Grouper Developers Forum

["Jessica Bibbee" <>]

Fall 2007 Internet2 Member Meeting
Town & Country Resort and Convention Center
Monday, October 8, 2007 - San Diego, CA

Signet/Grouper Combined Working Group Meeting
10:30am - 12:00pm PDT 
Location: San Diego Room

*Attendees*
Tom Barton, U. Chicago (chair, Grouper)
Lynn McRae, Stanford U. (chair, Signet)
Dave Donnelly, Stanford U.
Heather Flanagan, Stanford U.
James Cramton, Brown U.
Susan Neitsch, Texas A&M U.
Rob Banz, UMBC
Celeste Copeland, Duke U.
Klara Jelinkova, Duke U.
Shilen Patel, Duke U.
James Dalziel, Macquarie U.
Milan Sova, CESNET
Nicole Harris, JISC
Mike Austin, U. Vermont
Brian Gilmore, U. Edinburgh
Ray Ford, U. Montana
Brent Putman, Georgetown U.
Leif Johansson, Stockholm U.
Roland Hedberg, Umeå U.
Brendan Bellina, USC
Asbed Bedrossian, USC
John-Paul Robinson, UAB
Alan Brenner, Ithaka
Keith Hazelton, U. Wisconsin-Madison
Jim Fox, U. Washington
RL "Bob" Morgan, U. Washington
Ann West, EDUCAUSE/Internet2
IJ Kim, Internet2
Renee Frost, Internet2
Michael Gettes, Internet2
Steve Olshansky, Internet2
Lisa Haanpaa, Internet2
Jessica Bibbee, Internet2 (scribe)

Roadmap-driven *Agenda*
1. API
2. Advisory Committees
3. The 'A' list (large items)
     A1. Extension hooks (grouper, signet)
     A2. Notification of changes (grouper, signet)
     A3. Web service interface (groups, privs)
     A4. History & audit (grouper)
     A5. Rule-based actions (grouper, signet)
     A6. I2MI integration
     A7. XML import/export for metadata mgmt and integration (signet)
4. The 'B' list (smaller items)
     B1. Namespace transition support (grouper)
     B2. Non-resolvable Subject deletion utility (grouper, signet)
     B3. Subject API v1.0
     B4. Improve Ldappc (groups, privs)
     B5. Simpler UI (Grouper, signet)
5. Feedback on Priorities

*Discussion*
{Tom} led the Group through a discussion of development items on the Signet/Grouper Roadmap, focusing on prioritization, effort required, and urgency.

-The "A" List- 
{Tom} took a vote on the larger development items from List 'A'. Thirteen of those in attendance had a maximum of 3 votes to cast among the 7 items, show in descending order of preference:
           A1. Extension Hooks  (Signet/Grouper) – 14 votes
           A2. Notification of Changes (Signet/Grouper) – 12 votes
           A3. Web Service Interface (groups/privileges) – 8 votes
           A5. Rule-based Actions (Grouper) – 4 votes
           A4. History & Audit (Signet/Grouper) – 1 vote
           A7. XML import/export (Signet) – 1 vote
           A6. I2MI Integration – 1 vote (defaulted if/once A1-A3 are addressed)

-A1. Extension hooks (Signet/Grouper)-
Creating extension hooks would implement an infrastructure within Grouper & Signet that would enable independent extension of key internal events. Both pre- and post-processing hooks will be provided for each "primitive API operation".

-A2. Notification of changes-
This item would enable the propagation of group, membership, or privilege changes to the infrastructure and consuming applications. It would include support for email notification of changes, providing updates to pertinent users. Notification of changes would also address (near) realtime & incremental provisioning needs.

An example of this would the Signet/Grouper "listeners", displaying rules capabilities.

-A3. Web Service Interface-
The Working groups have expressed a strong interest in web service capabilities, as many applications will depend on such a feature. An interface would build on the XML import/export architecture to define functional services that could be wrapped as a Web (
e.g., SOAP) service interaction. This would ultimately provide for wider integration of group & privilege services into applications and enterprise integration infrastructure. In order for this to happen, the developer team will need to work with the community to determine an appropriate subset of the APIs to be exposed through a set of endpoints.

The attendees suggested differentiating between work done on API capabilities and that for rolled-up operations. They requested suitable facades for managing access, as well as sufficient code for building simpler and/or embedded UIs. 

-A4. History & audit (Grouper)-
The Working Group still needs to gain clarity on types of audit requirements to be supported by Grouper and whether their support should be enabled per group, per naming stem, or categorically. This aspect will build on the hooks or change notification infrastructure.

In the future, there are plans to develop an EDDY agent capable of sending events into an external infrastructure that supplies persistence and analysis services.

-A5. Rule-based actions (Signet/Grouper)-
For Signet, there will be support for automatic activation of privileges once prerequisites are met, and automatic revocation of privileges when conditions are not met, typically based on changes in a person's status and affiliation.

As this relates to Grouper, there will be support for automatic deactivation or reactivation of groups and memberships.

-A6. I2MI integration-
{Tom and Lynn] detailed their view of the most immediate I2MI integration needs:

- There is a need to identify/implement a framework, in which combinations of I2MI components (Grouper API, Grouper UI, Signet, Ldappc, and Subject source adapters) can be easily integrated (not just in a single JVM). This is largely an issue of managing configuration and 3rd party libraries.

- To the greatest extent possible, the development teams need to ensure that I2MI components use 'same means for achieving same ends', using the same configuration files for common purposes. This will eliminate confusion over differing practices and will lay the groundwork for faster builds and simpler configurations.

- The Signet/Grouper developers will provide a demo Subject database common to all quickstart or demo packages.

-A7. XML import/export for metadata management and integration (Signet)-
{Dave} shared that this work is indeed underway and is nearing completion. This piece will include utility wrappings to support command-driven and scripted interactions. There will also be support for handling assignment & privileges changes that result from metadata changes.

The attendees requested that the API and web services are set as constraints for this work. They expressed a need for a simpler UI for administration tools and configuration management. Other desired items include packaging for execution of other containers and a continued need for contributed documentation.

-----

The following Roadmap items will enhance use of Signet and Grouper and complement the above items, if with slightly less urgency:
    B1. Namespace transition support (Grouper)
    B2. Non-resolvable Subject deletion utility (Signet/Grouper)
    B3. Subject API v1.0
    B4. Improve Ldappc (groups, privileges)
    B5. Simpler UI (Signet/Grouper)

There was a request for more graphical description of the implications of groups, e.g., for better understanding by the end user. The Group also noted a need for a more established infrastructure for developing the Grouper UI. Many of these issues relate to both Signet and Grouper, and should aim to provide a single solution where both could benefit.

-B1. Namespace transition support (Grouper)-
The hierarchy of naming stems in a deployment will change over time. Although the XML Import/Export tool supports prune & graft, large changes may take longer than desired and could be disruptive. The ability to logically "move" or "copy" a group or a selection of groups from one naming stem to another would be superior.

-B2. Non-resolvable Subject deletion utility (Signet/Grouper)-
Members of the Working Group have expressed concern over deleted subjects. For example, a utility is needed that would enable deletion of memberships or privileges held by subjects no longer resolvable in any subject source. Just as there are 'rules', this was expressed more correctly as an 'un-rule'.

-B3. Subject API v1.0-
Work continues on the Subject API in coordination with the Signet/Grouper projects. Still needed are a finalization of the definition of v1.0 of the Subject API and enhancement of the JNDI and JDBC reference implementations accordingly. They will restructure how source adapters are configured and initialized to completely decouple the reference implementation from 3rd party implementations (especially to change the current role played by the SourceManager in this regard).

-B4. Improve Ldappc (groups, privileges)-
Another I2MI component in need of work is the LDAP Provisioning Connector.  The Signet/Grouper projects will incorporate a strategy for computing the difference between LDAP and Grouper that does not rely so heavily on querying LDAP, 
e.g., by maintaining a database of essential LDAP info that is used to compute the difference. This would be useful during an interim period until Grouper can originate changes, at which point it would be optimal for Ldappc to be modified to propagate these changes.

Alternatively, the developers could instead wait until the "A2. Notification of Changes" task is complete and then adapt Ldappc to propagate changes to groups and memberships.

The developers plan to provide a configurable capability for assembling values of a privilege attribute.

-B5. Simpler UI (Signet/Grouper)-
Members of the Working Group have requested that the developer teams provide a simpler UI, *one* designed to be used by all members of a campus community, as a companion to the original, which is more appropriately used by a technical administrator. By the meaning of *one*, the attendees specified that there should not be a focus on a *single* UI, but that it should allow for multiple implementations in an easy-to-roll-out manner. 

The developers plan to make the simpler UI a client of the "Group service interface", so that it also serves as an example of the latter's use.

----

Feedback is most welcomed, and may be directed to the Signet-dev and/or Grouper-dev AT 
internet2.edu mailing lists.

The next Grouper Working Group call will be held on Wednesday, October 17, 2007 at 12pm EDT. The next Signet Working Group call will be held on Friday, October 26, 2007 at 11am EDT.

-- 
Jessica Bibbee, Technical Analyst
Internet2

mobile: +1-734-255-6644

The Internet2 Dynamic Circuit Network:
Unleash your interdomain imagination
http://www.internet2.edu/network/dc/