11-May-2022

Attending 

• Chris Hyzer, Penn, Chair
• Shilen Patel, Duke
• Chad Redmon, UNC
• Vivek Sachdiva, independent  
• Andrew Costa, U of Nebraska
• Drew Aschenbrener , Internet2
•  Chris Hubing, Internet2
• Emily Eisbruch, Internet2

DISCUSSION

•  Internet2 Intellectual Property Policy
  
• Review AIs  Grouper Project Action Items (Google Doc)

• Agenda bash
  

Current Work

Grouper Training May 17  - 20, 2022

Chris and Chad working on preparing for Grouper Training

https://incommon.org/academy/grouper-school/

   Administrivia

•  Internet2 Intellectual Property Policy
  
• Review AIs  Grouper Project Action Items (Google Doc)
  
• Agenda bash
  

•   Chris Hubing: SQL Provisioning issue
  
•   Chris Hyzer: Provisioners are in holding pattern
  
•    Once we get the next Grouper release out, then more progress on provisioners. 
  
•  
  

Grouper Training May 17 - 20, 2022

Chris and Chad  working on prep

https://incommon.org/academy/grouper-school/

Current Work

Vivek

• Provisioning Configuration
  
• we made the start with scaffolding screen (swiss army knife)
  
• Asking questions specific to a particular provisioner
  
• But there  are many combinations people can fill in on the start with scaffolding screen
  
• And we use that to prepopulate the Provisioning screen
  
• There is a lot to do
  
• Need viable product for Grouper 2.69
  
• Need to release, even if not perfect
  
• U of Nebraska is excited about testing Grouper 2.69
  
• Focus on Azure functionality
  
• Eager to test
  
• Matt: GUI is coming along
  
•   Not sure about provisioner language shift
  
•   Use of word Entity can be confusing
  
•   See Grouper provisioning glossary
  
•   Are subjects the same as entities?
  
•   Not exact same
  
•    https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+glossary
  
• Chad: need to explain some things on the wiki page, hard to explain everything on UI
  
• Drop down for provisioning type, may need wiki to explain what the types are
  
•     Chris: those things should be externalized and explained 
  
• Good you can create Daemon jobs from provisioner screen
  
•    Chris: need to work on the implementation of that
  
• Drew: likes the diagnostics tools
  
• Shilen: looks good.  re SQL patterns, wiki page for LDAP shows all the patterns, descriptions on each one. Could be useful to have more of a description.  
  
• Chris: could be in text on screen
  
• Or use documentation link
  

• Search and matching config still needs to be finished
  
• Then do testing – Big effort
  
• Work with Vivek to get more of the Start With Scaffolding done
  

Shilen

• Point in time membership trace
  
• For troubleshooting why a person is in a group, for example
  
• Proposal : Events within 90 seconds are same cluster
  
• Like rules and hooks, do things based on other things
  
• Group things, so you can see the chain of events
  
• Create cluster of events
  
• Change log defaults to one minute
  
• Make in configurable
  
• Context on data can be helpful
  
• AI - May 11 2022  Shilen and Chris will discuss point in time membership trace
  
• Would be helpful to see Point in time versus audit records
  
• For user audit, what should permissions be?
  
•   Read on the group should be required, can discuss more later
  

Chris 

• Doing Prep for Grouper training next week.  
  
• 33 people signed up for training
  

• MichaelG is doing SQL sync, Chris working on that a bit
  
• Met with U Missouri around TLS connection issue
  
• trusted roots that are up the trust chain from SSL certs
  
• Put that in anchors
  
• Root command must be run
  
• If container runs as root it works
  
• If using OpenShift need open CI trust
  
• If doing client certs, use a different approach
  
• Grouper container documentation for v2.5
  
• Grouper v2.5 container SSL trust management
  
  
  
• Container issues
  
•   Grouper in future -  plan Tomcat only?
  
•   There are many container flags
  
•    Depending on config files to have certain variable
  
•  
  
• Provisioning config has two sections
  
• Entity Attribute Cache (4 buckets)
  
• Translation script option
  
• Mapping
  
• Need to work on logic for copy back
  
• Using cache value,  or using the Grouper value
  
• For example NETID is renamed and it’s cached, what to do
  

 Chad

• Upgrading the image to Grouper 2.68 went well
  
• Changes for LOG4J took some work
  
• To prevent permissions errors (Chad deleted file entries)
  
• Seeing folder attribute assignments in menu were not showing for non admins
  
• GSH commands issue due to a renamed class GRP 4024
  
• GRP-4024
  Application and policy templates through the API gives error
  
• Chris will remind Vivek
  

Issue Roundup 

Jiras in past two weeks

GRP-4032

container httpd config error format is after the include

• 
  GRP-4031
  look at the introspection endpoint for OIDC Connect (e.g. UI authn)
  
• 
  GRP-4030
  make a template example to disable daemon jobs
  
  
  GRP-4029
  clean up grouper image after removing log4j, so its not in the intermediate files on system scans
  
• 
  GRP-4028
  ability for container to add ssl client cert for java
  
• 
  GRP-4027
  provision to target where user previous existed then is removed (membertoid2)
  
• 
  GRP-4026
  ability for container to add ssl anchor cert for OS/java
  
• 
  GRP-4025
  Removing recent membership config doesn't remove settings
  
• 
  GRP-4024
  Application and policy templates through the API gives error
  
• 
  GRP-4023
  in subject source config ldap the only option is subtree scope
  
• 
  GRP-4022
  add attestation report widget on home page
  
• 
  GRP-4021
  maybe have data owners as drop down and searchable groups by data owner
  
  GRP-4020
  add zoom external system
  
• 
  GRP-4019
  refactor matching and search attribute configuration
  
• 
  GRP-4018
  provisioning config indent hide/show
  
• 
  GRP-4017
  provisioning sql specific column labels and descriptions
  
• 
  GRP-4016
  refactor subject link and cache
  
• 
  GRP-4015
  move subject link to the entity attribute cache section
  
• 
  GRP-4014
  move attribute value cache from entity attribute section to entity2 section
  
• 
  GRP-4013
  move attribute value cache from group attribute section to group2 section
  
• 
  GRP-4012
  Provisioner UI: Name field is set to drop down when the attribute name is EL-based.
  
  
• 
  GRP-4011
  Grouper UI queries root folder twice
  
  
  
  

Grouper Emails in past two weeks

       No new

Grouper wiki updates in past two weeks

• Princeton University Grouper Page
  
• Grouper Product Roadmap
  
• Grouper container documentation for v2.5
  
• Grouper v2.5 container SSL trust management
  
• Grouper Training Environment
  
• Grouper custom template via GSH
  
• v2.6 Upgrade Instructions from v2.6
  
• Grouper provisioning v2.6.9 refactor
  

Next Grouper Call : Wed May 25, 2022