Notes from May 18 Grouper BoF at 2016 Global Summit
Slides from this BOF
Welcome
Intro to Grouper Core Team
- Chris Hyzer (Penn) - Grouper lead, API, WS, and UI, Chair
- Bert Bee-Lindgren (GaTech) - provisioning
- Misagh Moayyed (Unicon) works on Grouper/TIER, initially focused on build/package management
- Vivek Sachdeva (independent) - Grouper web services
- Shilen Patel (Duke) - API and everything else
- Emily Eisbruch (Internet2) - TIER work group lead
Grouper Overview
- Enterprise access management system
- Centralized groups and permissions
- Delegated control
- Share access across applications
- WS
- UI intended for any user to manage a group
- Provisions to LDAP / AD / SAML
- Auditing
- Automatic deprovisioning
Q: how does deprovisioning work in Grouper?
A: If you are removed from group, your access goes away.
Also can use rule, but if you get rehired you have to go thru intake again
Grouper is Participating in the TIER (Trust and Identity in Education and Research) Project
• Requirements and funding from institutions
• Suite of products that can be installed / managed
consistently
• Grouper docker container
• Soon to be a Grouper VM image
• WS API
• Consists of SCIM with TIER extensions
• Leverages Penn States SCIM implementation
• Instrumentation (logging, dashboards, adoption rates, etc)
• And more…
=====
VM image is coming
Working on APIs - adopt SCIM and have TIER extensions
Want to keep the API generic, not Grouper specific
Hope new clients will use the API
Penn State has implemented SCIM; we will leverage that
Looking at Instrumentation
Grouper 2.3.0 - released in April 2016
New Features
- Grouper Loader improvements including scheduling configuration to facilitate high-availability changes and handling of unresolvable subjects
- New Web Service operations for attribute definitions, actions, and messaging
- Grouper messaging system with integration to the changelog and ESB
- UI screens for attribute definitions and inherited privileges
- Export to GSH - allows export of Grouper objects to a Grouper Shell (GSH) script
- Folder privileges have been changed to be "admin" and "create" instead of "stem" and "create"
- TIER API "hasMember" operation implemented in the Grouper web services module to support integration and interoperability. Note: this is already out of date
- Provisioning Service Provider Next Generation (PSPNG)
• Simplify configuration
• Increase performance
- Grouper 2.3.0 Provisioning targets
• LDAP groups
• Active Directory groups
• LDAP attributes (entitlements)
• Incremental and full refresh
• Group selection: by folder or group, or both
• Higher-level and higher-performance programming API
Discussion on Grouper 2.3
- Q: When will we see statistics on performance?
- A: Bert: have done testing, thousands of provisioning per minute
- Dozens or 100 per second when there is a big backlog
- Time required for updates depends on how much commonality there is in the changes being made
- One group with many new members = good performance
- If you must modify many groups, it is slower if you can’t reduce the number of LDAP operations
- The API is trying to take advantage of fetching opportunities
- Q: how is caching done?
- A: Using EHCACHE in Grouper
- There are many caches
- Q: will there be a UI for configuring these caches?
- A: instrumentation is a higher priority
- Chris: we are looking at Admin UI screens for configuring sources, loader jobs
- Hard to edit the properties files
- Onboarding
- The cache file is an XML file but should be moved to the hierarchical config
- Q: Is there a basis for a more coarse-grained UI?
- A: There is not a lot that has major impact on performance
- But we need a packaging of all this
- Minimally valued parameters
- Bert: depends how sensitive you have to be to memory
- Comment: you could calculate a lot of this to come up with simple estimates
- How do you know when your cache is oversized?
- Chris: Instrumentation is a TIER priority so we want to work on it
- Timeframe: Maybe in the next 6 months
- Q: will provisioning config be added to the UI, to interrogate the resource we are provisioning to?
- A: not talked about yet, need to get features figured out first
- Eventually we should have a wizard
- Need to simplify and get feedback on the config files
- Comment: First-time Grouper deployers struggle with configuring the sources .xml file
- Yes, that and the loader will be handled by the admin console
- For conditional configurations, need a wizard to be sure validations are intact
- Comment: Around instrumentation, the GEANT project is doing a similar effort, not yet doing standards and interfaces and schema but they will be doing those. Good for TIER and GEANT to work together. Work with Ann Harding, GEANT Trust and Identity Services
- Illinois is a 1st time deployer; the config, admin UI, communication interfaces would speed up implementations
- Stronger focus on getting started docs would help
- Need to organize and group the docs
- TIER had been talking about a knowledge base, would help with the needle in a haystack
- Q: Loader jobs and performance, how to manage that over time?
- Want to better track over time how long loader jobs are taking to run
- To help know how to position things and schedule
- Grouper Loader will be renamed to Daemons
- Quartz should be helpful for load balancing
- Running multiple Daemons will help
- Real time loader updates are on the Grouper roadmap
- Q: will this be multi-threaded?
- A: Run the daemon in multiple places; if you distribute the job across multiple nodes, this would help speed things up
- Chris: Grouper 2.3 implemented threads in Loader jobs
- Comment: on performance, would like to be able to look at what’s going on
- Sometimes people remove groups with 250K people in the middle of the day
- It is in logs, but hard to get to; instrumenting it visually would be helpful
- Want to be able to ask “why are things running slowly right now?”
- Can I pause this big operation?
Grouper Roadmap
- TIER packaging
- Revise building and package management (continued)
- UI
  - incorporate more rules
  - wizards for configuration
  - support attributes / permissions / etc
• PSPNG refinements
• Upgrade vt-ldap to ldaptive
• Improve GSH
• TIER SCIM API
• Grouper instrumentation
Provisioning opportunities post Grouper 2.3.0
Grouper Messaging
- Change log consumer gets an ordered sequence of events
- With messaging you can mark individual messages as complete
- Can send messages to multiple queues
- Can pipe everything to messages
- Can implement a listener to pull things off the messaging queue and mark as complete
- Most messaging implementations need ordered messages
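The messaging points above (ordered change log sequence, per-message completion marks, fan-out to multiple queues, a listener that pulls and marks complete) are easier to see in code. The following is an added example written for these notes; it is not Grouper's own change log or messaging API, and every class and field name in it (`ChangeEvent`, `MessageBus`, `Listener`, the "add"/"delete" action vocabulary, the sample events) is a constructed assumption. It models why consumers need ordered messages: the listener applies events strictly in sequence, acknowledges a redelivered duplicate without re-applying it, and stops at a gap until the missing event arrives, so a provisioning target never sees a delete before the add it undoes.

```python
"""Hypothetical change-log message bus and consumer (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class ChangeEvent:
    """One change log entry. Field names are assumptions for this example."""
    sequence: int   # change log sequence number: strictly increasing, gap-free
    action: str     # "add" or "delete" (constructed vocabulary)
    group: str
    subject: str


@dataclass
class Queue:
    name: str
    pending: List[ChangeEvent] = field(default_factory=list)
    completed: Set[int] = field(default_factory=set)   # per-message completion marks


class MessageBus:
    """Fans every published event out to all queues. Each queue tracks completion
    on its own, so a slow LDAP consumer does not hold back an audit consumer."""

    def __init__(self, queue_names: List[str]) -> None:
        self.queues: Dict[str, Queue] = {n: Queue(n) for n in queue_names}

    def publish(self, event: ChangeEvent) -> None:
        for q in self.queues.values():
            q.pending.append(event)

    def mark_complete(self, queue_name: str, sequence: int) -> None:
        q = self.queues[queue_name]
        q.completed.add(sequence)
        q.pending = [e for e in q.pending if e.sequence != sequence]


class Listener:
    """Pulls events off one queue in sequence order, applies each through a
    handler, and marks each one complete individually."""

    def __init__(self, bus: MessageBus, queue_name: str,
                 handler: Callable[[ChangeEvent], None]) -> None:
        self.bus = bus
        self.queue_name = queue_name
        self.handler = handler
        self.last_sequence = 0   # highest sequence applied so far

    def run_once(self) -> List[int]:
        """Apply every contiguous pending event; return the sequences applied."""
        q = self.bus.queues[self.queue_name]
        applied: List[int] = []
        for ev in sorted(q.pending, key=lambda e: e.sequence):
            if ev.sequence <= self.last_sequence or ev.sequence in q.completed:
                # Redelivered duplicate: already applied, so only acknowledge it again.
                self.bus.mark_complete(self.queue_name, ev.sequence)
                continue
            if ev.sequence != self.last_sequence + 1:
                # Gap: an earlier event has not arrived; stop and wait for it.
                break
            self.handler(ev)
            self.bus.mark_complete(self.queue_name, ev.sequence)
            self.last_sequence = ev.sequence
            applied.append(ev.sequence)
        return applied


class GroupTarget:
    """Stand-in for a provisioning target (in-memory, not an LDAP client)."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}

    def apply(self, ev: ChangeEvent) -> None:
        members = self.members.setdefault(ev.group, set())
        if ev.action == "add":
            members.add(ev.subject)
        elif ev.action == "delete":
            members.discard(ev.subject)   # removal from the group revokes access
        else:
            raise ValueError(f"unknown action {ev.action!r}")


def demo() -> Dict[str, object]:
    """Run the constructed scenario: duplicate redelivery and an out-of-order event."""
    bus = MessageBus(["ldap", "audit"])
    target = GroupTarget()
    audit_log: List[int] = []
    ldap = Listener(bus, "ldap", target.apply)
    audit = Listener(bus, "audit", lambda ev: audit_log.append(ev.sequence))

    events = [  # constructed sample change log
        ChangeEvent(1, "add", "staff", "alice"),
        ChangeEvent(2, "add", "staff", "bob"),
        ChangeEvent(3, "delete", "staff", "alice"),
        ChangeEvent(4, "add", "faculty", "carol"),
    ]
    for ev in events[:3]:
        bus.publish(ev)
    first = ldap.run_once()                                   # [1, 2, 3]
    bus.publish(events[1])                                    # seq 2 redelivered
    bus.publish(ChangeEvent(5, "add", "faculty", "dave"))     # seq 5 arrives before 4
    second = ldap.run_once()                                  # []: dup acked, gap blocks 5
    bus.publish(events[3])
    third = ldap.run_once()                                   # [4, 5]
    audit.run_once()
    return {
        "first": first, "second": second, "third": third,
        "staff": sorted(target.members["staff"]),
        "faculty": sorted(target.members["faculty"]),
        "audit": audit_log,
    }


if __name__ == "__main__":
    print(demo())
```

The gap check is the part worth keeping in mind when choosing a real transport: a bus that can reorder deliveries forces every consumer to buffer and re-sequence like this, which is why the notes say most messaging implementations need ordered messages.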
Automated integration tests
Deprovisioning safety nets
More targets : suggestions?
Community contributions
- Please share your Grouper story on this page (contact
if you need help setting up a wiki page for your deployment)
Grouper Events
Grouper at Apereo Conference, May 22-26, 2016, several sessions, Thanks to Bill Thompson, Lafayette College, for coordination
Grouper IAM Webinar Wed. July 13, 2016 at 2pm ET
- Anyone interested in sharing their Grouper story with the community, please let Chris Hyzer know.
Feedback/ Questions/ Comments
- What about sync messages?
- Full sync option at Penn State
- Request for a mechanism in the provisioning tool to completely reload from Grouper.
- Now there are just incremental changes from the message bus, and the other side must keep things in sync
Highlights from this BOF
- Small, medium, large configurations for caches etc
- PSP UI would be useful
- Ann Harding from Geant has been working on instrumentation
- People are interested in loader performance
- UI could mention that operations will be slow or schedule them for later (adding large group to another group)
- Penn State and full sync message
For Reference:
Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749