grouper-dev - Draft Minutes: Grouper Call 24-Jun-09

Subject: Grouper Developers Forum


  • From: Emily Eisbruch <>
  • To: Grouper Dev <>
  • Subject: Draft Minutes: Grouper Call 24-Jun-09
  • Date: Mon, 29 Jun 2009 08:54:53 -0400

**Grouper Call 24-June-09**

*Attending*
Tom Barton, U. Chicago (chair) 
RL “Bob” Morgan, University of Washington 
Jim Fox, University of Washington 
Gary Brown, Bristol  
Bob Landsparger, Michigan Tech 
James Cramton, Brown 
Shilen Patel, Duke 
Chris Hyzer, U. Penn 
Tom Zeller, U. Memphis 
Steve Olshansky, Internet2    
Emily Eisbruch, Internet2 (scribe)  

**New Action Items**

[AI] (Shilen) and (Jim) will create a wiki page on handling entitlements to minimize publishing of group information.

[AI] (Jim) will put LDAP source adapter info from U-W on wiki.

[AI] (Gary) will enter a new JIRA issue related to GRP-295 and the removal of membership.

[AI] (Chris) will add use cases and framework to the attribute framework wiki page.

[AI] (Chris) will contact Bert re contributing privilege management use cases.

 

**Discussion**

Report from CAMP and Advanced CAMP in Philadelphia

At CAMP, June 15-17, the focus was on access management. A lot of discussion centered on the work going on at MIT with perMIT, a non-group-based privilege management system. There was also much interest in the plans to add privilege management capabilities to Grouper.

At Advanced CAMP, June 16-17, the topic was Identity Services for Higher Ed Open/Community-Source Projects. People brought their difficult IdM issues and structures.

There is interest in wider participation in the MACE-paccman working group to focus on terminology and models.


**Collaborations discussed at CAMP and Advanced CAMP**

- Eric Westfall of Kuali and TomB agreed that in September, some KIM and Grouper representatives will discuss integrating Grouper as a service behind the Kuali KIM interfaces.

- Jonathan Markow and TomB discussed again the previously mentioned agreement for Gary to offer advice / be a resource to the ESUP-Portail effort to redo their uPortal groups interface based on Grouper.

- It could be beneficial to have a commonly reusable widget for group user interfaces and applications, a widget for selecting groups from a groups store. Suggestion to work with Fluid to design such a widget. RL “Bob” mentioned there has been discussion on the Sakai email list about the group selection widget concept.

- It would be good for COmanage to have a simple Grouper interface. Maybe Fluid widgets would work. Need further conversation with the COmanage team. Gary is willing to be a resource for this effort.

In summary, many of the connections made at the CAMPs in Philadelphia may impact the Grouper agenda over time.

**Exposing Groups Through Shibboleth**

Chris said that at CAMP it seemed few campuses were exposing groups through Shibboleth, due to concern about security issues inherent in sharing group information. However, Duke has integrated Grouper and Shib in a secure way. Penn is also trying to do this securely, so it’s possible to provide certain group info to certain service providers.

TomB commented that the issue of how to protect sensitive group info applies to interfacing Grouper with LDAP as well as with Shib. We don’t want to pass around all of a person’s group memberships, the way Windows does.

Jim said that University of Washington converts group info into entitlements, so that group details are not exposed.

[AI] (Shilen) and (Jim) will create a wiki page on handling entitlements to minimize publishing of group information.
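As an added illustration of the entitlement approach Jim described above (this is example code written for these minutes, not UW's, Duke's or Penn's implementation, and not part of Grouper): the identity-provider side keeps the group-to-entitlement mapping and a per-service-provider release policy, and each SP receives only the opaque entitlement values it is approved for, never a membership list. Every group name, entitlement URN and SP entity ID below is made up for the example; an SP missing from the policy gets nothing.

```python
"""Releasing entitlements instead of group memberships.

Added example (not code from Grouper, UW, Duke or Penn): a small release
policy that turns a person's group memberships into opaque entitlement
values and hands each service provider (SP) only the values that SP is
approved to receive. Group names, the full membership list and the
mapping table itself stay on the identity-provider side. All group names,
entitlement URNs and SP entity IDs below are constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List

# Hypothetical group -> entitlement mapping (constructed for this example).
GROUP_TO_ENTITLEMENT: Dict[str, str] = {
    "example:library:staff": "urn:mace:example.edu:entitlement:library-admin",
    "example:course:cse101:students": "urn:mace:example.edu:entitlement:lms-student",
    "example:hr:payroll": "urn:mace:example.edu:entitlement:payroll-user",
}

# Hypothetical per-SP release policy: the entitlement values each SP may see.
# Any SP not listed here receives nothing (default deny).
RELEASE_POLICY: Dict[str, FrozenSet[str]] = {
    "https://lms.example.edu/shibboleth": frozenset(
        {"urn:mace:example.edu:entitlement:lms-student"}
    ),
    "https://library.example.edu/shibboleth": frozenset(
        {"urn:mace:example.edu:entitlement:library-admin"}
    ),
}


def entitlements_for(memberships: Iterable[str], sp_entity_id: str) -> List[str]:
    """Return the sorted entitlement values to release to ``sp_entity_id``.

    Memberships with no mapping, and mapped values the SP is not approved
    for, are dropped silently: the SP learns only what it is entitled to.
    """
    allowed = RELEASE_POLICY.get(sp_entity_id, frozenset())
    released = set()
    for group in memberships:
        value = GROUP_TO_ENTITLEMENT.get(group)
        if value is not None and value in allowed:
            released.add(value)
    return sorted(released)


def build_attributes(memberships: Iterable[str], sp_entity_id: str) -> Dict[str, List[str]]:
    """Build the attribute set for an assertion to ``sp_entity_id``.

    Only eduPersonEntitlement is ever emitted; a membership attribute such
    as isMemberOf is deliberately absent so group names never reach the SP.
    When nothing is releasable the attribute is omitted rather than sent empty.
    """
    values = entitlements_for(memberships, sp_entity_id)
    return {"eduPersonEntitlement": values} if values else {}


if __name__ == "__main__":
    # Constructed sample person holding three memberships.
    person = [
        "example:library:staff",
        "example:hr:payroll",
        "example:course:cse101:students",
    ]
    for sp in (
        "https://lms.example.edu/shibboleth",
        "https://library.example.edu/shibboleth",
        "https://unknown.example.org/shibboleth",
    ):
        print(sp, build_attributes(person, sp))
```

The same two tables serve an LDAP-facing deployment: provisioning writes the released entitlement values into the person entry instead of replicating group membership, so the concern TomB raised about LDAP as well as Shib is handled by one policy.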

**LDAP Source Adapter**

Thanks to University of Washington for the efforts on the new LDAP source adapter. This could eventually replace the old LDAP source adapter. Jim noted that it uses certificates and keys in PEM format rather than keystores. Jim also noted that the LDAP library supports a properties file, and it is not clear whether two config files are better than one.

[AI] (Jim) will put LDAP source adapter info from U-W on wiki.

**JIRA 295 (“group gets lost in ui on membership delete”) – is it really fixed?**


Chris reported that Jira 295 is fixed, but the fix is a kluge. Eventually it should be redone.

Gary noted that there is still an issue of some parameters not being preserved.

[AI] (Gary) will enter a new JIRA issue related to GRP-295 and the removal of membership.

**Highly Available Grouper Web Services**

Chris, Jim, Niels, and TomB discussed highly available web services on the Grouper-dev list.

Chris noted that this is a long-term issue to address some of the shortcomings of LDAP. Once privilege management is implemented in Grouper it will be difficult to export all privileges to LDAP.

Options are:

1. Replicated databases, or

2. Have Grouper do something with notification: either replicating databases within Grouper or using a data structure in memcache or in memory.

RL “Bob” observed that the issues are not specific to groups. Web services for course information etc. have the same requirements.

Terracotta is not seen as being a viable solution. 

TomB commented that there are two valid perspectives:

Perspective 1. Applications (such as Grouper) should take as little as possible onto themselves, relying instead on other infrastructure layers in which a problem has been solved. This perspective is most appropriate for organizations with larger, more capable IT staffs.

Perspective 2. The application (such as Grouper) should deliver more services internally. This is most appropriate for sites that don’t have all the infrastructure and so want it provided in the application.

It's important to be sensitive to both perspectives, though TomB promotes general purpose infrastructure (perspective 1). 


**Attribute Framework**

There is a lot of metadata related to an attribute, such as what type of object an attribute can be used on, the security of who can read it and write it, etc.

Chris proposes to separate that metadata (AttributeDef) from the name of attribute (AttributeName) so an attribute configuration can be reused.

It’s important to keep use cases in mind. Rob’s use cases from CAMP are quite complex.
Chris will describe how proposed Grouper access management would work on the Penn payroll and CMU billing use cases (these are use cases outlined on the MACE-paccman wiki).

[AI] (Chris) will add use cases and framework to the attribute framework wiki page.

[AI] (Chris) will contact Bert re contributing privilege management use cases.


Next Call: Wed. 8-Jul-09, Noon ET
TomB will be unavailable. There will be a stand-in chair for the call. 




Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile: +1-734-730-5749

ESCC/Internet2 Joint Techs
July 19-23, 2009 - Indianapolis, Indiana
http://jointtechs.es.net/indiana2009/
