Grouper Call of Sept. 14, 2022
Attending
- Chris Hyzer, Penn, Chair
- Shilen Patel, Duke
- Vivek Sachdiva, independent
- Chad Redmon, UNC
- Carey Matt Black, Purdue
- JJ, Unicon
- Bert Bee Lindgren, GA Tech
- Ryan Larscheidt, UW-Madison
- Ben Raplayea, Illinois State U
- Jeremiah Haywood, Illinois State U
- Anderson Klay, Illinois State U
- Drew Aschenbrener, Internet2
- Emily Eisbruch, Internet2
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
Grouper Training
- Grouper Training coming up Sept 27-30, 2022 https://incommon.org/academy/grouper-school/
Current Work
Vivek
- Worked on Jiras
- OIDC for Grouper UI, can integrate w OIDC for authentication
- Already had an OIDC external system
- This is related to the new work:
- https://spaces.at.internet2.edu/pages/viewpage.action?pageId=163120202#AuthenticationtoUIandWebServicesinGrouperv2.5+-AddanewpasswordviagshforUI
- This wiki page is OK as is
- https://spaces.at.internet2.edu/display/Grouper/OIDC+authentication+to+Grouper+Web+Service
- Added a few new things
- Can externalize
- Like for web service, get opaque token from an app and use that to authenticate
- For Grouper 2.7, you can do lightweight OIDC
- Unicon authentication approach may be more full featured, more heavyweight, includes CAS etc
- Can install apache in Grouper container
- If using Shib and OIDC, should be able to simply configure OIDC for grouper
- There are always edge cases, timeouts etc
- For complex use cases, we will steer people to Unicon approach
- We have a Docker container being used for testing
- JJ also has some doc he is updating
- Provisioning tests - LDAP, 2 or 3 are failing, will fix today
- Adding midPoint provisioner
- https://spaces.at.internet2.edu/pages/viewpage.action?pageId=207651606
- midPoint will be like SQL but simpler
- Use generic SQL provisioner? Could be another direction
- Q: will this be single threaded?
- Sequence number issue when things happen very fast
- (Chris has been working on provisioner being multi threaded)
- Timestamps
- Can involve edge cases
- Chris will discuss this with midPoint group
- Carey: what about bi directional flow Grouper and midPoint
Ryan Larscheidt shared issue
Looking to provide a seamless transition from "current summer student, future fall student" to "past summer student, current fall student" on the term changeover boundary.
A simplified scenario is below, with (A), (B), and (C) standing in for Group UUIDs.
Before fall semester start, a student might be a member of the following groups; (C) is populated by the loader, looking for Current groups:
(A) Current Summer Students in L&S
(B) Future Fall Students in L&S
(C) All Current Students [via (A)]
To reduce processing churn, we pause processing in Grouper and run a script after midnight on the first day of fall semester to rename the groups, which results in these memberships for the user:
(A) Past Summer Students in L&S
(B) Current Fall Students in L&S
(C) All Current Students [via (A)]
When we turn the loader back on, because deletes happen first, (A) is removed from (C) before (B) is added, so the user loses all the memberships / eligibility granted to All Current Students.
---
Discussion
- What would help would be an addition before the deletes
- Why did we do removes before adds?
- Because of licensing, if you add a bunch of people, you can end up with too many people provisioned
- Attribute based access control will help this issue
- Doing things transactionally is hard
- Shouldn’t be removing and adding in same loader job
- Add first will help solve
- Potentially we create an “add before delete” option
- Loader can cause issue with composites
- GRP-4352 loader should add before remove
- JJ: Caution on changing the default behavior
- Chris: if we do change default behavior, we will have an upgrade step where you can put it back
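Added example (not part of the meeting notes and not Grouper's loader code): a simplified Python model of one loader sync on (C), comparing remove-first with add-first ordering for the scenario above. The user names, the MEMBERSHIPS data and all function names are constructed for illustration; it shows both the membership gap and the larger peak population that motivated remove-first.

```python
# Simplified model of one loader sync on group (C); not Grouper's loader code.
# Group names and users below are constructed sample data.

def effective_users(member_groups, memberships):
    """Users who are in (C) through any of its member groups."""
    users = set()
    for group in member_groups:
        users |= memberships[group]
    return users

def run_sync(current, desired, memberships, add_first):
    """Apply the diff between current and desired member groups one step
    at a time; return the final member groups and the effective user set
    after each step."""
    removes = [("remove", g) for g in sorted(current - desired)]
    adds = [("add", g) for g in sorted(desired - current)]
    ops = adds + removes if add_first else removes + adds
    members = set(current)
    trace = []
    for op, group in ops:
        if op == "add":
            members.add(group)
        else:
            members.discard(group)
        trace.append((op, group, effective_users(members, memberships)))
    return members, trace

def lost_access(trace, user):
    """True if `user` dropped out of (C) at any intermediate step."""
    return any(user not in users for _, _, users in trace)

def peak_size(trace):
    """Largest effective population seen during the sync."""
    return max(len(users) for _, _, users in trace)

# Constructed state after the rename script: the loader now selects (B).
MEMBERSHIPS = {
    "A": {"continuing", "summer_only"},  # Past Summer Students in L&S
    "B": {"continuing", "new_fall"},     # Current Fall Students in L&S
}
CURRENT, DESIRED = {"A"}, {"B"}

if __name__ == "__main__":
    for add_first in (False, True):
        final, trace = run_sync(CURRENT, DESIRED, MEMBERSHIPS, add_first)
        print("add first" if add_first else "remove first", sorted(final),
              "gap:", lost_access(trace, "continuing"),
              "peak:", peak_size(trace))
```

Both orderings end with (C) containing only (B); they differ in the intermediate state that downstream consumers can observe.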
Shilen
- Will look at the IntelliJ issue.
- Related to issues w Eclipse
- ID index for members
- Need to update provisioning to look at that
- Related to midPoint provisioner and ID Index
- Hibernate work, need a few days for testing after merging
Chad
- SCIM
- Unicon project to potentially rewrite SCIM
- The SCIM server is using a Penn State library for J2EE
- Needs TomEE
- No easy workarounds, can't swap out libraries
- Chad explored this for a few hours
- Ping Identity SCIM library, not documented but could guess at what's needed
- Fields coming across for JSON and SCIM – closer to standard w Ping Identity than w Penn State
- Not sure how much it’s being used
- Reachable task if we want to do this
- It’s a roadmap item, needed for Grouper 2.7
- Will add a few jars
- Chris: Hard to always update 3rd party jars, but it’s worth adding these jars
- Chad has heard that SCIM interface w midPoint doesn't work
- AI Chad ask list if people are using SCIM
- In Grouper 2.7 we will have ?
- Worked with IntelliJ issue
- Chad helped U Hawaii with issue
- [grouper-users] Change delimiter for multivalued attributes returned by WS?, Baron Fujimoto, 09/06/2022
- Re: [grouper-users] Change delimiter for multivalued attributes returned by WS?, Baron Fujimoto, 09/09/2022
Chris
- Working on threads to increase speed
- Batching in Azure should be working as expected
- Every operation of Azure should happen 20 at a time
- You can already batch membership adds by 20
- All will be threaded
- Will be good to get rid of hibernate
- Chris now has a computer w ARM processor
- Need to get Grouper image working on ARM
Issue Roundup
Jiras in past two weeks
- GRP-4350: error creating stems
- GRP-4349: new local entity screen should have "entity id" not "group id"
- GRP-4348: add view for change log temp
- GRP-4347: make dinkel ldap for arm processors
- GRP-4346: batch group set inserts on object create
- GRP-4345: WsGetGroupsLiteResult with no found groups should return empty list
- GRP-4344: allow gsh to run on arm processors
- GRP-4343: remove outdated groovy-all dependency
- GRP-4342: Create GrouperUtil.join() method that works on Collections
- GRP-4341: fix table indexes in batch
- GRP-4340: allow table index to reserve multiple ids at once
- GRP-4339: grouper loader should remove memberships from groups instead of delete groups as an option
- GRP-4338: moves in bushy LDAP should create OUs
- GRP-4337: GroupFinder builder missing method for assignIdIndexes() and addIdIndex()
- GRP-4336: make sure the full provisioner dnOverride-only retrieves the correct groups
- GRP-4335: add threads to provisioning
- GRP-4334: add oidc to grouper ui
- GRP-4333: add grouper_members id_index column
- GRP-4332: add id_index to the members table
- GRP-4331: provisioning sync member table get source id populated with subject id
- GRP-4330: Make ChangeLog Consumer queue/backlog size available via web request
- GRP-4329: cannot remove provisionable because override DN is required
- GRP-4328: if group.deleteMember WS remove the future enabled date if there
- GRP-4327: add container variable GROUPER_LOG
Grouper Emails in past two weeks
- [grouper-users] Change delimiter for multivalued attributes returned by WS?, Baron Fujimoto, 09/06/2022
- Re: [grouper-users] Change delimiter for multivalued attributes returned by WS?, Baron Fujimoto, 09/09/2022
Grouper wiki updates in past two weeks