grouper-dev - [grouper-dev] Draft Minutes: Grouper-dev Call 10-Nov-2010
Subject: Grouper Developers Forum
- From: Emily Eisbruch <>
- To: Grouper Dev <>
- Subject: [grouper-dev] Draft Minutes: Grouper-dev Call 10-Nov-2010
- Date: Thu, 18 Nov 2010 15:12:28 -0500
Grouper Call 10-Nov-2010

*Attending*

Tom Barton, U. Chicago, Chair
Gary Brown, Bristol
Shilen Patel, Duke
Tom Zeller, U. Memphis
Jim Fox, U. Washington
Keith Hazelton, U. Wisconsin-Madison
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

*New Action Items*

[AI] (Chris and TomZ) will examine Grouper XML structures and explore how to standardize them for use in provisioning.

*Carry Over Action Items*

[AI] (TomZ and Chris) will discuss/work on LDAP Grouper Loader for importing groups.

DISCUSSION

FMM Meeting Debrief

Sessions related to Grouper at the 2010 FMM included:
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001464&event=1159
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001386&event=1159
http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001376&event=1159

"Pretty Good HA" for Grouper Web Services

In the Grouper Case Studies track session, Jim presented the U-W approach of deploying Grouper with high availability (HA) for Grouper web services. It is a wise strategy to rely on LDAP for high volume, high availability read operations. It would be good if it were easier to implement that approach with Grouper "right out of the box."

Jim: Is everyone using Grouper using Apache? It seems that in the Shib world they've moved away from Apache, and they suggest use of Tomcat.

TomB: Should the approach be a wrapper around Grouper WS or an application built with the Grouper client?

Jim: Makes most sense to build this around the Grouper WS. That way the client does not have to change anything, they automatically get the HA.

There is still the issue of getting LDAP updated. It's on the roadmap that LDAPPC-ng will be providing the needed service with low latency. So a good approach is that Grouper WS will have the necessary features for HA and LDAPPC-ng will be deployed with updates based on the change log. This is not what is typically thought of in terms of HA (multiple instances of Grouper WS, etc.), but HA is needed in Grouper WS mostly for reads, so this simpler solution should be effective.

[AI] (Jim and Chris) will discuss the high availability web services.

Grouper and AD

The "Delegated Access Control in AD Using Grouper" presentation by Shilen and Rob was very good. Are there implications for the Grouper project? Can we make available the code for managing ACLs within AD from an external source?

Shilen: Yes, the code will be made available.

TomB: There is a need to manage the privileges within Grouper (like who can see the members of a certain group), and to have that expressed in a system to which groups are being provisioned.

Shilen: Duke has a use case where the need is to take access privileges in Grouper and have them mapped into AD and maybe into the Sun directory as well.

Jim: An issue is that not everyone has the sophisticated ACL system of the Grouper directory, therefore much capability can be lost when Grouper exports to other systems.

TomB: Hard to solve that problem in general. But we can make models, provide documentation.

Is there anything in the tooling that Rob is releasing that it would make sense to incorporate into LDAPPC-ng? Yes, it would be reasonable to ship a simple default way to provision permissions to common targets.

TomZ is looking forward to getting code samples from Rob, Shilen, Jim and others. The idea is to make the code less site-specific and share it with the community. TomZ wants to talk to sites who have done work related to Windows Live; this is relevant to U. Memphis. The hope is to build up a collection of connectors that LDAPPC-ng could take advantage of. An ultimate goal is to make this work more pluggable, by defining an API. But the first step is for contributors to share their code, so we can see the business logic. Later we can develop an API to plug into.

What would the API have to do? What contract would it have to implement?

TomZ: It's the SPML to targets code. A short-term solution is to extend the existing classes. That's a starting point, being used at Memphis. But it may not be the best way in the long term.

The first step in integrating a connector would be an SPML message structure to convey that info. Then the SPML message would get parsed to Java. TomZ needs to represent the permission and attribute framework in SPML in a text way. That's part of the changelog as well. Chris has defined a web service format for these things.
It could make sense to either reuse the web service XML for SPML or change the web service stuff to be more like SPML.

[AI] (Chris and TomZ) will examine Grouper XML structures and explore how to standardize them for use in provisioning.

New Working Group For Provisioning?

At FMM, TomZ spoke with folks interested in a provisioning software solution. Should we spin up a separate project? If there was a separate project it might help to get more people involved. Chad and Carston have expressed interest. Also, Unicon has expressed interest in the provisioning work.

Would this be a topic for MACE-Dir? Moving from provisioning institution owned DSAs to cloud based services?

Keith suggested that TomZ should craft a short description/writeup. Maybe MACE-Dir is the best place, but there needs to be a writeup for MACE and perhaps MACE-Dir to discuss.

[AI] (TomZ) will develop a proposal for a Working Group to focus on provisioning. Need to state objective and deliverable, describe indications of interest from the community, and describe willingness of community to get work done.

Wiki Status

There have been some issues with the move to the new, reorganized wiki space. SteveO reported that the issues are being addressed. It would be good to do an inventory of pages in the new wiki space to be sure some pages haven't been lost.

[AI] (SteveO) will follow up with Ann KW re doing an inventory of pages in the Grouper wiki space.

Grouper eBook/Guide

Everyone should review and provide feedback to Rob on his Grouper documentation. Gary mentioned that it would be good to reuse material that has already been developed.

[AI] (Gary) will send a note to Rob and the Grouper-users list regarding using pointers to or incorporating existing Grouper intro material in the Grouper book.

Next call is Wed. Nov. 24 at noon ET

Note: Add to the agenda for a future call: Discuss a stem set table to reflect the structural relationships among stems.

Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749
Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook