Grouper Call of Dec. 21, 2022
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Chad Redman, UNC
- Carey Black, Purdue
- Chris Hubing, Internet2
- Emily Eisbruch, Internet2
Administrivia
- Internet2 Intellectual Property Policy
- Review AIs Grouper Project Action Items (Google Doc)
- Agenda Bash
New Action Items
- AI Carey provide suggestions in writing to Chris re data source, attribute framework and data rows
- AI Emily research first action item from Nov 30 for Chris H re wiki and external systems DONE
Grouper at Tech Ex 2022 in Denver
Grouper BOF went well
Slides:
- https://docs.google.com/presentation/d/1SCKpkd8pE_gs9DQjtAtyR218zFQc2Q3rVnmwQYgJ8k4/edit#slide=id.g1a8bccc8a22_0_55er
- Chris and Shilen presented
- New Version numbers https://spaces.at.internet2.edu/pages/viewpage.action?pageId=41582755
- Roadmap
- Ongoing work
- Training and community contributions
- Need to wrap up 2.6 and call that v4
- ABAC will be v5
- People excited about ABAC
- Need to get a release out
- Need to do container changes
- For 2.6
- polish provisioning framework
- Vivek working on testing JEXL expressions: caching full objects, tie in with attribute framework
- Figure out re roles and lists
- Remove SCIM
- Maybe remove SOAP, with option to add back
For v5
- Rocky Linux
- Remove Apache and Shib, with advice on how to add back
- Tomcat as single process
- Upgrading Java so we can use Unicon authentication
- ABAC
- Grouper V6 will be a non-enhancement version of V5
- Grouper V7 is major rewrite of database
- Chad: In v5, other library updates?
- Using both JEXL 2 and JEXL 3?
- Chris Hyzer: Three different types of JEXL
- Different parts of Grouper use different JEXLs
- Expression, script and template
- Nice to switch from expression to scripts, can do multi line things, declare variables, more options
- Getting rid of JEXL 2 would be good
- Most is backwards compatible
- Do a full refresh of whatever we can
- Hibernate is tough one
- Getting SOAP out makes it easier
- Groovy has more features, classes
- Newer versions of Groovy only work with Java 11
- There is no Groovy All
- Chris Hyzer: If we go to Java 17 and a more recent Tomcat:
- We are using a tomcat feature, done in 8.5
- Can take a jsp fragment and run that but not from a web request.
- Our whole UI is based on that.
- Not sure a way to do that in a newer Tomcat.
- Need to find out.
- Nice to have release of v5 out by end of January 2023
- Could be too ambitious
- Wolverine Versus Grouper presentation slides from TechEx
- https://internet2.edu/wp-content/uploads/2022/12/techex22-IAM-Wolverine-vs-Grouper-Hoekenga.pdf
- Good presentation on how U Michigan uses Grouper
- Successes with new provisioning framework
- How they do DN override
- ABAC, got people talking about this
- There were other discussions on ABAC at TechEx too
- Trying to be sure the envisioned use cases are covered by v5
ACAMP Grouper Sessions, Scribing notes
- Grouper Deployment Odds and Ends session at ACAMP Unconference
- https://docs.google.com/document/d/1tDNwIpxfTz0JPYRf4BRktQX7IhmaguUpJDhXjfcMq2s/edit
- Grouper ABAC session at ACAMP Unconference
- https://docs.google.com/document/d/1PBV1FbBhhnD2K6fs9Y9tCEXawzbOVdZItuymvyQF8h0/edit
- Chris showed progress on ABAC
- There is interest in group based ABAC
- If entity is group or subject it can have attributes
- Grouper attribute based access control with scripted groups
- https://spaces.at.internet2.edu/display/Grouper/Grouper+attribute+based+access+control+with+scripted+groups
- ABAC policy script either returns groups or recognizes parts of the policy are group based and uses that in the mat
- Example: Script that says I want these types of courses but not those types of courses
- Mark as group output
- Example: Want groups with this attribute minus groups with that attribute minus the lockout people
- Groups have attributes you can use in scripts
- Talked about Domain specific language for policy stuff?
- JJ is interested
- Will stick with JEXL and parse that.
- DSL that translates to JEXL
- Simplify the language to be human readable
- Chad: Do we need JEXL execution? Or just parse?
- Use any syntax we want?
- Chris Hyzer: it is parsing the JEXL
- Into an object model
- Could re-create that
- Use XML or JSON?
- JEXL mostly used for admins
- But end users using this will be power users
- Also mentioned at TechEx: can we have a query builder to put this in the hands of normal users? Let institutions think about what types of scripts they will have and make GSH-like templates. These are the inputs, this is how it constructs the scripts: org-based policy or student-based policy. It asks you questions like "do you want students on leave?"
- Permissions and access controls will be important
- Will need to translate the object model into SQL.
- Queries that go to the database, otherwise too much stuff in memory
- Talked about logging
Current Work
Vivek
- Grouper data field and subject source next generation
- Configuring entity data fields
- Privacy realms
- Similar attribute security for certain groups
- Data Rows
- Question: what's the difference between attribute and data row?
- Answer: rows have metadata
- Can have an affiliation row, for example
- Chad: what about a loader that could convert attribute framework values to data fields? Term switch issues, what groups are relevant for new term. If this is driven by Grouper attribute framework then they can just be tagged
- Suggestion for global attributes
- Would be good to have it built in
- Merge concepts of attribute framework and entity data
- Want to store this data, make it more dynamic?
- Want to keep the data in new tables, stored efficiently
- Consistent JEXL variables
- Attribute framework is heavy weight, queries not too efficient
- Feed in a data provider query (source)
- AI Matt/Carey provide suggestions in writing to Chris re data source, attribute framework and data rows
- Vivek also working on script testing
- Debugging tool for JEXL scripts
- Two modes for JEXL:
- Non-existent variable resolves to null, OR
- Will throw an exception
- Makes things complicated (it sucks)
- Idea, have another JEXL run in lenient mode, instead of strict mode
- Add warning that if you are not caching there could be a problem
- Reminder of need to do null checking
- Need doc on how to mock up subject source
- Add examples for group translations
- Think about pull from properties
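The two JEXL variable-resolution modes noted above, as an added Java example (not Grouper's own code): the same script, which references a variable missing from the context, is run once under a strict engine and once under a lenient one, so the null-versus-exception difference the notes describe is visible. The script text and variable names are constructed for illustration, and it assumes Apache Commons JEXL 3 on the classpath.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;

public class JexlModeDemo {

    // Constructed policy-style script: "affiliation" is bound in the context,
    // "entity" is deliberately left unbound to trigger the undefined-variable case.
    static final String SCRIPT =
        "affiliation == 'student' && entity.onLeave != true";

    // strict=true reports undefined variables; strict=false (lenient) resolves them to null.
    static JexlEngine engine(boolean strict) {
        return new JexlBuilder()
            .strict(strict)
            .silent(false)   // surface problems as exceptions rather than only logging them
            .create();
    }

    // Run the script under one mode and describe what happened.
    static String run(boolean strict) {
        JexlContext ctx = new MapContext();
        ctx.set("affiliation", "student");
        // "entity" is never set, which is the case the notes call out

        JexlScript script = engine(strict).createScript(SCRIPT);
        try {
            Object result = script.execute(ctx);
            // In lenient mode the missing variable silently became null, so the
            // policy evaluated anyway: this is why the notes stress null checking.
            return (strict ? "strict" : "lenient") + " -> result=" + result;
        } catch (JexlException.Variable e) {
            // Strict mode names the unbound variable instead of guessing, which is
            // what a debugging run of a scripted-group policy would want to see.
            return "strict -> undefined variable: " + e.getVariable();
        } catch (JexlException e) {
            return "strict -> error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(run(true));
        System.out.println(run(false));
    }
}
```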
Chris
- It was brought up at TechEx that when you add a user to a group and are not inserting users, it will fail
- Chris is adding a bean to the data structure that's like a provisioning state to hold things
Chad
- Created a ticket for issue: when you put things in /opt/grouper/slashRoot, it changes the permissions
Issue Roundup
Jiras since Nov 30 Grouper call
- GRP-4541: add knobs for retries
- GRP-4540: if not creating entities (or groups) and can't be found, then error should be DNE
- GRP-4539: format errors better
- GRP-4538: incremental provisioner (e.g. Azure) when converting to group sync (over 500 members) will get skipped until full sync
- GRP-4537: failure on membership import when session times out
- GRP-4536: add a way to include common functions in GSH templates
- GRP-4535: deprecation logs for PSU SCIM requests
- GRP-4534: start auto indexes at 1000000 for POSIX groups
- GRP-4533: add request id and correlation id in WS logging
- GRP-4532: allow SQL loader queries to be brought in by config or other way
- GRP-4531: dry run option for loader
- GRP-4530: container startup changes file permissions in /opt/grouper/slashRoot if GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=false
- GRP-4529: regex validation does not work for GSH template password inputs
- GRP-4528: SubjectFinder() builder can only find one subject, not multiple
- GRP-4527: using four digits for versions fails in certain circumstances
- GRP-4526: if an exception occurs, check to see if the data is in the right state?
- GRP-4521: deprecation logs for SOAP requests
- GRP-4520: add subject source restriction in membership requirements (e.g. only people)
- GRP-4519: Provisioning Framework - inability to provision custom attributes to bushy stems
Grouper Emails in past two weeks
none
Grouper wiki updates in past two weeks
- Grouper daemon "other job" to control other daemons
- Grouper daemon "other job" to run a script
- External systems configuration
- Grouper provisioning roles
- GrouperShell (gsh)
- Grouper Box Provisioner
- v2.6 Release Notes
- Grouper attribute based access control with scripted groups
- GrouperShell (gsh) Membership finder (MembershipFinder)
- Grouper provisioning translations
- Grouper data field and subject source next generation
Next Grouper Call: Wed Jan. 4, 2023