grouper-users - [grouper-users] Grouper Working Group Face-to-Face Meeting at Internet2 2011 SMM, 18-April-2011
- From: Emily Eisbruch
- To: Grouper Dev
- Subject: [grouper-users] Grouper Working Group Face-to-Face Meeting at Internet2 2011 SMM, 18-April-2011
- Date: Fri, 29 Apr 2011 10:46:46 -0400
Grouper WG at 2011 SMM – Monday, April 18, 2011 [60 in attendance]

Slides are linked from http://events.internet2.edu/2011/spring-mm/agenda.cfm?go=session&id=10001766&event=1035

Note: Thank you to Dean Woodbeck for preparing these minutes.

Questions/topics
- Update on LDAPPC NG evolution

Grouper v 2.0 time frame/highlights
• point-in-time audit demo
• member sort/search
• attribute UI
• upgrading to 2.0
• invite external users
• syncing groups between Groupers
• Atlassian connector

LDAP provisioning

What's New with Grouper - Shilen Patel

Member searching and sorting
• Problems: Grouper has limited info on subjects. Unable to effectively sort members of a group without a performance hit. Unable to quickly/easily search for people in a group.
• Solution: Grouper 2.0 allows up to 5 attributes for sorting and 5 attributes for searching for each subject. Sort/search attributes are updated when subjects are resolved in Grouper.
• Security – each sort and search field can be configured to restrict access based on a group. Useful if attributes contain private info.
• Fixes the performance issues sorting/searching.
• Can put multiple items in the search column

Point in time auditing
• Query the state of Grouper at a specific point in time
• Memberships: Was person X a member of group Y on a given date? Who were all the members of a group on date X or between date X and date Y?
• Permissions: Did person X have read permission on resource Y at a given date?
• Attributes: What attributes were assigned to a group in the past and what were the attribute values?

Demo of member search/sort in UI
• Shilen did a demo of the search/sort

Demo of point in time auditing using web services
• Shilen did a demo of the point in time auditing – looked at queries that show whether or not someone is a member of a certain group
• Can specify a “from” date or a “to” date or both on whether someone is in a group

What’s New with Grouper - Chris Hyzer

• Attribute framework UI. Ajax UI. Creates, edits, assigns attributes. For Grouper 2.0.
  • Attributes and actions
  • Attribute privileges
  • Attribute names
  • Groups and roles
  • Attribute assignments (to do)
  • Permission assignments (to do)
• Upgrade from Grouper 1.6
  • March 2011 -- Penn upgraded from Grouper 1.6 to 1.7
  • Grouper 1.7 was an internal Grouper release with point-in-time, rules, external subjects
  • upgrade took five hours (including testing)
  • performed upgrade on a Friday night at 5 pm.
  • No significant downtime required for read-only services
  • Disabled Nagios monitoring on WS
  • Set UI/WS to read-only mode
  • Turn off daemons, LDAP sync
  • Backup membership lite view to a table
  • Backup DB schema
  • See details on Penn's upgrade at https://spaces.internet2.edu/display/Grouper/Upgrade+notes+from+Grouper+1.6+to+1.7
• Penn’s Secure Space – to support external users
  • Secure Space is built on Grouper – three groups per space – admins, users, readonly
  • Grouper client/WS caches the list of groups for the user
  • uses InCommon for single sign-on
  • EPPN required for external users
  • External users self-register their name, email, institution
  • Installed Shib Discovery Service, customized:
    - Support channel
    - Easy for Penn users
    - Recommend Protect Network for users who don't have an InCommon account which releases EPPN.
  • Chris did a demo of the Penn Secure Space system

Q: Have you thought about adding Google or OpenID – users are more familiar with this than Protect Network?
A: At Penn we are starting with Protect Network.

• Group sync to another Grouper
  • map the folder/group from one Grouper to the folder/group in another Grouper
  • only one side needs to make configurations
  • Three types of syncing – push, pull, push_incrementaion
  • Uses Grouper web services
  • Only external members are synced
  • Example on Grouper demo server. See https://spaces.internet2.edu/display/Grouper/Grouper+demo+site
• Atlassian – Grouper connector
  • Map a root folder for Confluence or Jira
  • Create/delete groups from Atlassian, although sometimes there are issues
  • XMPP messaging from Grouper to Atlassian for real time updates

LDAPPC NG - Lynn Garrison

LDAP Provisioning
• Group Mgmt
  • 62 standing groups – provisioned once, incremental update daily
  • course groups – 18746 for spring – provisioned once, incremental update daily
  • delegate – 9700 – managed with web application (depts. use for listservs, secure space)
  • hybrid/nested – 2000
• Architecture team looks at environment and recommends to production team what to use.
• Current environment:
  • Linux (CentOS) – Oracle express database, LDAP subject source using software from U-Wash, Shib attribute resolver
  • AIX (version 6.1 POWER7) - LDAP
• Requirements from Penn State
  • Performance
    - Groups – 18 minutes to create group of 31000 members. 45 min to provision to LDAP (just do that once). Native LDAP – 40 min to provision to LDAP
    - Need real-time provisioning
    - Incremental provisioning
    - Creation of groups from existing LDAP

LDAPPC NG -- Tom Zeller
• want speed – turns out caching is key
• need to tune cache – making it larger is a good thing
• if want cache smaller, need to have ways for people to cache easily
• When tried to identify areas to improve speed, looked at identifiers – both ends (input to Grouper – out from LDAPPC NG).
• Maybe should get rid of API and draw from IdP?

Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749