will also be in your app
- Overhead of running this is not bad
- Took away ability to actually make calls
- Can add that back potentially
- Not sure how authentication will work
- Don’t want this on the demo server
- Might want it on a deployment
- Can test on a deployment that has authentication
- Penn Zoom Deprovisioning
- Penn Grouper with Zoom
- Will need to implement in new provisioning framework
- Syncs to table of Zoom users, not all users are resolvable
- Can do queries on users
- Can have reports and GSH templates to help Zoom provisioners
- Can remove non human users
- Map email address to user
Provisioning: be sure we are escaping everything
- Stack trace started at 20K, can get below 4k using
- Method called exception without dups, exception without packages
- Shaves off size
- Then Gzip if needed
Grouper daemon "other job" GSH script to delete unresolvable subjects
- Useful for incremental daemons
- Subject IDs, tries to resolve them
- Same logic as failsafe
Shilen
- Issues related to LDAP provisioner
- Uppercase vs lowercase
- Fixed
- Character in group name that required escaping, fixed
- Rename a folder with the same name but different case, fixed
Issue Roundup
Jiras in past two weeks
GRP-3662
improve low level logging for provisioning target commands
GRP-3661
make more efficient stack traces
GRP-3660
escape html for provisioning error messages
GRP-3659
add textarea for provisioning error messages
GRP-3658
the UI under "my groups" shows groups the user doesnt have READ on but does have OPTIN or OPTOUT on... the WS should be consistent
GRP-3657
add database to report CSV config
GRP-3656
report with bad cron gives error but still partially saves
GRP-3655
add customizable headers to CSV reports
GRP-3654
add file upload to GSH import
GRP-3653
zoom loader should sync users to a table
GRP-3652
grouper deprovisioning should not fail if membership remove doesnt do anything, and shouldnt show disabled memberships
GRP-3651
dont allow config keys with "secret" or other things that mean password
GRP-3650
load zoom user data into a table for processing
GRP-3649
add ability to have attachments in grouper emails
GRP-3648
ran recent memberships full loader multiple times and it finds adds but they dont get applied?
GRP-3647
add a lookup table for view params (i.e. "etc" is configurable and doesnt work with "inst:etc"
GRP-3646
obliterate stem had error
GRP-3645
add swagger to grouper WS
GRP-3644
Make it harder to accidentally delete an attribute definition that is in use
GRP-3643
Notification feed functionality to address long-running UI operations
GRP-3642
grouper report is too large, limit number of unsuccessful jobs
GRP-3641
Visualization: If sibling count greate
Grouper Emails in past two weeks
- [grouper-users] Grouper 2.4 webservice to get members of a group filtered on point in time from and to, Siju Jacob, 09/29/2021
- Re: [grouper-users] Grouper 2.4 webservice to get members of a group filtered on point in time from and to, Andrew Jason Morgan, 09/29/2021
- [grouper-users] Trying to configure Grouper's Quartz scheduler to use the local timezone, David A. Kovacic, 10/04/2021
- Re: [grouper-users] Trying to configure Grouper's Quartz scheduler to use the local timezone, Michael Porter, 10/04/2021
- Re: [grouper-users] Trying to configure Grouper's Quartz scheduler to use the local timezone, Edward Rynes, 10/05/2021
- [grouper-users] grouper getting crashed always., Malathi Deenadayalan, 10/07/2021
Grouper wiki updates in past two weeks
- Grouper daemon "other job" GSH script to delete unresolvable subjects
- Grouper provisioning strategy
- Grouper custom template via GSH zoom deprovisioning
- Grouper daemon "other job" GSH script to delete unresolvable subjects
- Penn Zoom Deprovisioning
- Penn Grouper with Zoom
- Grouper Zoom provisioning
- Web Services OpenAPI
- Grouper Product Roadmap
- Externalize and encrypt grouper passwords
- v2.5 Release Notes
- Grouper custom template via GSH role mapper
- Grouper LDAP provisioner v2.5 use case Michigan
- Grouper LDAP provisioner v2.5 use case PA
- Get Memberships
- Find Groups