grouper-dev - Draft Minutes: Grouper Call 22-Jul-09

  • From: Emily Eisbruch <>
  • To: Grouper Dev <>
  • Subject: Draft Minutes: Grouper Call 22-Jul-09
  • Date: Thu, 30 Jul 2009 14:56:03 -0400

*Grouper Call 22-Jul-09*

*Attending*

Tom Barton, U. Chicago (chair)
Gary Brown, Bristol
Shilen Patel, Duke
Chris Hyzer, U. Penn
James Cramton, University of Arizona
Tom Zeller, U. Memphis
Emily Eisbruch, Internet2 (scribe)

*New Action Items*

[AI] (TomZ) will continue to develop the next generation Ldappc and check in his work by August 19.

[AI] (Gary) will check how queries are working with respect to user audit and report issues to Chris.

*Carryover Action Items*

[AI] (TomZ) and (Bert) will email Chris their use cases.

*Discussion*

*Ldappc – next generation status, time frame*


TomZ reported that he has decided to do a substantial rewrite based on SPML2, rather than just add the relevant Shibboleth Attribute Resolver parts into the previous Ldappc. Configuration and code will be completely redone, based on the Spring Framework.

TomZ hopes to have the new Ldappc ready to be checked in by Aug 19. If it is not done by then, he will review the status with the group and decide what parts of the new work to include in the Grouper 1.5 release.

[AI] (TomZ) will continue to develop the next generation Ldappc and check in his work by August 19.

James commented that University of Arizona has experienced some performance issues with groups and would be interested in exploring the new Ldappc. They could possibly help with testing.

What about end-to-end testing for the new Ldappc? This has been found to be complicated in the past. TomZ hopes to run the new Ldappc locally to be sure it works.

*Membership Changes and Namespaces Transition*

Shilen is working through membership changes and the web services aspect of namespaces transition.

*User Audit* 

Chris reported that he completed the user audit work for Grouper 1.5 and Gary then worked on the UI aspects. Gary is looking into two possible issues:

1.  When querying records based on Group ID or Stem ID, the result wasn’t always as expected. Gary will try to document that for Chris to investigate.

2.  If on a subject summary page and viewing actions performed by subject, there are some limits related to memberID (act-as memberID if entry point was via web service or Grouper session ID if entry was via gsh). Chris suggested delaying addressing the gsh/memberID issue until the Grouper 1.6 release.

[AI] (Gary) will check how queries are working with respect to user audit and report issues to Chris.

An audit record is generated to indicate if an XML import occurs. Is there also an audit record created for an XML export? Chris will add XML export to the list for user audit.

Gary would appreciate feedback on the audit log work that’s in CVS.

*Plans for UI*

For a version after Grouper 1.5, the plan is to increase audit log reporting capabilities. Should there be another option on the left navigation bar for audit reports?

Possible items to be audited:

- XML imports and exports
- stem, group or subject related actions
- creating group types
- Items in attribute framework - metadata
- Creation of attribute definition
- Creation of names assigned to groups
- pages requested via the UI
- use of web services
- Grouper loader information (it’s now in a different table. Chris can move it to the same auditing table)

It was noted that currently, if the UI or web services are used to make a change, the API audits it.

With web services, there may be an option to audit or log the whole transaction, how long it took, and a fragment of the XML to help with debugging, though that raises the issue of the log getting quite large.

What about auditing actions like Ldappc and other things outside of Grouper? In general, what kinds of actions should be in the audit table in Grouper database? Examples:

Grouper UI - We might want to do that as a core component of the toolkit. But it’s being scoped toward a narrow usership. Hold off for now.

Web Services - should web services audit info be in the Grouper database or be associated with the web services instance?

Ldappc – Audit the access that is happening. That’s done in an Ldappc log. But how acceptable is that log compared to what the new audit capabilities will provide?

If the Grouper Admin UI is part of a central toolkit, we might want an Ldappc dashboard exposed there somehow.

There should be a distinction between auditing and logging. If it’s a logging item, put it in auditing table temporarily or not at all. Customized logging inside Grouper could mean being drawn into ongoing maintenance for things not central to our purpose.  Would like to outsource that function if possible.

There is a record created in the Grouper Loader log for every job that runs. The daily Grouper report will show how many jobs succeeded and how many failed. You get that every morning. It gets deleted.

*Attribute Framework*

Chris created a cleaner wiki page for the Grouper Attributes Design. 

Chris noted the gsh commands shown on this page are just examples. 

Q: Can a role be added to a group?

A: If we give the ability to add a role to a group, it won’t have to do with permissions. It will be to add people to roles so there does not have to be a group for every role.

Q: Is there an easy way to turn a group into a role?

A: Just give it a role type.

A group is a collection of subjects. But a role is application specific. The reason to turn a group into a role is if there is a group that is application specific and one wants to assign privileges.

Effects of turning a group into a role (i.e. adding a type to it):
1. can assign a privilege to the role
2. can assign a privilege to a person in the role
3. can make a role hierarchy so a role can inherit privileges from another role

Privilege Management has 3 hierarchies:
1. Member of a group, and that group is a member of a role
2. Role hierarchy, where privileges are assigned to a role and a role is a parent of another role
3. Privilege set. You can have privilege resources in a hierarchy.

We will store the hierarchy structure, but not the effective memberships. This is the new style of how effective memberships will be handled in the registry. That results in a reduction in the number of membership rows, which will increase Grouper write performance. It was noted that Brown had problems with this behavior in previous Grouper versions: it took hours for super users who were not admin to add to a group.
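The three hierarchies above, and the "store the structure, derive the effective memberships" approach, as an added illustration (not Grouper code; the registry dictionaries and the subject, group, role and privilege names are constructed for this example):

```python
from collections import deque

# Constructed sample registry, an assumption for illustration (not Grouper's schema).
# Only direct relationships are stored; effective memberships are derived on read.
GROUP_MEMBERS = {"staff": {"alice", "bob"}}
# Direct role members: subjects, or groups written as "group:<name>" (hierarchy 1).
ROLE_MEMBERS = {"editor": {"group:staff"}, "admin": {"carol"}}
# Role hierarchy (hierarchy 2): a role inherits the privileges of its parent roles.
ROLE_PARENTS = {"editor": {"viewer"}, "admin": {"editor"}}
# Privilege resource hierarchy (hierarchy 3): holding a parent resource implies its children.
PRIV_CHILDREN = {"doc:*": {"doc:read", "doc:write"}}
# Privileges assigned directly to roles.
ROLE_PRIVS = {"viewer": {"doc:read"}, "editor": {"doc:write"}, "admin": {"doc:*"}}


def closure(start, edges):
    """All nodes reachable from `start` (inclusive) over `edges`; safe on cycles."""
    seen, todo = {start}, deque([start])
    while todo:
        node = todo.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def groups_of(subject):
    return {g for g, members in GROUP_MEMBERS.items() if subject in members}


def effective_roles(subject):
    """Roles held directly or via a group, expanded up the role hierarchy."""
    principals = {subject} | {f"group:{g}" for g in groups_of(subject)}
    direct = {r for r, members in ROLE_MEMBERS.items() if principals & members}
    roles = set()
    for r in direct:
        roles |= closure(r, ROLE_PARENTS)
    return roles


def effective_privileges(subject):
    """Union of role privileges, each expanded over the privilege resource hierarchy."""
    privs = set()
    for role in effective_roles(subject):
        for p in ROLE_PRIVS.get(role, ()):
            privs |= closure(p, PRIV_CHILDREN)
    return privs


if __name__ == "__main__":
    for who in ("alice", "carol", "dave"):
        print(who, sorted(effective_roles(who)), sorted(effective_privileges(who)))
```

Because nothing derived is written back, changing one edge (say, removing `staff` from the `editor` role) is a single-row change rather than a rewrite of every effective membership that depended on it.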

Chris suggested that since we used the word "privilege" in Grouper, we should use "permission" for the new concept being implemented with attributes. Save this discussion for the future.

Q: Can hierarchical inheritance be from more than one source?
A: Yes.


Next Call: Wed. 5-Aug-09, Noon ET 
Tom will be unable to attend. Gary will run the call.


Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749

Fall 2009 Internet2 Member Meeting, October 5-8
Hosted by the University of Texas at San Antonio and LEARN
http://events.internet2.edu/2009/fall-mm/
