Grouper Developers Forum

[Emily Eisbruch <>]

Notes: Grouper BOF at Internet2  2015 Technology Exchange in Cleveland

Oct 6, 2015

Please see slides for this BOF here:

https://spaces.internet2.edu/download/attachments/14517786/grouperBofTechEx2015.pdf

Welcome from Chris Hyzer, University of Pennsylvania, Grouper Project Chair

New Team Members (see slides)

Release of Grouper 2.2.2

• Fewer minor releases due to patches

• Still have them due to package managers and clear patch slate (yearly?)

• We will try to only maintain 2.2.2 in the 2.2 branch, please upgrade

• Includes ~47 patches and other fixes (54 jiras)

• If you are on a patched version of 2.2.1 this is low risk

•  upgrade to 2.2.2 to get new patches 

Discussion

Michael Gettes: CMU requests capability to inhibit renaming of groups.

In CMU GAP code, doing a group rename w LDAP is complex

Want to  prevent it at the UI layer , it’s easier

Support both global setting and setting via an attribute on a group or folder.

Grouper Roadmap

https://spaces.internet2.edu/display/Grouper/Grouper+Product+Roadmap

TIER packaging and Standard AUTHZ will be in Grouper 2.3

April release date for Grouper 2.3

Q: only test and verify in Tomcat 6?

Misagh: Tomcat 7 works fine,

there’s a bug in Admin UI but we have found a fix for that

Misagh: For deploying Grouper,we are considering Dockerized Grouper deployment

to automate a base image

so you don’t have to know about Tomcat 7 vs Tomcat 8

MichaelG: sounds good

Q: TIER packaging is Docker containers?

Chris: it’s being discussed and there is a lot of buzz around Docker

right now we have ANT scripts

we have the Grouper installer, which is one JAR that can do multiple things

===

Java 8 support?

Chris: Tomcat versioning… Java 8 might be supported for Grouper 2.3

Use case for provisioning, some outputs  are flat (no stem) and others are bushy

hard to configure

Dave agrees that is a problem

In the DN you want OU?

Need ones that don’t have hierarchy for Posix based groups\

But to provision for POSIX (flat) have to copy all to flat format

makes resolver long

lots of cut and paste needed

Chris:  improving Grouper provisioning is on the roadmap. See here

===

Chris: There have been many requests on lists for tweaks to Grouper

recently the Grouper team has done many patches

but now the Grouper Team need to focus on new development.

Some enhancements will have to wait so we can focus on Grouper 2.3

===

TIER

http://www.internet2.edu/vision-initiatives/initiatives/trust-identity-education-research/

for standardized API, the TIER project we will start with the work done by the CIFER-API effort

will not replace Grouper web service so it still will be possible to use web service

===

MichaelG: the Grouper loader is  heavyweight ; it can take a long time

ScottK: deployment tries to run loader every minute

MichaelG: CMU runs Loader every 30 minutes and it takes 15 or 20 minutes to run

CMU does file based differencing outside of Grouper, then uses web services

doing singleton changes that way – versus loading a lot into a table?

Chris: it does not load into a table…it does adds and subtracts

frequency: it runs by default every minute

Grouper has multiple nodes

we want one ordered event queue to come out of that using timestamps

By default that runs every minute; you can make it more real time if you want

the heavyweight part is if you do a whole class list or org list

you may not have many changes, but it will still look at all

thinking about - just look at one member

or use a ? table to do incremental changes instead of a complete batch

Yes Grouper Loader  could be enhanced

if you add or delete a loader job you must bounce your loader process

want to be able to make changes dynamically w out bounce

also it assumes all changes are resolvable

but if loader manages things that are unresolvable right now it fails; we hope to change that

Q: where does Grouper Loader run?

A: where you want it to; you specify one place, but we want it to be able to run on multiple loads

That is on the Grouper roadmap under "Improve Loader"

Misagh: what about creating a loader job in the new UI?

you can create it in the ADMIN UI…

Chris: for SQL you use ADMIN UI

LDAP: use New attrib Framework w LITE UI

on roadmap, this will be moved so you can manage old school attributes and types in NEW UI

and just like rules, loader is a specific thing

so when you edit a loader job, it can do validation

====

New to Grouper, can you have regular users not see all the UI types?

The Grouper LITE UI can be confusing

Right now you can turn them on or off

Chris: it’s in the config, please send email about this to the Grouper users list if you have questions

Feedback about getting Grouper running?

Jeffrey Crawford: Had trouble finding doc on how to Shibbolize access to Grouper.
NOTE:  the documentation on this (from Newcastle) that was hard to find is now linked to from the top of this page

Lafayette went from zero to Grouper pilot in 3 months

REMINDER

Please help out the Grouper community by setting up a Grouper Contrib page for your deployment here and keeping it updated. Questions on doing this? Email

 

Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749