grouper-dev - [grouper-dev] Notes from Grouper BOF at Internet2 Technology Exchange in Cleveland, Oct. 6, 2015
Subject: Grouper Developers Forum
[grouper-dev] Notes from Grouper BOF at Internet2 Technology Exchange in Cleveland, Oct. 6, 2015
- From: Emily Eisbruch <>
- To: Grouper Users <>, "" <>
- Subject: [grouper-dev] Notes from Grouper BOF at Internet2 Technology Exchange in Cleveland, Oct. 6, 2015
- Date: Wed, 14 Oct 2015 19:46:13 +0000
- Accept-language: en-US
- Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
- Spamdiagnosticoutput: 1:0
Notes: Grouper BOF at Internet2 2015 Technology Exchange in Cleveland
Oct 6, 2015
Please see slides for this BOF here:
Welcome from Chris Hyzer, University of Pennsylvania, Grouper Project Chair
New Team Members (see slides)
Release of Grouper 2.2.2
Michael Gettes: CMU requests capability to inhibit renaming of groups.
In CMU GAP code, doing a group rename w LDAP is complex
Want to prevent it at the UI layer , it’s easier
Support both global setting and setting via an attribute on a group or folder.
TIER packaging and Standard AUTHZ will be in Grouper 2.3
April release date for Grouper 2.3
Q: only test and verify in Tomcat 6?
Misagh: Tomcat 7 works fine,
there’s a bug in Admin UI but we have found a fix for that
Misagh: For deploying Grouper,we are considering Dockerized Grouper deployment
to automate a base image
so you don’t have to know about Tomcat 7 vs Tomcat 8
MichaelG: sounds good
Q: TIER packaging is Docker containers?
Chris: it’s being discussed and there is a lot of buzz around Docker
right now we have ANT scripts
we have the Grouper installer, which is one JAR that can do multiple things
Java 8 support?
Chris: Tomcat versioning… Java 8 might be supported for Grouper 2.3
Use case for provisioning, some outputs are flat (no stem) and others are bushy
hard to configure
Dave agrees that is a problem
In the DN you want OU?
Need ones that don’t have hierarchy for Posix based groups\
But to provision for POSIX (flat) have to copy all to flat format
makes resolver long
lots of cut and paste needed
Chris: improving Grouper provisioning is on the roadmap. See
Chris: There have been many requests on lists for tweaks to Grouper
recently the Grouper team has done many patches
but now the Grouper Team need to focus on new development.
Some enhancements will have to wait so we can focus on Grouper 2.3
for standardized API, the TIER project we will start with the work done by the CIFER-API effort
will not replace Grouper web service so it still will be possible to use web service
MichaelG: the Grouper loader is heavyweight ; it can take a long time
ScottK: deployment tries to run loader every minute
MichaelG: CMU runs Loader every 30 minutes and it takes 15 or 20 minutes to run
CMU does file based differencing outside of Grouper, then uses web services
doing singleton changes that way – versus loading a lot into a table?
Chris: it does not load into a table…it does adds and subtracts
frequency: it runs by default every minute
Grouper has multiple nodes
we want one ordered event queue to come out of that using timestamps
By default that runs every minute; you can make it more real time if you want
the heavyweight part is if you do a whole class list or org list
you may not have many changes, but it will still look at all
thinking about - just look at one member
or use a ? table to do incremental changes instead of a complete batch
Yes Grouper Loader could be enhanced
if you add or delete a loader job you must bounce your loader process
want to be able to make changes dynamically w out bounce
also it assumes all changes are resolvable
but if loader manages things that are unresolvable right now it fails; we hope to change that
Q: where does Grouper Loader run?
A: where you want it to; you specify one place, but we want it to be able to run on multiple loads
That is on the Grouper roadmap under "Improve Loader"
Misagh: what about creating a loader job in the new UI?
you can create it in the ADMIN UI…
Chris: for SQL you use ADMIN UI
LDAP: use New attrib Framework w LITE UI
on roadmap, this will be moved so you can manage old school attributes and types in NEW UI
and just like rules, loader is a specific thing
so when you edit a loader job, it can do validation
New to Grouper, can you have regular users not see all the UI types?
The Grouper LITE UI can be confusing
Right now you can turn them on or off
Chris: it’s in the config, please send email about this to the Grouper users list if you have questions
Feedback about getting Grouper running?
Jeffrey Crawford: Had trouble finding doc on how to Shibbolize access to Grouper.
Lafayette went from zero to Grouper pilot in 3 months
Emily Eisbruch, Work Group Lead, Trust and Identity
office: +1-734-352-4996 | mobile +1-734-730-5749
- [grouper-dev] Notes from Grouper BOF at Internet2 Technology Exchange in Cleveland, Oct. 6, 2015, Emily Eisbruch, 10/14/2015
Archive powered by MHonArc 2.6.16.