Grouper Call of Dec. 21, 2022

Attending 

  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent  
  • Chad Redman, UNC
  • Carey Black, Purdue
  • Chris Hubing, Internet2
  • Emily Eisbruch, Internet2

Administrivia

New Action Items

  • AI: Carey to provide suggestions in writing to Chris re data source, attribute framework and data rows
  • AI: Emily to research the first action item from Nov 30 for Chris H re wiki and external systems. DONE

Grouper at Tech Ex 2022 in Denver

Grouper BOF went well

Slides:


For 2.6

  • Polish provisioning framework
    • Vivek working on testing JEXL expressions
  • Caching full objects, tie in with attribute framework
  • Figure out roles and lists
  • Remove SCIM
  • Maybe remove SOAP, with option to add back



For v5

  • Rocky Linux
  • Remove Apache and Shib, with advice on how to add back
  • Tomcat as single process
  • Upgrading Java so we can use Unicon authentication
  • ABAC


  • Grouper V6 will be non enhancement version of V5
  • Grouper V7 is major rewrite of database


  • Chad: In v5, other library updates?
  • Using both JEXL 2 and JEXL 3? 
  • Chris Hyzer: Three different types of JEXL
  • Different parts of Grouper use different JEXLs
  • Expression, script and template
  • Nice to switch from expression to scripts, can do multi line things, declare variables, more options
  • Getting rid of JEXL 2 would be good
  • Most is backwards compatible


  • Do a full refresh of whatever we can


  • Hibernate is a tough one
  • Getting SOAP out makes it easier


  • Groovy has more features, classes
  • Newer versions of Groovy only work with Java 11
  • There is no Groovy All
  • Chris Hyzer: If we go to Java 17 and more recent Tomcat,
  • We are using a tomcat feature, done in 8.5
  • Can take a jsp fragment and run that but not from a web request.
  • Our whole UI is based on that.
  • Not sure a way to do that in a newer Tomcat.
  • Need to find out.
  • Nice to have release of v5 out by end of January 2023
  • Could be too ambitious




ACAMP Grouper Sessions, Scribing notes

  • Chris showed progress on ABAC

  • There is interest in group-based ABAC
  • If entity is group or subject it can have attributes
  • Grouper attribute based access control with scripted groups
  • https://spaces.at.internet2.edu/display/Grouper/Grouper+attribute+based+access+control+with+scripted+groups
  • ABAC policy script either returns groups or recognizes parts of the policy are group based and uses that in the mat
  • Example: Script that says I want these types of courses but not those types of courses
  • Mark as group output
  • Example: Want groups with this attribute minus groups with that attribute minus the lockout people
  • Groups have attributes you can use in scripts

  • Talked about Domain specific language for policy stuff?
  • JJ is interested
  • Will stick with JEXL and parse that.
  • DSL that translates to JEXL
  • Simplify the language to be human readable
  • Chad: Do we need JEXL execution? Or just parse?
  • Use any syntax we want? 
  • Chris Hyzer: it is parsing the JEXL
  • Into an object model
  • Could re-create that
  • Use XML or JSON?
  • JEXL mostly used for admins
  • But end users using this will be power users


  • Also mentioned at TechEx: can we have a query builder to put this in the hands of normal users? Let institutions think about what types of scripts they will have and make GSH-like templates: these are the inputs, this is how it constructs the scripts, org-based policy or student-based policy. It asks you questions like “do you want students on leave?”
  • Permissions and access controls will be important
  • Will need to translate the object model into SQL.
  • Queries that go to the database, otherwise too much stuff in memory


  • Talked about logging

Current Work

Vivek

  • Grouper data field and subject source next generation
  • Configuring entity data fields
  • Privacy realms
  • Similar attribute security for certain groups 
  • Data Rows


  • Question: what's the difference between attribute and data row?
  • Answer: rows have metadata
  • Can have an affiliation row, for example
  • Chad: what about a loader that could convert attribute framework values to data fields? Term switch issues, what groups are relevant for new term. If this is driven by Grouper attribute framework then they can just be tagged
  • Suggestion for global attributes
  • Would be good to have it built in
  • Merge concepts of attribute framework and entity data
  • Want to store this data, make this more dynamic?
  • Want to keep the data in new tables, stored efficiently
  • Consistent JEXL variables
  • Attribute framework is heavy weight, queries not too efficient
  • Feed in a data provider query  (source)
  • AI: Matt/Carey to provide suggestions in writing to Chris re data source, attribute framework and data rows



  • Vivek also working on script testing
  • Debugging tool for JEXL scripts
  • Two modes for JEXL:
    • Non-existent variable evaluates to null
    • OR
    • Will throw an exception
  • Makes things complicated (it sucks)
  • Idea: have another JEXL engine run in lenient mode instead of strict mode
  • Add warning that if you are not caching there could be a problem
  • Reminder of need to do null checking
  • Need doc on how to mock up subject source
  • Add examples for group translations
  • Think about pull from properties
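The two JEXL modes discussed above (an undefined variable either evaluates to null or throws an exception), shown side by side in Java together with the null-checking pattern the reminder refers to. This is an added example, not Grouper's own code; it assumes Apache Commons JEXL 3 (org.apache.commons.jexl3) is on the classpath, and the class name, the context contents and the scripts are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;

/**
 * Runs the same JEXL scripts through a strict engine and a lenient engine so the
 * difference in how undefined variables are handled is visible side by side.
 * Hypothetical demo class, not part of Grouper.
 */
public class JexlModeDemo {

    /** Constructed sample context: "subject" is defined, "org" is deliberately absent. */
    static JexlContext sampleContext() {
        Map<String, Object> subject = new HashMap<>();
        subject.put("id", "jdoe");             // constructed sample value
        subject.put("affiliation", "student"); // constructed sample value
        JexlContext ctx = new MapContext();
        ctx.set("subject", subject);
        return ctx;
    }

    /** Evaluates one script and returns either its value or the exception it raised. */
    static String evaluate(JexlEngine engine, String script, JexlContext ctx) {
        try {
            JexlScript s = engine.createScript(script);
            return "value=" + s.execute(ctx);
        } catch (JexlException ex) {
            // With a strict engine an undefined variable surfaces as JexlException.Variable.
            return "error=" + ex.getClass().getSimpleName() + " (" + ex.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // strict(true): referencing a variable that is missing from the context throws.
        JexlEngine strict = new JexlBuilder().strict(true).silent(false).create();
        // strict(false): the same reference quietly evaluates to null.
        JexlEngine lenient = new JexlBuilder().strict(false).silent(false).create();

        String[] scripts = {
            "subject.affiliation == 'student'", // every variable is defined
            "org.code == 'ENG'",                // 'org' is not in the context
        };

        for (String script : scripts) {
            System.out.println(script);
            System.out.println("  strict  : " + evaluate(strict, script, sampleContext()));
            System.out.println("  lenient : " + evaluate(lenient, script, sampleContext()));
        }

        // Null checking inside the script only helps if the variable exists in the
        // context. Pre-populating every expected variable (here with null) lets even a
        // strict engine evaluate the guarded expression to false instead of throwing,
        // because '&&' short-circuits before 'org.code' is dereferenced.
        JexlContext guarded = sampleContext();
        guarded.set("org", null);
        String guardedScript = "org != null && org.code == 'ENG'";
        System.out.println(guardedScript);
        System.out.println("  strict, org pre-set to null: " + evaluate(strict, guardedScript, guarded));
    }
}
```

The practical point for script testing is that a script which passes under a lenient engine can still fail under a strict one, so a debugging harness should run both, and a mocked context should define every variable the script may touch, even if only as null.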


Chris 

  • It was brought up at TechEx: when you add a user to a group, and not inserting users, it will fail
  • Chris is adding a bean to the data structure that's like a provisioning state to hold things


Chad

  • Created a ticket for issue: when you put things in up local or opt the group or slash route, it changes the permissions

Issue Roundup

Jiras since Nov 30 Grouper call

Grouper Emails in past two weeks

  none

Grouper wiki updates in past two weeks

Next Grouper Call: Wed Jan. 4, 2023