Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Chad Redmon, UNC
- Carey Black, Purdue
- Vivek Sachdiva, Independent
- Jonathan Johnson (JJ), Unicon
- Emily Eisbruch, Internet2 (scribe)
DISCUSSION
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs: Grouper Project Action Items (Google Doc)
- Agenda bash
Grouper School, Feb 8 - 11, 2022
- Started pre-week exercises
- Students have their VMs
- https://incommon.org/academy/grouper-school/
- Chris and Chad will be busy with training next week
- Unicon
- JJ: Unicon is interested in Grouper training syllabus, to better understand what is NOT covered, in case of inquiries
- Chris: Grouper training covers everything in main feature set
- In depth provisioning training is not in scope for standard Grouper Training
Current Work
Vivek
- Working on Duo provisioning
- Translation, Validation
- Connection is working
- Will work on local test server
- Creating new tables
- Hope to finish by this weekend
- Hope to commit for next release
- If Duo roles don’t work for the release, it’s ok
- Want to get provisioning into the release
- Have memberships ready for inserts by default
- No reason not to do that in LDAP (have membership attributes computed) when inserted
- Currently, if a field is required on an object and does not exist on the other side, it could get deleted
- Potentially could have phased delete, in future
- Have made some UI changes for provisioner, for SQL and read only situation
- Did some work on propagation attributes
- For Duo role provisioner, must specify the user's email address
- Can't use subject API attribute
- Grouper sync member has metadata
- Question: do we need metadata on memberships?
- Edit metadata on membership? Maybe in future
- Internet2 is migrating from PSPNG to new provisioning framework
Shilen
- Member table, subject identifier 1, 2 and email
- Going through change log
- Updated the loader
- If loading based on subject identifier, now checks the additional columns
- Next, adjust the provisioning? Already done?
- Chris: Take email from member table, have it for provisioning entity object so can translate
- Subject ID column in Grouper Sync member table
- Should have a config for which identifier do you want to use
- Shilen: makes sense, allow a config to specify which column gets added to sync table
- Use dropdown, SubjectID 0 1 2 or email
- Subject source wizard is also important
- AI Shilen: work on subject source wizard
- Hope to include in Grouper 2.6.6
- Add a subject source and see what it does
- Add an upgrade step to the release steps about the Subject ID config
Chris
- ABAC groups and JEXL script
- Grouper attribute based access control with JEXL script loaded groups
- Georgia Tech has a use case for this
Why do we need this feature?
- Go to a group, edit the loader
- If no loader config
- For JEXL script, there is doc on the UI explaining options
- Update the composite type?
- Replace composites? Good direction
- Need to add unit tests
- For validation, it will evaluate if JEXL is valid
- JEXL does not give good error messages
- Entity attribute resolver
- Affiliation table
- Chad may work on visualization for this after Grouper training
- Only using group names, not UUIDs
- Chris: need dependency graph
- e.g., if 4 dynamic groups are foundational to the other 6
- Prevent circular references perhaps
Chad fixed two issues:
- If doing just gsh in the container, per the wiki, it pipes everything to the tee command
- That exit code is always zero
- Suggestion to use gsh templates
- gsh and gsh.sh are not exactly the same
- Chad fixed the issue in the container. Will see the improvement in 2.6.6
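As an added illustration of the gsh/tee exit-code issue recorded above (example shell, not Grouper project code; `fake_gsh` is a stand-in for the container's gsh that fails with status 3): a pipeline returns the status of its last command, so `gsh script | tee log` reports tee's 0 even when gsh failed, and an automation job driving provisioning scripts would see success where there was an error. Capturing the left-hand status before tee finishes preserves it in plain POSIX sh.

```shell
#!/bin/sh
# Added example, not Grouper project code. fake_gsh stands in for the
# container's gsh and fails with status 3, like a script that hit an error.
fake_gsh() {
  echo "running $1"
  return 3
}

# The pattern the wiki showed: "gsh script | tee log". A pipeline's status is
# that of its last command, so tee's 0 hides the failure. Prints the status.
masked_status() {
  rc=0
  fake_gsh "$1" | tee "$2" >/dev/null || rc=$?
  echo "$rc"   # prints 0 even though fake_gsh returned 3
}

# Fix: record the left-hand command's status in a temp file inside the
# pipeline, then read it back after tee exits. Works in plain POSIX sh;
# in bash, "set -o pipefail" is the simpler script-wide alternative.
preserved_status() {
  status_file=$(mktemp)
  { fake_gsh "$1" && echo 0 >"$status_file" || echo $? >"$status_file"; } \
    | tee "$2" >/dev/null
  rc=$(cat "$status_file")
  rm -f "$status_file"
  echo "$rc"   # prints 3, the real gsh status
}
```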
- Ampersand in group name issue, it was getting escaped. Chad fixed this also.
Issue Roundup
Jiras in past two weeks
- GRP-3791: first pass of jexl scripted groups for ABAC: attribute based access control
- GRP-3790: provision policy groups unavailable
- GRP-3789: loader should clean up empty folders
- GRP-3788: do not set alternate names by default on moves
- GRP-3787: types do not inherit properly
- GRP-3786: disable subject caching from ui if few results returned
- GRP-3785: handle changed netIds in provisioning
- GRP-3784: add readSelf group privilege
- GRP-3783: upgrade to log4j2
- GRP-3782: ldap logs should mention the ldap external system id
- GRP-3781: add option to not provision groups with no members
- GRP-3780: grouper provisioning diagnostics fails on missing group dn. This is groupAttributes where memberships are subjectIds. Full sync works but diag fails
- GRP-3779: gsh script in container with error doesn't exit with non-zero
- GRP-3778: restrict access to subject attributes by group
- GRP-3777: add option for provisioner to translate and manipulate memberships before create groups or entities
- GRP-3776: exporting group memberships should not overwrite existing attribute names like entityid
- GRP-3775: do not do incremental provisioning if the last full had failsafe issue (until approved)
- GRP-3774: do not do incremental loaders if the last full had failsafe issue (until approved)
- GRP-3773: Subjects when id has html entity fail to add through add member combo box
- GRP-3772: add a way to export provisioning config
- GRP-3771: don't join to grouper_field in hib3membershipDao if not needed or used or joined in where clause
- GRP-3770: remove add members button from add members screen (just have add)
Grouper Emails in past weeks
- [grouper-users] ldap subject source issue, pchantry, 01/26/2022
- Re: [grouper-users] ldap subject source issue, Philippe CHANTRY, 01/26/2022
- Re: [grouper-users] ldap subject source issue, Philippe CHANTRY, 01/26/2022
- Re: [grouper-users] ldap subject source issue, Hyzer, Chris, 01/26/2022
- Older item:
- [grouper-users] Need help in connecting external ldap server, Malathi Deenadayalan, 12/24/2021
Grouper wiki updates in past two weeks
- Grouper Training Environment developer notes
- Grouper attribute based access control with JEXL script loaded groups
- Grouper provisioning SQL memberships example, group name and subject ID
- v2.6 Upgrade Instructions from v2.6
- GrouperShell (gsh)
- Grouper data structure improvements v3.0