Grouper Call of Sept. 14, 2022

Attending

Chris Hyzer, Penn, Chair
Shilen Patel, Duke
Vivek Sachdiva, independent
Chad Redmon, UNC
Carey Matt Black, Purdue
JJ, Unicon
Bert Bee Lindgren, GA Tech
Ryan Larscheidt, UW-Madison
Ben Raplayea, Illinois State U
Jeremiah Haywood, Illinois State U
Anderson Klay, Illinois State U
Drew Aschenbrener, Internet2
Emily Eisbruch, Internet2

Administrivia

Internet2 Intellectual Property Policy
Review AIs Grouper Project Action Items (Google Doc)
Agenda Bash

Grouper Training

Grouper Training coming up Sept 27-30, 2022 https://incommon.org/academy/grouper-school/

Current Work

Vivek

Worked on Jiras
OIDC for Grouper UI, can integrate w OIDC for authentication
Already had an OIDC external system
This is related to the new work:
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=163120202#AuthenticationtoUIandWebServicesinGrouperv2.5+-AddanewpasswordviagshforUI

- This wiki page is OK as is
- https://spaces.at.internet2.edu/display/Grouper/OIDC+authentication+to+Grouper+Web+Service

Added a few new things
Can externalize
Like for web service, get opaque token from an app and use that to authenticate
For Grouper 2.7, you can do lightweight OIDC
Unicon authentication approach may be more full featured, more heavyweight, includes CAS etc
Can install apache in Grouper container
If using Shib and OIDC, should be able to simply configure OIDC for grouper
There are always edge cases, timeouts etc
For complex use cases, we will steer people to Unicon approach
We have a Docker container being used for testing
JJ also has some doc he is updating

Provisioning tests - LDAP , 2 or 3 are failing, will fix today
Adding midPoint provisioner
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=207651606
midPoint will be like SQL but simpler
Use generic SQL provisioner? Could be another direction
Q: will this be single threaded?
Sequence number issue when things happen very fast
(Chris has been working on provisioner being multi threaded)
Timestamps
Can involve edge cases
Chris will discuss this will midPoint group
Carey: what about bi directional flow Grouper and midPoint

Ryan Larscheidt shared issue

looking to provide a seamless transition from "current summer student, future fall student" to "past summer student, current fall student" on the term changeover boundary.

A simplified scenario is below, with (A), (B), and (C) standing in for Group UUIDs.

Before fall semester start, a student might be members of the following groups; (C) is a populated by the loader, looking for Current groups:

(A) Current Summer Students in L&S

(B) Future Fall Students in L&S

(C) All Current Students [via (A)]

To reduce processing churn, we pause processing in Grouper and run a script after midnight on the first day of fall semester to rename the groups, which results in these memberships for the user:

(A) Past Summer Students in L&S

(B) Current Fall Students in L&S

(C) All Current Students [via (A)]

When we turn the loader back on, because deletes happen first, (A) is removed from (C) before (B) is added, so the user loses all the memberships / eligibility granted to All Current Students.

—--

Discussion

What would help would be an addition before the deletes
Why did we do removes before adds?
Because of licensing, if you add a bunch of people, you can add with too many people provisioned
Attribute based access control will help this issue
Doing things transactionally is hard
Shouldn’t be removing and adding in same loader job
Add first will help solve
Potentially we create an “add before delete” option
Loader can cause issue with composites
GRP-4352 loader should add before remove
JJ: Caution on changing the default behavior
Chris: if we do change default behavior, we will have an upgrade step where you can put it back