Grouper Developers Forum

[Emily Eisbruch <>]

Draft Minutes: Grouper-dev Call 26-Oct-2011

Attending

Tom Barton, University of Chicago (chair)  

Shilen Patel, Duke
Chris Hyzer, U. Penn
Tom Zeller, Unicon

Jim Fox, University of Washington
Steve Olshansky, Internet2

New Action Items

[AI] (All) Review Jira issues for the next release and ensure they are properly fleshed out.

Carry Over Action Items

[AI] (Emily) work with Shilen and Chris on a wiki documentation page with descriptions/recommendations on ongoing operational tasks. Then possibly send a pointer to the Grouper-users list asking for additions. (In progress at https://spaces.internet2.edu/display/Grouper/Ongoing+Administration+Tasks  )

[AI] (TomZ) will review the Grouper LDAP Loader doc and provide feedback to Chris, possibly with lessons learned from LDAPPC work. 
https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP

[AI] (TomZ) will update JIRA to reflect the priorities  

[AI] (Rob) will follow up with Danno on obtaining the server for the Continuous Integration Environment.  

[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List.

DISCUSSION

- TomB will not be available for the Grouper-dev call on Wed., Nov. 9 --- Chris volunteered to lead this call.

- Thank you to Gary for his email on UI accessibility issues:

https://lists.internet2.edu/sympa/arc/grouper-dev/2011-10/msg00091.html

Grouper v2.0.1 Release

Grouper v2.0.1 is ready.

There are 6 JIRA items fixed in the 2.0.1 release:

https://bugs.internet2.edu/jira/secure/IssueNavigator.jspa?reset=true&jqlQuery=project+%3D+GRP+AND+fixVersion+%3D+10521

 

Chris and SteveO will work together on the release notes, on updating the software download page, and on other steps as specified on the Release Steps page of the wiki:

https://spaces.internet2.edu/display/Grouper/Release+steps

The hibernate upgrade work will be in the upcoming Grouper 2.1 release

On-going Administration Tasks Wiki Page

https://spaces.internet2.edu/display/Grouper/Ongoing+Administration+Tasks

Thank you to Shilen who added content to the new wiki page documenting ongoing Grouper Admin. tasks, such as  pruning these logs:

-change log 

-daemon logs

-user audit logs

-point in time logs

Additional information that should be added:

- Using rules to send notifications by email  (Shilen will add this)

- Setting up XMPP notification  (Shilen will add this)

- Pruning the registry, for example to delete old course groups (Chris will add  this)  

- Set up Nachos to check the web service status page  to be sure the daemons are running (Chris will add this)

- Be sure your logs email you so you can see when people have errors (Chris will add this)

- Set up a recurring meeting in Outlook that says "Go change a Confluence group and be sure the XMPPs are still going across" (Chris will add this)

- Check the daily Grouper Loader report (Chris will add this)

Supporting New Grouper Deployments  

- TomB noted that there may be about 60 potential new Grouper deployments in the pipeline

- Discussions have started about how to provide support, including a plan to develop a training program and materials

-  There is an effort to encourage commercial partners, such as  UNICON, to provide consulting support

- Potential sites who may be candidates for consulting relationships at some point in the future could include University of Wisconsin - Madison and PSU.

- Should the Grouper project team be  expanded? TomB thinks this would make sense.

 

Grouper v2.1 Planning

  . Real-time incremental LDAPPCNG (TomZ is working on this)

  . LDAP Grouper loader (done)
  . Grouper entities in namespace   (done)
  . Hibernate upgrade   (done)
  . Grouper WS/client group/s item finder sorting/paging   (done)
  . Subject attribute WS security  (Chris will do)
  . Always available readonly client  - ( Chris might do)
  . Grouper WS attr/permission expansion - ( Chris might do)
  . uPortal integration update  -- (Shilen got some info from partners in France, but no coding work done yet)
  . Unix GID management  --( Chris is not doing this )

 - Permissions notification (Shilen will do)  JIRA 611

[AI] (All) Review Jira issues for the next release and ensure they are properly fleshed out.

https://bugs.internet2.edu/jira/secure/IssueNavigator.jspa?reset=true&jqlQuery=project+%3D+GRP+AND+fixVersion+%3D+10520

Progress on Real-time incremental LDAPPC-NG for Grouper 2.1

- TomZ has rewritten parts of the plugin to Shib, to support provisioning based on the change log 

- has rewritten the test harness

- assumption that people will not use JDBC source

- now will work on configuring the jobs to run in real time as well as full synch

- must look at Loader jobs to figure that out

- it makes sense to use the Grouper demo as a test environment 

- Need to revisit the Grouper demo setup, could take a day

 There are 4 connectors to plug into Shib Attribute Resolver:

-  groups

- members 

- stems  

- change log

Right now can't plug into an IdP

-- LDAPPC-NG uses the change log consumer "wiring" to read changes off the change log

- There is a limited mechanism to filter the things you want to see

- Aiming for simple at first.

- There may be some tweaking based on Penn State's feedback, or feedback from others once the demo site is ready

- To start, we will support adding or removing a group, membership or stem 

- After that we will look at supporting more advanced items like permissions

Q: What about renames to groups and stems, will those get provisioned?

A: Was going to do renames in the next phase, after 2.1 most likely

- Need to be sure deployments can operate reasonably w 2.1

- Maybe a daily full sync will be sufficient to handle any renames?

- Most likely, a full sync would remove the old group and add the new one, and this is not good for provisioning to AD 

- LDAPPC did not handle group and stem renaming

- Is it worth folding renaming into the Grouper 2.1 release?  

- TomZ will investigate how group/stem renaming provisioning would work

- After getting the demo site working with LDAPPC-NG, TomZ will start working with Penn State on testing in their environment

Grouper Entities

https://spaces.internet2.edu/display/Grouper/Grouper+user+managed+entities

Chris reviewed the work on Grouper user managed entities 

- These are similar to groups, but with no members

- there is a type of Group attribute for "Entity"; so now a group can be of type Group, Role or Entity

- Entity can be used to represent a schema

- non-grouper-admins can create and manage these entities

- VIEW and ADMIN are the only privileges that can be assigned

- assigning READ, UPDATE, OPTIN, OPTOUT to an entity, will produce an error

- Grouper entities have a subject source different than the grouper subject source (though similar).

- there is a subject identifier attribute, which must have prefix of the folder to ensure uniqueness

- Shilen will add this to renaming mechanism, so if a stem is renamed then the entity is renamed

- you are not constrained by the allowable characters in Grouper for that extension; can contain any characters including colons

- must be fully qualified by folder structure so it's unique

Q:: Doesn't the entity naming scheme make it tough to rename a stem ? Wouldn't it be easier to compute that part of the subject identifier?

A: Chris: this approach avoids namespace conflicts 

Next Grouper Call: Wednesday, 9-Nov-2011 at noon ET. 

Emily Eisbruch, Technology Transfer Analyst

Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749

Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook