Attending
- Chris Hyzer, Penn, Chair
- Chad Redmon, UNC
- Vivek Sachdiva, independent
- JJ, Unicon
- Drew Aschenbrener, Internet2
- Emily Eisbruch, Internet2
DISCUSSION
- Agenda bash
New Action Items
- AI Chris respond to: [grouper-users] Group is not marked as provisionable, Staubach, Maximilian, 06/09/2022, issue may be in provisioning configuration…
- AI JJ make a wiki about Unicon dev environment, and running a UI from a Maven command
InCommon Base CAMP, June 2022
Chad presented a one-hour talk, same as last year, on the basics of access management: why you don’t want individual lists and instead want groups and hierarchies. He went through a demo, the same demo as the GTE (Grouper Training Environment).
Chris talked on the Grouper Provisioning Framework. Same example as in the recent movie.
Issue Roundup
Vivek
- Worked on adding Daemon control options to the log screen
- Drop down added to daemon logs view to perform various operations
- Grouper provisioning, related to Azure
- Discussions w Jeff from UNC
- LDAP provisioning: there is a test case where entities not making it to LDAP target, Vivek is looking into that
Chad
- Will update 2 wiki pages
- how to customize the UI page and External subjects page
- Current doc is lite UI specific
- Chad also needs to update Quickstart? Wiki page
- Grouper / Misc/ test data
- We can remove the quickstart directory at this point
Chris
- Taking a few days off
- Team please attend to Grouper Slack
- Provisioning
- Looking at matching and search attributes
- Config for database cache fields
- Would be helpful to be able to cache entire representation of target
- Code to take target representation, put into JSON, if it fits in the field that is good, or if not it abbreviates
- Part that needs work, is to hook up with the screen
- Option for “entire object”
- In translation of each attribute, instead of marshaling it from a certain bucket, get it from the cached object, (target cached object or Grouper cached object)
- Can now cache DN or UUID, but it would be better to cache the whole object
- For additional comparisons
- In search and matching, for full sync, it gets all data and tries to match based on the matching attribute, then tries the 2nd matching attribute. If it can’t find anything, it will see if the attribute is cached; if it is, it will use the cached value and find deletes, subject attributes that change, etc.
- On incremental or recalc, it will do same thing on search
- The search DAO says find this group, find this entity, use this search attribute and use this value
- Chris changed the SQL DAO and the LDAP DAO. We need to change the other DAOs
- Some DAOs can only search by certain things
- We need to put some validation around this
- With the changes, the engine should be more reliable
- Chris had long call w Liam and folks at Penn State around provisioning issues
- Thanks to everyone testing
- We need to do some tuning and put out notifications
- We are going in the right direction
- Hope to get 2.6? out
- Liam’s issue where subject identifier changes
JJ
- Would appreciate new Grouper 2.5 version
- AI Chad will look at new Grouper 2.5 version for JJ / Unicon
- Follow Release steps on the wiki
- https://spaces.at.internet2.edu/display/Grouper/Release+steps
- Chad will improve release steps wiki as needed
- JJ finished OSGI work for Grouper 2.6.10
- There is a pull request
- Shut down is not included
- So there will be another pull request
- Not much time for OSGI starting, plug-ins can take time
- Need to shut down at end of every test
- Verified SAML, OIDC, basic, JWT all working in 2.6; CAS not working due to Java 9 in code, need to fix that or upgrade Java. JJ will tell folks using CAS that they must use SAML
- AI JJ will make a wiki about Unicon dev environment, and running a UI from a Maven command
- Working on authentication
Drew
- Working on provisioning framework, around entitlements, and entities
- Template for application structures, using GSH templates
- We had a different architecture for templates
- There are examples of GSH templates for application structures
- Existing application template is close to what is needed, just missing one thing: different naming convention for objects to build for security
- Chris: we could make a config for that and the template would work
- Drew will work with GSH template to address the current needs, or will make a jira if needed
- Chad: GSH templates are more flexible than previous legacy template approach
Jiras in past two weeks
GRP-4124
problem with multiple rules on the same group
GRP-4123
grouper should complain if multiple groups have the same overrideDN for the same provisioning target
GRP-4122
if matching id is retrieved from target (e.g. dn, or uuid), then it should create before through required error
GRP-4121
groups to not update object class are updating object class
GRP-4120
grouper provisioner entity attribute value cache auto-USDU
GRP-4119
provisioning activity log not decompressing log messages
GRP-4118
provisioning activity headers typo
GRP-4117 (DONE)
remove unneeded cross joins from membership queries
GRP-4116
change object to other entity attributes
GRP-4115
flat group attributes ldap membershipDN provisioner error on add member diagnostics
GRP-4114
subject identifier 2 does not show up in start with for ldap
GRP-4113 (DONE)
search for groups on multiple attributes and past values
GRP-4112
fix call to getMemberships with proper parameter
GRP-4111
simplify azure group types
GRP-4110
match groups on multiple attributes and past values
GRP-4109
if there is a target side cache, and grouper is synced to the target, then update the cache
GRP-4108
improve logging on entity/group search/matching attribute configuration
GRP-4107
allow update to sql provisioning attribute table foreign key to main group/entity table
GRP-4106
make the sql provisioner transctional
GRP-4105
chmod on cacerts not working for /opt/grouper/certs/client/
GRP-4104
anchor certs need to be copied to /etc/pki/ca-trust/source/anchors before running anchor cert command
GRP-4103
create a string representation of provisioning objects
GRP-4102
incremental gets stuck on group member of group in groupOfNames
GRP-4101
change log to change log temp export from new grouper, change to every 15, and two entries
GRP-4100
add entity to group in config should make it default in diagnostics
GRP-4099
daemon summary should have drop down for run, edit, etc
GRP-4098
add links at top to navigate to sections in provisioning
GRP-4097
click on a link in provisioning configuration to jump to another section (e.g. cache section)
GRP-4096
review diagnostics dao stuff if allowed to delete
GRP-4095
cache 2 usdu entity shows up when not selected
GRP-4094
entity cache type says group attribute not entity
GRP-4093
document entity attribute value cache confing is below group config
GRP-4092
document ldap_dn for provisioning
GRP-4091
document search filters for groups and entities in ldap provisioning
GRP-4090
update groups default true in provisioning
GRP-4089
clarify membership attribute in provisioning
GRP-4088
clarify dn attribute in provisioning
GRP-4087
explain rdn value a little more in provisioning docs
GRP-4086
Trace memberships timeline should show states for additional groups found in events
GRP-4085
resolve subject without cache from provisioning and ui
GRP-4084
if a membership add happens in group, it should not count as an update in the daemon counts
GRP-4083
look at default for update groups crud, should default to true
GRP-4082
entitlement by group provisioner lists update count when not
GRP-4081
entity attributes with group name does not fill in membership value
GRP-4079
folder create and privs not showing in folder audits
GRP-4078
convert messaging endpoints to be external systems
GRP-4077
add elfilter to messaging changelog consumer screen
GRP-4076
Move OSGI initialization to GrouperStart
GRP-4075
allow configuration in ldap to truncate part of the group name
GRP-4074
look at provisioning screen to see why lots of logs slows down
GRP-4073
an update to a group membership in p
Grouper Emails in past two weeks
- AI Chris respond to: [grouper-users] Group is not marked as provisionable, Staubach, Maximilian, 06/09/2022, issue may be in provisioning configuration…. Needs a follow up from Chris
- Re: [grouper-users] Help needed in installing the grouper v2.5.60 container with maturity level 0 manually, Varun Vudatha, 06/09/2022, a user followed up
Grouper wiki updates in past two weeks
Next Grouper Call: Wed July 6, 2022