Grouper Call of Aug. 31, 2022
Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Vivek Sachdiva, independent
- Chad Redmon, UNC
- Carey Matt Black, Purdue
- JJ, Unicon
- Drew Aschenbrener, Internet2
- Jeremiah Haywood and Ben Raplayea, Illinois State U
- Emily Eisbruch, Internet2
New Action Items from this call
- Shilen - write script to take in source ID and delete member rows and references to those member rows, include: note: warning these are the consequences of running this script
- Chad - Add link to Dependency Check report on Build steps page.
- Chris - Verify Postgres driver version, this is related to GRP-4322 (Bump postgresql from 42.4.0 to 42.4.1 in /grouper-parent #189)
DISCUSSION
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
Grouper Training
- Grouper Training coming up Sept 27-30, 2022 https://incommon.org/academy/grouper-school/
MidPoint Grouper integration
- meetings have been held this week
- Decision to go in database direction
- Will discuss later in call
Current Work
Vivek
- GSH Template, dropdown w numeric fields, there was an error, Vivek fixed
- Changed Clear Cache button, only cache buckets are cleared instead of whole row, including incremental sync
- Client secret issue
- Provisioning issue, delete from Grouper side, and recreate w same name within a week, Grouper gets confused. Important fix
- GRP-4303: problem deleting and recreating group in azure
- GRP-4316: add member web service should remove enabled/disabled dates if already there
- Vivek working on Azure APIs, trying to use batch APIs to make them faster
- Azure provisioner is considered slow
- You can batch APIs together in Azure
- Can take disparate Azure web service calls and you can put them together 20 at a time into one web service call
- Can put dependencies on them, they will run and you get JSON responses
- You get status for each one
- It’s like a reverse proxy.
- Take DAO for Azure, make singular plural and use batches
- Idea of adding threading to provisioning framework
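
Added example (not from the minutes and not Grouper's own code): a sketch of the batching described above, assuming the batch API meant is Microsoft Graph JSON batching, where each sub-request carries an `id`, may list `dependsOn`, and gets its own `status` in the reply. The helper names, group id, URLs and sample reply are constructed for illustration.

```python
MAX_BATCH = 20  # limit stated in the minutes: 20 calls per batch request

def build_batches(calls, max_batch=MAX_BATCH):
    """Pack calls (dicts: method, url, optional body / depends_on index) into batch bodies."""
    batches = []
    for start in range(0, len(calls), max_batch):
        requests = []
        for pos, call in enumerate(calls[start:start + max_batch]):
            req = {"id": str(pos + 1), "method": call["method"], "url": call["url"]}
            if "body" in call:
                req["body"] = call["body"]
                req["headers"] = {"Content-Type": "application/json"}
            dep = call.get("depends_on")
            if dep is not None:
                # A dependency must be an earlier call inside the same batch.
                if not start <= dep < start + pos:
                    raise ValueError(f"call {start + pos} depends on {dep}, outside its batch")
                req["dependsOn"] = [str(dep - start + 1)]
            requests.append(req)
        batches.append({"requests": requests})
    return batches

def failed_requests(batch, response):
    """Return (url, status) for every sub-request that failed or got no answer."""
    status_by_id = {r["id"]: r["status"] for r in response.get("responses", [])}
    failures = []
    for req in batch["requests"]:
        status = status_by_id.get(req["id"])  # responses may arrive in any order
        if status is None or status >= 400:
            failures.append((req["url"], status))
    return failures

def demo():
    """Constructed sample: 25 calls, the second depending on the first."""
    gid = "00000000-0000-0000-0000-000000000001"  # constructed placeholder id
    calls = [
        {"method": "PATCH", "url": f"/groups/{gid}", "body": {"description": "demo"}},
        {"method": "DELETE", "url": f"/groups/{gid}/members/user-0/$ref", "depends_on": 0},
    ] + [{"method": "GET", "url": f"/users/user-{n}"} for n in range(23)]
    batches = build_batches(calls)
    # Constructed reply to the first batch: the outer call succeeded, but
    # request 1 was refused and its dependent request 2 failed with 424.
    reply = {"responses": [{"id": str(i), "status": 200} for i in range(20, 2, -1)]
             + [{"id": "2", "status": 424}, {"id": "1", "status": 403}]}
    return batches, failed_requests(batches[0], reply)
```

A successful outer batch call says nothing about the individual operations, so a provisioner has to read the status of each sub-request before marking an object as synced.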
Shilen
- Fix to bad membership finder
- Issue: composite group disabled, it will still try to adjust memberships for it, fixed now
- Upgrading hibernate to latest version compatible w Java 8
- In separate branch now, will merge into 2.6 branch after next release and do additional testing
- Will work on other bug fixes
Hibernate
- In Grouper 2.7 and 3.0, should we upgrade Hibernate to something not backward compatible? Or move away from Hibernate?
- Carey: What about reducing support on other databases? Might be good to have fewer things to focus on.
- Chris: We are down to 3
- Build DDL up from scratch should make it easier for all 3 databases to compute and lead to fewer performance issues
- Shilen: maybe we should strongly recommend Postgres
- Chris: we have complicated queries
- In Grouper 3.0 we will simplify and hoping these 3 databases will all perform well and we won’t have to worry.
- We have lessons learned, like don’t put views on top of views
- After we release Grouper 3.0, we can revisit
Member Table when you remove a subject source?
- Subjects moved from one source to another?
- Yes, moved from Peoplesoft view to separate table out of midpoint
- ChrisH: SourceID, doesn’t matter, this is the type of users
- Provide a GSH script to select from members table and do member delete
- AI Shilen write script to take in source ID and delete member rows and references to those member rows, include: note: warning these are the consequences of running this script
Chad
- OWASP has a scanner to look for vulnerability and dependencies. New report under project reports. Dependency Check report. See after Sept 3
- AI Chad Add link to Dependency Check report on Build steps page.
- Links to Java doc are hard to find
- Chris: Grouper 2.6.16 release is coming up
- We will need to backport some things
- Maven Build used to run unit tests, could take 5 hours for a commit
- Chad had changed Maven config to skip tests
- Now made that a parameter
- GRP-4253
- https://todos.internet2.edu/browse/GRP-4253
- Need a translation script
- Bug fix for stem finder
- Working on Grouper Training, coming up in a few weeks
- Don’t need a new release for training
Docker File and Container
- Long and medium term plan for Grouper container
- https://spaces.at.internet2.edu/pages/viewpage.action?pageId=243073606
- Change from CentOS to Rocky Linux. For Grouper 2.7
- Will have CentOS in parallel
- To be released by Tech Ex, December 2022
- Michael G is leading charge on Rocky Linux.
- Rocky Linux is more lightweight and more stable
- Will change process for container
- More of Docker recommended architecture
Chris
- Command lines were difficult to parse, now fixed, prepended to command logs?
- Changed rule behavior, everything will be under ACT AS, discussed on last Grouper call
- GRP-4317: container cp -ra does not work on openshift with different user
- AI Chris Verify Postgres driver version, this is related to GRP-4322 (Bump postgresql from 42.4.0 to 42.4.1 in /grouper-parent #189)
Membership Requirements
- Grouper membership eligibility requirements
- To enforce membership eligibility, you can use a composite, rules, JEXL scripted groups, or you can use this new feature. You can link an attribute with an eligibility group so that immediate memberships (not effective, composite, loaded) will be veto-ed or removed when users are no longer eligible.
- For manual groups
- Suggestion to change to architecture of rules.
- People want a rules UI
- Want an easy way for coarse-grained eligibility requirements
- People using this might not know what group to use
- Eligibility requirement
- Attribute that’s a marker on folder or group
- Allow certain people to assign that attribute
- concept of power user, potentially
- Have a config to link that attribute to that eligibility group
- From Grouper edit screen, clone capability to folder edit screen
- New table to store when a module has removed members
- Can have a report on that table, or have a GSH script to reinstate if removed in error
- Name Value Pairs, email the managers, here is a grace period, etc.
- Add a type for exclude groups
- Chad, this approach can address issues he had in past
- Shilen: question around checking multiples
- And / Or options
- Please think about this as an improvement, but not the end state
- Experimental step towards something more full featured
- All rules around eligibility should not be needed after this is developed
- Majority of rules are around eligibility
- Shilen: Reference groups get complicated; Hard to describe them in 3 or 4 words
- Link to reference group
- Description on the edit group, can have tool tip or a link
- When we make this its own UI, things will be clearer
- In the wiki, explain this is coarse-grained, remember issues around temps, people on leave, etc.
Matt:
- Two different features rolled into one. Perhaps divide them
- One concept is limitation of being able to add people
- Other, when criteria change over time, they get deprovisioned from the group
- It’s a separate process
- We have deprovisioning process in Grouper
- So the focus of the features should be to enhance the limit on add
- That is what is not there
- Is Bob eligible to be added at this time?
- Chris: assuming add and remove criteria is same
- Matt: Perhaps can only be in group for 24 hours
Issue Roundup
Jiras in past two weeks
- GRP-4327: add container variable GROUPER_LOG_TO_PIPE=true
- GRP-4326: flat ldap dn should be there
- GRP-4325: provision to ldap, delete from ldap, run full, error
- GRP-4324: if you assign provisioning on folder, with policy groups true, it changes the drop down for provisionable to false. also changes the drop down for ONE or SUB...
- GRP-4323: added and improved french translations (provisioning) #191
- GRP-4322: Bump postgresql from 42.4.0 to 42.4.1 in /grouper-parent #189
- GRP-4321: add confirm popup for enabled/disable/delete on daemon jobs...
- GRP-4320: membership requirements enforce eligibility by folder
- GRP-4319: add target object cache to grouper provisioning
- GRP-4318: provisioning logging stores invalid postgres data
- GRP-4317: container cp -ra does not work on openshift with different user
- GRP-4316: add member web service should remove enabled/disabled dates if already there
- GRP-4315: changeLogTempToChangeLog daemon error
- GRP-4314: null pointer in provisioning sync integration
- GRP-4313: make sure batch sizes in azure provisioner are the max they can be
- GRP-4312: add threads to provisioner actions
- GRP-4311: escape backslash in config export so it can be imported (try regex)
- GRP-4310: Duplicate entry in grouper.textNg.en.us.base.properties
- GRP-4309: change default rule api from groupHasNoImmediateEnabledMembership to groupHasNoEnabledMembership
- GRP-4308: append intanceid and type to command log for provisioning
- GRP-4307: add createIfNotExist to member finding internal method to make things more clear
- GRP-4306: provisioning ui screens should not blow up if there is an invalid config...
- GRP-4305: disabled group breaks bad membership finder
- GRP-4304: add servername to apache configs in container
- GRP-4303: problem deleting and recreating group in azure
- GRP-4302: should be able to pick azure group type metadata from folder
- GRP-4301: update shib from image in grouper
- GRP-4300: dont log client secret in azure command log
- GRP-4299: Provisioning Framework should produce "Audit data" about what it does to external systems.
- GRP-4298: change group/entity clear provisioner button to clear cache buckets only
- GRP-4297: add manager role to provisioner to do
Grouper Emails in past two weeks
none
Grouper wiki updates in past two weeks
Grouper provisioning internal object model and technical design
Grouper attribute framework attributes editable in group edit screen
Next Grouper Call: Wed., Sept. 14, 2022 at 11:30am ET