Grouper Developers Forum

[Emily Eisbruch <>]

Attending:

Tom Barton, U. Chicago, Chair

Steven Carmody, Brown

Chris Hyzer, Penn

Shilen Patel, Duke

Gary Brown, Bristol

Michael Girgis, University of Chicago

Tom Zeller, Unicon

Jim Fox, U. Washington

Steve Olshansky, Internet2

Emily Eisbruch, Internet2, scribe

*New Action Items*

[AI] (Chris) will email the list about the discussion on the call around the "LDAP Loader - Sandbox Access to Registry" topic

[AI] (Michael) will try to recreate demo server access error he experienced earlier (DONE)

https://lists.internet2.edu/sympa/arc/grouper-dev/2012-06/msg00007.html

[AI] (TomZ) will ping PSU to confirm whether performance issues are now resolved and post the response on the list.

[AI] (Jim and Shilen) each email the list with thoughts on error handling and defining provisioning failure

[AI] (Michael) add into to the Grouper UI Redesign wiki on audiences, tasks and UI requirements. Then email the Grouper-dev list to review.

*Carry Over Action Items*

[AI] (Shilen) will review and comment on the issue of "Managing Unix Commands with Grouper Permissions"
https://spaces.internet2.edu/display/Grouper/Managing+unix+commands+with+Grouper+permissions+example

[AI] (Chris) upgrade the Grouper demo to the latest Grouper version 2.1

[AI] (Michael) will look into conducting user interviews

[AI] (TomB) follow up with ScottK about cloning approaches.

[AI] (TomB) will connect TomZ with the U. Chicago Drupal use case on the topic of representing/provisioning role/perm info.

[AI] (TomZ) add info to the wiki regarding doing testing on provisioning  

[AI] (TomZ) will look into representing/provisioning role/perm info: how should it be "provisioned"? Or should all consumers call back into Grouper?

[AI] (TomZ) will put test data in the Grouper demo to show using an LDAP source.

[AI] (TomZ) will review the Grouper LDAP Loader doc and provide feedback to Chris, possibly with lessons learned from LDAPPC work. 
https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP 

[AI] (Emily) Initiate an overall Grouper Features table with brief descriptions and links to documentation NOT DONE

[AI] (Rob) will follow up with Danno on obtaining the server for the Continuous Integration Environment.  

[AI] (Everyone) review Rob's chapters and give him feedback on the Grouper Users List.

====

DISCUSSION

LDAP Loader Restricted Access to Registry

https://bugs.internet2.edu/jira/browse/GRP-803

Chris added the ability to "sandbox" off where  the LDAP loader can put  groups in the registry.

The benefits are:

Benefit  #1 : Validate loader configuration to be sure it does right thing.

Prevents a situation where you accidentally put things where you don't want them to be in the registry

or where you affect groups you don't want to manage

Chris: We could also have dry-run GSH command that will show what a SQL or LDAP loader job would do without actually doing it.  TomB thought this dry-run option sounds like a good idea.

Benefit #2: Prevents orphans:   If everything goes into one folder, then

as groups are deleted from LDAP you know which ones to delete from Grouper.

Otherwise there is nothing that remembers and there can be orphan groups

Question: Which way should be the default (restricted registry access or open access)  ?

Right now, the default is the restricted (sandboxed ) registry access

JimF Shilen: good idea to constrain registry access as the default

TomB: There  are cases where we don't want groups in all one place

Chris: you can reference the groups somewhere else after putting them into one (sandboxed) folder structure

[AI] (Chris) will email the list about the discussion on the call around this "LDAP Loader - Sandbox Access to Registry" topic.

====

Demo Server

Chris has upgraded the demo server to Grouper 2.1

Michael at U-Chicago was having trouble accessing the demo server on Monday, then this was solved.  

[AI] (Michael) will try to recreate demo server access error he experienced earlier (DONE)

https://lists.internet2.edu/sympa/arc/grouper-dev/2012-06/msg00007.html

====

Grouper 2.1.1. Release

How soon can we release Grouper 2.1.1?

TomZ: Would like to confirm with PSU that performance issues have been resolved.

[AI] (TomZ) will ping PSU to confirm whether performance issues are now resolved and post the response on the list.

Chris has finished one of the three COmanage requests and is working on the next.

This work is related to batching attribute assignments. Could be stopped if the release is ready to go.

Will the Jasig/Sakai meeting the week of June 11 affect the release? 

Friday June 22 is a good target for the 2.1.1. release.

- so wrap up a few days in days in advance

- we have a call on Wed. June 20

Emily remind TomB to agendize the Grouper 2.1.1. release on June 20

====

Define Failure on Provisioning

https://bugs.internet2.edu/jira/browse/GRP-799

https://lists.internet2.edu/sympa/arc/grouper-dev/2012-05/msg00035.html

Is there a way to stop the real time provisioning if there are 
problems with the LDAP server?

Michael at CMU stated "We moved to testing real time provisioning 
with openldap. During the provisioning testing, the file system became full 
and ldap updates started returning errors. "

Sites may have different responses depending on what happens in the provisioning process. 

We need a proposal on how to think about that

Which failures should be retried once? or which should be retried indefinitely?

Jim: In most cases, a retry either will work or not; retrying multiple times would not help.  

 It is different with  OpenLDAP versus Microsoft LDAP service

Shilen: Wouldn't want to halt/ block the provisioning process just because one subject does not exist in the LDAP. 

Chris -- the SQL Loader originally blocked unresolvable subjects. That was painful. Now there's a switch that says whether blocking should occur.  Would recommend this approach, so as not to halt the whole process.

[AI] (Jim and Shilen) each email the list with thoughts on error handling and defining provisioning failure

======

Grouper UI Planning

https://spaces.internet2.edu/display/Grouper/Grouper+Wiki+Home

Michael and Chris had a productive Webex session reviewing the Grouper Demo

Michael noted it would be helpful to have documentation that summarizes all functions that the UI must account for.... a checklist / requirements document, so new wireframes include all the functionality that's needed.

Michael found it was hard to just use the lite UI, could not find groups, so went to the Admin UI

StevenC noted that at Brown there is a use case where it's not desirable to have the UI available to certain users.  It is important to hide the "plumbing" 

https://lists.internet2.edu/sympa/arc/grouper-dev/2012-06/msg00005.html

[AI] (Michael) add into to the Grouper UI Redesign wiki on audiences, tasks and UI requirements. Then email the Grouper-dev list to review.

Next Call: Wed. 20-June-2012 at noon ET

Emily Eisbruch, Technology Transfer Analyst

Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749

Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook