Notes: Grouper Call of Wed. 18-Nov-2015
Attending:
Chris Hyzer, Penn, Chair
Jim Fox, U. Washington
Marwan Shaher & Pregash Devasagayam, UC Boulder
Misagh Moayyed, Unicon
Shilen Patel, Duke
Bert Bee-Lindgren, Georgia Tech
John Gasper, Unicon
Emily Eisbruch, Internet2
Action Items from Nov. 18, 2015 call
[AI] (Jim) investigate how many messages Azure can handle
[AI] (Shilen or Chris) need to refactor hibernate customizations so they can be built/deployed in grouper namespace.
[AI] (Chris) add to agenda for next call: renaming packages of external jars in client (and installer?)
[AI] (Jim) Draft a more detailed process for security concern handling
Action Items from Nov 4, 2015 call
Discussion
Current work tasks
Duo changelog consumer, messaging changelog consumer - Chris
1. https://spaces.internet2.edu/display/Grouper/Grouper+messaging+built+in
2. https://spaces.internet2.edu/display/Grouper/Grouper+Duo+integration
Use case: Use Duo’s authorization abilities (Group(s?) associated with an integration)
Chris will be implementing this Duo feature at Penn
Will run the full sync daemon every hour or so
Q: is this for authorization in Duo?
A: yes, for SSH, VPN etc.
===============
Messaging work - Chris
Chris is working on this and it’s coming along.
Hope to be sending messaging out of the changelog
Permissions for topics and queues
Topics and queues can be linked together
Consumers pull a set of messages and then tell the messaging system to mark them as done
There is a timeout feature
Basically one table in Grouper to manage this
This is a simple implementation
For a more robust setup: turn on ActiveMQ
May have involved a DDL change? not sure
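To make the "one table, pull a batch, ack, timeout" design above concrete, here is an added example of a single-table queue/topic broker with a visibility timeout. It is not Grouper's messaging code or schema: the table name, columns, queue and topic names, and the SQLite backing are all assumptions made for the illustration.

```python
import sqlite3
import time

# Hypothetical single-table message store. This is an added illustration of the
# "one table, pull a batch, ack, timeout" idea from the notes, not Grouper's own
# messaging code or schema; the table and column names are assumptions.
DDL = """
CREATE TABLE IF NOT EXISTS message (
  id          INTEGER PRIMARY KEY AUTOINCREMENT,
  queue       TEXT    NOT NULL,
  body        TEXT    NOT NULL,
  state       TEXT    NOT NULL DEFAULT 'ready',   -- ready | leased | done
  lease_until REAL,                               -- epoch seconds, NULL unless leased
  attempts    INTEGER NOT NULL DEFAULT 0
)
"""


class TableQueue:
    """Minimal queue/topic broker backed by a single SQL table."""

    def __init__(self, conn, visibility_timeout=30.0, clock=time.time):
        self.conn = conn
        self.visibility_timeout = visibility_timeout
        self.clock = clock              # injectable so the timeout can be tested
        self.topic_links = {}           # topic name -> queue names it fans out to
        self.conn.execute(DDL)

    def link_topic(self, topic, queue):
        self.topic_links.setdefault(topic, []).append(queue)

    def send_to_queue(self, queue, body):
        self.conn.execute("INSERT INTO message (queue, body) VALUES (?, ?)", (queue, body))
        self.conn.commit()

    def send_to_topic(self, topic, body):
        # A topic is pure fan-out: one copy of the message per linked queue.
        for queue in self.topic_links.get(topic, []):
            self.send_to_queue(queue, body)

    def receive(self, queue, max_messages=10):
        """Lease up to max_messages ready messages; expired leases are redelivered."""
        now = self.clock()
        cur = self.conn.cursor()
        # Reclaim messages whose consumer never acked within the visibility timeout.
        cur.execute("UPDATE message SET state='ready', lease_until=NULL "
                    "WHERE queue=? AND state='leased' AND lease_until < ?", (queue, now))
        cur.execute("SELECT id, body FROM message WHERE queue=? AND state='ready' "
                    "ORDER BY id LIMIT ?", (queue, max_messages))
        rows = cur.fetchall()
        ids = [row[0] for row in rows]
        if ids:
            marks = ",".join("?" * len(ids))   # only '?' placeholders, never data
            cur.execute(f"UPDATE message SET state='leased', lease_until=?, "
                        f"attempts=attempts+1 WHERE id IN ({marks})",
                        [now + self.visibility_timeout, *ids])
        self.conn.commit()
        return [{"id": row[0], "body": row[1]} for row in rows]

    def ack(self, ids):
        """Mark leased messages done so they are never delivered again."""
        ids = list(ids)
        if not ids:
            return
        marks = ",".join("?" * len(ids))
        self.conn.execute(f"UPDATE message SET state='done', lease_until=NULL "
                          f"WHERE state='leased' AND id IN ({marks})", ids)
        self.conn.commit()

    def count(self, queue, state):
        return self.conn.execute("SELECT COUNT(*) FROM message WHERE queue=? AND state=?",
                                 (queue, state)).fetchone()[0]


def demo():
    """Fan out 12 constructed changelog messages to two queues and exercise the
    lease/ack/timeout cycle with a fake clock."""
    clock = {"t": 1000.0}
    broker = TableQueue(sqlite3.connect(":memory:"), visibility_timeout=30.0,
                        clock=lambda: clock["t"])
    broker.link_topic("grouper.changelog", "ldap-provisioner")   # assumed names
    broker.link_topic("grouper.changelog", "duo-provisioner")
    for i in range(12):
        broker.send_to_topic("grouper.changelog", f"membership add #{i}")
    first = broker.receive("ldap-provisioner")       # 10 leased, 2 still ready
    broker.ack(m["id"] for m in first[:9])           # consumer dies before acking #9
    clock["t"] += 31                                 # lease on #9 expires
    second = broker.receive("ldap-provisioner")      # #9 redelivered plus #10, #11
    return {
        "first": len(first),
        "second_bodies": [m["body"] for m in second],
        "ldap_done": broker.count("ldap-provisioner", "done"),
        "duo_ready": broker.count("duo-provisioner", "ready"),
    }
```

The thing to watch in a real deployment is the claim step: with several consumers on one queue, the SELECT-then-UPDATE in receive() must be atomic (a row lock such as SELECT ... FOR UPDATE, or a conditional UPDATE), or two daemons can lease and process the same message. The timeout also means a consumer that runs longer than the visibility window sees its work redelivered, so handlers should be idempotent.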
Grouper Loader - Shilen
Quartz API change
DDL is working for hsqldb (starting with that)
DDL Utils issue is solved
Next: on startup see if there are jobs that must be removed (changelog or group sync or LDAP jobs etc)
Then Shilen will commit this work and check on other databases
Be sure DDL Utils is adding schema effectively
PSPNG - Bert
Structured changelog consumer: prototype provisioner
Processes changelog entries in batches:
start batch does the pre-work
then individual entries churn through
then end batch (when all the changes get applied)
Following this pattern makes change processing very fast
Bert did this for AD first
entitlement-based provisioning
then other object classes out of AD
Focusing on membership provisioning right now, attributes coming after memberships
For Azure: how many messages at once?
Jim not sure , will find out
[AI] (Jim) investigate how many messages Azure can handle
SQS: only ten messages per batch call
Two use cases:
-users with dozens of entitlements
-adding a new group where there are dozens of members going into same group
Jim: Amazon increased the size of messages that can be sent
You may want to also look into:
https://wiki.evolveum.com/display/midPoint/Architecture+and+Design#ArchitectureandDesign-ProvisioningSubsystem
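The start-batch / per-entry / end-batch pattern above, combined with the ten-messages-per-call SQS limit and the two use cases (one person with dozens of entitlements, one new group with dozens of members), is shown in this added example. It is not PSPNG code: the changelog entry tuple format, the transport callable standing in for the SQS client, and the per-group coalescing rule are assumptions made here.

```python
from collections import defaultdict

# SQS accepts at most 10 messages per SendMessageBatch / ReceiveMessage call.
SQS_MAX_BATCH = 10


class BatchingProvisioner:
    """Added illustration of the start-batch / per-entry / end-batch consumer
    pattern from the notes. Not PSPNG code: the entry format, the transport
    callable and the coalescing rules are assumptions made here."""

    def __init__(self, transport, max_batch=SQS_MAX_BATCH):
        self.transport = transport   # callable(list_of_messages); stand-in for the SQS client
        self.max_batch = max_batch
        self.pending = None
        self.entries = 0

    def start_batch(self):
        # Pre-work: one bucket per group, so a new group receiving dozens of
        # members yields one message rather than dozens.
        self.pending = defaultdict(lambda: {"add": set(), "remove": set()})
        self.entries = 0

    def process_entry(self, entry):
        """entry is a constructed (kind, group, subject) tuple; last write wins
        when the same subject is added and deleted within one batch."""
        kind, group, subject = entry
        self.entries += 1
        bucket = self.pending[group]
        if kind == "MEMBERSHIP_ADD":
            bucket["remove"].discard(subject)
            bucket["add"].add(subject)
        elif kind == "MEMBERSHIP_DELETE":
            bucket["add"].discard(subject)
            bucket["remove"].add(subject)
        else:
            raise ValueError(f"unknown changelog entry kind: {kind}")

    def end_batch(self):
        """Flush: one message per touched group, sent in chunks of max_batch."""
        messages = [{"group": g, "add": sorted(v["add"]), "remove": sorted(v["remove"])}
                    for g, v in sorted(self.pending.items()) if v["add"] or v["remove"]]
        calls = 0
        for i in range(0, len(messages), self.max_batch):
            self.transport(messages[i:i + self.max_batch])
            calls += 1
        summary = {"entries": self.entries, "messages": len(messages), "calls": calls}
        self.pending = None
        return summary


def demo():
    """Run one batch over constructed changelog entries covering both use cases
    and the add-then-delete edge case; returns the summary and the sent chunks."""
    sent = []                                # captures each transport call
    prov = BatchingProvisioner(sent.append)
    entries = []
    # Use case 1: a new group with 25 members added at once.
    entries += [("MEMBERSHIP_ADD", "app:vpn:users", f"user{n:02d}") for n in range(25)]
    # Use case 2: one person added to 15 different entitlement groups.
    entries += [("MEMBERSHIP_ADD", f"app:svc{n:02d}:admins", "jdoe") for n in range(15)]
    # Edge case: add then delete of the same subject inside one batch.
    entries += [("MEMBERSHIP_ADD", "app:tmp", "zed"), ("MEMBERSHIP_DELETE", "app:tmp", "zed")]
    prov.start_batch()
    for entry in entries:
        prov.process_entry(entry)
    summary = prov.end_batch()
    return summary, sent
```

Forty-two entries collapse to seventeen messages and two transport calls. The "dozens of entitlements" case still costs one message per group, so if that dominates the workload the coalescing key should be the subject rather than the group; the point of the pre-work step is that this choice is made once per batch, not per entry.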
Building and packaging -Misagh
https://spaces.internet2.edu/pages/viewpage.action?pageId=87755940
Can build with Gradle effectively
Several modules now build
now working on the Grouper web app and Grouper UI
to build a war that is functional via Gradle
Regarding the jar issue, Misagh has removed every jar from the repo, except two
all but 2 can be pulled from Maven repositories
Hibernate jar uploaded to Sonatype in our namespace?
Grouper UI and WS need to produce a war file?
what is required to add a module?
There is a Gradle branch in the Internet2 GitHub repository
some checking to do on modules not in maven - what should be their fate?
[AI] (Shilen or Chris) need to refactor hibernate customizations so they can be built/deployed in grouper namespace.
War file build process:
-Misagh: Theoretically, provide just a war file
-Chris: What about config files/jsps/etc?
-Bert: What about keeping config files outside of the war? Chris wrote an email on Nov 12, “Grouper Newbie Question”
--Deployment could unzip packaged war, merge external configs, repackage
External Jars/Bits (eg, cas, duo, etc libs):
-Part of grouper tarball, or could be packaged into war file (in WEB-INF/xyz)
· Vivek: WS
Issue roundup
· Non standard jars
· Tomcat 7/8 patch
· Grouper newbie questions
· LDAP loader addIncludeExclude on SIMPLE job
· Question about JVMs and keeping config files in sync
· Grouper in Multiple Environments: Use ant to make changes to default files
Common newbie problem
· Security XSS concern
Email came in yesterday. Chris created a patch, Vivek sanity-checked it
Instead of a selective announcement, decided to send the announcement to grouper-users so everyone had an equal chance of addressing the problem. Particularly appropriate because the word is out once there is a GitHub commit.
Problem had some mitigations (users needed to have permission to add attributes to groups)
There aren’t often security concerns within Grouper.
Perhaps learn from the Shibboleth process, so we don’t have to be creative each time
-[AI] (Jim) Start drafting a more detailed process for security concern handling
· Security form on confluence removed (submit to grouper-core?)
· grouper_aval_asn_efmship_v view
· convertAdMemberDnToSpecificValue pull request (AI chris to merge back)
· grouper and mailing list discussion
Let list server keep track of opt-outs (mailman, others?)
· pull request merging and formatting (use standard, only change code you need to change)
· loader performance woes [a dozen groups took ~18 minutes] (AI add logging strategy to next dev call)
Would better logging help?
· sync grouper with duo
· selective provisioning to ldap with attribute (AI for Bert to followup)
Else
-renaming packages of external jars in client (and installer?): [AI: Chris to put on agenda for Next Call]
Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749