Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Notes from Grouper BoF at 2016 Global Summit

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Notes from Grouper BoF at 2016 Global Summit


Chronological Thread 
  • From: Emily Eisbruch <>
  • To: "" <>, "()" <>
  • Subject: [grouper-users] Notes from Grouper BoF at 2016 Global Summit
  • Date: Thu, 26 May 2016 19:55:35 +0000
  • Accept-language: en-US
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
  • Spamdiagnosticoutput: 1:0


Notes from May 18 Grouper BoF at 2016 Global Summit

Slides from this BOF


Welcome

Intro to Grouper Core Team

  • Chris Hyzer (Penn) - Grouper lead, API, WS, and UI, Chair
  • Bert Bee-Lindgren (GaTech) - provisioning
  • Misagh Moayyed (Unicon) works on Grouper/TIER, initially focused on build/package management
  • Vivek Sachdeva (independent) - Grouper web services
  • Shilen Patel (Duke) - API and everything else
  • Emily Eisbruch (Internet2) - TIER work group lead


Grouper Overview

  • Enterprise access management system
  • Centralized groups and permissions
  • Delegated control
  • Share access across applications
  • WS
  • UI intended for any user to manage a group
  • Provisions to LDAP / AD / SAML
  • Auditing
  • Automatic deprovisioning


Q: how does deprovisioning work in Grouper?

A: If you are removed from group, your access goes away.

Also can use rule, but if you get rehired you have to go thru intake again


Grouper is Participating in the TIER 

(Trust and Identity in Education and Research) Project

• Requirements and funding from institutions

• Suite of products that can be installed / managed

consistently

• Grouper docker container

• Soon to be a Grouper VM image

• WS API

• Consists of SCIM with TIER extensions

• Leverages Penn States SCIM implementation

• Instrumentation (logging, dashboards, adoption rates, etc)

• And more…


=====

VM image is coming

Working on APIs - adopt SCIM and have TIER extensions

Want to keep the API generic, not Grouper specific

Hope new clients will use the API

Penn State has implemented SCIM; we will leverage that

Looking at Instrumentation




Grouper 2.3.0 - released in April 2016

New Features

  • Grouper Loader improvements including schedulingconfiguration to facilitate high-availability changes and,handling unresolvable subjects
  • New Web Service operations for attribute definitions,actions, and messaging
  • Grouper messaging system with integration to the changelog and ESB
  • UI screens for attribute definitions and inherited privileges
  • Export to GSH - allows export of Grouper objects to a Grouper Shell (GSH) script
  • Folder privileges have been changed to be "admin" and "create" instead of "stem" and "create)
  • TIER API "hasMember" operation implemented in the Grouper web services module to support integration and interoperability. Note: this is already out of date

  • Provisioning Service Provider Next Generation (PSPNG)

Simplify configuration

Increase performance

  • Grouper 2.3.0 Provisioning targets

LDAP groups

Active Directory groups

LDAP attributes (entitlements)

  • Other features

Incremental and full refresh

Group selection: by folder or group, or both

Higher-level and higher-performance programming API



Discussion on Grouper 2.3

  • Q: When will see statistics on performance?
  • A: Bert: have done testing, thousands of provisioning per minute
  • Dozens or 100 per second when there is a big backlog
  • Time required for updates depends how much commonality there is in the changes being made
  • One group with many new members = good performance
  • If you must modify many groups, it is slower if you can’t reduce the number of LDAP operations
  • The API trying to take advantage of fetching opportunities
  • Q: how is caching done?
  • Using EHCACHE in Grouper
  • There are many caches
  • Q: will there be a UI for configuring these caches?
  • A: instrumentation is a higher priority
  • Chris: we are looking at Admin UI screens for configuring sources, loader jobs
  • Hard to edit the properties files,
  • Onboarding
  • Editing the cache file is an XML file but should be moved to the hierarchical config
  • Q: Is there a basis for a more course-grained  UI?
  • A: There is not a lot that has major impact on performance
  • But we need a packaging of all this
  • Minimally valued parameters
  • Bert: depends how sensitive you have to be to memory
  • comment: you could calculate a lot of this to come up with simple estimates
  • How do you know when your cache is oversized?
  • Chris: Instrumentation is a TIER priority so we want to work on it
  • Timeframe : Maybe in next 6 months
  • Q: will provisioning config be added to the UI, To interrogate the resource we are provisioning to?
  • A: not talked about yet, need to get features figured out first
  • Eventually we should have a wizard
  • Need to simplify and get feedback on the config files
  • comment: First-time Grouper deployers struggle with configuring sources .xml file
  • Yes that and the loader will be handled by the admin console
  • For conditional configurations, need a wizard to be sure validations are intact
  • Comment: Around instrumentation, the Geant project is doing a similar effort, not yet doing standards and interfaces and schema but they will be doing those.  Good for TIER and GEANT to work together. Work with Ann Harding. GEANT Trust and Identity Services
  • Illinois is 1st time deployer, the config, admin UI , communication interfaces would speed up implementations
  • Stronger focus on getting started docs would help
  • Need to organize and group the docs
  • TIER had been talking about a knowledge base, would help needle in haystack
  • Q: Loader jobs and performance , how to manage that over time?
  • Want to better track over time, how long loader jobs are taking to run
  • To help know how to position things and schedule
  • Grouper Loader will be renamed to Daemons
  • Quartz should be helpful for load balancing
  • Running multiple Daemons will help
  • Real time loader updates are on the Grouper roadmap
  • Q: will this be multi-threaded?
  • A: Run the daemon in multiple places, if you distribute the job across multiple nodes, this would help speed things
  • Chris: Grouper 2.3 implemented threads in Loader jobs
  • Comment: on performance would like to be able to look at what’s going on
  • Sometimes people remove groups with 250K people in the middle of the day
  • It is in logs, but hard to get to; Instrumenting it visually would be helpful
  • Want to be able to ask
    • “why are things running slowly right now”
    • Can I pause this big operation?


Grouper Roadmap 

  • TIER packaging 
  • Revise building and package management (continued)
  • UI

    • incorporate more rules
    • wizards for configuration
    • support attributes / permissions / etc

• PSPNG refinements

• Upgrade vt-ldap to ldaptive

• Improve GSH

• TIER SCIM API

• Grouper instrumentation


Provisioning opportunities post Grouper 2.3.0


Grouper Messaging

  • Change log consumer gets ordered sequence of events
  • With messaging you can mark individual messages as complete
  • Can send messages to multiple queues
  • Can pipe everything to messages
  • Can implement a listener to pull things off the messaging queue and mark as complete
  • Most messaging implementations need ordered messages


Automated integration tests

Deprovisioning safety nets

More targets : suggestions?



Community contributions 

  • Please share your Grouper story on this page (contact if you need help setting up a wiki page for your deployment)


Grouper Events

Grouper at Apereo Conference, May 22-26, 2016, several sessions, Thanks to Bill Thompson, Lafayette College, for coordination


Grouper IAM Webinar Wed. July 13, 2016 at 2pm ET 

  • Anyone interested in sharing their Grouper story with the community, please let Chris Hyzer know.

Feedback/ Questions/ Comments

  • What about sync messages?
  • Full sync option at Penn State
  • Request for offering in the provisioning tool mechanism to completely reload from Grouper.
  • Now there is just incremental changes from message bus and the other side must keep things in sync


Highlights from this BOF

  • Small, medium, large configurations for caches etc
  • PSP UI would be useful
  • Ann Harding from Geant has been working on instrumentation
  • People are interested in loader performance
  • UI could mention that operations will be slow or schedule them for later (adding large group to another group)
  • Penn State and full sync message,  


For Reference:




Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749



  • [grouper-users] Notes from Grouper BoF at 2016 Global Summit, Emily Eisbruch, 05/26/2016

Archive powered by MHonArc 2.6.16.

Top of Page