22-June-2022

Attending 

• Chris Hyzer, Penn, Chair
• Chad Redmon, UNC
• Vivek Sachdiva, independent  
• JJ, Unicon
• Drew Aschenbrener, Internet2
• Emily Eisbruch, Internet2

DISCUSSION

•  Internet2 Intellectual Property Policy
  
• Review AIs  Grouper Project Action Items (Google Doc)

• Agenda bash
  

New Action Items

• AI Chris   respond to: [grouper-users] Group is not marked as provisionable, Staubach, Maximilian, 06/09/2022, issue may be in provisioning configuration… 
• AI JJ  make a wiki about UNICON dev environment, and running a UI from a MAVEN command  

 InCommon Base CAMP, June 2022

Chad presented one hour talk, same as last year, basics of access management , whey you don’t want individual lists, you want groups, hierarchies,  went thru a demo, same demo as   the GTE   Grouper Training Environment. 

Chris talked on Grouper Provisioning Framework .  Same example as in the recent movie.

Issue Roundup 

Vivek

• Worked on adding Daemon control options to the log screen
• Drop down added to daemon logs view to perform various operations
• Grouper provisioning, related to Azure
• Discussions w Jeff from UNC 
• LDAP provisioning: there is a test case where entities not making it to LDAP target, Vivek is looking into that

Chad

• Will update 2 wiki page 
•  how to customize the UI page and External subjects page
• Current doc is lite UI specific
  
  
• Chad also needs to update Quickstart? Wiki page
• Grouper / Misc/ test data
• We can remove the quickstart directory at this point  

Chris

• Taking a few days off
• Team please attend to Grouper Slack
  
  
• Provisioning
• Looking at matching and search attributes 
• Config for database cache fields
• Would be helpful to be able to cache entire representation of target
• Code to take target representation, put into JSON, if it fits in the field that is good, or if not it abbreviates 
• Part that needs work, is to hook up with the screen
• Option for “entire object”
• In translation of each attribute, instead of marshaling it from a certain bucket, get it from the cached object, (target cached object or Grouper cached object)
• Can now cache DN or UUID, but it would be better to cache the whole object
• For additional comparisons 
• In search and matching, for full sync, it gets all data, it will try to match based on matching attribute, then tries the 2nd matching attribute, if it can’t find anything, it will see if attribute is cached, if it is , it will use the cached value and find deletes, subject attributes that change, etc.
• On incremental or recalc, it will do same thing on search
• The search DOA says find this group , find this entity, use this search attribute and use this value
• Chris changed the SQL DOA and the LDAP DOA. we need to change the other DOAs 
• Some DOAs can only search by certain things
• We need to put some validation around this
• With the changes, the engine should be more reliable
• Chris had long call w Liam and folks at Penn State around provisioning issues
• Thanks to everyone testing
• We need to do some tuning and put out notifications
• We are going in the right direction
• Hope to get 2.6? out
•  
• LIAM’s issue  where subject identifier changes

JJ

• Would appreciate new Grouper 2.5 version
• AI Chad will look at new Grouper 2.5 version for JJ / Unicon
•   Follow Release steps on the wiki 
•   https://spaces.at.internet2.edu/display/Grouper/Release+steps
• Chad will improve release steps wiki as needed
  
  
• JJ finished OSGI work for Grouper 2.6.10
• There is a pull request,
• Shut down is not included
• So there will be another pull request
• Not much time for OSGI starting, plug ins can take time
• Need to shut down at end of every test
  
  
• Verified SAML OIDC basic JOT, all working in 2.6, CAS not working due to JAVA 9 in code, need to fix that or upgrade JAVA.  JJ will tell folks using CAS that they must use SAML
• AI JJ will make a wiki about UNICON dev environment, and running a UI from a MAVEN command  

• Working on authentication

Drew

• Working on provisioning framework, around entitlements, and entities
• Template for application structures, using GSH templates
• We had a different architecture for templates
• There are examples of GSH templates for application structures
• Existing application template is close to what is needed, just missing one thing: different naming convention for objects to build for security
• Chris: we could make a config for that and the template would work 
•  Drew will work with  GSH template to address the current needs, or will make a jira if needed
• Chad:  GSH templates are more flexible than previous legacy template approach

Jiras in past two weeks

• 
  GRP-4124
  problem with multiple rules on the same group
  
  
  
• 
  GRP-4123
  grouper should complain if multiple groups have the same overrideDN for the same provisioning target
  
  
  
• 
  GRP-4122
  if matching id is retrieved from target (e.g. dn, or uuid), then it should create before through required error
  
  
  
• 
  GRP-4121
  groups to not update object class are updating object class
  
  
  
• 
  GRP-4120
  grouper provisioner entity attribute value cache auto-USDU
  
  
  
• 
  GRP-4119
  provisioning activity log not decompressing log messages
  
  
  
• 
  GRP-4118
  provisioning activity headers typo
  
  
  
• 
  GRP-4117 (DONE)
  remove unneeded cross joins from membership queries
  
  
  
• 
  GRP-4116
  change object to other entity attributes
  
  
  
• 
  GRP-4115
  flat group attributes ldap membershipDN provisioner error on add member diagnostics
  
  
  
• 
  GRP-4114
  subject identifier 2 does not show up in start with for ldap
  
  
  
• 
  GRP-4113 (DONE)
  search for groups on multiple attributes and past values
  
  
  
• 
  GRP-4112
  fix call to getMemberships with proper parameter
  
  
  
• 
  GRP-4111
  simplify azure group types
  
  
  
• 
  GRP-4110
  match groups on multiple attributes and past values
  
  
  
• 
  GRP-4109
  if there is a target side cache, and grouper is synced to the target, then update the cache
  
  
  
• 
  GRP-4108
  improve logging on entity/group search/matching attribute configuration
  
  
  
• 
  GRP-4107
  allow update to sql provisioning attribute table foreign key to main group/entity table
  
  
  
• 
  GRP-4106
  make the sql provisioner transctional
  
  
  
• 
  GRP-4105
  chmod on cacerts not working for /opt/grouper/certs/client/
  
  
  
• 
  GRP-4104
  anchor certs need to be copied to /etc/pki/ca-trust/source/anchors before running anchor cert command
  
  
  
• 
  GRP-4103
  create a string representation of provisioning objects
  
  
  
• 
  GRP-4102
  incremental gets stuck on group member of group in groupOfNames
  
  
  
• 
  GRP-4101
  change log to change log temp export from new grouper, change to every 15, and two entries
  
  
  
• 
  GRP-4100
  add entity to group in config should make it default in diagnostics
  
  
  
• 
  GRP-4099
  daemon summary should have drop down for run, edit, etc
  
  
  
• 
  GRP-4098
  add links at top to navigate to sections in provisioning
  
  
  
• 
  GRP-4097
  click on a link in provisioning configuration to jump to another section (e.g. cache section)
  
  
  
• 
  GRP-4096
  review diagnostics dao stuff if allowed to delete
  
  
  
• 
  GRP-4095
  cache 2 usdu entity shows up when not selected
  
  
  
• 
  GRP-4094
  entity cache type says group attribute not entity
  
  
  
• 
  GRP-4093
  document entity attribute value cache confing is below group config
  
  
  
• 
  GRP-4092
  document ldap_dn for provisioning
  
  
  
• 
  GRP-4091
  document search filters for groups and entities in ldap provisioning
  
  
  
• 
  GRP-4090
  update groups default true in provisioning
  
  
  
• 
  GRP-4089
  clarify membership attribute in provisioning
  
  
  
• 
  GRP-4088
  clarify dn attribute in provisioning
  
  
  
• 
  GRP-4087
  explain rdn value a little more in provisioning docs
  
  
  
• 
  GRP-4086
  Trace memberships timeline should show states for additional groups found in events
  
  
  
• 
  GRP-4085
  resolve subject without cache from provisioning and ui
  
  
  
• 
  GRP-4084
  if a membership add happens in group, it should not count as an update in the daemon counts
  
  
  
• 
  GRP-4083
  look at default for update groups crud, should default to true
  
  
  
• 
  GRP-4082
  entitlement by group provisioner lists update count when not
  
  
  
• 
  GRP-4081
  entity attributes with group name does not fill in membership value
  
  
  
• 
  GRP-4079
  folder create and privs not showing in folder audits
  
  
  
• 
  GRP-4078
  convert messaging endpoints to be external systems
  
  
  
• 
  GRP-4077
  add elfilter to messaging changelog consumer screen
  
  
  
• 
  GRP-4076
  Move OSGI initialization to GrouperStart
  
  
  
• 
  GRP-4075
  allow configuration in ldap to truncate part of the group name
  
  
  
• 
  GRP-4074
  look at provisioning screen to see why lots of logs slows down
  
  
  
• 
  GRP-4073
  an update to a group membership in p

Grouper Emails in past two weeks

• AI Chris   respond to: [grouper-users] Group is not marked as provisionable, Staubach, Maximilian, 06/09/2022,  issue may be in provisioning configuration…. Needs a follow up from Chris

• Re: [grouper-users] Help needed in installing the grouper v2.5.60 container with maturity level 0 manually, Varun Vudatha, 06/09/2022,       a user followed up

Grouper wiki updates in past two weeks

• Grouper logging dynamic configuration

• v2.5 Release Notes

• Grouper v2.5 container SSL trust management

• Install the Grouper v2.5 container maturity level -1 quick start v2.6.5+

• Grouper rules use case - Email notification on flattened membership add to group

• Install docker postgres database

• Specsheet

• Documents & Presentations

• Grouper provisioning glossary

Next Grouper Call: Wed July 6, 2022