Grouper Working Group Notes of Dec. 22, 2021
Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redmon, UNC
- Vivek Sachdeva, Independent
- Emily Eisbruch, Internet2
DISCUSSION
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda bash
New Action Item
- AI Chris will research the clean up step after a Grouper sub image probe that removes broken files related to old LOG4J versions
Current Work
Vivek
- Worked on GSH template
- Now can set up on groups
- By default it is set to false
- Added show folders option, can select multiple
- Better interface with IPv6
- Provisioning for Google
- It was in a separate module
- Will support for groups and members provisioning
- Using same approach as using for other targets
- Vivek is using the client, there will be a mock service
- Google client SDK will be a dependency
- Adding SDK libraries gets untenable
- We don’t want to add every client ever to the Grouper API or Daemon
- Better to roll our own clients
- This is how midPoint handles this
- OSGi could be helpful as a solution?
- Being used less than in the past perhaps
- Issue is segregating the libraries, to avoid complexity
- Use REST API if possible
- Run different provisioners in different daemons?
- Not sure that’s a good path
- It’s nice to have one daemon
- Rolling REST clients is easiest solution
- Just use client library
- Goal: use raw HTTP instead of library
- Vivek will start with the directory API
- It’s working with the client
- Then cloud API and REST calls
Chris
- Stem Privileges
- Almost done, running tests
- Two tables
- One Table tracks when user has made a request for new privileges
- Stem view privilege table has memberID and stem UUID
- Can query to insert or delete what’s needed for users
- Can check a table to see if you have access to stem
- Want to do minimal query work
- Load testing? Or just release it?
- Shilen: we’ve seen issues with MySQL
- Chris: we’ve seen it with big deployments on every database
- Will only do group adds and stem adds in same thread as calling thread
- Only needs to wait for 2 small queries
- Only happens if you have not logged in during last week
- Chris can put in test environment
- Auto set privileges on folders is not recommended
- M Gettes and C Hubing working on multi architecture Google image
- Images will be slightly larger
- Log4J issues
- 4 digit build numbers, people are OK with them
- Carey has concerns
- Issue of how much should be included in containers
- Want to minimize container size, but need to compromise
- Process where you just have tomcat
- Sysadmins run scans looking for file names; too many layers
- They look at images on the host
- Some files are only needed for the build
- Images depending on images
- Use sub images as a solution?
- Issue with overlays
- They exist on the host
- Inherent to Docker
- Jar dependencies should not be there
- AI Chris will research the clean up step after a Grouper sub image probe that removes broken files related to old LOG4J versions
- Vulnerable versions; it’s a housecleaning thing
- Decision: container version not always the same as library version
- If we need a security fix, we will add a 4th digit?
Shilen
- USDU work
- Incremental if no subject ID: issue solved
- Provisioning issue: propagation not working correctly if ? is assigned to a folder, not a group. That has a separate JIRA
- Still putting fixes in Grouper 2.5?
- Maybe
- Can cherry pick it
- If it is low risk and a bug, OK to fix
- USDU fixes
- When USDU runs, deleting attributes for unresolvable subjects is now fixed
- Delete date issue (got stuck in the UI) is fixed
- Other USDU issues also fixed
Chad
- LOG4J
- Chris worked in container
- Chad getting dependencies working
- Upgrade to LOG4J2
- Grouper web services was using an internal multi-class logging solution
- There is a 1.2 compatibility API
- Issue: in Grouper util, it looks at the ?; in Log4j 2 those are internal classes, not easy to get to
- Need to rip that out
- TomEE has its own logging that we are replacing
- Issue with HSQL
- Swap Log4j into Docker until TomEE has a stable Log4j
- Exclude Log4j 1
- Moving away from Log4j in the long term, perhaps
- This will be decided for Grouper 3.0
- Will involve migrating Jar files and making a few fixes
- Configuring with the UI will be helpful
- Want to check things without rebuilding
- Build with Jenkins
- Chris Hubing set up something on test bed server
- Created local Docker compose with local Jenkins
- Could build on i2MIdev
Issue Roundup
Grouper wiki updates in past two weeks
Emily’s questions on the wiki, need to follow up at the next call:
- v2.6 Upgrade Instructions from v2.6: is the first sentence correct? It references 2.5, not 2.6
- When should we move the Grouper Provisioning Framework documentation out of “Development Items”?
- Grouper provisioning framework
- What is the difference between these two wikis:
- And
Wiki pages updated:
- Grouper SQL provisioner in v2.6
- Grouper web services - authentication - self-service JWT
- Unresolvable Subject Deletion Utility (USDU)
- Grouper container v2.6 change JVM
- Grouper entity attribute resolving
- Grouper utility classes (DRAFT)
Jiras in past two weeks
- GRP-3738: Allow binary secrets to be stored securely in grouper
- GRP-3737: Provisioning attribute propagation fails when policy type is assigned to folder
- GRP-3736: Remove old command line USDU
- GRP-3735: update loader status description
- GRP-3734: GSH templates should be available to show on groups (instead of just folders)
- GRP-3733: Support IPv6 Source IP address Filtering in configuration UI
- GRP-3732: delete old change log consumer entries
- GRP-3731: dont check types table after a certain ddl version or upgrade step version
- GRP-3730: Deleting a group should delete the attribute assignments for the member object associated with that group
- GRP-3729: entitlement does not get removed
- GRP-3728: Update USDU to populate subjectResolutionEligible
- GRP-3727: GSH Templates: Allow a gsh template to be used by more than one certain folder
- GRP-3726: auto ddl message should be adjusted in 2.6
- GRP-3725: config page should show container version and grouper version
- GRP-3724: log4j security problem
- GRP-3723: add GROUPER_JAVA_HOME env variable
- GRP-3722: add container option to not put hardcoded java_home in bashrc
- GRP-3721: USDU doesn't process members without memberships but with subjectResolutionDeletedDb=F and subjectResolutionResolvableDb=F
- GRP-3720: USDU should remove attribute assignments of members marked as deleted
- GRP-3719: "groups i manage" should show read/update groups
- GRP-3718: SQL provisioning
- GRP-3717: improve performance of property configuration in the UI
- GRP-3716: refactor container unit tests for new quickstart
Grouper Emails in past few weeks
- [grouper-users] OWASP_CSRF token issue, Carl Waldbieser, 12/02/2021
- Re: [grouper-users] OWASP_CSRF token issue, Hyzer, Chris, 12/10/2021
- [grouper-users] News from the Grouper Project, Emily Eisbruch, 12/08/2021
Next Grouper Call: Wed. Jan. 5, 2022