[GRP-5390] mechanism to display differences between file provided properties and db provided properties Created: 25/Mar/24  Updated: 27/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We handle most of our configuration via properties files on the file system.

Actions in the UI can (and do) duplicate those properties in the database.

It would be helpful if the UI (or a gsh function?) could display all of the properties, identify where they come from, and more importantly, when there are conflicts between the versions on the filesystem and those in the GROUPER_CONFIG table



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 27/Mar/24 ]

Maybe a configuration report or something?





[GRP-5392] remove uesrSearchFilter from ldap provisioner config Created: 27/Mar/24  Updated: 27/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 5.9.1, 4.12.1

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5391] Foreign key constraint missing from Oracle upgrade DDL Created: 25/Mar/24  Updated: 26/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Bruce Timberlake Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://github.com/Internet2/grouper/blob/GROUPER_5_BRANCH/grouper/conf/ddl/GrouperDdl_Grouper_45_upgradeTo_46_oracle.sql is missing this command:

 

ALTER TABLE grouper_sql_cache_group ADD CONSTRAINT grouper_sql_cache_group1_fk FOREIGN KEY (field_internal_id) REFERENCES grouper_fields(internal_id);

 

which is present at line 2262 in https://github.com/Internet2/grouper/blob/GROUPER_5_BRANCH/grouper/conf/ddl/GrouperDdl_Grouper_install_oracle.sql

 

We noticed this when upgrading from 4.8.2 to 5.8.2 and running "./gsh.sh -registry -check -deep" as part of our post upgrade testing and validation.



 Comments   
Comment by Gail Lift [ 26/Mar/24 ]

This might be a problem with the checking process – the DDL looks fine, and constraints are present in our DB.





[GRP-5389] jwt puts member_id in wrong column Created: 25/Mar/24  Updated: 25/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jonathan Zhao
1 day ago
Another finding, grouper treats grouper_password.username, rather than grouper_password.member_id as the member_id part in bearer token.
When creating a JWT key from UI, a new row is automatically created in table grouper_password with column "username" and "member_id" set to the same value.
If we change the value of grouper_password.member_id to anything different, the authn still works well;
But if we change the value of grouper_password.username to a different value, the authn fails, and reports error "cannot find public key for ...".
It's very confusing that the member_id in bearer token (also the one in UI) is not saved in column grouper_password.member_id but in column grouper_password.username.






[GRP-5388] show grouper database under external systems Created: 23/Mar/24  Updated: 23/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 23/Mar/24 ]

not editable





[GRP-5387] assignCheckSecurity in MembershipFinder doesnt work Created: 23/Mar/24  Updated: 23/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5384] provisioningEntityWrapper.isInGroup() generic jexl error Created: 20/Mar/24  Updated: 20/Mar/24

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.11.1
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This error can be reproduced when the group referenced does not exist. In this case, however, the group name is correct.

EntityWrapper@104500f5, java.lang.RuntimeException: Error substituting string: 'provisioningEntityWrapper.isInGroup('edu:ExampleEdu:Applications:DUO:duoAliases:duoAlias1') ? gcGrouperSyncMember.entityAttributeValueCache3 : ''',
, script: '${provisioningEntityWrapper.isInGroup('edu:ExampleEdu:Applications:DUO:duoAliases:duoAlias1') ? gcGrouperSyncMember.entityAttributeValueCache3 : ''}', ,
{gcGrouperSyncMember=GcGrouperSyncMember(entityAttributeValueCache2='banderson', entityAttributeValueCache3='.banderson', id='c1d91bc664bc428194f185b4e7b6d4e2', memberId='56113e8fe5814ee6ae1a76c6da5d5689', provisionableDb='T', provisionableStart='2024-03-20 03:28:01.582', sourceId='ldap', subjectId='888236'), grouperTargetEntity=Entity(attr[id]: "", attr[loginId]: "banderson"), provisioningEntityWrapper=EntityWrapper@104500f5, grouperProvisioningEntity=Entity(attr[description]: "Mary Nicholls", attr[email]: "banderson@exampleedu.edu", attr[id]: "56113e8fe5814ee6ae1a76c6da5d5689", attr[idIndex]: 272929, attr[name]: "Nicholls, Mary", attr[subjectId]: "888236", attr[subjectIdentifier0]: <null>, attr[subjectIdentifier1]: <null>, attr[subjectIdentifier2]: <null>, attr[subjectResolutionResolvable]: true, attr[subjectSourceId]: "ldap", recalcObject: false, recalcMships: false)}
	at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguageScript(GrouperUtil.java:11918)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslator.runScriptStatic(GrouperProvisioningTranslator.java:2030)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslator.runScript(GrouperProvisioningTranslator.java:2022)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslator.attributeTranslation(GrouperProvisioningTranslator.java:1568)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslator.attributeTranslationOrCache(GrouperProvisioningTranslator.java:1525)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslator.translateGrouperToTargetEntities(GrouperProvisioningTranslator.java:1121)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionFull(GrouperProvisioningLogic.java:123)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$1.provision(GrouperProvisioningType.java:41)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:77)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:855)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:56)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1091)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19)
	at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:441)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124)
	at edu.internet2.middleware.grouper.GrouperSession.in...






[GRP-5383] take out option to not auto create built in objects Created: 19/Mar/24  Updated: 19/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

tomee;catalina.out;DEV;Release-220110;2024-03-19T13:24:36,694: [localhost-startStop-1] INFO DirectJDKLog.log(173) - [] - Deploying deployment descriptor [/opt/tomcat/conf/Catalina/localhost/grouper.xml]
tomee;catalina.out;DEV;Release-220110;2024-03-19T13:25:06,695: [localhost-startStop-1] ERROR DirectJDKLog.log(175) - [] - ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/grouper]]
at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440) ~[catalina.jar:8.5.90]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198) ~[catalina.jar:8.5.90]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:711) [catalina.jar:8.5.90]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688) [catalina.jar:8.5.90]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:661) [catalina.jar:8.5.90]
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:673) [catalina.jar:8.5.90]
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1881) [catalina.jar:8.5.90]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
at java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: java.lang.NullPointerException: Cannot invoke "edu.internet2.middleware.grouper.Stem.getName()" because "stem" is null
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkAttribute(GrouperCheckConfig.java:2268) ~[?:?]
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig$8.callback(GrouperCheckConfig.java:4715) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1091) ~[?:?]
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkAttributeDefNames(GrouperCheckConfig.java:3462) ~[?:?]
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:538) ~[?:?]
at edu.internet2.middleware.grouper.misc.GrouperStartup$1.callback(GrouperStartup.java:348) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124) ~[?:?]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1091) ~[?:?]
at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:292) ~[?:?]
at edu.internet2.middleware.grouper.j2ee.CommonServletContainerInitializer.onStartup(CommonServletContainerInitializer.java:34) ~[?:?]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4940) ~[catalina.jar:8.5.90]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[catalina.jar:8.5.90]
... 10 more



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 19/Mar/24 ]

configuration.autocreate





[GRP-5338] creating log pipes twice can fail Created: 03/Mar/24  Updated: 19/Mar/24

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 5.8.2, 4.11.1

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chad Redman
3 days ago
Anyone running on OpenShift and seeing this error?
grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/logpipe
mkfifo: cannot create fifo '/tmp/logpipe': File exists
The container still runs, it just doesn't output anything after the startup. And it's only randomly, maybe 50% of the time. This is with 4.11.0. We weren't seeing this on earlier versions that I know of (edited)



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 19/Mar/24 ]

had to revert this since the fix caused other issues, will fix again





[GRP-5381] WebService Account with stem create privilege cannot create stem at child level Created: 19/Mar/24  Updated: 19/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Blocker
Reporter: Alpha Sanneh Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5380] Upgrade jquery version Created: 19/Mar/24  Updated: 19/Mar/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

jQuery 1.10.2 has known vulnerabilities






[GRP-5378] look at status_grouper to see if works in v5 Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5377] add diagnostics to data provider Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5376] add diagnostics query to data provider query Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5374] add expiration dates to membership export Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5373] if a data field row config id is the same as a data field config id then a corruption occurs Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5370] sql cache group error Created: 15/Mar/24  Updated: 15/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper;grouper_error.log;${ENV};${USERTOKEN};2024-03-15T04:29:00,111: [DefaultQuartzScheduler_Worker-1] ERROR GrouperLoaderJob.execute(363) - [] - Error running up job
java.lang.RuntimeException: Error in loader job: null, status: ERROR, check logs: method: dispatchEventList, eventCount: 4, lastSequenceAvailable: 79022, wrongAttributeName: 1, removeCacheCount: 2, addCacheCount: 1, eventsSkipped: 1, tookMillis: 16Error: java.lang.RuntimeException: Couldn't process any records: type: consumer, finalLog: true, state: sendToPublisher, consumerName: sqlCacheGroup, currentSequenceNumber: null, filterInvalidEventTypesSize: 22, elFilter: event.eventType eq 'ATTRIBUTE_ASSIGN_VALUE_ADD' || event.eventType eq 'ATTRIBUTE_ASSIGN_VALUE_DELETE', skippedEventsDueToExpressionLanguageCount: 669, publisherClass: edu.internet2.middleware.grouper.sqlCache.EsbPublisherSqlCache, exception: java.lang.RuntimeException: sql:  select  from OBJECT;, args: ArrayList size: 4: [0]: 1710449243087000
[1]: etc:sqlCacheable:sqlCacheableListName
[2]: 9776abcbcb8b42359eaa9a781bdcee8d
[3]: 58a626505bc94d368bb6a6ece3a8a099
 
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2433)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1795)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1669)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1644)
	at edu.internet2.middleware.grouper.sqlCache.SqlCacheGroupDao.retrieveNonexistingAttributeAssignments(SqlCacheGroupDao.java:296)
	at edu.internet2.middleware.grouper.sqlCache.EsbPublisherSqlCache.dispatchEventList(EsbPublisherSqlCache.java:157)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:511)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:415)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecordsWrapper(ChangeLogHelper.java:250)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:508)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:558)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob$1.callback(GrouperLoaderJob.java:357)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1091)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:92)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.lang.RuntimeException: Problem attaching param index: 1, param: '1710449243087000'
	at edu.internet2.middleware.grouperClient.jdbc.GcBoundDataConversionImpl.addBindVariableToStatement(GcBoundDataConversionImpl.java:70)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2393)
	... 17 more
Caused by: org.postgresql.util.PSQLException: The column index is out of range: 1, number of columns: 0.
	at org.postgresql.core.v3.SimpleParameterList.bind(SimpleParameterList.java:70)
	at org.postgresql.core.v3.SimpleParameterList.setBinaryParameter(SimpleParameterList.java:144)
	at org.postgresql.jdbc.PgPreparedStatement.bindBytes(PgPreparedStatement.java:1113)
	at org.postgresql.jdbc.PgPreparedStatement.setLong(PgPreparedStatement.java:344)
	at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setLong(NewProxyPreparedStatement.java:197)
	at edu.internet2.middleware.grouperClient.jdbc.GcBoundDataConversionImpl.addBindVariableToStatement(GcBoundDataConversionImpl.java:45)
	... 18 more
, tookMillis: 22
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:603)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:415)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecordsWrapper(ChangeLogHelper.java:250)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$5.runJob(GrouperLoaderType.java:508)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:558)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob$1.callback(GrouperLoaderJob.java:357)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1055)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1124)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1091)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:92)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
 
 






[GRP-5368] run load job should not show for scripted group Created: 14/Mar/24  Updated: 14/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5367] add status page with ddl checks Created: 14/Mar/24  Updated: 14/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5366] moving groups should change jexl script for loaded groups Created: 14/Mar/24  Updated: 14/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5345] allow gsh v2 templates to be used for abac patterns Created: 05/Mar/24  Updated: 13/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5364] allow read-only users to have full access to grouper Created: 12/Mar/24  Updated: 12/Mar/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.11.2, 5.8.6
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes  2 hours ago

is there an ability to create a “read-only” version of the grouper sysadmins?  I add someone to sysadminReadersGroup and sysadminViewersGroup and they can’t view daemons or other config stuff that the sysadmins can see.
4 replies


Chris Hyzer  2 hours ago

thats the intent of those, but we need to make adjustments.  if you want to make a jira and we all agree we can start allowing more part of grouper to be seen by those folks...so for instance daemons, maybe sysadminViewers can see them but not change them?
Shilen Patel  2 hours ago

We recently changed things so that our normal NetID accounts aren't in the sysadmingroup anymore (instead they are in the sysadminReadersGroup) and we have separate privileged credentials that are in the sysadmingroup now.  Anyways, by doing that, I've noticed this issue as well and would also love to see it resolved 






[GRP-5363] add attribute options for findGroups in grouper client Created: 12/Mar/24  Updated: 12/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

[mchyzer@flash pennGroupsClient-2.6.0]$ java -jar grouperClient.jar --operation=findGroupsWs --groupAttributeName=test:testGroupAttrValue --groupAttributeValue=someVal --debug=true






[GRP-5362] make the app template key and friendly name consistent with groups Created: 12/Mar/24  Updated: 12/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5361] NPE trying to view "Unresolvable subjects" in the UI. Created: 11/Mar/24  Updated: 11/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.10.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper-ui;grouper_error.log;dev;nothing;2024-03-11T14:52:27,187: [ajp-nio-0.0.0.0-8009-exec-7] ERROR GrouperUiRestServlet.doGet(372) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectResolution.viewUnresolvedSubjects
java.lang.NullPointerException: Cannot invoke "edu.internet2.middleware.grouper.app.usdu.SubjectResolutionAttributeValue.isDeleted()" because "subjectResolutionAttributeValue" is null,
Problem calling method viewUnresolvedSubjects on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectResolution
at edu.internet2.middleware.grouper.app.usdu.UsduService.getUnresolvedSubjects(UsduService.java:289)
at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectResolution$3.callback(UiV2SubjectResolution.java:224)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1002)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1071)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1038)
at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectResolution.viewUnresolvedSubjects(UiV2SubjectResolution.java:220)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5784)
at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5735)
at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:561)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:533)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:840)



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 11/Mar/24 ]

for grouper_members.subject_resolution_deleted (and eligible and resolvable), do those have default values in your database and do any rows have null values? seems like an upgrade tasks didnt work correctly or rolled back after upgrading and then forward? anyways, if you fix that data issue should be good





[GRP-5354] give a friendly error when setting up composites wrong Created: 08/Mar/24  Updated: 08/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5353] make new test method for google with select entities false and select groups false Created: 08/Mar/24  Updated: 08/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

call that twice, once for full and once for incremental (same test method)






[GRP-5352] google mock service should fetch individual users by email address Created: 08/Mar/24  Updated: 08/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5349] Google mock service can't fetch an individual group Created: 06/Mar/24  Updated: 08/Mar/24

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.11.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When testing incremental provisioning against the Google mock service handler, creating a group results in the error "java.lang.RuntimeException: There are 2 groups found for name: test:testGroup3". The two groups are for other groups that had already been provisioned. The inability to fetch a single group means that incremental provisioning of a group  cannot be accurately tested.

The api call being made is: /groups?domain=example.edu&maxResults=200&fields=nextPageToken,groups(id,email,name,description)&query=name%3D%27test:testGroup3%27

 

This returns back two different groups, neither of which is the one group it specified:

0 = \{ObjectNode@16995} "\{"id":"a6b0e706e54d437fbe50d4c5c777b987","name":"test:testGroup","description":null,"email":"test:testGroup"}"
1 = \{ObjectNode@16996} "\{"id":"f7d8ff131ffe4e01a53b2bbb2c2255c2","name":"test:testGroup1","description":null,"email":"test:testGroup1"}"

The GoogleMockServiceHandler class getGroups() method does not look at any query parameters other than the limit and page. The getGroups() query is always "from GrouperGoogleGroup where email > :pageToken" and will always return every group.
 






[GRP-5308] Provisioning entities not filtering objectClass when Select All Entities is false Created: 08/Feb/24  Updated: 05/Mar/24

Status: In Progress
Project: Grouper
Component/s: None
Affects Version/s: 4.10.3
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

LDAP entity provisioner, is provisioning an attribute that only exists for entities with a specific objectClass. Matching is on uid=subjectId. Debugging shows it's only querying on the uid, and does not use objectClass in the filter, nor does the provisioner exclude found entities later by that criteria.

 

Set up #1: Select all entities at once during full sync = false

Attempt 1: Set objectClass attribute = exampleEduPerson

Result: No effect; debug log shows ldap filter is the member set: `(|(uid=800000000)(uid=900))`

 

Attempt 2: Set Entity search filter: `(&(uid=${targetGroup.retrieveAttributeValue('uid')})(objectClass=exampleEduPerson))`

Result: No effect. Does this mean the "Entity search filter" is never used for anything?

 

Set up #2: Select all entities at once during full sync = true

Attempt 1: Search all filter blank (should default to uid=* and objectClass=...)

Result: Yes, filter is "(&(uid=*)(objectclass=berkeleyEduPerson))"

 

Attempt 2: Set Entity search all filter = `objectClass=exampleEduPerson`

Result: This works; filter is `objectClass=exampleEduPerson`

 

So the only way to filter users by objectClass is to opt to select all entities at once. There doesn't seem to be a way to filter the returned users when not selecting all entities.

At minimum, the help text for the search filter and search all filter should note they are ineffective unless searching all users at once.






[GRP-5334] Entity CRUD is customized but no options are configured (e.g. insertEntities) Created: 01/Mar/24  Updated: 01/Mar/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

this is for scim deactivate instead of delete. dont put this under crud.

workaround is to select true of false for a crud option which matches the default. e.g. set insert entities to true explicitly instead of the default which is true






[GRP-5330] Scheduled time for daemon job is wrong in UI display Created: 28/Feb/24  Updated: 28/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jim Beard Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper version: 4.7.2, UI


Attachments: JPEG File bug-quartz-cron2.jpg     JPEG File bug-quartz-cron.jpg    

 Description   

When I schedule jobs to run every Thursday, the daemon job UI says they will execute on Friday.

The jobs have a quartz cron string of "0 0 10 ? * 5", the UI says they will execute at 10am on Friday.  However they are executing on Thursday.  This was observed when I had them scheduled for "0 0 10 ? * 4" expecting them to execute on Thursday (thats when the UI said they would execute) but they executed on Wednesday instead.  When I use https://www.freeformatter.com/cron-expression-generator-quartz.html to verify the quartz cron string, it says "0 0 10 ? * 5" will execute on Thursday, differing from the UI.  The daemon engine seems to execute at the correct time, the UI just shows the incorrect time.






[GRP-5327] show better provisioning group counts Created: 28/Feb/24  Updated: 28/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black
2 hours ago
When a Grouper group ( with direct and indirect memberships ) are provisioned to a target system why is it "so hard" to manually validate the counts between Grouper and the target system?
Example.
Grouper group has 15863 total members ( as observed from the members table and the "total" at the bottom of the list. )
That group breaks down like this:
1 Direct membership ( a Ref group )
That Ref Group has 23 direct basis groups as members
I had to figure out why only 15838 members were provisioned to the down stream system. <-- !?!?
NOTE: I found 1 "DNE" error (did not find entity) in the provisioner logs.
Wrong math:
15863 (total) -1(DNE) = 15862 (should be in the target, but not the number observed. !!?!?! )
Correct math:
15863 (total) -1(DNE) - 24 ( nested groups) = 15838 actual members in the target system.
Maybe the UI should have a way to display the "user count" that can be sent to the provisioned system at a higher level than
Group Actions --> Provisioning
On the provisioner of interest Actions --> View Details
User count = 15839
With the subtext of "Number of users in group in a particular provisioning target"
The subtext is technically is wrong due to the DNE. Which you have to dig out of other menus/sub screens.....
And maybe show the count that was known to be provisioned too?
So I don't have to "login to the target, and find a way to get the count from it"?



 Comments   
Comment by Carey Black [ 28/Feb/24 ]

Version at time of request is v4.10.3





[GRP-5326] fix external auth build in v4 and v5 Created: 28/Feb/24  Updated: 28/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://jenkins.testbed.tier.internet2.edu/job/internet2/job/grouper/job/4.10.4/4/console






[GRP-5261] updates to scim email 2 not happening Created: 12/Jan/24  Updated: 27/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 4.11.0, 5.8.0

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5320] if delete groups in provisioning is true (not default), and an option selected, then a validation occurs but shouldnt Created: 22/Feb/24  Updated: 22/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5319] look at performance of readonly queries Created: 22/Feb/24  Updated: 22/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Evan Hughes
1 day ago
Does anyone have any advice if a folder with a few policy groups (15) should take around 2.5s to load. Infra is K8S pods with 3000 cpu and 3g of memory for the jvm, DB is Aurora Postgres. Grouper is 4.10.3, with DataDog APM looks like the db is doing 213 sql requests of 'SHOW TRANSACTION LEVEL' for half the time which I assume is c3p0 / hibernate?

Carey Black
23 hours ago
a folder with a few policy groups (N) should take around 2.5s to load.
Do other folders take a very different amount of time?
FWIW: My guess is that the work to resolve the privileges for the UI user on the folder's objects ( itself and nested folders and groups ) is likely what you are observing. And you may find that if you navigate away from the folder and back to it that the 'time to display' is better on re-display than on 'first display'.
I know that the project has moved a lot of the privilege (re-)calculations into jobs. And I think a lot of that is also cached in the UI RAM too. Which is why "redisplay" may be faster than the "first display". (Got to build the cache on first read. )

Carey Black
23 hours ago
If you have multiple UI nodes you likely are already using a sticky session too. ( If not that could also play in to more slowness if you are bouncing across multiple UI nodes between calls. )

Chris Hyzer
21 hours ago
are all your indexes there (do a gsh -registry -deep -check)? Sometimes vacuum analyzing all the indexes helps

Evan Hughes
17 hours ago
Grouper ddl object type 'Grouper' has db/ddl version: 0 (introduced in null) and container/grouperJava version: 44 (introduced in 2.6.18)
Grouper ddl object type 'Subject' has db/ddl version: 0 (introduced in null) and container/grouperJava version: 1 (introduced in 1.4.0)
Grouper database schema DDL requires updates
(should run script manually and carefully, in sections, verify data before drop statements, backup/export important data before starting, follow change log on confluence, dont run exact same script in multiple envs - generate a new one for each env),
script file is:
/opt/grouper/grouperWebapp/WEB-INF/ddlScripts/grouperDdl_20240221_23_09_58_083.sql
Note: this script was not executed due to option passed in
To run script via gsh, carefully review it, then run this:
gsh -registry -runsqlfile /opt/grouper/grouperWebapp/WEB-INF/ddlScripts/grouperDdl_20240221_23_09_58_083.sql

SUCCESS: Database DDL is correct!

Note: Database version for Grouper: 44 (2.6.18)
Note: Java version for Grouper: 44 (2.6.18)
Success: Database version is the same as the Java codebase Grouper version
Success: Table 'grouper_attr_assign_action': Table is up to date. 7 columns, 1 indexes, 1 foreign keys.
Success: Table 'grouper_attr_assign_action_set': Table is up to date. 10 columns, 3 indexes, 3 foreign keys.
Success: Table 'grouper_attribute_assign': Table is up to date. 20 columns, 8 indexes, 8 foreign keys.
Success: Table 'grouper_attribute_assign_value': Table is up to date. 10 columns, 4 indexes, 1 foreign keys.
Success: Table 'grouper_attribute_def': Table is up to date. 28 columns, 3 indexes, 1 foreign keys.
Success: Table 'grouper_attribute_def_name': Table is up to date. 13 columns, 2 indexes, 2 foreign keys.
Success: Table 'grouper_attribute_def_name_set': Table is up to date. 10 columns, 3 indexes, 3 foreign keys.
Success: Table 'grouper_attribute_def_scope': Table is up to date. 9 columns, 1 indexes, 1 foreign keys.
Success: Table 'grouper_audit_entry': Table is up to date. 30 columns, 13 indexes, 1 foreign keys.
Success: Table 'grouper_audit_type': Table is up to date. 20 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_cache_instance': Table is up to date. 2 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_cache_overall': Table is up to date. 2 columns, 0 indexes, 0 foreign keys.
Success: Table 'grouper_change_log_consumer': Table is up to date. 6 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_change_log_entry': Table is up to date. 16 columns, 15 indexes, 1 foreign keys.
Success: Table 'grouper_change_log_entry_temp': Table is up to date. 16 columns, 13 indexes, 0 foreign keys.
Success: Table 'grouper_change_log_type': Table is up to date. 19 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_composites': Table is up to date. 9 columns, 8 indexes, 4 foreign keys.
Success: Table 'grouper_config': Table is up to date. 13 columns, 4 indexes, 0 foreign keys.
Success: Table 'grouper_ddl': Table is up to date. 5 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_ddl_worker': Table is up to date. 5 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_ext_subj': Table is up to date. 16 columns, 2 indexes, 0 foreign keys.
Success: Table 'grouper_ext_subj_attr': Table is up to date. 10 columns, 3 indexes, 1 foreign keys.
Success: Table 'grouper_failsafe': Table is up to date. 11 columns, 2 indexes, 0 foreign keys.
Success: Table 'grouper_fields': Table is up to date. 7 columns, 3 indexes, 0 foreign keys.
Success: Table 'grouper_file': Table is up to date. 9 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_group_set': Table is up to date. 22 columns, 15 indexes, 10 foreign keys.
Success: Table 'grouper_groups': Table is up to date. 21 columns, 17 indexes, 3 foreign keys.
Success: Table 'grouper_last_login': Table is up to date. 4 columns, 4 indexes, 1 foreign keys.
Success: Table 'grouper_loader_log': Table is up to date. 29 columns, 6 indexes, 0 foreign keys.
Success: Table 'grouper_members': Table is up to date. 26 columns, 20 indexes, 0 foreign keys.
Success: Table 'grouper_memberships': Table is up to date. 16 columns, 21 indexes, 7 foreign keys.
Success: Table 'grouper_message': Table is up to date. 11 columns, 6 indexes, 1 foreign keys.
Success: Table 'grouper_mship_req_change': Table is up to date. 8 columns, 4 indexes, 0 foreign keys.
Success: Table 'grouper_password': Table is up to date. 16 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_password_recently_used': Table is up to date. 8 columns, 0 indexes, 1 foreign keys.
Success: Table 'grouper_pit_attr_assn_actn': Table is up to date. 9 columns, 4 indexes, 1 foreign keys.
Success: Table 'grouper_pit_attr_assn_actn_set': Table is up to date. 11 columns, 6 indexes, 3 foreign keys.
Success: Table 'grouper_pit_attr_assn_value': Table is up to date. 12 columns, 8 indexes, 1 foreign keys.
Success: Table 'grouper_pit_attr_def_name': Table is up to date. 10 columns, 6 indexes, 2 foreign keys.
Success: Table 'grouper_pit_attr_def_name_set': Table is up to date. 11 columns, 6 indexes, 3 foreign keys.
Success: Table 'grouper_pit_attribute_assign': Table is up to date. 17 columns, 12 indexes, 8 foreign keys.
Success: Table 'grouper_pit_attribute_def': Table is up to date. 10 columns, 7 indexes, 1 foreign keys.
Success: Table 'grouper_pit_config': Table is up to date. 20 columns, 4 indexes, 0 foreign keys.
Success: Table 'grouper_pit_fields': Table is up to date. 9 columns, 5 indexes, 0 foreign keys.
Success: Table 'grouper_pit_group_set': Table is up to date. 19 columns, 18 indexes, 9 foreign keys.
Success: Table 'grouper_pit_groups': Table is up to date. 9 columns, 6 indexes, 1 foreign keys.
Success: Table 'grouper_pit_members': Table is up to date. 11 columns, 6 indexes, 0 foreign keys.
Success: Table 'grouper_pit_memberships': Table is up to date. 13 columns, 11 indexes, 5 foreign keys.
Success: Table 'grouper_pit_role_set': Table is up to date. 11 columns, 6 indexes, 3 foreign keys.
Success: Table 'grouper_pit_stems': Table is up to date. 9 columns, 6 indexes, 1 foreign keys.
Success: Table 'grouper_prov_duo_user': Table is up to date. 16 columns, 3 indexes, 0 foreign keys.
Success: Table 'grouper_prov_zoom_user': Table is up to date. 15 columns, 4 indexes, 0 foreign keys.
Success: Table 'grouper_qz_blob_triggers': Table is up to date. 4 columns, 0 indexes, 1 foreign keys.
Success: Table 'grouper_qz_calendars': Table is up to date. 3 columns, 0 indexes, 0 foreign keys.
Success: Table 'grouper_qz_cron_triggers': Table is up to date. 5 columns, 0 indexes, 1 foreign keys.
Success: Table 'grouper_qz_fired_triggers': Table is up to date. 13 columns, 6 indexes, 0 foreign keys.
Success: Table 'grouper_qz_job_details': Table is up to date. 10 columns, 2 indexes, 0 foreign keys.
Success: Table 'grouper_qz_locks': Table is up to date. 2 columns, 0 indexes, 0 foreign keys.
Success: Table 'grouper_qz_paused_trigger_grps': Table is up to date. 2 columns, 0 indexes, 0 foreign keys.
Success: Table 'grouper_qz_scheduler_state': Table is up to date. 4 columns, 0 indexes, 0 foreign keys.
Success: Table 'grouper_qz_simple_triggers': Table is up to date. 6 columns, 0 indexes, 1 foreign keys.
Success: Table 'grouper_qz_simprop_triggers': Table is up to date. 14 columns, 0 indexes, 1 foreign keys.
Success: Table 'grouper_qz_triggers': Table is up to date. 16 columns, 12 indexes, 1 foreign keys.
Success: Table 'grouper_recent_mships_conf': Table is up to date. 6 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_role_set': Table is up to date. 10 columns, 3 indexes, 3 foreign keys.
Success: Table 'grouper_stem_set': Table is up to date. 10 columns, 3 indexes, 3 foreign keys.
Success: Table 'grouper_stem_view_privilege': Table is up to date. 3 columns, 2 indexes, 0 foreign keys.
Success: Table 'grouper_stems': Table is up to date. 16 columns, 13 indexes, 3 foreign keys.
Success: Table 'grouper_sync': Table is up to date. 14 columns, 2 indexes, 0 foreign keys.
Success: Table 'grouper_sync_group': Table is up to date. 27 columns, 8 indexes, 1 foreign keys.
Success: Table 'grouper_sync_job': Table is up to date. 14 columns, 1 indexes, 1 foreign keys.
Success: Table 'grouper_sync_log': Table is up to date. 14 columns, 2 indexes, 1 foreign keys.
Success: Table 'grouper_sync_member': Table is up to date. 28 columns, 9 indexes, 1 foreign keys.
Success: Table 'grouper_sync_membership': Table is up to date. 15 columns, 6 indexes, 3 foreign keys.
Success: Table 'grouper_table_index': Table is up to date. 6 columns, 1 indexes, 0 foreign keys.
Success: Table 'grouper_time': Table is up to date. 5 columns, 0 indexes, 0 foreign keys.
Success: View 'grouper_attr_asn_asn_attrdef_v': View is up to date. 23 columns.
Success: View 'grouper_attr_asn_asn_efmship_v': View is up to date. 27 columns.
Success: View 'grouper_attr_asn_asn_group_v': View is up to date. 24 columns.
Success: View 'grouper_attr_asn_asn_member_v': View is up to date. 24 columns.
Success: View 'grouper_attr_asn_asn_mship_v': View is up to date. 28 columns.
Success: View 'grouper_attr_asn_asn_stem_v': View is up to date. 24 columns.
Success: View 'grouper_attr_asn_attrdef_v': View is up to date. 14 columns.
Success: View 'grouper_attr_asn_efmship_v': View is up to date. 20 columns.
Success: View 'grouper_attr_asn_group_v': View is up to date. 16 columns.
Success: View 'grouper_attr_asn_member_v': View is up to date. 16 columns.
Success: View 'grouper_attr_asn_mship_v': View is up to date. 20 columns.
Success: View 'grouper_attr_asn_stem_v': View is up to date. 15 columns.
Success: View 'grouper_attr_assn_action_set_v': View is up to date. 10 columns.
Success: View 'grouper_attr_def_name_set_v': View is up to date. 10 columns.
Success: View 'grouper_attr_def_priv_v': View is up to date. 12 columns.
Success: View 'grouper_audit_entry_v': View is up to date. 45 columns.
Success: View 'grouper_aval_asn_asn_attrdef_v': View is up to date. 28 columns.
...... all success further down
(edited)

Evan Hughes
17 hours ago
@black.123
only single node for the UI currently as theirs 0 users other than the admins of the service

Chris Hyzer
14 hours ago
did you vacuum analyze everything?
New

Evan Hughes
10 hours ago
yup, no significant change, the instance is basically fresh

Chris Hyzer
< 1 minute ago
if you can get by for now we can look at this in a future release. i think the data layer does not know there are readonly queries about to happen when the connection is retrieved from the pool, so it is doing extra overhead in case there is a transaction about to happen. if we can reduce this for the SELECT only SQL calls maybe it would significantly improve the performance? we need to look at it






[GRP-5313] error going to daemon screen Created: 19/Feb/24  Updated: 19/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From demo server just now

Error: sql: select count from grouper_loader_log where job_name = ? and status in ('STARTED', 'RUNNING') and last_updated > ? union all select count from grouper_qz_fired_triggers gqft, grouper_qz_scheduler_state gqss where gqft.job_name = ? and gqft.instance_name = gqss.instance_name and gqss.last_checkin_time > ? union all select count from grouper_qz_fired_triggers gqft, grouper_qz_triggers gqt, grouper_qz_scheduler_state gqss where gqft.trigger_name = gqt.trigger_name and gqt.job_name = ? and gqft.instance_name = gqss.instance_name and gqss.last_checkin_time > ? , args: ArrayList size: 6: [0]: CHANGE_LOG_changeLogTempToChangeLog [1]: Mon Feb 19 19:56:48 UTC 2024 [2]: CHANGE_LOG_changeLogTempToChangeLog [3]: 1708372608298 [4]: CHANGE_LOG_changeLogTempToChangeLog [5]: 1708372608298 , Problem calling method daemonJobs on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Admin






[GRP-5311] ablity to clone an existing GSH template into a new GSH template. ( copy template A into new template B) Created: 17/Feb/24  Updated: 17/Feb/24

Status: Open
Project: Grouper
Component/s: API, UI, WS
Affects Version/s: 4.9.4
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The list of "Miscellaneous > GSH templates" actions buttons should have a "copy to new GSH template" option.

It should open the '.../grouper/grouperUi/app/UiV2Main.index?operation=UiV2GshTemplateConfig.addGshTemplate' UI with all of the values from the template that the copy was started from. ( Except for the Config ID value The use would need to pick a new value for that. )

Maybe an intermediate UI page would be needed to get the user to supply the new Config ID? But I hope that would not be necessary.

This would make it easier to "Clone" and "test a new idea, or change a few things" without needing to destroy/change the original template and all from the UI instead of exporting properties and such.

I guess you might even make a GSH template to list existing GSH templates and prompt the user for the new Config ID and let a GSH template copy the properties from the existing template into a new template via the Grouper properties API? ( I guess that might be another way to achieve this goal. )






[GRP-5296] add ability for duo to return webauthncredentials and store in loaded table Created: 01/Feb/24  Updated: 12/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 12/Feb/24 ]

and tokens. counts





[GRP-5309] Privileges tab to have priv items in More tab Created: 12/Feb/24  Updated: 12/Feb/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.10.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From slack: https://internet2.slack.com/archives/C7V0UQDJ4/p1707755500572869

The privileges tab and the “More” tab to the right of Privileges are mostly all about Privileges.  Could/Should the Privileges tab also display the privileges related items from the More tab?  I have received questions multiple times from people who didn’t know about applying inherited privs simply because it was hidden in the More tab and not within Privileges.  I am NOT suggesting to move the items as this might break local documentation already written.  I am only suggesting to copy the priv related items into the Privileges tab page to increase the likelihood of a user finding what they need on their own.  Thanks for considering this request.






[GRP-5307] Provisioner case sensitive compare wants to change value only differing in case Created: 08/Feb/24  Updated: 08/Feb/24

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

A groupOfNames provisioner, values for ldap_dn and cn are set for case sensitive compare=false. Testing an initial provisioning run for a Grouper group "case_sensitive2", which should be matching an existing LDAP group "CASE_SENSITIVE2". The matching succeeds, but it still wants to update the CN to match the Grouper case. It also wants to update the DN, but this has no effect in LDAP.

Note: The existing LDAP group had no members, so adding the membership also shows up under the ldap mods.

 

2024-02-07 23:42:51.565: Provisioner 'xxx' (v2mo131w) state 'retrieveIndividualTargetMemberships' type 'fullProvisionFull': {state=retrieveIndividualMembershipsIfNeeded, linkGcSyncEntitiesUpdated=1, retrieveTargetMembershipsMillis=0}
...
(v2mo131w): 0. Group(matchingAttrs: LinkedHashSet(1): [0]: [ldap_dn, val: cn=CASE_SENSITIVE2,ou=Groups,dc=example,dc=edu, compareVal: cn=case_sensitive2,ou=groups,dc=example,dc=edu, currentValue: true], attr[cn]: "CASE_SENSITIVE2", attr[ldap_dn]: "cn=CASE_SENSITIVE2,ou=Groups,dc=example,dc=edu", attr[member]: HashSet(1): [0]: , attr[objectClass]: HashSet(2): [0]: top, [1]: groupOfNames)
 
...
 
2024-02-07 23:42:51.566: Provisioner 'xxx' (v2mo131w) state 'compareTargetObjects' type 'fullProvisionFull': {state=compareTargetObjects, provisioningMembershipWrappersWithNoMatch=1, groupUpdatesAfterCompare=2}
...
(v2mo131w): 0. Group(matchingAttrs: LinkedHashSet(1): [0]: [ldap_dn, val: cn=case_sensitive2,ou=Groups,dc=example,dc=edu, compareVal: cn=case_sensitive2,ou=groups,dc=example,dc=edu, currentValue: true], attr[cn]: "case_sensitive2", attr[ldap_dn]: "cn=case_sensitive2,ou=Groups,dc=example,dc=edu", attr[member]: TreeSet(1): [0]: uid=800000000,ou=People,dc=example,dc=edu, attr[objectClass]: LinkedHashSet(2): [0]: top, [1]: groupOfNames, upd cn "CASE_SENSITIVE2" -> "case_sensitive2", upd ldap_dn "cn=CASE_SENSITIVE2,ou=Groups,dc=example,dc=edu" -> "cn=case_sensitive2,ou=Groups,dc=example,dc=edu", ins member "uid=800000000,ou=People,dc=example,dc=edu", del member "", recalcObject: true, recalcMships: true, selectProcessed: true)
 
...
2024-02-07 23:42:51.57: v2mo131w, xxx, fullProvisionFull: INFO: Command log for provisioner 'xxx' - 'v2mo131w', updateGroup: Ldaptive modifyRequest (ucbLdap): [org.ldaptive.ModifyRequest@552734613::modifyDn=cn=case_sensitive2,ou=Groups,dc=example,dc=edu, attrMods=[[org.ldaptive.AttributeModification@441571526::attrMod=REMOVE, attribute=[cn[CASE_SENSITIVE2]]], [org.ldaptive.AttributeModification@1489644585::attrMod=ADD, attribute=[cn[case_sensitive2]]], [org.ldaptive.AttributeModification@1002284252::attrMod=REMOVE, attribute=[member[]]], [org.ldaptive.AttributeModification@184781465::attrMod=ADD, attribute=[member[uid=800000000,ou=People,dc=example,dc=edu]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]
Ldaptive modifyResponse (ucbLdap): [org.ldaptive.Response@528544983::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1]
 






[GRP-5306] Provisioners should log DNE errors as SUBJECT_ERROR with unresolvable count Created: 07/Feb/24  Updated: 07/Feb/24

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If a provisioner has any DNE errors at all, it logs the job as an error. It does not show any number for unresolvable count. You don't know what the issue is without looking at the provisioner View Errors, or in the job message, which doesn't show any error other than the DNE that the user has to assume is the cause of the error.

Jobs should distinguish between stacktrace level errors, versus a successful run that just had some subject problems.






[GRP-5047] DB Connection error at startup not stating actual cause Created: 13/Oct/23  Updated: 06/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Since 4.6.0 (possibly related to changes from GRP-4927), if there is a connection error during Grouper startup, it doesn't show the real error, but instead reports "Problem reading config: 'database:grouper'" and other generic messages. There are multiple stacktraces filling up the log but not adding useful information.

Comparison of log messages:

4.5.5

grouper_1   | grouper.hibernate.properties: file:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
grouper_1   | grouper.hibernate.properties: postgres@jdbc:postgresql://postgres:5432/postgresXXX
grouper_1   | 
grouper_1   | Grouper error: Error connecting to the database with credentials from grouper.hibernate.properties, url: jdbc:postgresql://postgres:5432/postgresXXX, driver: org.postgresql.Driver, user: postgres, org.postgresql.util.PSQLException: FATAL: database "postgresXXX" does not exist
grouper_1   | grouper;grouper_error.log;dev;nothing;2023-10-13T16:55:11,385: [localhost-startStop-1] ERROR SqlExceptionHelper.logExceptions(142) - [] - Connections could not be acquired from the underlying database!

4.6.0 - 4.7.2

grouper_1   | grouper;tomcat;catalina.out;dev;nothing;2023-10-13T16:56:45,152: [localhost-startStop-1] ERROR DirectJDKLog.log(175) - [] - ContainerBase.addChild: start: 
grouper_1   | org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/grouper]]
...
grouper_1   | Caused by: java.lang.ExceptionInInitializerError
...
grouper_1   | Caused by: java.lang.RuntimeException: Problem reading config: 'database:grouper'
...
grouper_1   | Caused by: java.lang.RuntimeException: error
...
grouper_1   | Caused by: java.lang.RuntimeException: Error connection to database to get configuration
...
grouper_1   | Caused by: java.lang.NullPointerException: Cannot invoke "java.sql.Connection.prepareStatement(String)" because "theConnection" is null
...
grouper_1   | grouper;tomcat;catalina.out;dev;nothing;2023-10-13T16:56:45,157: [localhost-startStop-1] ERROR DirectJDKLog.log(175) - [] - Error deploying deployment descriptor [/opt/tomcat/conf/Catalina/localhost/grouper.xml]



 Comments   
Comment by Chad Redman [ 06/Feb/24 ]

Bumping this up. There are no diagnostics at all if there is a database connection issue at startup, and it makes it very hard to debug,





[GRP-5301] Messaging Provisioner add messaging type AWS SQS FIFO Created: 02/Feb/24  Updated: 02/Feb/24

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

AWS SQS and SQS FIFO are slightly different.






[GRP-5300] make a ui method to attest groups easily in gsh Created: 02/Feb/24  Updated: 02/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5299] add membership requirements and rules to the trace membership Created: 02/Feb/24  Updated: 02/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5298] Minor typo on the GSH Template configuration page Created: 01/Feb/24  Updated: 02/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jim Beard Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Version 4.7.2



 Description   

Found a very minor typo on the GSH Template configuration page.  For the element "Externalized text?", the description reads "Selec 'True' if you would like to use externalized text for template name, description, and input labels & descriptions. Default value is 'false'."  "Selec" should be "Select".  

I tried searching Jira tasks to see if this had already been reported or cleaned up, but didn't see it anywhere.



 Comments   
Comment by Jim Beard [ 02/Feb/24 ]

If you want to you can assign this to me and I'll use it to get my feet wet committing into Grouper.  I see there is some development grouper info here: https://spaces.at.internet2.edu/display/GrIntDev/Grouper+Internal+Development+Home

with some branch / git steps here: https://spaces.at.internet2.edu/display/GrIntDev/SCM+Branches

But that page does look a little dated.





[GRP-5297] duo commands class should have helper method for raw json Created: 01/Feb/24  Updated: 01/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5295] scheduler check daemon is null Created: 01/Feb/24  Updated: 01/Feb/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Skipping handleBlockedAndAcquiredStates. Skipping handleErrorState. Skipping handleMissingTriggers. java.lang.NullPointerException: Cannot invoke "java.sql.Timestamp.before(java.sql.Timestamp)" because "startedTime" is null






[GRP-5294] Typo: "Problem with ldap conection" Created: 30/Jan/24  Updated: 30/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5293] Provide a view to the container logs via the UI Created: 30/Jan/24  Updated: 30/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jim Beard Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Sometimes the people working in the UI don't have immediate access to the container where logs are being stored / held, or access is not convenient.  It would be nice if there was a way to access INFO and DEBUG, etc. log statements from the UI.






[GRP-5284] when extension is invalid put the character that is in valid in the error message to narrow down the troubleshooting Created: 26/Jan/24  Updated: 26/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 26/Jan/24 ]

"The folder ID can only contain letters, numbers, underscore, or dash"





[GRP-5283] auto created loader group descriptions should auto-update too Created: 25/Jan/24  Updated: 25/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5282] in the container dont sed to port -1 Created: 24/Jan/24  Updated: 24/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5279] Browse Folders "sync" button should expand the folder that is finally selected Created: 23/Jan/24  Updated: 23/Jan/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.9.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

4.9.3


Attachments: PNG File image-2024-01-22-22-24-11-169.png     PNG File image-2024-01-22-22-24-32-694.png     PNG File image-2024-01-22-22-25-26-874.png    

 Description   

When clicking the "sync button" in the "Browse folder" UI element. The folder that is currently selected in the "work area" should be "opened/expanded" in the Browse Folder display instead of being "closed/collapsed".

incorrect ( current behavior )

New behavior






[GRP-5278] deprovisioning screen lists memberships that are not active Created: 22/Jan/24  Updated: 22/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5277] GSH template V2 test not handling GrouperUtil.gshReturn (non-zero?) Created: 22/Jan/24  Updated: 22/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.10.1
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Set up a gsh template test, setting input values and executing the template. If something is wrong, the v1 template would call GrouperUtil.gshReturn() with a non-zero exit code.

The V2 test throws a stacktrace, but doesn't output or log anything to tell what happened. May capture exceptions, and show the output lines as far as it got?

Invalid test in runLogic(): 'testNormalDryRun'
org.codehaus.groovy.tools.shell.ExitNotification
at edu.internet2.middleware.grouper.util.GrouperUtil.gshReturn(GrouperUtil.java:15067)
at edu.internet2.middleware.grouper.util.GrouperUtil$gshReturn$0.call(Unknown Source)
at MyGshTemplate.fail(Script4.groovy:353)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite$StaticMetaMethodSiteNoUnwrap.invoke(StaticMetaMethodSite.java:131)
at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:100)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:224)
at MyGshTemplate.gshRunLogic(Script4.groovy:395)
at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateV2utils.gshRunTest(GshTemplateV2utils.java:214)
at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateTestExec.executeTests(GshTemplateTestExec.java:109)
at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Template$3.callLogic(UiV2Template.java:964)
at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Template$3.callLogic(UiV2Template.java:956)
at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
 
Error: 1 tests, 1 invalid tests!






[GRP-5276] Template V2 GshTemplateTestExec should know its own configId, shouldn't need to explicitly define it Created: 22/Jan/24  Updated: 22/Jan/24

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: 4.9.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When a gsh V2 template is created, it should know its own configId. Tests in the class should use it by default. You shouldn't need to tell the running template what configId kicked it off. And is manually set it and it runs a different template, is this a feature at all, or something you don't want?

 






[GRP-5274] Allow dashes in ConfigIds Created: 21/Jan/24  Updated: 21/Jan/24

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: 2.5.30, 2.6.0, 5.0.0, 4.0.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2024-01-21-16-41-31-989.png    

 Description   

When creating a provisioner, gsh template, daemon job, etc., the value for the configId is checked for syntax. It only allows /^[a-zA-Z0-9_]+$/, which is alphanumeric or underscore. Was there any technical reason why dashes are disallowed? They are perfectly legal in Java property keys. It's a confusion for users since they usually assume dashes are ok, until they try to save and get the error.

 






[GRP-5272] enabled/disabled daemon should audit as such, it says "loader" which is confusing Created: 19/Jan/24  Updated: 19/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5271] When entitlement string changes in an LDAP usersWithEduPersonEntitlements provisioner configuration, the old entitlement values are not removed. Created: 18/Jan/24  Updated: 18/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Jim Beard Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

tested in grouper 4.5.5



 Description   

 I changed the string value that the provisioner is provisioning as an entitlement.  I notice that after running the full sync on it, both the old and new entitlement values are now placed on the user accounts in LDAP.  The old values are not removed.

Here is the configuration for the provisioner this was observed in:

provisioner.eduPersonEntitlement.addDisabledFullSyncDaemon = true
provisioner.eduPersonEntitlement.class = edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync
provisioner.eduPersonEntitlement.configureMetadata = true
provisioner.eduPersonEntitlement.customizeGroupCrud = true
provisioner.eduPersonEntitlement.deleteGroups = false
provisioner.eduPersonEntitlement.entityAttributeValueCache0entityAttribute = ldap_dn
provisioner.eduPersonEntitlement.entityAttributeValueCache0has = true
provisioner.eduPersonEntitlement.entityAttributeValueCache0source = target
provisioner.eduPersonEntitlement.entityAttributeValueCache0type = entityAttribute
provisioner.eduPersonEntitlement.entityAttributeValueCacheHas = true
provisioner.eduPersonEntitlement.entityMatchingAttribute0name = uid
provisioner.eduPersonEntitlement.entityMatchingAttributeCount = 1
provisioner.eduPersonEntitlement.entityMembershipAttributeName = eduPersonEntitlement
provisioner.eduPersonEntitlement.entityMembershipAttributeValue = groupAttributeValueCache0
provisioner.eduPersonEntitlement.groupAttributeValueCache0groupAttribute = entitlement_string
provisioner.eduPersonEntitlement.groupAttributeValueCache0has = true
provisioner.eduPersonEntitlement.groupAttributeValueCache0source = grouper
provisioner.eduPersonEntitlement.groupAttributeValueCache0type = groupAttribute
provisioner.eduPersonEntitlement.groupAttributeValueCacheHas = true
provisioner.eduPersonEntitlement.hasTargetEntityLink = true
provisioner.eduPersonEntitlement.insertGroups = false
provisioner.eduPersonEntitlement.ldapExternalSystemConfigId = demo
provisioner.eduPersonEntitlement.metadata.0.canChange = true
provisioner.eduPersonEntitlement.metadata.0.canUpdate = true
provisioner.eduPersonEntitlement.metadata.0.formElementType = text
provisioner.eduPersonEntitlement.metadata.0.name = md_entitlementValue
provisioner.eduPersonEntitlement.metadata.0.showForFolder = true
provisioner.eduPersonEntitlement.metadata.0.showForGroup = false
provisioner.eduPersonEntitlement.metadata.0.valueType = string
provisioner.eduPersonEntitlement.numberOfEntityAttributes = 4
provisioner.eduPersonEntitlement.numberOfGroupAttributes = 1
provisioner.eduPersonEntitlement.numberOfMetadata = 1
provisioner.eduPersonEntitlement.operateOnGrouperEntities = true
provisioner.eduPersonEntitlement.operateOnGrouperGroups = true
provisioner.eduPersonEntitlement.operateOnGrouperMemberships = true
provisioner.eduPersonEntitlement.provisioningType = entityAttributes
provisioner.eduPersonEntitlement.selectAllEntities = true
provisioner.eduPersonEntitlement.selectGroups = false
provisioner.eduPersonEntitlement.showAdvanced = true
provisioner.eduPersonEntitlement.startWith = this is start with read only
provisioner.eduPersonEntitlement.subjectSourcesToProvision = eduLDAP
provisioner.eduPersonEntitlement.targetEntityAttribute.0.name = ldap_dn
provisioner.eduPersonEntitlement.targetEntityAttribute.1.name = eduPersonEntitlement
provisioner.eduPersonEntitlement.targetEntityAttribute.2.name = uid
provisioner.eduPersonEntitlement.targetEntityAttribute.2.translateExpressionType = grouperProvisioningEntityField
provisioner.eduPersonEntitlement.targetEntityAttribute.2.translateFromGrouperProvisioningEntityField = subjectIdentifier0
provisioner.eduPersonEntitlement.targetEntityAttribute.3.multiValued = true
provisioner.eduPersonEntitlement.targetEntityAttribute.3.name = objectClass
provisioner.eduPersonEntitlement.targetEntityAttribute.3.showAdvancedAttribute = true
provisioner.eduPersonEntitlement.targetEntityAttribute.3.showAttributeValueSettings = true
provisioner.eduPersonEntitlement.targetEntityAttribute.3.translateExpressionType = staticValues
provisioner.eduPersonEntitlement.targetEntityAttribute.3.translateFromStaticValues = eduPerson
provisioner.eduPersonEntitlement.targetGroupAttribute.0.name = entitlement_string
provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateExpression = \u0024{grouperProvisioningGroup.retrieveAttributeValueString('md_entitlementValue')  +  grouperProvisioningGroup.extension }
provisioner.eduPersonEntitlement.targetGroupAttribute.0.translateExpressionType = translationScript
provisioner.eduPersonEntitlement.updateGroups = false
provisioner.eduPersonEntitlement.userSearchBaseDn = ou=people,dc=internet2,dc=edu

Another organization that I was working with ran into a similar issue with a provisioner they were working on as well.






[GRP-5270] Add Loader unresolved subject errors to the UI, similar to DNE errors for provisioners Created: 18/Jan/24  Updated: 18/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jim Beard Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Provisioner DNE errors can be viewed via the UI.  Loader subject unresolved errors are not available through the UI and have to be found in the logs.  It would be helpful to be able to view them in the UI to determine what data elements are not being identified correctly.






[GRP-5269] if not selecting readers from app template, fails with "need to select parent actions for child actions" Created: 18/Jan/24  Updated: 18/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5267] Analyzing scripted loader when data fields are from import, ""grouperDataRowWrapper" is null" Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 5.7.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Trying to create a scripted group, in which the data fields have been imported rather than created manually. Clicking analyze gives a flash message:

Error: Cannot invoke "edu.internet2.middleware.grouper.dataField.GrouperDataRowWrapper.getGrouperDataRow()" because "grouperDataRowWrapper" is null, Problem calling method editGrouperLoaderAnalyze on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader

 

Java stack trace

grouper;grouper_error.log;${ENV};${USERTOKEN};2024-01-16T01:55:02,725: [ajp-nio-0.0.0.0-8009-exec-2] ERROR GrouperUiRestServlet.doGet(372) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.editGrouperLoaderAnalyze
 
java.lang.NullPointerException: Cannot invoke "edu.internet2.middleware.grouper.dataField.GrouperDataRowWrapper.getGrouperDataRow()" because "grouperDataRowWrapper" is null,
Problem calling method editGrouperLoaderAnalyze on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader
	at edu.internet2.middleware.grouper.abac.GrouperLoaderJexlScriptFullSync.analyzeJexlScriptHtml(GrouperLoaderJexlScriptFullSync.java:209)
	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.editGrouperLoaderAnalyze(UiV2GrouperLoader.java:1924)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5717)
	at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5668)
	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
	at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:682)
	at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:305)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:533)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:840)






[GRP-5266] Scripted group editor has link to Data field dictionary; opens in same window so loses editing Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5265] Data field dictionary needs examples for all types, not just entity.hasAttribute Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 5.7.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Data fields assigned to entities: "Use this in an ABAC scripted group, e.g. ${entity.hasAttribute('aliasName')}" (this is ok)

 

Data row: hr_positions: no documentation; need to guess the syntax or look at the crashplan demo on the wiki

 

Global data fields: "Use this in an ABAC scripted group" (no syntax represented)

 

Data fields assigned to groups: "Use this in an ABAC scripted group" (no syntax represented)

 

 






[GRP-5264] No UI hints how to get data from a data field provider Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 5.7.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

After looking through source code, it seems a full sync and incremental sync needs to be manually created?






[GRP-5263] Can't run scripted group job from loader config, "Cant find grouper loader type of group: <groupName>" Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: daemon, UI
Affects Version/s: 5.7.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  • Create a scripted loader group
  • Run loader process to sync group

Result: flash text:

Error scheduling group to run on the daemon
java.lang.RuntimeException: Cant find grouper loader type of group: test:testGroup






[GRP-5262] Add data provider query, subject source id should be drop down Created: 16/Jan/24  Updated: 16/Jan/24

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 5.7.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Description   






[GRP-5250] Grouper startup checking external dbs should skip disabled ones Created: 08/Jan/24  Updated: 09/Jan/24

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

GrouperCheckConfig.checkGrouperLoaderConfigDbs()

This loops through all the loader configs for databases, and tries to connect. If you want to put something on hold by setting it to disabled, it still tries to connect at startup and log a stacktrace.






[GRP-5246] Tomcat rewrite valve should be opt-in or have a way to opt out Created: 05/Jan/24  Updated: 05/Jan/24

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: 5.7.0, 4.10.2
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Startup function setupFilesTomcat_rewriteValve() sets tomcat to redirect / to /grouper. If you are running a UI, there is no direct way to circumvent it. Maybe a blank rewrite.config file will block it from trying to create one? It may be better to make it somewhat intentional if you want that behavior.






[GRP-5242] gsh templates v2 should support gshReturn Created: 03/Jan/24  Updated: 03/Jan/24

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 03/Jan/24 ]

just return and not gshReturn()





[GRP-5222] Non-root error for provisioning edit from provisioner row action (editProvisioningOnGroup2) Created: 30/Dec/23  Updated: 30/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.5.0, 5.3.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When an ACL group (provisioner.{configId}.groupAllowedToAssign) is configured for a provisioner, and non-root users are put into it, they can edit the provisioning from the Provisioning actions menu. But if there is a provisioner listed, the Actions > Edit provisioning menu item returns an error: "Error: Cannot access provisioning., Problem calling method editProvisioningOnGroup2 on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning".
 
Stacktrace:

grouper_1   | grouper;grouper_error.log;dev;nothing;2023-12-30T04:12:04,309: [http-nio-8080-exec-4] ERROR GrouperUiRestServlet.doGet(372) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning.editProvisioningOnGroup2
grouper_1   | 
grouper_1   | java.lang.RuntimeException: Cannot access provisioning.,
grouper_1   | Problem calling method editProvisioningOnGroup2 on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning
grouper_1   | 	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning.editProvisioningOnGroup2(UiV2Provisioning.java:2132)
grouper_1   | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
grouper_1   | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
grouper_1   | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
grouper_1   | 	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
grouper_1   | 	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5784)
grouper_1   | 	at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5735)
grouper_1   | 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
grouper_1   | 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
grouper_1   | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)
grouper_1   | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1   | 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)
grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)
grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1   | 	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1   | 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
grouper_1   | 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
grouper_1   | 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
grouper_1   | 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
grouper_1   | 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
grouper_1   | 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
grouper_1   | 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
grouper_1   | 	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:617)
grouper_1   | 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
grouper_1   | 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)
grouper_1   | 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)
grouper_1   | 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
grouper_1   | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
grouper_1   | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
grouper_1   | 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
grouper_1   | 	at java.base/java.lang.Thread.run(Thread.java:840)






[GRP-5173] update descriptions with examples of ldap resolver in provisioner Created: 04/Dec/23  Updated: 27/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5219] Need jexl script test for provisioningEntityWrapper.isInGroup('...') Created: 27/Dec/23  Updated: 27/Dec/23

Status: Open
Project: Grouper
Component/s: provisioning, UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When testing out whether as script using ${provisioningEntityWrapper.isInGroup('xxx')} works, it needs an instance of GrouperProvisioningTranslator to create the cache map. I don't see a clear way to set this up using the script beans






[GRP-5208] Paging config history with a filter clears the filter on next page Created: 21/Dec/23  Updated: 21/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

1) Go to Config history

2) Add a text filter that matches more than 50 values

3) Click next to go to the next 50 entries

 

Result: The filter is cleared. Confirmed by showing the total number of results on the second page, not the filtered number






[GRP-5207] add option to send report as attachment of email Created: 20/Dec/23  Updated: 20/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5206] add email addresses to report config Created: 20/Dec/23  Updated: 20/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5205] email to local entities with display extension Created: 20/Dec/23  Updated: 20/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5204] with entity link, if not in target, look up the user again Created: 20/Dec/23  Updated: 20/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. if deleted and re-added  quickly dont use the same uuid on incremental



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Dec/23 ]

2023-12-15 09:37:00.862: Provisioner 'AZURE_AD' (vzhhf0yz) state 'end' type 'incrementalPr
ovisionChangeLog': {state=retrieveIncrementalTargetMemberships, exception=java.lang.Runtim
eException: Invalid return code '404', expecting: 200, 429. 'https://graph.microsoft.com/v
1.0/users/5f3e0097-793e-41f7-9698-8639bad7b381/getMemberGroups' {"error":{"code":"Request_
ResourceNotFound","message":"Resource '5f3e0097-793e-41f7-9698-8639bad7b381' does not exis
t or one of its queried reference-property objects are not present.","innerError":

{"date": "2023-12-15T14:37:00","request-id":"0f8d3cbb-d3b4-442a-a33b-150eb0d6aa62","client-request- id":"0f8d3cbb-d3b4-442a-a33b-150eb0d6aa62"}

}}





[GRP-5203] add status diagnostics daemon success threshold to daemon screen somewhere Created: 20/Dec/23  Updated: 20/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Dec/23 ]

add a link to instructions to change it





[GRP-5201] After editing a daemon config, return to daemon details, not the All Daemons page Created: 18/Dec/23  Updated: 18/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When editing and saving changes to a daemon config, the user goes back to the All Daemons page and needs to find the daemon in the list again to get back to it.






[GRP-5200] UI wizard for rules Created: 18/Dec/23  Updated: 18/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Managing rules via creating attribute assignments is tedious. There should be an easier way of setting them up.






[GRP-5191] add a misc report list page Created: 14/Dec/23  Updated: 14/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5190] LDAP_GROUPS_FROM_ATTRIBUTES should optionally treat a missing attribute as a certain value Created: 14/Dec/23  Updated: 14/Dec/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The way the LDAP_GROUPS_FROM_ATTRIBUTES loader is written, it fetches the configured groupAttribute for a row, and loops all the attribute values  to convert into a group name.But if the user does not have the attribute it doesn't process it at all. This means that users can't be put into a group of subjects missing the attribute.

This could be enhanced by adding a new option for "Group attribute default value if null". The code could easy accomodate this by checking for an empty array of values, and create a 1-element array if so.






[GRP-5135] Rewrite container installer as a script Created: 19/Nov/23  Updated: 13/Dec/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The java based installer still works, but there is a lot of complexity to it. It also can't handle snapshots, so the only way to test a container build is by tagging a release. The container installer can be made simpler by having a script in the docker/grouper project, which would be outside of the grouper project so it can be modified separately.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Nov/23 ]

lets discuss





[GRP-4370] Move banner and footer into jsp includes Created: 21/Sep/22  Updated: 13/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The banner in the Index jsp template currently allows only the customization of the logo. Installations may want to add more functionality, like the environment, Grouper version, special notices, etc.

The footer also has hardcoded © {institutionName}; thus the only customization option is the institution name. They may not even want a copyright notice.

If the institution wants more customization than that, the option is to fork the index.jsp page itself (there is a commonHead and commonBottom jsp, but these are for scripts and css). The risk is in technical debt of always watching for jsp changes to merge during upgrades, and of having a broken page if the change was not noticed.

If the banner and footer were extracted and made into separate partials that were included during page build, it would be a smaller risk for the maintainer.

 






[GRP-5189] Attributes in group view/edit shows integer as floating point Created: 13/Dec/23  Updated: 13/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-12-13-00-09-46-495.png     PNG File image-2023-12-13-00-09-58-204.png     PNG File image-2023-12-13-00-12-59-944.png    

 Description   

edu/internet2/middleware/grouper/attr/value/AttributeAssignValueDelegate.java:1638

      case integer:
        Long valueLong = attributeAssignValue.getValueInteger();
        return valueLong == null ? null : Double.toString(valueLong);

Probably should be Long, not Double
 






[GRP-5181] Add jexl to report subject and body; include variables passed from gsh script Created: 08/Dec/23  Updated: 08/Dec/23

Status: Open
Project: Grouper
Component/s: API, reporting
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When getting an email for a report, it would be improved by including more information to it, so the recipient can decide the urgency of viewing the report.For example, including the count of non-compliant members, so staff can see it directly in the email.

It can also be improved by using real jexl variables, and not the $$ syntax which is more limited in expressiveness.

 






[GRP-5177] attestationDaysBeforeToRemind is not a default metadata attribute for attestation Created: 06/Dec/23  Updated: 06/Dec/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 4.x



 Description   

When attestation is configured for a folder/group, the attestation attribute is assigned with a set of metadata attributes included based on user input. AttestationDaysBeforeToRemind is not included, nor is it readily apparent that it is set.

Possible Steps to remediate:
-Add attestationDaysBeforeToRemind to the set of default metadata for attestations
-Add a configurable global default value that is set in grouper.properies and default it to 14 days to coincide with the "less than 2 weeks" note in "Groups that need attestation"
-Update "Groups that need attestation" to factor in the global default when determining what to list.
-Add "Days before reminders are sent" field to "Edit group attestation" that would take user input for the attestationDaysBeforeToRemind
-Add "Days before reminders" column to Attestation Settings -> Folders and Groups with Settings to show the attestationDaysBeforeToRemind value for that object.

-Add "Days before reminders" row to Group Attestation - View attestation settings to display attestationDaysBeforeToRemind.

-Update "Attention: this group's memberships need to be attested soon." to include the number of days before attestation is required".






[GRP-5174] make membershipsave easier (e.g. subjectid) Created: 05/Dec/23  Updated: 05/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5172] Please update built in help to remove deprecated features/language Created: 04/Dec/23  Updated: 04/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Custom group types

has a link to https://spaces.internet2.edu/x/QIbd which describes the feature as deprecated "As of Grouper 2.2".

I think it is safe to remove it from the UI help text now. 

Also I think the term "Entity" has generally been replaced by 'Subject' at this point too.
REF: https://spaces.at.internet2.edu/display/Grouper/Glossary  Those terms should be used as much as possible to be consistent for users.






[GRP-5171] membership disabled dates should show up on screen similar to how you enter in a disabled date Created: 03/Dec/23  Updated: 03/Dec/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

see if we can make things consistent throughout the UI. Note, the timezone is displayed on membership screen, and if that is entered in the disabled screen maybe it can still work as is...






[GRP-5169] LDAP to SQL translation label reads "loaderLdapElUtils can be used, and ldapLookup" which is not correct Created: 30/Nov/23  Updated: 30/Nov/23

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.5.42
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In a LdapToSqlSyncDaemon setup, the description for a translation field reads:

Enter a translation if there is no ldap attribute or if it needs to be adjusted. ldapAttribute_<attributename> (attribute name is lower case). All attributes and extraAttributes can be used. loaderLdapElUtils can be used, and ldapLookup. e.g. ${ldapAttributelastname + ', ' + ldapAttribute_firstname}. Mutually exclusive with 'LDAP attribute name'.

But I don't see anywhere in the source code for the class where loaderLdapElUtils and ldapLookup are added to the EL variable map. If I debug, I only see ldapAttribute__XXX variables.

Also, the text about "Mutually exclusive with 'LDAP attribute name'" is confusing. The LDAP attribute name field doesn't show up when doing a translation, so it's not something users need to worry about.

It does work with the full path to the LoaderLdapElUtils class, since it's a static method. So this works:

${edu.internet2.middleware.grouper.app.loader.ldap.LoaderLdapElUtils.convertDnToSpecificValue(ldapAttribute__XXX)}

When changing the description text, it may also be useful to note that the virtual attribute EntryDn should be available as an attribute name, and ldapAttribute__EntryDn for a translation. This is due to the Dn handler added by default to the LDAP settings.






[GRP-5168] when on a report screen, cannot click on members tab Created: 29/Nov/23  Updated: 29/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-11-29-02-39-28-565.png    

 Description   






[GRP-5136] Remove forked classes in ext and extMore Created: 19/Nov/23  Updated: 28/Nov/23

Status: Open
Project: Grouper
Component/s: API, grouperClient
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Files in an "ext" source directory in grouperClient and grouper-installer are forked classes from external dependency source code, with packages renamed. Was the goal to not have external jars so that a standalone jar could be executable? There are ways in Maven to unpack and repackage required classes from dependencies into a single jar (shade plugin), so this fork method is no longer necessary. It's also a security risk, as the classes are frozen in time from the time they are forked, and are not easily upgraded. They are also not as visible to security scanners, since they are not in their own published jars.

There is also an ext directory in the Grouper api for Apache ddlutils classes. It's possible that was a workaround to fix functionality.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Nov/23 ]

lets discuss this...

Comment by Chad Redman [ 28/Nov/23 ]

v5 branch feature/grp-5136-shade-jars for review





[GRP-5159] add clone access screen to grouper ui Created: 27/Nov/23  Updated: 27/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Andrew Costa
8 minutes ago
Is there a way to clone/copy someone’s access to another user in Grouper? Or more specifically say they are members of several groups that are all under the same parent stem/folder, is there a way to copy access for all the groups under that stem from one user to another

5 replies

Chris Hyzer
6 minutes ago
I do this, get the list of groups, and add them
https://spaces.at.internet2.edu/display/Grouper/Cloning+access+to+another+user
you could also generate a GSH script that assigns...
:+1::skin-tone-2:
1

Chris Hyzer
6 minutes ago
we should add a screen to do this at some point

Andrew Costa
6 minutes ago
I suggesting using a ref group instead of copying access but it sounds like that wont’ work in this case. The user is currently using the option via the UI during the import process to add the users to multiple groups in one go but they were looking for something where they didn’t need to add each group individually






[GRP-3516] ldaptive v2 patch Created: 09/Jul/21  Updated: 26/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 5.6.0

Type: Task Priority: Minor
Reporter: Daniel Fisher (vt.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Chad Redman (unc.edu), Chris Hyzer (upenn.edu), Shilen Patel (duke.edu)

 Description   

Hello devs, I created a branch that contains the code changes needed to migrate ldaptive from v1 to v2. I'm not sure what your plans are in terms of Java 8/11 and Grouper 2.5/2.6, but I thought it would be useful for someone to review those changes. If nothing else it should help from a planning perspective.

https://github.com/dfish3r/grouper/tree/ldaptive-v2

These changes do build successfully but I wasn't able to run the docker based tests on my system. I'd be happy to work through errors if someone is willing to post the output.

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 12/Jul/21 ]

Daniel Fisher (vt.edu) Thanks!  Do we need Java 11 for ldaptive v2?  We generally save major library upgrades for major Grouper upgrades, but I appreciate all the legwork here!   

Comment by Daniel Fisher (vt.edu) [ 13/Jul/21 ]

Good question. I don't publish an official JDK8 jar, but a JDK8 version can be built and published to your own repository. It was meant to provide a path for those needing to test before they could get onto JDK11. 

 

Comment by Daniel Fisher (vt.edu) [ 13/Oct/23 ]

This issue should be closed in favor of:

https://todos.internet2.edu/browse/GRP-5048

 





[GRP-5147] Create api methods to create standard application and policy from template Created: 22/Nov/23  Updated: 22/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Setting up a standard application and policy using the built-in template requires the UI jar, and only works by simulating the checkboxes from the setup. The code below shows how to hack it to work. It's a lot of code. There should be a way to do this from a builder method, and not resorting to UI classes.

import edu.internet2.middleware.grouper.grouperUi.beans.ui.GroupStemTemplateContainer
import edu.internet2.middleware.grouper.grouperUi.beans.ui.GrouperNewServiceTemplateLogic
import edu.internet2.middleware.grouper.grouperUi.beans.ui.GrouperTemplatePolicyGroupLogic
import edu.internet2.middleware.grouper.grouperUi.beans.ui.ServiceAction
 
class HelperMethods {
    static void newApplicationTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) {
        def stemTemplateContainer = new GroupStemTemplateContainer()
        stemTemplateContainer.templateKey = templateKey
        stemTemplateContainer.templateFriendlyName = templateFriendlyName
        stemTemplateContainer.templateDescription = templateDescription
 
        GrouperNewServiceTemplateLogic templateLogic = new GrouperNewServiceTemplateLogic()
        templateLogic.stemId = parentStem.uuid
        templateLogic.stemTemplateContainer = stemTemplateContainer
 
        List<ServiceAction> selectedServiceActions = []
        if (myServiceActionIds == null || myServiceActionIds.isEmpty()) {
            selectedServiceActions = templateLogic.getServiceActions()
        } else {
            Map<String, ServiceAction> allPolicyServiceActionMap = templateLogic.getServiceActions().collectEntries { [it.id, it] }
            selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] }
        }
        templateLogic.validate(selectedServiceActions)
 
        selectedServiceActions.each {serviceAction ->
            serviceAction.getServiceActionType().createTemplateItem(serviceAction)
        }
        String errorKey = templateLogic.postCreateSelectedActions(selectedServiceActions)
        if (errorKey != null) {
            println "Creating policy group returned error: ${errorKey}"
        }
    }
 
    static void newPolicyTemplate(Stem parentStem, String templateKey, String templateFriendlyName, String templateDescription, List<String> myServiceActionIds = []) {
        // note that this doesn't work < 2.5.56 due to dependence on the UI
        def policyStemTemplateContainer = new GroupStemTemplateContainer()
        policyStemTemplateContainer.templateKey = templateKey
        policyStemTemplateContainer.templateFriendlyName = templateFriendlyName
        policyStemTemplateContainer.templateDescription = templateDescription
 
        GrouperTemplatePolicyGroupLogic policyTemplateLogic = new GrouperTemplatePolicyGroupLogic()
        policyTemplateLogic.stemId = parentStem.uuid
        policyTemplateLogic.stemTemplateContainer = policyStemTemplateContainer
 
        // simulate checking certain boxes in the ui
        List<ServiceAction> selectedServiceActions = []
        if (myServiceActionIds == null || myServiceActionIds.isEmpty()) {
            selectedServiceActions = policyTemplateLogic.getServiceActions()
        } else {
            Map<String, ServiceAction> allPolicyServiceActionMap = policyTemplateLogic.getServiceActions().collectEntries { [it.id, it] }
            selectedServiceActions = myServiceActionIds.collect { allPolicyServiceActionMap[it] }
        }
 
        policyTemplateLogic.validate(selectedServiceActions)
        selectedServiceActions.each { serviceAction ->
            serviceAction.getServiceActionType().createTemplateItem(serviceAction)
        }
        String policyErrorKey = policyTemplateLogic.postCreateSelectedActions(selectedServiceActions)
        if (policyErrorKey != null) {
            println "Creating policy group returned error: ${policyErrorKey}"
        }
    }
}
 
 
List<String> appServiceActionIds = [
        'newAppStem',
        'newAppServiceFolder',
        'newAppPolicyFolder',
        'newAppRefFolder',
        'newAppRefType',
        //'newAppAttributeFolder',
        'newAppSecurityFolder',
        'newAppSecurityType',
        'newAppAdminsGroup',
        'newAppAdminPrivilege',
        'newAppAdminPrivilege2',
        'newAppAdminPrivilege3',
        'newAppReadersGroup',
        'newAppReadersPrivilege',
        'newAppUpdatersPrivilege',
        'newAppUpdatersPrivilege2',
        'newAppReadersGroupMemberOfUpdaters',
]
 
HelperMethods.newApplicationTemplate(appStem,
        "grouper",
        "Grouper",
        "Policies for access to Grouper",
        appServiceActionIds)
 
List<String> policyServiceActionIds = [
        'policyGroupCreate',
        'policyGroupType',
        'policyGroupAllowGroupCreate',
        'allowIntermediatgeGroupType',
        'policyGroupAllowManualGroupCreate',
        'policyGroupAddManualToAllow',
        'allowManualGroupType',
        'policyGroupDenyGroupCreate',
        'denyIntermediatgeGroupType',
]
 
HelperMethods.newPolicyTemplate(policyStem,
        "ui_access",
        "Grouper UI access",
        "Allows access to the Grouper UI",
        policyServiceActionIds
)






[GRP-5146] App template friendly name triggered by typing, not autocomplete Created: 22/Nov/23  Updated: 22/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-11-22-15-10-53-281.png    

 Description   

In the application template, if you start typing in the Key field, the friendly name follows the typing. If there is a history of previous templates, and you chooose one to autocomplete, the friendly name doesn't get updated.






[GRP-5088] Provisioner External entity attributes not working for incrementals Created: 26/Oct/23  Updated: 22/Nov/23

Status: Reopened
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.7.1
Fix Version/s: 5.5.0, 4.8.0

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File grouper-loader (62).properties    

 Description   

The setup for this is:

  • Ldap GroupOfNames
  • Ldap attribute resolver using an alternative ldap, matching uid with subjectId and returning entryDn
  • Not searching entities
  • Entity attribute "dn" is translated "${grouperProvisioningEntity.retrieveAttributeValueString('entityAttributeResolverLdap__entrydn')}" and stored in entity cache
  • Group member field is using the cache

 

Result:

  • Full working fine
  • Incremental clearing out all the members of the group, yet reports it as an add of those members

 

 



 Comments   
Comment by Chad Redman [ 13/Nov/23 ]

Resolved. The actual issue was matching the group by its ldap_dn, when this is a target field. It's not known why this doesn't behave correctly since it's in the cache. The workaround is to calculate the ldap_dn with jexl.

 

Comment by Chris Hyzer (upenn.edu) [ 22/Nov/23 ]

if the dn is the match id, then people who are deleted get added back

Comment by Chad Redman [ 22/Nov/23 ]

Will try to reproduce minimal test case. What I've seen - if the group match is ldap_dn instead of cn, I get the inconsistent behavior with incrementals. Add a user, add another user, delete the users, add a third user ==> all 3 users are in LDAP.





[GRP-5134] Reorganize source directories to be more standard Created: 18/Nov/23  Updated: 18/Nov/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper

  • src/grouper -> grouper/src/main/java
  • src/test -> grouper/src/test/java
  • conf -> grouper/src/main/resources

grouperClient

  • conf -> src/main/resources
  • misc/META-INF -> src/main/resources/META-INF
  • src/java -> src/main/java
  • src/ext/ -> src/main/javaExt
  • src/extMore -> src/main/javaExtMore
  • src/main/assembly -> ??

grouper-ui

  • java/src -> src/main/java
  • java/test -> src/test/java
  • conf -> src/main/resources

grouper-ws/grouper-ws

  • conf -> src/main/resources
  • confForTest -> src/test/resources
  • src/grouper-ws -> src/main/java
  • src/test -> src/test/java

grouper-ws/grouper-ws-java-generated-client

  • conf -> src/main/resources
  • src -> src/main/java
  • test -> src/test/java

grouper-ws/grouper-ws-java-manual-client

  • conf -> src/main/resources
  • src/java-manual-client -> src/main/java

grouper-ws/grouper-ws-test

  • src/test -> src/test/resources

grouper-misc/grouper-installer

  • conf -> src/main/resources
  • testFiles -> src/test/resources
  • src/java -> src/main/java
  • src/test -> src/test/java

grouper-misc/grouper-pspng

  • none

grouper-misc/grouper-box

  • none

grouper-misc/grouper-duo

  • none

grouper-misc/googleapps-grouper-provisioner

  • none

grouper-misc/grouper-azure

  • none

grouper-misc/webapp/grouper-ui-webapp

  • none





[GRP-5131] dont allow config ids with private or pass or other things that autoencrypt... Created: 15/Nov/23  Updated: 15/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 15/Nov/23 ]

maybe look at suffix of property to see if it should be private, dont check entire key

Comment by Chris Hyzer (upenn.edu) [ 15/Nov/23 ]

      if (lowerKey.contains("pass") || lowerKey.contains("secret") || lowerKey.contains("private")) {
        return true;
      }
 
 





[GRP-5127] grouperProvisioningGroup fields not available during delete, gives NPE Created: 15/Nov/23  Updated: 15/Nov/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The only fields available to jexl grouperProvisioningGroup during a delete are id, idIndex, and name. These are not available during a delete, and trying to using another field like displayExtension gives a cryptic error that grouperProvisioningGroup is inaccessible. Either more fields should be available, or the field description should be clarified.






[GRP-5126] If a loader display name has the wrong number of colons, it uses the parent extension twice Created: 15/Nov/23  Updated: 15/Nov/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If a group sql query has a:b:c:d as a group name and a:b:d as the display name, it will set the display name to be something like a:b:b:d. This works for one group (although it's very confusing in the UI), but fails on the second group because it has the same parent stem display name. The loader should just immediately fail if there is at least one colon and they don't match.






[GRP-5120] add visibility easy metadata option for azure Created: 13/Nov/23  Updated: 13/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5115] Report gsh scripts can't be >4000 characters Created: 10/Nov/23  Updated: 13/Nov/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.7.1
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Report type: GSH
Config format: file

ERROR: value too long for type character varying(4000)

UI Error:

Error: org.hibernate.exception.DataException: could not execute batch, Exception in save: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, edu.internet2.middleware.grouper.hibernate.ByObject@1d5c1633, Problem in HibernateSession: HibernateSession (7825b8dd): notNew, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (23194942), Exception in saveOrUpdate: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null, Problem in HibernateSession: HibernateSession (780ecde8): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (23194942), Problem calling method reportOnGroupAddEditSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperReport






[GRP-5118] allow provisionable for small groups Created: 10/Nov/23  Updated: 10/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Kevin Rooney
3:32 PM
Also, we may divide up our ED Group provisioners by size of group. Some of our alumni groups are hundreds of thousands of members. We could let admins set the normal provisioner, but setting a large group provisioner, that would only sync at night or weekends, would have to be set by us, so it could be forced.

Chris Hyzer
4:31 PM
there has been a request to allow setting provisionable for group sizes below a certain amount...

Kevin Rooney
4:38 PM
Makes, sense those big groups wreak havoc on downstream systems if not handled carefully.






[GRP-5117] simplified UI for GSH templates (Security and "return to full UI" feature request) Created: 10/Nov/23  Updated: 10/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.8.0
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I think the use of the of a GSH Template 'simplified UI' should be possible by users who are not generally allowed to use the UI. ( AKA: not in the 'Grouper UI access' group) Instead the GSH templates 'Security run type' config should fully control who can and can not use that GSH's 'simplified UI'.

Also I think the GSH template should support a "return to the full UI" link on the 'simplified UI' for those users who can use the full UI. ( AKA: members of the 'Grouper UI access' group) WHEN the GSH template allows the link to be show in the simplified UI. ( a new config setting in the GSH template setup.)



 Comments   
Comment by Carey Black [ 10/Nov/23 ]

Bonus points if the GSH template also could be optionally configured to "redirect the user to the full UI page that they were on before the GSH template was started".





[GRP-4930] in visualization change the provisioning to the provisioning framework instead of pspng Created: 01/Sep/23  Updated: 09/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chad Redman [ 09/Nov/23 ]

New installations are getting this because they never set up pspng:
 

WARN  RelationGraph.initLookupFields(1438) - [] - Unable to retrieve PSPNG provision_to attribute; results will not include provisioning relationships
edu.internet2.middleware.grouper.exception.AttributeDefNameNotFoundException: Cannot find (or not allowed to find) attribute def name with name: 'etc:pspng:provision_to'





[GRP-5112] md_grouper_allowProvisionableRegexOverride use causes errors when importing from gsh script Created: 09/Nov/23  Updated: 09/Nov/23

Status: Open
Project: Grouper
Component/s: gsh
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

4.8.0



 Description   

Steps to recreate:
-Create folder and assign new framework provisioning.
-use provisionable regex that includes '$'
-export using instructions from here

Attempt to import from gsh and receive:

groovysh_parse: 2: illegal string body character after dollar sign;
   solution: either escape a literal dollar sign "\$5" or bracket the value expression "${5}" @ line 2, column 37.
   attributeAssignOnAssignSave.addValue("{\"md_grouper_allowPolicyGroupOverride\":false,\"md_grouper_azureGroupType\":\"unified\",\"md_grouper_allowProvisionableRegexOverride\":\"groupName not matches ^.:ref:.$\"}");






[GRP-5111] fix newlines in email rules (plain text) Created: 09/Nov/23  Updated: 09/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Graham Ballantyne
  14 hours ago
I'm trying to set up an email notification rule based on the example in the wiki, but my \n s aren't turning into newlines; they're inserted literally into the email body. Any tips?






[GRP-5104] Provisioner retrieve AD objectSid and objectGuid as string instead of binary Created: 02/Nov/23  Updated: 09/Nov/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If you want to use an unchanging id for an AD group to detect renames, you could potentially use objectSid or objectGuid which are unique for each group in AD. However, these are binary values, and Grouper is unable to store them in the cache table. I don't see other good options, unless you use the group idIndex or uuid, but it needs the right kind of object to be able to store the value into a custom attribute.

 

update grouper_sync_group set ... group_from_id3 = 'I`�ɖ?I`�ɖ?H�x���]m�', ... was aborted: ERROR: invalid byte sequence for encoding "UTF8": 0x00 



 Comments   
Comment by Bert Bee-Lindgren (gatech.edu) [ 03/Nov/23 ]

Georgia Tech could populate Grouper's GroupId into a random ad.extensionAttributeNN attribute, but those are used by various groups around GT. Using objectSid or Guid would be much more elegant.

Comment by Chris Hyzer (upenn.edu) [ 04/Nov/23 ]

convert binary to base64?

Comment by Bert Bee-Lindgren (gatech.edu) [ 04/Nov/23 ]

>base64?

That's a really good question!

I was thinking that, too, but then I realized that it won't be directly usable in future searches in Base64, as objectSid=<base64> won't match anything.

 

Here are three choices:

Comment by Daniel Fisher (vt.edu) [ 09/Nov/23 ]

Ldaptive can parse these attribute values into their string representations. These classes have static methods for conversion:

 
String org.ldaptive.ad.GlobalIdentifier.toString(byte[])
byte[] org.ldaptive.ad.GlobalIdentifier.toBytes(String)
 
String org.ldaptive.ad.SecurityIdentifier.toString(byte[])
byte[] org.ldaptive.ad.SecurityIdentifier.toBytes(String)

 





[GRP-5098] Provisioning: Entity Attribute and responsibility for a prefix Created: 27/Oct/23  Updated: 08/Nov/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Critical
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Our Grouper's Ldap-Entity-attribute provisioning share entitlement attributes with other systems. We are having pretty constant problems getting values removed and have tried to raise the level of Grouper responsibility to "Delete if value managed by Grouper." We had hoped that this would scrub extra values from users who were not in the groups provisioned by grouper.

As you might imagine from this Jira, we continue to have problems with extra attributes remaining in our ldap. Chad Redman should be posting a Jira about this.

This Jira is requesting that we be able to define an attribute-value prefix to define value 'ownership.' For example, we would define prod grouper being responsible for gt: and Test being responsible for test:gt:. This might simplify the code and fix our current problems, but it might also help when groups are deleted from grouper or, perhaps, unmarked for provisioning.

ATM, we're going to have to manually scrub these attributes in an oob script.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Nov/23 ]

In 4.7.2+ the other delete settings should work better.  You can delete if grouper deleted, or if grouper manages that value.  If we need the prefix thing we can add it but we should be ok with the current settings right?  So many delete options





[GRP-5110] loader list doesnt show disabled jobs correctly Created: 08/Nov/23  Updated: 08/Nov/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford
  6:10 PM
Hi All,
Just noticed something a bit confusing. If you look up a disabled loder job under misc. It will show ERROR if it’s disabled, It shows up correctly in the Daemon Job menu.






[GRP-5091] translate grouper memberships to target using id index as int(8) uses strings Created: 26/Oct/23  Updated: 26/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

23-10-25 23:45:31.242: Provisioner 'iam_unifieddb_group_memberships' (vygitnze) state 'translateGrouperMembershipsToTarget' type 'fullProvisionFull':

{state=translateGrouperMembershipsToTarget}

(vygitnze): Grouper target memberships (6):
(vygitnze): 0. Mship(group: "testGroup", groupId: "1000039", entityId: "1000067", recalcObject: false)
(vygitnze): 1. Mship(group: "testGroup4", groupId: "1000052", entityId: "1000095", recalcObject: false)
(vygitnze): 2. Mship(group: "testGroup2", groupId: "1000040", entityId: "1000067", recalcObject: false)
(vygitnze): 3. Mship(group: "testGroup", groupId: "1000039", entityId: "1000053", recalcObject: false)
(vygitnze): 4. Mship(group: "testGroup", groupId: "1000039", entityId: "1000068", recalcObject: false)
(vygitnze): 5. Mship(group: "testGroup4", groupId: "1000052", entityId: "1000094", recalcObject: false)






[GRP-5087] sql provisioning to only a membership table has issues with new provisionable groups, and maybe other things. do a full test Created: 25/Oct/23  Updated: 25/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Oct/23 ]

provisioner.iam_unifieddb_group_memberships.addDisabledFullSyncDaemon = true
provisioner.iam_unifieddb_group_memberships.addDisabledIncrementalSyncDaemon = true
provisioner.iam_unifieddb_group_memberships.class = edu.internet2.middleware.grouper.app.sqlProvisioning.SqlProvisioner
provisioner.iam_unifieddb_group_memberships.customizeEntityCrud = true
provisioner.iam_unifieddb_group_memberships.customizeGroupCrud = true
provisioner.iam_unifieddb_group_memberships.dbExternalSystemConfigId = grouper
provisioner.iam_unifieddb_group_memberships.deleteGroups = false
provisioner.iam_unifieddb_group_memberships.entityAttributeValueCache0entityAttribute = id
provisioner.iam_unifieddb_group_memberships.entityAttributeValueCache0has = true
provisioner.iam_unifieddb_group_memberships.entityAttributeValueCache0source = grouper
provisioner.iam_unifieddb_group_memberships.entityAttributeValueCache0type = entityAttribute
provisioner.iam_unifieddb_group_memberships.entityAttributeValueCacheHas = true
provisioner.iam_unifieddb_group_memberships.groupAttributeValueCache0groupAttribute = id
provisioner.iam_unifieddb_group_memberships.groupAttributeValueCache0has = true
provisioner.iam_unifieddb_group_memberships.groupAttributeValueCache0source = grouper
provisioner.iam_unifieddb_group_memberships.groupAttributeValueCache0type = groupAttribute
provisioner.iam_unifieddb_group_memberships.groupAttributeValueCacheHas = true
provisioner.iam_unifieddb_group_memberships.insertGroups = false
provisioner.iam_unifieddb_group_memberships.logAllObjectsVerbose = true
provisioner.iam_unifieddb_group_memberships.makeChangesToEntities = false
provisioner.iam_unifieddb_group_memberships.membershipTableName = memberships_from_grouper
provisioner.iam_unifieddb_group_memberships.numberOfEntityAttributes = 1
provisioner.iam_unifieddb_group_memberships.numberOfGroupAttributes = 1
provisioner.iam_unifieddb_group_memberships.numberOfMembershipAttributes = 3
provisioner.iam_unifieddb_group_memberships.operateOnGrouperEntities = true
provisioner.iam_unifieddb_group_memberships.operateOnGrouperGroups = true
provisioner.iam_unifieddb_group_memberships.operateOnGrouperMemberships = true
provisioner.iam_unifieddb_group_memberships.provisioningType = membershipObjects
provisioner.iam_unifieddb_group_memberships.recalculateAllOperations = true
provisioner.iam_unifieddb_group_memberships.selectEntities = false
provisioner.iam_unifieddb_group_memberships.selectGroups = false
provisioner.iam_unifieddb_group_memberships.showAdvanced = true
provisioner.iam_unifieddb_group_memberships.startWith = this is start with read only
provisioner.iam_unifieddb_group_memberships.subjectSourcesToProvision = jdbc,personLdapSource
provisioner.iam_unifieddb_group_memberships.targetEntityAttribute.0.name = id
provisioner.iam_unifieddb_group_memberships.targetEntityAttribute.0.translateExpressionType = grouperProvisioningEntityField
provisioner.iam_unifieddb_group_memberships.targetEntityAttribute.0.translateFromGrouperProvisioningEntityField = subjectId
provisioner.iam_unifieddb_group_memberships.targetGroupAttribute.0.name = id
provisioner.iam_unifieddb_group_memberships.targetGroupAttribute.0.translateExpressionType = grouperProvisioningGroupField
provisioner.iam_unifieddb_group_memberships.targetGroupAttribute.0.translateFromGrouperProvisioningGroupField = name
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.0.name = group_name
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.0.translateExpressionType = grouperProvisioningGroupField
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.0.translateFromGrouperProvisioningGroupField = groupAttributeValueCache0
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.1.name = subject_id
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.1.translateExpressionType = grouperProvisioningEntityField
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.1.translateFromGrouperProvisioningEntityField = entityAttributeValueCache0
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.2.name = subject_source_id
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.2.translateExpressionType = grouperProvisioningEntityField
provisioner.iam_unifieddb_group_memberships.targetMembershipAttribute.2.translateFromGrouperProvisioningEntityField = subjectSourceId
provisioner.iam_unifieddb_group_memberships.unresolvableSubjectsRemove = true
provisioner.iam_unifieddb_group_memberships.updateGroups = false
 

Comment by Chris Hyzer (upenn.edu) [ 25/Oct/23 ]

CREATE TABLE public.memberships_from_grouper (
	group_name varchar(1024) NULL,
	subject_id varchar(100) NULL,
	subject_source_id varchar(100) NULL
);
 





[GRP-5084] delete rows from grouper_members table where it is not used anywhere (e.g. pit or audits etc) Created: 25/Oct/23  Updated: 25/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5083] Loader Failsafes: Information Improvements Created: 25/Oct/23  Updated: 25/Oct/23

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We had a sql-list loader job trigger a failsafe and found a few ways that would help us handle it.

  1. I was hoping, at least, the Loader Job message box would have a description of what the failsafe trigger was (too many fewer groups, groups that were going to shrink to much) along with the numbers
  2. Instead, we had to do a subjob search and scroll through thousands of subjobs and luckily only one group had a failsafe trigger. Luckily the Loader Job did not exceed 4k groups, otherwise we wouldn't have been able to find the information in the UI
    1. It would have helped if subjob+error-only filter would have just shown the relevant groups
    2. Once the right group/subjob was found, the Loader Message field had terrific information about shrinkage and original size. It might help to put some (3-10) example subjects into the message to help sanity check the failsafe
  3. The 'Approve Failsafe' job action was in a great location in the Daemon Log pulldown, but we were hoping it would bring up a page explaining the Failsafe situation, and, ideally, offering some selective approvals. Instead, it seemed to blindly approve whatever failsafes were outstanding.





[GRP-5081] add a jexl script tester for ldap loader group name expression Created: 24/Oct/23  Updated: 24/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5080] edit button on report daemons should go to report edit screen Created: 23/Oct/23  Updated: 23/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga
  29 minutes ago
We get it when we go to “Daemon jobs”, find a report, click on the report name (showing the logs), and then choosing “Job actions --> Edit daemon”
grouper.log
 
2023-10-23T13:54:20,359: [ajp-nio-0.0.0.0-8009-exec-9] ERROR GrouperUiRestServlet.doGet(370) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Admin.editDaemon
java.lang.RuntimeException: Problem converting JSP to string: /WEB-INF/grouperUi2/admin/adminDaemonJobEdit.jsp,
Problem calling method editDaemon on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Admin
    at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1825)
    at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiScreenAction.newInnerHtmlFromJsp(GuiScreenAction.java:597)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Admin.editDaemon(UiV2Admin.java:750)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5511)
    at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5462)
    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337)
    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
    at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:533)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.apache.jasper.JasperException: An exception occurred processing [/WEB-INF/grouperUi2/admin/adminDaemonJobEdit.jsp] at line [67]
64:                           </td>
65:                         </tr>
66:
67:                       <c:forEach items="${guiGrouperDaemonConfiguration.grouperDaemonConfiguration.subSections}" var="subSection">
68:                           <tbody>
69:                             <c:if test="${!grouper:isBlank(subSection.label) and subSection.show}">
70:                               <tr>
Stacktrace:
    at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:605)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:498)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:383)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:331)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:662)
    at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:540)
    at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:483)
    at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1823)
    ... 41 more
Caused by: javax.el.ELException: Error reading [subSections] on type [edu.internet2.middleware.grouper.app.daemon.GrouperDaemonReportForGroupStemConfiguration]
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:104)
    at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:112)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:168)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:942)
    at org.apache.jsp.WEB_002dINF.grouperUi2.admin.adminDaemonJobEdit_jsp._jspx_meth_c_005fforEach_005f0(adminDaemonJobEdit_jsp.java:416)
    at org.apache.jsp.WEB_002dINF.grouperUi2.admin.adminDaemonJobEdit_jsp._jspService(adminDaemonJobEdit_jsp.java:291)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465)
    ... 50 more
Caused by: java.lang.RuntimeException: configFileName cant be null for edu.internet2.middleware.grouper.app.daemon.GrouperDaemonReportForGroupStemConfiguration
    at edu.internet2.middleware.grouper.app.config.GrouperConfigurationModuleBase.retrieveAttributes(GrouperConfigurationModuleBase.java:605)
    at edu.internet2.middleware.grouper.app.config.GrouperConfigurationModuleBase.getSubSections(GrouperConfigurationModuleBase.java:910)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:99)
    ... 59 more
 






[GRP-5079] when indexing rules see what queries can be done in batch (e.g. checkKeyForStem) Created: 23/Oct/23  Updated: 23/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5076] Provisioning: Activity Improvements Created: 23/Oct/23  Updated: 23/Oct/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-10-23-00-51-50-135.png     PNG File image-2023-10-23-01-09-46-839.png    

 Description   

There's such a wealth of information about what the Provisioner framework is doing, but I wanted to report that I'm not finding what I'm looking for when I'm troubleshooting or otherwise answering questions. This Jira is an attempt to describe some changes that would help, but we want to warn you that ideas will probably come to us iteratively.

Some of what happens when we try to use existing transparency:

We turn to the Activity Report for a provisioner pretty frequently, but we're often faced with all the information looking something like this:

 

What 'Activity' is this trying to tell us? It seems to be saying that the Provisioner didn't see the membership in the target system at 1:47, but that it did see it in the system a few hours later at 4:18. However, it seems to indicate that it didn't make any changes. To me this is reporting that the provisioner lost track of memberships in the target system at 1:47 and then rediscovered they were actually there at 4:18. This is odd for various reasons, but isn't what we're typically looking for.

Note: This person's membership in this group hasn't changed for over a month, and many successful Full Sync provisioners have run before these 1:47 and 4:18 instances:

 

Note that the 1:17 did provision a lot of memberships, but they are not related to the activity line above. Also note that we can't use the existing UI to understand what those 16k changes were.

 

Suggestions:

  1. Have the ability to see Provisioned Changes
    1. This could be within the Activity-Report page, but it doesn't seem compatible with all the Begin/End/Etc Dates and other information the Activity Report shows
    2. This would show things like:
      1. Created/Updated/Deleted Group in target system with grouper group name, and ideally, the Group's target system information too (DN, etc)
      2. Added/Removed membership in target system [Subject, Group]
      3. Created/Updated/Deleted Entity in target system [Subject]
  1. Be able to page through the changes
  2. Be able to filter the changes based on Date, Group, and/or subject
  3. Link to this Provisioned Changes report from a provisioned group, obviously filtered on that group
  4. Link to this Provisioned Changes report from membership changes shown in an Audit entry, filtering on the Subject and Group
  5. In the existing Activity Report:
    1. Be able to page through information
    2. Filter based on Group (and be able to link to it from Group's provisioner menu)

Thank you






[GRP-5075] Provisioning Logs: Counts seem to be expected changes Created: 23/Oct/23  Updated: 23/Oct/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-10-23-00-24-40-000.png    
Issue Links:
Related
is related to GRP-5045 exceptions in provisioning should rep... Resolved

 Description   

We had an Active Directory Provisioning problem where an error-logging line threw an unexpected RuntimeException and, therefore, crashed out the provisioner's Full Sync. This Jira is not about this Exception nor the provisioner's resilience to logging exceptions; I don't think it's worth the trouble to catch problems with logging. Instead, this Jira is about how the Daemon Log was confusing while the provisioner had this problem....

Every FullSync's daemon log for weeks showed thousands of changes into and out of our Active Directory. The top half of this screen shot is after the logging problem was fixed >10-18 05:17, and the bottom half shows the problem.

 

We believe that the 4000ish adds and 4000ish deletes were never actually happening, but were instead the expected changes based on comparing Grouper to the Target System. We were very confused and chasing ghosts for a good while. Additionally, the Activity Log didn't show any activity so we doubted it as well.

This report is requesting that the counts be a tabulation of actual changes made and anticipated changes. Perhaps the expected counts could be log4j-logged, but the Changes Made numbers in the Daemon Log should be correct.



 Comments   
Comment by Bert Bee-Lindgren (gatech.edu) [ 23/Oct/23 ]

GRP-5045 is the logging bug that was causing the provisioner to completely stop before all the calculated changes were attempted.





[GRP-5070] Job log include elapsed time in something besides millisecond Created: 20/Oct/23  Updated: 20/Oct/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-10-20-13-07-55-396.png    

 Description   

This request is just for convenience. Sometimes it's hard to tell how long something runs, especially when the numbers are large. It should be something friendly, like 2h 21m or 2d3h25m if it runs that long.

 






[GRP-5069] Remove "Attribute name for net ID" from subject source Created: 20/Oct/23  Updated: 20/Oct/23

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This is a field that shows up in subject source configuration, but there is no explanation what a "net ID" is for. I had traced through the source code a while ago, and at that time it was only used in either the custom UI or a less common reporting setup. It would eliminate some confusion if it were just refactored to not use this custom net ID. It we do need some kind of preferred identifier, then maybe it just needs to be rebranded – renaming and adding a description.






[GRP-5068] Throttling functionality for WS Created: 19/Oct/23  Updated: 19/Oct/23

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Services that sustain a high rate of API calls to the WS can cause it to run out of memory over time.  Workarounds have been to conduct periodic restarts to reclaim the memory in a timely manner.

If WS were feature a form of throttling, it can allow WS nodes to require less frequent restarts and indicate to services that they need to slow their roll.

 

 






[GRP-5067] put version of grouper not in config part since that is locked down Created: 19/Oct/23  Updated: 19/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5066] stem view privilege table needs a primary key for mysql Created: 19/Oct/23  Updated: 19/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

ALTER TABLE grouper_stem_view_privilege ADD COLUMN cmu_row_id bigint unsigned PRIMARY KEY  NOT NULL AUTO_INCREMENT;
 






[GRP-5064] folders should be able to read attributes without create Created: 18/Oct/23  Updated: 18/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5063] readonly admins should be able to read everything in misc (e.g. daemons etc) Created: 18/Oct/23  Updated: 18/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5062] allow various attestation email schedules Created: 16/Oct/23  Updated: 16/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. for some groups have it email every three days...






[GRP-5059] full provisioning run should update all target cache buckets on retrieved objects Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5058] incremental membership errors should recalc group/entity on retry (not recalc memberships) Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5057] a DN change (which causes membership provisioning error) should retry next incremental run and not fail other actions Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5056] add option to look up group and entities always (not recalc memberships) Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5055] refreshEntityLinkIfLessThanAmount is not working Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 14/Oct/23 ]

check group one too





[GRP-5054] grouper loader diagnostics should work for large jobs... (partial?) Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 14/Oct/23 ]

i think they are running but need a thread to refresh screen until its done...

Comment by Chris Hyzer (upenn.edu) [ 14/Oct/23 ]

Bert Bee-Lindgren
< 1 minute ago
Or maybe the diagnostics is trying to do too much…. Perhaps do the group-list query and a couple groups? I’m sure every environment is different, but I’m hoping for a sanity check on connectivity, sql grants, syntax errors, etc.
Beyond those basics, what I’d really like is a dry-run of the loader either overall or for a loaded group, because what I sometimes really want to know is whether I’m about to empty a bunch of groups or test our failsafes. This would be a ‘real’ run of the loader in the daemon, but where the stats/subjobs/etc were not actually making the changes they count.





[GRP-5053] add google start with metadata options which also adds attributes with translation Created: 14/Oct/23  Updated: 14/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Description   

For example, prompt for all these things in start with (manageGroupsManageEntities or manageGroupsReadonlyEntities)



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 14/Oct/23 ]

Comment by Chris Hyzer (upenn.edu) [ 14/Oct/23 ]

If true, set that metadata show to true in the group configuration and also add an attribute for that setting with a translation like this

${grouperProvisioningGroup.retrieveAttributeValueString('md_grouper_allowExternalMembers')}
 





[GRP-5051] SCIM provisioner NPE on missing json values itemsPerPage and startIndex Created: 13/Oct/23  Updated: 13/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.40, 2.6.0, 4.0.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper;grouper_error.log;dev;nothing;2023-10-13T23:23:08,561: [Thread-45] ERROR GrouperProvisioningLogic$1.run(2017) - [] - error querying target: scimGroupsAndEntities
java.lang.NullPointerException: Cannot invoke "java.lang.Integer.intValue()" because the return value of "edu.internet2.middleware.grouper.util.GrouperUtil.jsonJacksonGetInteger(com.fasterxml.jackson.databind.JsonNode, String)" is null
	at edu.internet2.middleware.grouper.app.scim2Provisioning.GrouperScim2ApiCommands.retrieveScimGroups(GrouperScim2ApiCommands.java:1102) ~[grouper-4.7.2.jar:4.7.2]
	at edu.internet2.middleware.grouper.app.scim2Provisioning.GrouperScim2TargetDao.retrieveAllGroups(GrouperScim2TargetDao.java:64) ~[grouper-4.7.2.jar:4.7.2]
	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveAllGroups(GrouperProvisionerTargetDaoAdapter.java:131) ~[grouper-4.7.2.jar:4.7.2]
	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveAllData(GrouperProvisionerTargetDaoAdapter.java:786) ~[grouper-4.7.2.jar:4.7.2]
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic$1.run(GrouperProvisioningLogic.java:2006) [grouper-4.7.2.jar:4.7.2]
	at java.lang.Thread.run(Thread.java:833) [?:?]

This is from a demo server with this request and response:

http://scim:8080/scim/v2/Groups?startIndex=1&count=50

{"totalResults":0,"startIndex":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[]}

The offending line:

int itemsPerPage = GrouperUtil.jsonJacksonGetInteger(jsonNode, "itemsPerPage")

The problem isn't getting the integer, it's that the null value it gets can't be assigned to an int. Per the RFC both itemsPerPage and startIndex are only required when there is paging






[GRP-5050] Logging error in container librarySetupFilesTomcat.sh Created: 13/Oct/23  Updated: 13/Oct/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Wil Cooley Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In function `setupFilesTomcat_sslCertsClient`, most of the log message identify themselves as being called from `setupFilesTomcat_sslCertsAnchors`, e.g.,

255      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"

 
It seems like it would be better to take advantage of bash's builtin facilities for reporting locations and define functions to remove much of the noise and potential for copy & paste errors, like this:

#!/bin/bash
# libLog.sh
__log_output_tag="grouperContainer"
 
_log_base() {
    local level="$1"
    local message="$2"
 
    local source="$(basename ${BASH_SOURCE[2]})"
 
    local origin
    if [[ -n "${FUNCNAME[2]}" && "${FUNCNAME[2]}" != "main" ]]; then
        origin="${source}-${FUNCNAME[2]}"
    else
        origin="${source}"
    fi
 
    printf "${__log_output_tag}; ${level}: (${origin}) ${message}\n"
}
 
log_info() {
    _log_base INFO "$*"
}
 
log_warn() {
    _log_base WARN "$*"
}
 
# ... etc for the rest of the logging levels

Here's a small demonstration script:

#!/bin/bash
 
source /tmp/libLog.sh
 
foo() {
    log_info "Hi foo"
}
 
bar() {
    log_info Hi bar
    foo
}
 
baz() {
    log_warn Baz on
    bar
}
baz
log_info Called from main
log_info Called from main through a pipe | tee /tmp/pretend-this-is-a-pipe

Abstracting the logging this way would also make it easier to incorporate $ENV and $USERTOKEN and make the format consistent with the formats used everywhere else.






[GRP-5049] add batch and bulk operations to duo Created: 13/Oct/23  Updated: 13/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://duo.com/docs/adminapi#create-multiple-users

https://duo.com/docs/adminapi#bulk-user-operations






[GRP-5042] local entities should be resolvable by uuid Created: 11/Oct/23  Updated: 11/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5041] document the deprovisioning and adding user back veto Created: 11/Oct/23  Updated: 11/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Grouper+deprovisioning
Working on deprovisioning
if you deprovision a user they end up in a group
Putting logic in place so on the UI, add this subject to this group, will give an error message ,“you can not add this member to this group , that member has already been deprovisioned”
Configuration: If someone is deprovisioned do you want them to be allowed back?
Default is no
Question : What is the use case for this new feature to make it difficult to reprovision?
This was requested from Harvard…
AI CHRIS and VIVEK , document the work on deprovisioning and adding a member back






[GRP-5030] Can't add entitySubjectIdentifier attribute to local entity Created: 06/Oct/23  Updated: 11/Oct/23

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: 4.7.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Trying to add attribute etc:attribute:entities:entitySubjectIdentifier to a local entity per documentation in https://spaces.at.internet2.edu/display/Grouper/Grouper+local+entities.

Result is:

 Error: Not allowed to assign to member: AttributeDef[name=etc:attribute:entities:entitySubjectIdentifierDef,uuid=a4feba4da40142f19242879d9d586776], 8b220b8132c54beb95957271eb4eb803, to allow this, make sure the attributeDef has setAssignToMember(true), Problem calling method assignAttributeSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment

The attribute assignment is being treated as if it's being added to a subject, not an entity.

If I edit the assignment to allow it to be set for members, I can add the attribute. But then I can't add a value to it due to another error:

Error: Cannot invoke "edu.internet2.middleware.grouper.entity.Entity.getName()" because "entity" is null, Exception in save: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, edu.internet2.middleware.grouper.hibernate.ByObject@e0363ca, Problem in HibernateSession: HibernateSession (10bc9d8f): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (74265a05), Exception in saveOrUpdate: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null, Problem in HibernateSession: HibernateSession (5b7b04bb): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (74265a05), Problem calling method attributeAssignAddValueSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment



 Comments   
Comment by Chad Redman [ 06/Oct/23 ]

Also can't view the assignments once assigned.

 Error: Problem converting JSP to string: /WEB-INF/grouperUi2/subjectAttribute/subjectViewAttributeAssignsContents.jsp, Problem calling method viewAttributeAssignments on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment

 

Stacktrace (very long, it's all from the same single page view)

grouper_1     | grouper;tomcat;catalina.out;dev;nothing;2023-10-06T00:26:49,906: [http-nio-8080-exec-4] ERROR DirectJDKLog.log(175) - [] - Servlet.service() for servlet [jsp] threw exception
grouper_1     | java.lang.RuntimeException: Cannot find assign delegate for assignment and attributeDef: 39ebdb2a9e8442368306842ca16854c8, etc:attribute:entities:entitySubjectIdentifierDef
grouper_1     |     at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.retrieveAttributeAssignable(AttributeAssign.java:1876) ~[grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.internal_retrieveValues(AttributeAssignValueDelegate.java:150) ~[grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.internal_retrieveValues(AttributeAssignValueDelegate.java:125) ~[grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.retrieveValues(AttributeAssignValueDelegate.java:107) ~[grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.getAttributeAssignValues(AttributeAssignValueDelegate.java:115) ~[grouper-4.6.0.jar:4.6.0]
grouper_1     |     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
grouper_1     |     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
grouper_1     |     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
grouper_1     |     at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
grouper_1     |     at javax.el.BeanELResolver.getValue(BeanELResolver.java:99) ~[el-api.jar:3.0.FR]
grouper_1     |     at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:112) ~[jasper.jar:8.5.90]
grouper_1     |     at org.apache.el.parser.AstValue.getValue(AstValue.java:168) ~[jasper-el.jar:8.5.90]
grouper_1     |     at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) ~[jasper-el.jar:8.5.90]
grouper_1     |     at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:942) ~[jasper.jar:8.5.90]
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fforEach_005f1(subjectViewAttributeAssignsContents_jsp.java:553) ~[?:?]
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fforEach_005f0(subjectViewAttributeAssignsContents_jsp.java:405) ~[?:?]
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fotherwise_005f0(subjectViewAttributeAssignsContents_jsp.java:303) ~[?:?]
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fchoose_005f0(subjectViewAttributeAssignsContents_jsp.java:204) ~[?:?]
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspService(subjectViewAttributeAssignsContents_jsp.java:163) ~[?:?]
grouper_1     |     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) ~[jasper.jar:8.5.90]
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583) ~[servlet-api.jar:?]
grouper_1     |     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465) ~[jasper.jar:8.5.90]
grouper_1     |     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:383) ~[jasper.jar:8.5.90]
grouper_1     |     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:331) ~[jasper.jar:8.5.90]
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583) ~[servlet-api.jar:?]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212) ~[catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) ~[catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:662) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:540) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:483) [catalina.jar:8.5.90]
grouper_1     |     at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1823) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiScreenAction.newInnerHtmlFromJsp(GuiScreenAction.java:597) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment.filterHelper(UiV2SubjectAttributeAssignment.java:109) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment.viewAttributeAssignments(UiV2SubjectAttributeAssignment.java:67) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
grouper_1     |     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
grouper_1     |     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
grouper_1     |     at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
grouper_1     |     at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5514) [grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5465) [grouper-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:515) [servlet-api.jar:?]
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583) [servlet-api.jar:?]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) [tomcat-websocket.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) [catalina.jar:8.5.90]
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101) [csrfguard-4.1.4.jar:4.1.4]
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91) [csrfguard-4.1.4.jar:4.1.4]
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63) [csrfguard-4.1.4.jar:4.1.4]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) [catalina.jar:8.5.90]
grouper_1     |     at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322) [grouper-ui-4.6.0.jar:4.6.0]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.90]
grouper_1     |     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:617) [tomcat-coyote.jar:8.5.90]
grouper_1     |     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-coyote.jar:8.5.90]
grouper_1     |     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932) [tomcat-coyote.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695) [tomcat-coyote.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-coyote.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:8.5.90]
grouper_1     |     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.90]
grouper_1     |     at java.lang.Thread.run(Thread.java:833) [?:?]
grouper_1     | grouper;grouper_error.log;dev;nothing;2023-10-06T00:26:49,927: [http-nio-8080-exec-4] ERROR GrouperUiRestServlet.doGet(370) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment.viewAttributeAssignments
grouper_1     | 
grouper_1     | java.lang.RuntimeException: Problem converting JSP to string: /WEB-INF/grouperUi2/subjectAttribute/subjectViewAttributeAssignsContents.jsp,
grouper_1     | Problem calling method viewAttributeAssignments on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment
grouper_1     |     at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1825)
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiScreenAction.newInnerHtmlFromJsp(GuiScreenAction.java:597)
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment.filterHelper(UiV2SubjectAttributeAssignment.java:109)
grouper_1     |     at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment.viewAttributeAssignments(UiV2SubjectAttributeAssignment.java:67)
grouper_1     |     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
grouper_1     |     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
grouper_1     |     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
grouper_1     |     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
grouper_1     |     at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5514)
grouper_1     |     at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5465)
grouper_1     |     at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337)
grouper_1     |     at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1     |     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)
grouper_1     |     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1     |     at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1     |     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
grouper_1     |     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
grouper_1     |     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
grouper_1     |     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
grouper_1     |     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
grouper_1     |     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
grouper_1     |     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
grouper_1     |     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:617)
grouper_1     |     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
grouper_1     |     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)
grouper_1     |     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)
grouper_1     |     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
grouper_1     |     at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
grouper_1     |     at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
grouper_1     |     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
grouper_1     |     at java.base/java.lang.Thread.run(Thread.java:833)
grouper_1     | Caused by: org.apache.jasper.JasperException: An exception occurred processing [/WEB-INF/grouperUi2/subjectAttribute/subjectViewAttributeAssignsContents.jsp] at line [44]
grouper_1     | 
grouper_1     | 41:                      <c:set var="valueRow" value="0" />
grouper_1     | 42:                  
grouper_1     | 43:                      
grouper_1     | 44:                      <c:forEach items="${guiAttributeAssign.attributeAssign.valueDelegate.attributeAssignValues}" var="attributeAssignValue">
grouper_1     | 45:                      
grouper_1     | 46:                        <%-- we need a newline before non-first rows --%>
grouper_1     | 47:                        <c:if test="${valueRow != 0}">
grouper_1     | 
grouper_1     | 
grouper_1     | Stacktrace:
grouper_1     |     at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:605)
grouper_1     |     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:498)
grouper_1     |     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:383)
grouper_1     |     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:331)
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)
grouper_1     |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:662)
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:540)
grouper_1     |     at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:483)
grouper_1     |     at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1823)
grouper_1     |     ... 42 more
grouper_1     | Caused by: javax.el.ELException: Error reading [attributeAssignValues] on type [edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate]
grouper_1     |     at javax.el.BeanELResolver.getValue(BeanELResolver.java:104)
grouper_1     |     at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:112)
grouper_1     |     at org.apache.el.parser.AstValue.getValue(AstValue.java:168)
grouper_1     |     at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189)
grouper_1     |     at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:942)
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fforEach_005f1(subjectViewAttributeAssignsContents_jsp.java:553)
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fforEach_005f0(subjectViewAttributeAssignsContents_jsp.java:405)
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fotherwise_005f0(subjectViewAttributeAssignsContents_jsp.java:303)
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspx_meth_c_005fchoose_005f0(subjectViewAttributeAssignsContents_jsp.java:204)
grouper_1     |     at org.apache.jsp.WEB_002dINF.grouperUi2.subjectAttribute.subjectViewAttributeAssignsContents_jsp._jspService(subjectViewAttributeAssignsContents_jsp.java:163)
grouper_1     |     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
grouper_1     |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)
grouper_1     |     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465)
grouper_1     |     ... 51 more
grouper_1     | Caused by: java.lang.RuntimeException: Cannot find assign delegate for assignment and attributeDef: 39ebdb2a9e8442368306842ca16854c8, etc:attribute:entities:entitySubjectIdentifierDef
grouper_1     |     at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.retrieveAttributeAssignable(AttributeAssign.java:1876)
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.internal_retrieveValues(AttributeAssignValueDelegate.java:150)
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.internal_retrieveValues(AttributeAssignValueDelegate.java:125)
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.retrieveValues(AttributeAssignValueDelegate.java:107)
grouper_1     |     at edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate.getAttributeAssignValues(AttributeAssignValueDelegate.java:115)
grouper_1     |     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
grouper_1     |     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
grouper_1     |     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
grouper_1     |     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
grouper_1     |     at javax.el.BeanELResolver.getValue(BeanELResolver.java:99)
grouper_1     |     ... 63 more
grouper_1     | 

 





[GRP-5040] add option to not have ability to delete built in attributes (defs and names) Created: 11/Oct/23  Updated: 11/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

like this

  1. if this is true, attribute definitions can only be deleted via gsh or WS, to prevent accidental deletion, including cascading deletion of all attribute names and their assignments
  2. {valueType: "boolean", required: true}

    uiV2.attributeDef.preventDeleteBuiltInInUi = false

  1. if this is true, attribute names can only be deleted via gsh or WS, to prevent accidental deletion, including cascading deletion of all attribute assignments
  2. {valueType: "boolean", required: true}

    uiV2.attributeDefName.preventDeleteBuiltInInUi = false

groups and folders






[GRP-5036] make folder and group dropdown wider so long names show Created: 08/Oct/23  Updated: 08/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Oct/23 ]





[GRP-5033] total count of sql sync incremental should be number of change log records Created: 07/Oct/23  Updated: 07/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

should also confirm it updates the inserts/updates/deletes






[GRP-5032] OWASP_CSRFTOKEN header has underscore, not passed along by nginx Created: 07/Oct/23  Updated: 07/Oct/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Trying to debug a Grouper UI error going to any page besides the main page. Comparing the browser headers vs. the ones seen by the server, the OWASP_CSRFTOKEN header is missing. There is an nginx front end forwarding to Grouper, but possibly another hop too.

Internet searches suggest that nginx by default doesn't pass headers containing an underscore. See https://stackoverflow.com/q/17920949 . The fix is likely to configure nignx to allow underscores:

 

server {
   ...
   underscores_in_headers on;

but I haven't tested this yet. Longer-term, if it's possible to change this header name to replace or remove the underscore, it means Grouper would work out of the box with nginx without customization. The header string is both in the Owasp configuration, javascript, and Java code, so it may not be a trivial change that end users can do.






[GRP-4563] Add switch for Apache to log x-forwarded clientip instead of load balancer Created: 12/Jan/23  Updated: 07/Oct/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: 2.6.19.1
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When using a load balancer, you can set GROUPER_APACHE_REMOTE_IP_HEADER and GROUPER_APACHE_REMOTE_IP_INTERNAL_PROXY to get the underlying originating address to Apache and Shibboleth. The Apache configuration is using the default log format which is %h for the host. If this is switched to %a, it logs the original address it gets from the remoteIp header.

It's working with a custom hook to modify the log format. But it would be good if everyone using LBs didn't need to add that.

 

grouperScriptHooks_setupFilesPost() {
  if [ "$GROUPER_RUN_APACHE" = "true" ] && [ -n "$GROUPER_APACHE_REMOTE_IP_HEADER" ] && [ "$GROUPER_APACHE_REMOTE_IP_HEADER" != "" ] && [ -f /etc/httpd/conf/httpd.conf ]; then
      echo "grouperContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) Setting X-Forwarded-For in httpd logs"
      sed -i '/LogFormat\b/ s/;%h %l/;%a %l/' /etc/httpd/conf/httpd.conf
      returnCode=$?
      echo "grouperContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i '/LogFormat\b/ s/;%h %l/;%a %l/' /etc/httpd/conf/httpd.conf, result: $?"
      if [ $returnCode != 0 ]; then exit $returnCode; fi
  fi
  return
}



 Comments   
Comment by Chad Redman [ 07/Oct/23 ]

This is now configured in /etc/httpd/conf.d/09_i2inc_logging.conf. This isn't part of the Grouper distribution, so it may be in the i2incommon/shibboleth_sp image.





[GRP-5031] index for grouper_audit_entry last_updated Created: 06/Oct/23  Updated: 06/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In V4:

Add to the postgres, oracle, and mysql new installation ddl

Add an UpgradeTask that will add the index if it doesn't already exist.  (Hopefully there's a clean way to see if indexes exist across the databases.)

 

Oracle:

check user_indexes and then 'create index audit_entry_last_updated_idx on grouper_audit_entry(last_updated) online;'

 

Postgres:

create index concurrently if not exists audit_entry_last_updated_idx on grouper_audit_entry(last_updated);

 

Mysql:






[GRP-4982] daemon screen is slow Created: 20/Sep/23  Updated: 04/Oct/23

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/Oct/23 ]

initial pass at this sets page size to lower number





[GRP-5025] hide side panel by default institution-wide and people can expand it Created: 04/Oct/23  Updated: 04/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4984] Provisioner error handling should allow threshold of DNE errors before job error Created: 20/Sep/23  Updated: 04/Oct/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Right now, there is a setting for a provisioner in error handling: "Object not exist is error" which corresponds to DNE errors. A small number of these is usually ok to ignore, but you may want large numbers of DNE's to trigger an error, since it may be a larger problem in the target data.

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Sep/23 ]

there is a new setting to help with this where you can ignore certain attributes if they are null which I would assume causes most of the DNE.  Then you shouldnt have to ignore DNE errors?  Or where do you see that there are a large number of DNEs?

 

Comment by Chris Hyzer (upenn.edu) [ 27/Sep/23 ]

ie dont kick off another full due to errors

Comment by Chris Hyzer (upenn.edu) [ 27/Sep/23 ]

add another job status?  (ok but has issues)





[GRP-4958] Jobs exit while in starting state, nothing logged Created: 14/Sep/23  Updated: 04/Oct/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-09-20-13-12-56-883.png    

 Description   

This is an intermittent problem seen especially in provisioning jobs. The job stays in the starting state, nothing happens or is logged, yet a few minutes later the job runs again. Shouldn't the job runner be captured any errors, so that unless the container restarts, all jobs should have an eventual status before running again?



 Comments   
Comment by Chad Redman [ 15/Sep/23 ]

Once I saw a log message that just said it was in state initConsumerName. But mostly the log messages are blank

Comment by Chad Redman [ 20/Sep/23 ]

The latest time I am seeing this with v4.5.5: the log says state 'end':

 

2023-09-20 16:51:05.216: Provisioner 'xxx_accounts_posixGroups' (vw10q8nf) state 'end' type 'incrementalProvisionChangeLog': {syncObjectStoreCount=1, finalLog=true, queryCount=17, tookMillis=86061, took=00:01:26.061}

Comment by Chris Hyzer (upenn.edu) [ 04/Oct/23 ]

jvm is dying. OOM error?





[GRP-4968] make sure case insensitive compare works in membership attributes (groupAttributes and entityAttributes), e.g. dn's Created: 15/Sep/23  Updated: 04/Oct/23

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 4.7.0

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5020] if there is an error in duo admin create entity it does not show command log Created: 02/Oct/23  Updated: 02/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5019] tune up duo admin role start with Created: 02/Oct/23  Updated: 02/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5018] in duo admin startwith we should support converting no special chars and display extension from starts with Created: 02/Oct/23  Updated: 02/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g.. if the translated role is ApplicationManager, send Application Manager to duo.

in the starts with for role mapping, displayExtension is not an option and should be






[GRP-5016] Edit "Organization hierarchies via the grouper loader" page to be more applicable Created: 02/Oct/23  Updated: 02/Oct/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Organization+hierarchies+via+the+grouper+loader

 

This page is currently Penn-centric, and a lot of the page is how to set up a PoC to match it. I was looking for a more general example of a rollup loader to send to a client, but this is the best page I could find. The screenshots are also from the Admin UI which no longer exists.






[GRP-5011] add in abac virtual attributes where an attribute can be looked up to derive Created: 29/Sep/23  Updated: 29/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. if a student record identifies a division. and the division is in a school. then maybe we dont need an attribute for school and can have a row about the division that populates virtual attributes






[GRP-5010] make grouper loader logs optional for logging DEBUG Created: 29/Sep/23  Updated: 29/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

<Logger name="edu.internet2.middleware.grouper.app.loader.GrouperLoaderLog" level="debug" additivity="false">
<AppenderRef ref="grouper_daemon"/>
</Logger>

maybe check other logs too






[GRP-5008] add subject resolvable and deleted status in provisioning member details Created: 29/Sep/23  Updated: 29/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5006] add imports to GSH commands that need it Created: 28/Sep/23  Updated: 28/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. https://spaces.at.internet2.edu/pages/viewpage.action?pageId=188842249






[GRP-5003] add ability to save entire metadata json in provisionableSave GSH class Created: 27/Sep/23  Updated: 27/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-5002] midpoint provisioner starts with not working Created: 27/Sep/23  Updated: 27/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

  Michael Gettes
    20 hours ago
  in latest Grouper - I quickly tried to add a midpoint provisioner and I was led to believe the Starts With would create a functioning provisioner.  BUT… I hit submit after I fill in the basics noted by the documentation and I get:
  Error: you need to operate on groups, entities, or memberships
  What did I not understand from the demo during TechEx and from the documentation?






[GRP-4556] LDAP provisioner error: "inaccessible or unknown property grouperProvisioningGroup" on group delete with DN jexl displayName Created: 09/Jan/23  Updated: 27/Sep/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.6.18.1, 4.1.6, 4.6.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Caused by: org.apache.commons.jexl2.JexlException$Property: edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguageScript@11387![124,160]: 'edu.internet2.middleware.grouper.util.GrouperUtil.ldapBushyDn(edu.internet2.middleware.grouper.util.GrouperUtil.stripPrefix(grouperProvisioningGroup.displayName, 'app:active_directory:groups:'), 'CN', 'OU', true, false) + ',OU=Groups,DC=example,DC=edu';' inaccessible or unknown property grouperProvisioningGroup

 

Seeing this at two different institutions. This is a periodic problem, and sometimes doesn't show up the first run.



 Comments   
Comment by Chad Redman [ 22/Aug/23 ]

Still exists as of 4.1.6.

Comment by Chad Redman [ 26/Sep/23 ]

Tested again with 4.1.7; this is specifically a problem with deletes. I can reproduce this locally so I will debug some more

Comment by Chad Redman [ 27/Sep/23 ]

Found the issue, it's in GrouperProvisioningLogic.calculateProvisioningGroupsToDelete(). It's only setting grouperProvisioningGroup attributes for id, idIndex, and name. So if the DN is based on a jexl using displayName or something else, it is null and returns this error.

 

Comment by Chris Hyzer (upenn.edu) [ 27/Sep/23 ]

anything not in point in time needs to be in a cache bucket

Comment by Chris Hyzer (upenn.edu) [ 27/Sep/23 ]

make sure extension is in the PIT group represenation

Comment by Chris Hyzer (upenn.edu) [ 27/Sep/23 ]

test if DN is translated (e.g. truncating path) and cached from target, if this will delete





[GRP-5001] check quartz table for running quaartz processes, and if a job has a registered process that isnt listed, end it with error and description Created: 27/Sep/23  Updated: 27/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

make sure jobs running manually (e.g. outside of quartz) are not affected






[GRP-4998] should be able to add entity attribute if not provisioning entities Created: 26/Sep/23  Updated: 26/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

see rsst_role test case, can add group attribute, but not entity






[GRP-4997] in sql provisioner dont prompt for group table name if doing no crud on groups Created: 26/Sep/23  Updated: 26/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4993] Add a notes field for attestation Created: 25/Sep/23  Updated: 25/Sep/23

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

As requested by a customer. Have a notes field when attesting a group. Maybe clicking the button expands to show a text field? It may be enough just to have it in the audit log, and the would see the notes in the audit history.






[GRP-4992] Option to default membership filter to Direct or Indirect for certain groups Created: 25/Sep/23  Updated: 25/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

As requested by a customer. For certain groups, they need to always filter to see the direct memberships, which is an extra step every time.

 

May something like this?

grouperUi.membershipFilter.pattern.direct = ref:student:., app:.:security:.*






[GRP-4991] Hide the Create group/Create folder button if the current user can't create any groups or folders Created: 25/Sep/23  Updated: 25/Sep/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

As requested by a customer. The button is confusing if the user isn't the manager of any groups or folders.






[GRP-4990] Allow to add membership notes when adding a membership Created: 25/Sep/23  Updated: 25/Sep/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 4.6.0
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Similar to adding a start/end date on a new membership, have fields for membership attributes that can be added. The configuration can be similar to the Group editor page where you can configure which attributes show up.






[GRP-4985] usdu starts but stays in starting state until next run 24 hours later Created: 20/Sep/23  Updated: 25/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-09-20-14-07-26-170.png    

 Description   

Nothing logged in the job.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Sep/23 ]

i think the daemon is dying...  Grouper needs to detect this and let the admins know that something is very wrong.  in your case is USDU running when other big jobs are running?





[GRP-4983] add show users button on membership screens Created: 20/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for performance purposes, do not show memberships by default.  (option for user stored in user preferences?) (global default?)






[GRP-4957] Incremental LDAP provisioner always runs the full sync even if no changelog entries Created: 14/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Note that the full sync result is error status due to DNE errors. Could that be related?



 Comments   
Comment by Chad Redman [ 15/Sep/23 ]

Some experimenting suggests that DNE errors count toward the membership threshold for converting to a full sync. The default is 10000, which means it would be a lot of DNEs before this gets to be an issue. However, in a non-production environment with inconsistent data refreshes, this could be realistic. But the DNE's will never be fixed, so the threshold will be always there, meaning the full sync will run every minute.

Maybe there needs to be an advanced option for only actual changelog generated data to count toward the threshold, and not DNE errors from a full sync?

Comment by Chris Hyzer (upenn.edu) [ 20/Sep/23 ]

there is a new feature to just not provision (no error) if an attribute is null.  would that solve this?

Comment by Chad Redman [ 20/Sep/23 ]

It's the entity resolution triggering the DNE. It would only be null as the result of the DNE, and already counted





[GRP-4952] provision a user with a MAT error, then unprovision them. The framework keeps complaining Created: 13/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

if a record has an error, but is not provisionable and not in target, then ignore it






[GRP-4962] SQL provisioner membership requires the group column to be a standard core field Created: 14/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The group-related column when provisioning to a membership table needs to be one of the core (id, name, displayName, ...) fields. If it's a translation script, there is an error "Error: Cant find membership column to use for matching when it involves groups". The source code looks through all the provisioned columns, and only accepts if it can find one with a GrouperProvisioningGroup value.

Note it's not about uniqueness, since it allows the value to be displayExtension, which is far from guaranteed unique.

It's an easy workaround just to add another column that can store a core value (ideally the name, id, or idIndex). But it's not documented that it's required, and the error message is oddly written.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Sep/23 ]

i think this shouldnt be a core field, it should be a group attribute right?

 





[GRP-4969] if adding value to a metadata attribute, it should show that attribute (in addition) to the underlying attribute Created: 15/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 15/Sep/23 ]

Comment by Chris Hyzer (upenn.edu) [ 20/Sep/23 ]

this shows "rule", but that is the underlying attribute.  The attribute (is an attribute metadata on an attribute assignment), is really ruleThenEnum or whatever.  the rule, and the ruleThenEnum should show on screen with sensible labels





[GRP-4980] put default commented out gsh script when adding new template or daemon or changelog consumer Created: 20/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4979] when saving abac script validate that groups exist, and make them cacheable if not Created: 20/Sep/23  Updated: 20/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4978] stem view privilege type issue? Created: 19/Sep/23  Updated: 19/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

groupRowsInserted: 0, groupInsertTookMs: 19, exception: java.lang.RuntimeException: Unexpected privilege type: attributeDef
at edu.internet2.middleware.grouper.stem.StemViewPrivilegeEsbListener.loadStemIds(StemViewPrivilegeEsbListener.java:804)
at edu.internet2.middleware.grouper.stem.StemViewPrivilegeEsbListener.incrementalLogic(StemViewPrivilegeEsbListener.java:126)
at edu.internet2.middleware.grouper.stem.StemViewPrivilegeEsbListener.dispatchEventList(StemViewPrivilegeEsbListener.java:71)
at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)






[GRP-4976] table sync should normalize data to BigDecimal for example (from long) Created: 18/Sep/23  Updated: 18/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. in the crashplan example






[GRP-4961] Old reports should be deleted after a period of time Created: 14/Sep/23  Updated: 14/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Is this a current feature? If you set reporting, it saves a row in the database and a blob for it. Is this going to just increase forever? There should be an option for how many reports to keep, or to expire them after a certain period of time.






[GRP-4960] Need documentation on managing failsafes Created: 14/Sep/23  Updated: 14/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.5.5
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently can't find any documentation on managing provisioner failsafes in the UI.






[GRP-4956] allow gsh template ws to specify result body json Created: 14/Sep/23  Updated: 14/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

right now it is json embedded in json






[GRP-4954] go to group, membership attribute assignments, then click on Group Privileges tab, nothing happens Created: 14/Sep/23  Updated: 14/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4953] membership actions menu needs to be alphabetical Created: 13/Sep/23  Updated: 13/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4951] oidc session timeout issues Created: 13/Sep/23  Updated: 13/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 13/Sep/23 ]

2023-08-01T10:04:15,297: [ajp-nio-0.0.0.0-8009-exec-7] ERROR GrouperUiFilter.initRequest(1189) - [] - error in init
java.lang.RuntimeException: requestUrl https://grouper.it.umich.edu/grouper/grouperExternal/public/UiV2Public.index is not valid.
at edu.internet2.middleware.grouper.ui.GrouperUiFilter.remoteUser(GrouperUiFilter.java:754) ~[grouper-ui-4.5.0.jar:4.5.0]
at edu.internet2.middleware.grouper.ui.GrouperUiFilter.initRequest(GrouperUiFilter.java:1122) [grouper-ui-4.5.0.jar:4.5.0]
at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1264) [grouper-ui-4.5.0.jar:4.5.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181) [catalina.jar:8.5.90]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) [catalina.jar:8.5.90]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) [catalina.jar:8.5.90]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [catalina.jar:8.5.90]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483) [catalina.jar:8.5.90]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) [catalina.jar:8.5.90]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [catalina.jar:8.5.90]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:8.5.90]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.90]
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:533) [tomcat-coyote.jar:8.5.90]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-coyote.jar:8.5.90]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932) [tomcat-coyote.jar:8.5.90]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695) [tomcat-coyote.jar:8.5.90]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-coyote.jar:8.5.90]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:8.5.90]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:8.5.90]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.90]
at java.lang.Thread.run(Thread.java:833) [?:?]

Comment by Chris Hyzer (upenn.edu) [ 13/Sep/23 ]

Liam Hoekenga [1:42 PM]
I think so? Gail complains that when her session times out, and grouper redirects her to whereever, it doesn’t start a new session. she has to go back to the UI’s root url
Chris Hyzer [1:56 PM]
we will fix this before stable i think. can you confirm what your session timeout settings are? maybe an ENV var in the container for it?
Liam Hoekenga [1:58 PM]
I see this?
GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
Liam Hoekenga [1:58 PM]
that seems like 10 hours





[GRP-4941] the full scim provisioner should replace every time Created: 08/Sep/23  Updated: 13/Sep/23

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 10/Sep/23 ]

when i run full scim provisioner, it does not count the number of replaces, is it replacing the membership for every group?

Comment by Chris Hyzer (upenn.edu) [ 10/Sep/23 ]

i think that one works right it just needs to indicate the count in the debug logs where it says how many replaces? maybe the udpate col in the loader logs too?

Comment by Chris Hyzer (upenn.edu) [ 13/Sep/23 ]

When full runs it should replace all memberships of all groups, there should be an option in group advanced to not do this (current behavior), lets discuss





[GRP-4949] GrouperLoader: Cleanup based on Loader Metadata Created: 12/Sep/23  Updated: 12/Sep/23

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have begun creating auxiliary/sidecar groups based on memberships of other groups, sometimes reference groups. For example, we have Admin (aka PSA) accounts issued to some people in addition to their personal account, and we sometimes want to group those Admin accounts. Another example is where we want the Supervisors of people in a Group (eg, Supervisors of people who have not completed mandatory training so we can notify those supervisors).

Again, these use cases and others have led us to selectively create these derivative groups, and the best location we've determined for them is adjacent to the source group.

The (only?) downside of this approach is that the we end up have multiple loader jobs creating groups in a given folder... ref:affiliations may be 99% managed by our affiliation-loading job, but a handful of groups are added and managed by these sidecar capabilities. This means that the affiliation-loading job can not 'own' ref:affiliations to clean up old groups when a department goes away or whatever.

This Jira is requesting that sql-group-list loader jobs (or other multiple-group-managing loader jobs) support removing groups they previously loaded (probably based on loader metadata) when they're no longer listed in the upstream system. We think this should be the default behavior, but understand that that might be dangerous at this point.






[GRP-4920] web service user who can see an attribute gets an error when reading membership assignments Created: 30/Aug/23  Updated: 12/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Error with grouper client, check the logs: Bad response from web service: resultCode: INVALID_QUERY, Error on attributeDef index: 0, ATTRIBUTE_DEF_NOT_FOUND, name: test:isc:astt:chris:dateMembershipDef, Found 0 results.
Aug 29, 2023 9:30:14 PM edu.internet2.middleware.grouperClient.GrouperClient main
SEVERE: Bad response from web service: resultCode: INVALID_QUERY, Error on attributeDef index: 0, ATTRIBUTE_DEF_NOT_FOUND, name: test:isc:astt:chris:dateMembershipDef, Found 0 results. 

 

[mchyzer@flash pennGroupsClient-2.6.0]$ java -jar grouperClient-2.6.19.jar --operation=getAttributeAssignmentsWs --attributeAssignType=any_mem --attributeDefNames=test:isc:astt:chris:dateMembershipDef --ownerMembershipAny0GroupName=test:isc:astt:chris:dateMembership:testMfa --ownerMembershipAny0SubjectId=10021368 --ownerMembershipAny0SubjectSource=pennperson --debug=true 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 12/Sep/23 ]

Graham Ballantyne August 29th slack discussion





[GRP-4945] attribute assignments with lengthy values should use the ellipses and abbreviated values, click and see textarea Created: 11/Sep/23  Updated: 11/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 11/Sep/23 ]





[GRP-4944] provisionable groups button on UI on provisioning screen take a long time Created: 10/Sep/23  Updated: 10/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4922] make provisioning creation lag configurable per provisioner (with defaults for various provisioners) Created: 30/Aug/23  Updated: 10/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4940] add shortcut for attribute framework provisioning integration Created: 08/Sep/23  Updated: 10/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Just enter the name of the attributes and grouper should figure it out



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 10/Sep/23 ]

for external group attributes, in addition to SQL option, can be "Attribute framework". Ask user for comma separated attribute names (fully qualified). And validate that those are existing attribute names (note, not attribute defs).

for each one, see what the structure is with query.
provisioning attribute name is: groupAttributeFramework__a:b:myAttributeName

for ones that are assignable to group with no value, do one SQL to get those like the existing query, assign value to true if exists

for ones that have a name/value on group, do one SQL and assign values

for ones that have assignable to group assignments, do one SQL and assign values





[GRP-4943] add more data conversion strategies Created: 10/Sep/23  Updated: 10/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This error was converting a String to a boolean

  public <T> T getFieldValue(Class<T> clazz, Object value){
 
    if (value ==  null){
      return null;
    }
 
    if (clazz.isAssignableFrom(value.getClass())){
      return (T)value;
    }
 
    try{
      if (value instanceof Number) {
        if (clazz == int.class || clazz == Integer.class){
          value = ((Number)value).intValue();
        } else if (clazz == double.class || clazz == Double.class){
          value = ((Number)value).doubleValue();
        } else if (clazz == long.class || clazz == Long.class){
          value = ((Number)value).longValue();
        } else if (clazz == String.class){
          value = ((Number)value).toString();
        } else {
          throw new RuntimeException("Not expecting value: " + value.getClass());
        }
      } else {
        throw new RuntimeException("Not expecting value: " + value.getClass());
      }
      return (T)value;
    } catch (Exception e){
      throw new RuntimeException(e);
    }
  }
 
 

Caused by: java.lang.RuntimeException: Not expecting value: class java.lang.String
at edu.internet2.middleware.grouperClient.jdbc.GcBoundDataConversionImpl.getFieldValue(GcBoundDataConversionImpl.java:160) ~[grouperClient-4.5.2.jar:4.5.2]
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.addObjectToList(GcDbAccess.java:2527) ~[grouperClient-4.5.2.jar:4.5.2]
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.access$100(GcDbAccess.java:58) ~[grouperClient-4.5.2.jar:4.5.2]
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess$2.callback(GcDbAccess.java:1779) ~[grouperClient-4.5.2.jar:4.5.2]
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess$2.callback(GcDbAccess.java:1759) ~[grouperClient-4.5.2.jar:4.5.2]
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2358) ~[grouperClient-4.5.2.jar:4.5.2]







[GRP-4942] Data provider change log queries Created: 09/Sep/23  Updated: 09/Sep/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4938] Interesting bug, not sure if it's an issue past 2.x version, but [in Grouper External Systems for external system type of LDAP] selecting TLS (as default) doesn't work, TLS set to "True" must be selected. In case this is helpful for anyone else out there. Created: 07/Sep/23  Updated: 07/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

if not fixed already this should default to false






[GRP-4936] add gsh built in validation for list of netids Created: 04/Sep/23  Updated: 04/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4935] add some GSH template built in validations with colons (for group names) Created: 04/Sep/23  Updated: 04/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4934] add placeholder provisioner which doesnt do anything but allows provisionable assignments and metadata (splunk example) Created: 03/Sep/23  Updated: 03/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4931] take duplicates out of scim user group select Created: 01/Sep/23  Updated: 01/Sep/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4926] upgrade jline Created: 31/Aug/23  Updated: 31/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Emilio Recio
  7 hours ago
GSH in Grouper 4.4.0: How do I make it do name completion for the Grouper API? For example "Group<TAB>" works in 2.x but not in 4.x

 

3 replies

Emilio Recio
  7 hours ago
It's already loading the regular groovysh.profile and not the lightweight one.

Emilio Recio
  5 hours ago
Found it! Problem with version of Groovy installed and Java 17. Imported libraries don't get added to AutoComplete.
 https://github.com/jline/jline3/issues/674 It has since been fixed in jLine3 which Groovy uses (2021) but we're running an older version. 
@mchyzer
 can we get a bump in Groovy? Perhaps just replace the jline jar?
It's a handy feature that allows me to scratchpad code quickly without looking at the API docs all the time.
#674 Groovy REPL: enum tab completion fails for imported class
JVM:
\>java -version
openjdk version "13" 2019-09-17
OpenJDK Runtime Environment (build 13+33)
OpenJDK 64-Bit Server VM (build 13+33, mixed mode, sharing)
Enum tab completion works when entering a complete class name i.e.
groovy-repl> org.jline.reader.LineReader.Option.tab
Show more
Milestone
3.21.0
<https://github.com/jline/jline3|jline/jline3>jline/jline3 | May 23rd, 2021 | Added by GitHub






[GRP-4925] see if change log temp can update hib3 loader log so ui shows progress Created: 30/Aug/23  Updated: 30/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4923] change changeLog.changeLogConsumerBatchSize to 10k or something higher in v5 Created: 30/Aug/23  Updated: 30/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 30/Aug/23 ]

run tests and see whats best





[GRP-4918] if the provisioner supports it, add "Provision now" buttons to groups, entities, and memberships Created: 29/Aug/23  Updated: 29/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4914] assign password on configuration screen Created: 28/Aug/23  Updated: 28/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford
1 hour ago
Question for the Grouper developers out there;
I’ve noticed that when I’m trying to save the current config sourced from files into the configuration screen, so that the configuration is now saved in the DB. It excludes the password entries. I have to explicitly set the password before it’s saved, but all the other values allow me to just open up the config and hit save.
Is this intentional to prevent the UI from being able to leak the password, or was it an oversight, since Grouper for sure knows what the password is when loading data.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 28/Aug/23 ]

if asterisks are submitted (or blank?), dont change password. if a password is in there, set it





[GRP-4913] Refactor data provider syncing Created: 28/Aug/23  Updated: 28/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 5.3.4

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4903] NullPointerException: ChangeLogTempToEntity.processGroupSetAdd Created: 25/Aug/23  Updated: 28/Aug/23

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.6.19.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-08-24-22-54-56-359.png    

 Description   

Job: CHANGE_LOG_changeLogTempToChangeLog

Our ChangeLogTemp processing got stuck, throwing NullPointerExceptions. We ended up deleting a CLET row to get things moving again (see image). Of course, we're interested in what the invalid row was, how it came to exist, as well having the job auto-recover instead of throwing NPEs.

 

| grouper-ui;provisioning.log;2023-08-24T21:31:10,117: v2 [DefaultQuartzScheduler_Worker-10] ERROR e.int.middleware.grouper.app.loader.GrouperLoaderJob - [] - Error running up job |
| java.lang.NullPointerException: Problem in HibernateSession: HibernateSession (1862419b): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (2974a73), |
| jobName: CHANGE_LOG_changeLogTempToChangeLog |
| at edu.internet2.middleware.grouper.changeLog.ChangeLogTempToEntity.processGroupSetAdd(ChangeLogTempToEntity.java:2006) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.changeLog.ChangeLogTempToEntity.access$3800(ChangeLogTempToEntity.java:68) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.changeLog.ChangeLogTempToEntity$1.callback(ChangeLogTempToEntity.java:262) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:722) ~[grouper-2.6.19.jar:2.6.19] |
| at edu.internet2.middleware.grouper.changeLog.ChangeLogTempToEntity.convertRecordsOnePage(ChangeLogTempToEntity.java:121) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.changeLog.ChangeLogTempToEntity.convertRecords(ChangeLogTempToEntity.java:93) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:637) ~[grouper-2.6.19.jar:2.6.19] |
| at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541) ~[classes/:2.6.19] |
| at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345) [classes/:2.6.19] |
| at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
| at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

 

The row we deleted, viewed via a copy of grouper_changelog_v put stop CLET:

id                                change_log_type_id                context_id                              created_on  string01                          string02  string03                          string04  string05                          string06  string07  string08                          string09                          string10                          string11  string12
--------------------------------  --------------------------------  --------------------------------  ----------------  --------------------------------  --------  --------------------------------  --------  --------------------------------  --------  --------  --------------------------------  --------------------------------  --------------------------------  --------  --------
7de3fcdaa2b54d91b4a6b56e4aa92b05  729b73f3709d4a89a8b99fc2d774482d  8f33dd3941684e8a8cb234da6728958b  1692111391001000  5713a37b952a4a7883ee36ff21906733  <null>    ff4561a350934b118484c985d638d12a  <null>    24f23dcbc8cc4f9e86bf4b7c85e4001f  <null>    <null>    6f6d67c9bb7f4b528687bfdc1d51cf39  5b636a5a3f8b433fa40e6a4118a4f5f8  23922778dd484ec0a0f04d0a95cd49a9  2         <null>  



 Comments   
Comment by Chad Redman [ 25/Aug/23 ]

2005 pitRoleSet.setEndTimeDb(time);
2006 pitRoleSet.setActiveDb("F");
2007 pitRoleSet.setContextId(contextId); 

Line 2006 in 2.6.19 is not a line that would trigger an NPE. ???

Comment by Chris Hyzer (upenn.edu) [ 28/Aug/23 ]

do you have a patch (class file in classes dir) or something? are you sure its 2.6.19?





[GRP-4905] fix provider query defaults on ui Created: 25/Aug/23  Updated: 25/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

"Provider query subject id type" has comment under dropdown "Which type of subject id. Default value is 'false'." huh?
"Provider query subject source id" has comment under dropdown "which subject source this is a subject id for. Default value is 'false'." Huh?






[GRP-4902] (vt) shouldnt need an entity translation if doing WS provisioning Created: 24/Aug/23  Updated: 24/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4899] add externalId to groups in scim provisioning Created: 24/Aug/23  Updated: 24/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4892] add jexl tester example for removing accented chars Created: 24/Aug/23  Updated: 24/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 24/Aug/23 ]

${edu.internet2.middleware.grouper.util.GrouperUtil.normalize("NFKD", edu.internet2.middleware.grouper.util.GrouperUtil.defaultString(gcGrouperSyncMember.getEntityAttributeValueCache1(), grouperProvisioningEntity.subjectIdentifier0)).replaceAll("\\p{M}", "")}
 





[GRP-4889] Metadata not available for jexl in LDAP provisioner diagnostics Created: 24/Aug/23  Updated: 24/Aug/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 4.5.2
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If provisioner metadata is in a grouperProvisioningGroup jexl (e.g.

${grouperUtil.defaultIfBlank(grouperProvisioningGroup.retrieveAttributeValueString('md_gidNumber') , "" )}

, this works in the daemon jobs, but not in the diagnostics. The value of the field is blank, unless a real provisioning job sets it in the cache.

Diagnostics with empty provisioner state
 
 key = "grouperProvisioningGroup"
 value = {ProvisioningGroup@16662} "Group(attr[description]: <null>, attr[displayName]: "test:testGroup", attr[id]: "7ca5c4bb461742bab8cdaa8409a3efb1", attr[idIndex]: 1000038, attr[name]: "test:testGroup", recalcObject: false, recalcMships: false)"
  attributes = {TreeMap@16669}  size = 5
   "description" -> {ProvisioningAttribute@16678} "<null>"
   "displayName" -> {ProvisioningAttribute@16679} ""test:testGroup""
   "id" -> {ProvisioningAttribute@16680} ""7ca5c4bb461742bab8cdaa8409a3efb1""
   "idIndex" -> {ProvisioningAttribute@16681} "1000038"
   "name" -> {ProvisioningAttribute@16682} ""test:testGroup""
 
 
Full sync
 
 
 key = "grouperProvisioningGroup"
 value = {ProvisioningGroup@16724} "Group(attr[description]: <null>, attr[displayName]: "test:testGroup", attr[id]: "7ca5c4bb461742bab8cdaa8409a3efb1", attr[idIndex]: 1000038, attr[md_gidNumber]: "380047", attr[name]: "test:testGroup", recalcObject: false, recalcMships: false)"
  attributes = {TreeMap@16752}  size = 6
   "description" -> {ProvisioningAttribute@16762} "<null>"
   "displayName" -> {ProvisioningAttribute@16763} ""test:testGroup""
   "id" -> {ProvisioningAttribute@16764} ""7ca5c4bb461742bab8cdaa8409a3efb1""
   "idIndex" -> {ProvisioningAttribute@16765} "1000038"
   "md_gidNumber" -> {ProvisioningAttribute@16766} ""380047""
   "name" -> {ProvisioningAttribute@16767} ""test:testGroup""
 
 
Diagnostics after a full sync
 
key = "grouperProvisioningGroup"
value = {ProvisioningGroup@16814} "Group(attr[description]: <null>, attr[displayName]: "test:testGroup", attr[id]: "7ca5c4bb461742bab8cdaa8409a3efb1", attr[idIndex]: 1000038, attr[md_gidNumber]: "380047", attr[name]: "test:testGroup", recalcObject: false, recalcMships: false)"
 attributes = {TreeMap@16822}  size = 6
  "description" -> {ProvisioningAttribute@16832} "<null>"
  "displayName" -> {ProvisioningAttribute@16833} ""test:testGroup""
  "id" -> {ProvisioningAttribute@16834} ""7ca5c4bb461742bab8cdaa8409a3efb1""
  "idIndex" -> {ProvisioningAttribute@16835} "1000038"
  "md_gidNumber" -> {ProvisioningAttribute@16836} ""380047""
  "name" -> {ProvisioningAttribute@16837} ""test:testGroup""






[GRP-4885] copying folders should have a progress screen Created: 21/Aug/23  Updated: 21/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4876] add option for case insensitive subject source id/identifier searches Created: 08/Aug/23  Updated: 16/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Richard Frovarp
5 minutes ago
Is there a way to make a subject lookup in the UI case insensitive. People generate a list of users to add to a group, and they frequently have upper case letters in them. Everything in our subject source db is in lower case and the values are case sensitive. So what we would just need to do to work on our side is force each one to lower case.
2 replies

Chris Hyzer
1 minute ago
im not thinking of a way... people need to use lower case for now. we could make an option for that.

Richard Frovarp
< 1 minute ago
It would be handy. Not sure where they are getting these lists. The username is something like richard.frovarp, so we of course see Richard.Frovarp in some of these lists. It's less of an issue for one off searches, but in lists it is a pain when they somehow have got a list with uppers in it.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 16/Aug/23 ]

option in subject source to lower or upper the subject id and/or identifier





[GRP-4883] provisioning error screen in ui not showing mat errors Created: 16/Aug/23  Updated: 16/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

on 4.5.2 I have an AD provisioner which hit a MAT error in the daemon log (see below) but the error does NOT surface in view errors for the SLAC_ADtestGroups provisioner in the UI.
provisionerClass: LdapSync, configId: SLAC_ADtestGroups, provisioningType: fullProvisionFull, state: sendChangesToTarget, retrieveSyncGroupsMillis: 2, syncGroupCount: 50, retrieveSyncEntitiesMillis: 151, syncEntityCount: 13812, retrieveSyncMshipsMillis: 106, syncMshipCount: 12165, propagateProvisioningAttributes_millis: 809, targetRetrieveAllGroups: 1, retrieveGrouperGroupsMillis: 15, grouperGroupCount: 50, retrieveGrouperEntitiesMillis: 307, grouperEntityCount: 30399, targetGroupsRetrieved: 2289, originalTargetGroupsRetrieved: 2289, originalTargetTotalCount: 51896, targetMembershipsRetrieved: 22608, originalTargetMembershipsRetrieved: 22608, targetRetrieveAllEntities: 1, targetEntitiesRetrieved: 26999, originalTargetEntitiesRetrieved: 26999, retrieveGrouperMshipsMillis: 3180, grouperMshipCount: 9618, provisioningEntitiesToDelete: 2829, provisioningMshipsToDelete: 74, retrieveDataPass1_millis: 3669, grouperGroupsRetrieved: 50, grouperEntitiesRetrieved: 30399, grouperMembershipsRetrieved: 9618, retrieveTargetGroupsAndEntitiesMillis: 0, provisioningGroupWrappersWithMatch: 50, provisioningGroupWrappersWithNoMatch: 2239, provisioningEntityWrappersWithMatch: 35015, provisioningEntityWrappersWithNoMatch: 45986, missingEntitiesForRetrieve: 1, missingEntitiesForRetrieveFound: 2, loadDataToGrouper_millis: 0, groupsCannotFindSyncGroup: 2239, linkGcSyncEntitiesUpdated: 1, entitiesCannotFindSyncMember: 15329, targetEntitiesForLinkNull: 2140, retrieveTargetMembershipsMillis: 2, provisioningMembershipWrappersWithNoMatch: 9692, objectErrors: entity error MAT count 1, membership error MAT count 1, syncObjectStoreCount: 5, finalLog: true, queryCount: 18, tookMillis: 6168, took: 00:00:06.168






[GRP-4879] Full/Incremental overlap protection does not timeout Created: 12/Aug/23  Updated: 15/Aug/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.6.19.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Bert Bee-Lindgren (gatech.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Our ChangelogTemp processing was 24+ hours behind and to try to isolate the problem, we disabled "optional" jobs – loaders and provisioners – until things seem stabilized.

We then got our loaders running.

We then tried to get full-syncs running, but they seemed to not do anything theoretically because the Quartz and LoaderLogs tables still indicated that ancient copies of the jobs were running (when the daemons running them had long exited).

After several efforts, we had to manually clean qz_fired_triggers and loader_logs which seemed to get the Full daemon jobs proceeding.

 

This leads to the following suggestions:

  1. Better detection of orphaned jobs qz_fired_triggers, perhaps noticing that a running-job's instance_name is no longer in qz_scheduler_state
  2. A UI button in the Daemon-job panel that allows admins to mark a job as definitely not running
  3. Periodic logs (in log4j as well as in loader_logs, etc) when a Full is waiting for an Incremental to finish


 Comments   
Comment by Chad Redman [ 15/Aug/23 ]

A complicating issue was that a docker container wasn't running, but the java process from the container was somehow running, and functional enough to phone home to quartz that they were available, but didn't actually start the jobs assigned to it. The issue did serve to illustrate how badly things go when full syncs and incremental syncs don't coordinate and nothing progresses.





[GRP-4882] TIER instrumentation daemon shows success even if fails due to firewall Created: 15/Aug/23  Updated: 15/Aug/23

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 4.1.6
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Instrumentation is firewalled, it times out after 40 minutes, but still reports as a success in the daemon log.

Status Success
Loaded group N/A
Job type overall
Start time 2023-08-14 21:00:00.037
End time 2023-08-14 21:40:36.828
Millis 2436791
Millis get data
Millis load data
Total count 0
Add count 0
Update count 0
Delete count 0
Unresolvable count 0
Log ID 2c9180828946e8f30189f6ebdd2552a8
Last updated 2023-08-14 21:40:36.828
Host d109190f57f4
Job message Finished running TIER instr... more
Parent job ID

Took

Finished running TIER instrumentation daemon but received an error while sending data to TIER: java.lang.RuntimeException: Failed to send data to endpoint http://collector.testbed.tier.internet2.edu:5001.  Code=-1, body=
	at edu.internet2.middleware.grouper.instrumentation.TierInstrumentationDaemon.sendToTier(TierInstrumentationDaemon.java:209)
	at edu.internet2.middleware.grouper.instrumentation.TierInstrumentationDaemon.run(TierInstrumentationDaemon.java:168)
	at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
	at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392)
	at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376)
	at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)






[GRP-4874] stem view privilege incremental should catch up after full sync finishes Created: 07/Aug/23  Updated: 07/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.19.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Seen with Grouper 2.6.19. There was a large amount of changelog entries to process, and the stem view privileges were out of date. However, the full sync had run at some point, and the incremental sequence pointer should have been updated.






[GRP-4873] advice for google external system security when not managing users Created: 07/Aug/23  Updated: 07/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Marwan Shaher
3 days ago
In our setup, Grouper doesn’t create the entities/users in Google. That is handled by another system. Grouper will just manage groups and memberships . Assigning the following scopes to the service account worked for our purposes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.user.readonly






[GRP-4872] change google external system to better describe credentials Created: 07/Aug/23  Updated: 07/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-08-07-13-23-32-687.png    

 Description   






[GRP-4871] test deprovisioning and make sure it works Created: 07/Aug/23  Updated: 07/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Alpha Sanneh
11:58 AM
greetings from Germany, qq about the deprovisioning feature. I would like to to put an entity into a group and have an affiliation tied to that group so anyone added to that group can be deprovisioned automatically from all groups except a few groups. Is that use case easy to setup?
Right now I'm only manually able to deprovision because the deamon is not doing it. I set this deprovisioning.defaultNumberOfDaysInDeprovisioningGroup to zero

Chris Hyzer
1:18 PM
yeah it should be possible, im not sure what the blocker is that we need to work on. Should I do a simple test about it?






[GRP-4850] jexl loader add methods entity attribute value like or regex Created: 19/Jul/23  Updated: 04/Aug/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  • The jexl loaders work ok for queries involving single attribute values. But to be a suitable replacement for existing loader jobs against internal Grouper groups, it should support like strings and regular expressions. The regular expressions would be database-specific, but there are only a few different flavors.

 
This is not for group memberships, it is for attribute values






[GRP-4869] fix help text of jexl loader Created: 02/Aug/23  Updated: 02/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4868] add provisioning tests to remove member without making the member unprovisionable. i.e. not managing members (e.g. google but others too) Created: 02/Aug/23  Updated: 02/Aug/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4865] allow grouper loader to specify active dates on groups / memberships Created: 01/Aug/23  Updated: 01/Aug/23

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful if the grouper loader could specify the dates in which a group or membership are active.

 

e.g. Our source data includes information on when courses are in session.  It would be helpful if a loader was configured to automatically create course groups, if that loader could also specify the enabled / disabled dates for the group based on what's in the source data.

similarly, it would be useful if the loader could specify at the membership level when an individual subject's membership in the group started / ended.  We have use case where we want new hires to be in a "new hire" group for a year after their start date.  It would be excellent if we could base end of that membership based on a date from HR rather than a date relative to when Grouper first noticed the user (in a certain group).

 






[GRP-4863] add friendly description for parts of abac script Created: 31/Jul/23  Updated: 31/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4861] LDAP loaders need a way to filter non-person source members Created: 31/Jul/23  Updated: 31/Jul/23

Status: Open
Project: Grouper
Component/s: API, daemon
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

dn: cn=testGroup,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
objectClass: top
cn: testGroup
member: employeeId=940002073,ou=people,dc=example,dc=edu
member: employeeId=940002080,ou=people,dc=example,dc=edu
member: employeeId=940002084,ou=people,dc=example,dc=edu
member: cn=otherGroup,ou=groups,dc=example,dc=edu

When used with loaderLdapElUtils.convertDnToSpecificValue(subjectId), the loader will parse every row indiscriminately, including the row which is not a person. At minimum there will be unresolvable subjects, but at worst the non-person member will accidentally have the same id as a real person, and that person will incorrectly be loaded.

There should be some way to indicate to skip rows. The existing jexl converter property would be a good place for it.

Experiment 1:

${ subjectId.startsWith('employeeId=') ? loaderLdapElUtils.convertDnToSpecificValue(subjectId) : null}

This calculates a subjectId of "null" in 2.6.19, and since there is no subject with this id, it is an unresolvable subject. Other rows do load. There is a warning in the daemon log for the bad row, but the job log is success, and nothing is in the job log about any bad rows.

Experiment 2:

${ subjectId.startsWith('employeeId=') ? loaderLdapElUtils.convertDnToSpecificValue(subjectId) : ""}

Runtime exception: "Result has a null subject_id, please correct the query (maybe just filter where subject_id is not null)". No rows loaded, and the job ends in error state.

Experiment 3:

LDAP_GROUPS_FROM_ATTRIBUTES, setting Attribute filter expression

Result: Doesn't work – the filter expression is for the group attribute, not the subjects.






[GRP-4857] start with in sql provisioner can add same column twice Created: 26/Jul/23  Updated: 26/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 26/Jul/23 ]

users too





[GRP-4856] provisioning subject attribute cache translation that returns nothing evaluates to "null" string sometimes and should be null Created: 25/Jul/23  Updated: 25/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

use an attribute that doesnt exist






[GRP-4839] Add config options to restrict membership export Created: 10/Jul/23  Updated: 19/Jul/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In order to prevent users from downloading a list of all employees, etc., have some way to restrict the export functionality.

Options?
1) Restrict by object type
2) Exclude based on an attribute (create a built-in one, rather than making everyone make one up)
3) Restrict by regular expression patterns:

uiV2.group.exportDisallowedPattern.0 = ^ref:affiliation:.*



 Comments   
Comment by Chad Redman [ 19/Jul/23 ]

Other ideas after discussion:

 

  • Don't export a list if a disallowed group is a member. Prevents a workaround of adding the disallowed group as a member and then exporting it
  • Have a limit on size of a group you can export




[GRP-4846] Loader job action to clear a job stuck in the Started state Created: 12/Jul/23  Updated: 12/Jul/23

Status: Open
Project: Grouper
Component/s: API, UI, WS
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If a job is started but something happens and it exits without updating the status, it is stuck in the starting state in the loader log, and won't start again until restart (or until it gets reset in 10 minutes?). It would be good to clear out the state so it can restart normally, without needing to restart the whole daemon, or doing sql manipulation to clear out the stuck job from the log.

Something available in the API and WS as well as the UI would be good for more options.






[GRP-4841] if you call groupSave over WS, it should only update attributes that are sent Created: 10/Jul/23  Updated: 10/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from Graham Ballantyne

e.g. it clears out the enabled/disabled dates






[GRP-4840] if you save a group over WS (and maybe API) and include the same idIndex, it will fail Created: 10/Jul/23  Updated: 10/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

java.lang.RuntimeException: idIndex already in use: 12345



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 10/Jul/23 ]

from Graham Ballantyne





[GRP-4835] consider jsoup cleaner for html in descriptions Created: 07/Jul/23  Updated: 07/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer






[GRP-4833] moving a group has the folder symbol Created: 06/Jul/23  Updated: 06/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-07-06-02-39-17-605.png    

 Description   






[GRP-4823] cannot assign entity identifier to local entity in ui Created: 04/Jul/23  Updated: 06/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4824] local entity identifier should go in subjectIdentifier1 Created: 04/Jul/23  Updated: 06/Jul/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4801] show membership history in v5 throws stack Created: 25/Jun/23  Updated: 25/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Error: org.hibernate.exception.SQLGrammarException: could not extract ResultSet, Problem in HibernateSession: HibernateSession (5879b01b): new, readonly, READONLY_NEW, notActiveTransaction, session (36e2989f), Exception in list: (class [Ljava.lang.Object;), ByHqlStatic, query: 'select distinct pitms, pitg, pitm, m from Member m, PITMembershipView pitms, Group g, Field f, PITMember pitm, PITGroup pitg, PITField pitf where pitms.ownerGroupId = pitg.id and pitms.fieldId = pitf.id and pitms.memberId = pitm.id and pitg.sourceId = g.uuid and pitf.sourceId = f.uuid and pitm.sourceId = m.uuid and f.typeString = 'list' and g.uuid in (:VTL1Z7L70) and m.uuid in (:VTL1Z7L80, :VTL1Z7L81) and (pitms.membershipEndTimeDb is null or pitms.membershipEndTimeDb > pitms.groupSetStartTimeDb) and (pitms.groupSetEndTimeDb is null or pitms.groupSetEndTimeDb > pitms.membershipStartTimeDb) ', cacheable: false, cacheRegion: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3PITMembershipViewDAO, tx type: null, tx type: nullBind var[0]: 'Param (class java.lang.String): 'VTL1Z7L70'->'56d1d9bb55f1485780a016808dace360', Bind var[1]: 'Param (class java.lang.String): 'VTL1Z7L80'->'8f15cdf7fba74b5b9cd3af351541eaac'Bind var[2]: 'Param (class java.lang.String): 'VTL1Z7L81'->'980b02b5ea2946b9a525e59cc15865a0', , Problem calling method filter on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group
 






[GRP-4798] error creating stem on fk_grouper_st_v_pr_st Created: 21/Jun/23  Updated: 21/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Exception in thread "main" java.lang.RuntimeException: sql: insert into grouper_stem_view_privilege (member_uuid, stem_uuid, object_type) values (?, ?, 'S'), args: ArrayList size: 2: [0]: 04960af703974feabce09f959e344106
[1]: 09ff118ec1734624b6c40b1a904c3521
,
Problem creating child stem: Stem[displayName=penn:seas:test:apps:aws:provisioning,name=penn:seas:test:apps:aws:provisioning,uuid=cb458dcfe5714c519bf2b2e395a157c6,creator=c602a577-6346-4937-802d-22a0aff529c1,modifier=c602a577-6346-4937-802d-22a0aff529c1], extn: test4, dExtn: test4, uuid: null, sql: insert into grouper_stem_view_privilege (member_uuid, stem_uuid, object_type) values (?, ?, 'S'), args: ArrayList size: 2: [0]: 04960af703974feabce09f959e344106
[1]: 09ff118ec1734624b6c40b1a904c3521
,
Problem in HibernateSession: HibernateSession (48971262): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (77136cf3),
Problem in HibernateSession: HibernateSession (76ac3ad0): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (77136cf3)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2361)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.executeSql(GcDbAccess.java:2390)
	at edu.internet2.middleware.grouper.stem.StemViewPrivilege.addStemPrivilegeIfNeeded(StemViewPrivilege.java:435)
	at edu.internet2.middleware.grouper.Stem.internal_grantPriv(Stem.java:1553)
	at edu.internet2.middleware.grouper.Stem.grantPriv(Stem.java:1467)
	at edu.internet2.middleware.grouper.rules.RuleThenEnum$11.fireRule(RuleThenEnum.java:887)
	at edu.internet2.middleware.grouper.rules.RuleThen.fireRule(RuleThen.java:241)
	at edu.internet2.middleware.grouper.rules.RuleEngine$2.callback(RuleEngine.java:471)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
	at edu.internet2.middleware.grouper.rules.RuleEngine.fireRule(RuleEngine.java:453)
	at edu.internet2.middleware.grouper.Stem$9.callback(Stem.java:2919)
	at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:722)
	at edu.internet2.middleware.grouper.Stem.internal_addChildStem(Stem.java:2866)
	at edu.internet2.middleware.grouper.Stem.addChildStem(Stem.java:619)
	at edu.internet2.middleware.grouper.StemSave$1$1.callback(StemSave.java:507)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
	at edu.internet2.middleware.grouper.StemSave$1.callback(StemSave.java:604)
	at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO$1.callback(Hib3TransactionDAO.java:66)
	at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:722)
	at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO.transactionCallback(Hib3TransactionDAO.java:56)
	at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:87)
	at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:106)
	at edu.internet2.middleware.grouper.StemSave.save(StemSave.java:375)
	at Test50gsh.main(Test50gsh.java:8)
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "grouper_stem_view_privilege" violates foreign key constraint "fk_grouper_st_v_pr_st"
  Detail: Key (stem_uuid)=(09ff118ec1734624b6c40b1a904c3521) is not present in table "grouper_stems".
	at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2676)
	at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2366)
	at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:356)
	at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:496)
	at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:413)
	at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:190)
	at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:152)
	at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeUpdate(NewProxyPreparedStatement.java:462)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2350)
	... 23 more
 
 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 21/Jun/23 ]

drop that foreign key for a temporary fix





[GRP-4796] configurable mood / theme music Created: 16/Jun/23  Updated: 16/Jun/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Jeffrey Williams (uncg.edu)

 Description   

Grouper should support theme or mood music while in UI.

It could be as simple as associating midi songs with certain activities, or as complicated as using AI to procedurally generate music appropriate for the population being managed.

Maybe it plays a little jingle when a massive group import is completed, like when my dishwasher finishes a load of dishes?

I feel that it could increase satisfaction in UAT.






[GRP-4763] delete a user from duo. then add them back and add membership with incremental. The cache should have new entity id and work Created: 22/May/23  Updated: 12/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/May/23 ]

2023-05-22 15:51:03.509: ERROR: Provisioner 'duoNf' (vr8z8ssc) Error with provisioner 'duoNf' - 'vr8z8ssc' with membership: Mship(group: "DuoNf_New_User_test", entity: "63301192", groupId: "DGKSMTOZ3N4JOCK7BSMP", entityId: "DUCF8CDJDD853L28C7T7", matchingAttrs: LinkedHashSet(1): [0]: [id, val: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], compareVal: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], currentValue: true], exception: java.lang.RuntimeException: Invalid return code '404', expecting: 200. 'https://xxx/admin/v1/users/DUCF8CDJDD853L28C7T7/groups' {"code": 40401, "message": "Resource not found", "stat": "FAIL"},
(vr8z8ssc): Mship(group: "DuoNf_New_User_test", entity: "63301192", groupId: "DGKSMTOZ3N4JOCK7BSMP", entityId: "DUCF8CDJDD853L28C7T7", matchingAttrs: LinkedHashSet(1): [0]: [id, val: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], compareVal: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], currentValue: true], provisioned: false, attr[id]: <null>, action: insert, recalcObject: false, create: true, millis1970: 1684770550730), provisioned: false, attr[id]: <null>, action: insert, recalcObject: false, create: true, errorCode: "ERR", millis1970: 1684770550730)
(vr8z8ssc): java.lang.RuntimeException: Invalid return code '404', expecting: 200. 'https://xxxxx/admin/v1/users/DUCF8CDJDD853L28C7T7/groups' {"code": 40401, "message": "Resource not found", "stat": "FAIL"},
(vr8z8ssc): Mship(group: "DuoNf_New_User_test", entity: "63301192", groupId: "DGKSMTOZ3N4JOCK7BSMP", entityId: "DUCF8CDJDD853L28C7T7", matchingAttrs: LinkedHashSet(1): [0]: [id, val: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], compareVal: MultiKey[DGKSMTOZ3N4JOCK7BSMP, DUCF8CDJDD853L28C7T7], currentValue: true], provisioned: false, attr[id]: <null>, action: insert, recalcObject: false, create: true, millis1970: 1684770550730)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.duo.GrouperDuoApiCommands.executeMethod(GrouperDuoApiCommands.java:368)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.duo.GrouperDuoApiCommands.associateUserToGroup(GrouperDuoApiCommands.java:956)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.duo.GrouperDuoTargetDao.insertMembership(GrouperDuoTargetDao.java:265)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.insertMembershipHelper(GrouperProvisionerTargetDaoAdapter.java:3969)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$32.callLogic(GrouperProvisionerTargetDaoAdapter.java:4087)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$32.callLogic(GrouperProvisionerTargetDaoAdapter.java:4082)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
(vr8z8ssc): 	at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
(vr8z8ssc): 	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
(vr8z8ssc): 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
(vr8z8ssc): 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
(vr8z8ssc): 	at java.base/java.lang.Thread.run(Thread.java:833)
(vr8z8ssc): 
 

Comment by Chris Hyzer (upenn.edu) [ 12/Jun/23 ]

"it doesn't seem to pick up the existing memberships, so it tries to add all of the users to the groups again even though they're already there, and also doesn't try to remove any users from groups."





[GRP-4773] provision a user to a WS (e.g. google) which is recently deleted from target, it uses old cached ID... Created: 06/Jun/23  Updated: 06/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4771] grouper google api call for all groups (or one group) doesnt return the group sometimes Created: 05/Jun/23  Updated: 05/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2023-06-05 15:16:11.639: vstev2pw, myGoogleProvisioner, fullProvisionFull: INFO: Command log for provisioner 'myGoogleProvisioner' - 'vstev2pw', retrieveAllData: HTTP method: get
HTTP URL: https://admin.googleapis.com/admin/directory/v1/groups?domain=viveksachdeva.com&maxResults=200&fields=nextPageToken,groups(id,email,name,description)
HTTP request header: Authorization: *******
HTTP request header: Content-Type: application/json
HTTP response code: 200, took ms: 252
HTTP response header: X-Frame-Options: SAMEORIGIN
HTTP response header: Server: ESF
HTTP response header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
HTTP response header: ETag: "U_pIbeRhS7q0AtcsS0sUNDKseYKzPB_gzT7_H_f2FEM/HMFwD2wLX237BRmKZQUJYB5ZE7U"
HTTP response header: X-Content-Type-Options: nosniff
HTTP response header: Vary: Referer
HTTP response header: Content-Length: 3
HTTP response header: X-XSS-Protection: 0
HTTP response header: Date: Mon, 05 Jun 2023 19:16:11 GMT
HTTP response header: Content-Type: application/json; charset=UTF-8
{}






[GRP-4770] provisioning diagnostics should work for google with first name as subject attribute going through cache Created: 05/Jun/23  Updated: 05/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4769] Document the non-sso health check page somewhere besides the v2.5 container doc page Created: 02/Jun/23  Updated: 02/Jun/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Searching for what the non-SSO version of the diagnostics URL was not successful given the current wiki pages and confluence keywords.

Step 1: Try search terms (result: only old or unrelated results)

  • grouper health check
  • grouper status endpoint
  • grouper healthcheck
  • grouper /status
  • grouper /grouper_status
  • grouper monitor (top result is "Grouper Book - Monitoring" from 2010)
  • grouper diagnostics (only mentions the sso-protected page, not the public one)

Step 2: Look at the Grouper training copy/paste wiki for it (result: it only mentions the sso-protected version)

Step 3: Dig up the Grouper training slides (result: a slide mentions it as https://localhost:8443/status_grouper/status?diagnosticType=all)

Step 4: Search confluence for "status_grouper"

Result:

  • only link is the container docs for v2.5 page
  • the text on that page does mention the (relative) url, and describes "The status path is good for monitoring (e.g. from nagios)"
  • yet this page doesn't come up when searching for combined keywords "grouper" "status" "monitoring"; the top link is "Grouper Book - Monitoring" from 2010. What is going on with Confluence keyword search??

Recommendations:

1) Create a separate page for Grouper health checks, OR add the public status page to Grouper diagnostics
2) Improve keywords; "diagnostics" is not something that comes to mind when thinking of health checks
3) Fix Confluence keyword indexing; I don't know, prioritize by date maybe?






[GRP-4584] caching by script does not work Created: 31/Jan/23  Updated: 25/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

John Gasper
6:04 PM
@mchyzer
I’m wondering if the new provisioner has a bug with group attribute caching, specifically with translation scripts. I’d think the following:
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache0has = true
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache0source = grouper
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache0translationScript = ${'test2'}
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache0type = translationScript
would fill GROUPER_SYNC_GROUP.GROUP_FROM_ID2 with ‘test2’ (after a successful run), but the columns are null.
However:
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache1groupAttribute = cn
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache1has = true
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache1source = grouper
provisioner.zooGroupOfUniqueNames_1.groupAttributeValueCache1type = groupAttribute
populates values.



 Comments   
Comment by John Gasper III [ 25/May/23 ]

Any idea of when this might be resolved? 





[GRP-4765] Daemon job history chart should show started jobs as an extended line Created: 23/May/23  Updated: 23/May/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the job history chart, a job in the started state shows a very narrow box. In reality, the job is potentially still running, so the line should extend to the present time, or until the next time the job ran.






[GRP-4761] add option in provisioning advanced to not validate the configuration Created: 20/May/23  Updated: 20/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

in case there is a temporary validation problem






[GRP-4760] add built in template to adjust path parts Created: 19/May/23  Updated: 19/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

${var nameParts = grouperUtil.splitTrimToList(grouperProvisioningGroup.getName(), ":");
nameParts.get(2) + '-' + nameParts.get(4); }

And see why multiline script doesnt work






[GRP-4758] when provisioning attribute, and removing only ones grouper created or deleted, check the cache to see if the value is in the cache and should be removed Created: 18/May/23  Updated: 18/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4757] validation error on entity customize crud with no options selected Created: 18/May/23  Updated: 18/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

turned off customize entity and still got the error






[GRP-4756] add drop downs to configuration editor Created: 17/May/23  Updated: 17/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4748] Grouper UI should show if running old release Created: 10/May/23  Updated: 10/May/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Perhaps there should be a banner at the top that is shown to grouper admins if the version is expired or unstable.  






[GRP-4747] add debug map to daemon logs for gsh change log consumer Created: 10/May/23  Updated: 10/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4745] Subject diagnostics Long label "not used in the new UI" inaccurate Created: 09/May/23  Updated: 10/May/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File subject_name_appearance_in_ui.png    

 Description   

The format for subject names for the Member Add drop down list differs from how it appears everywhere else. It's also configured with a different property.

1) Subject page heading, search results, and group member list: `screenSubjectIcon2.screenHtmlEl.0 screenLabel2.screenEl.0`

This corresponds to the diagnostics value for "Short link with icon"

2) Subject breadcrumbs: `screenLabel2.screenEl.0` (basically #1 without the icon)

This corresponds to the diagnostics value for "Short link with icon"

3) The drop down names during the Member Add autocomplete field: screenSubjectIcon2.screenHtmlEl.0 subjectImgLong.screenEl.0

This corresponds to the diagnostics value for "Long label with icon", even though right after it reads "This is not used in the new UI"

4) The Member Add autocomplete after choosing a value: subjectImgLong.screenEl.0 (basically #3 without the icon)

 

The descriptions for the diagnostics values under "SUBJECT IN UI" should be adjusted to be more accurate. Suggested:

 

  Short link with icon: ...
  * Appearance of the subject in most places – its own subject page heading, in search results, in group members, etc.
  * Configured in grouper.text.en.us.base.properties with guiSubjectShortLink
  * Also configured in grouper-ui.properties
    * icon is grouperUi.screenSubjectIcon2.screenHtmlEl.X, or grouperUi.screenSubjectIcon2.screenHtmlEl.default, or default `<i class="fa fa-user"></i>`
    * label is grouperUi.subjectImgLong.screenEl.X, or default of subject name
  * tooltip is subject description
Long label with icon: ...
  * This is used in the Member Add drop down
  * Configured in grouper.text.en.us.base.properties with guiSubjectLongLinkWithIcon
  * Also configured in grouper-ui.properties
    * icon is grouperUi.screenSubjectIcon2.screenHtmlEl.X, or grouperUi.screenSubjectIcon2.screenHtmlEl.default, or default `<i class="fa fa-user"></i>`
    * label is grouperUi.subjectImgLong.screenEl.X, or default of subject description

 






[GRP-4740] duo incremental runs a full sync for some reason Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 05/May/23 ]

I think this is because there were a ton of errors and they are retried... maybe ignored errors should not be retried?





[GRP-4741] validate that group and entity link is true for provisioners that need it Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4739] github should validate that organization is in external system Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

external system should have a type






[GRP-4738] github provisioning should not allow operating on groups Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4737] Generic warnings from the loader container Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Andrew Aschenbrener Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When we start v4.1.2 we see the following warnings. These all appear to be regarding the base image.
grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN CacheConfiguration.isEternalValueConflictingWithTTIOrTTL(841) - [] - Cache 'null' is set to eternal but also has TTI/TTL set. To avoid this warning, clean up the config removing conflicting values of eternal, TTI and TTL. Effective configuration for Cache 'null' will be eternal='true', timeToIdleSeconds='0', timeToLiveSeconds='0'.

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN EhcacheRegionFactory.<init>(60) - [] - HHH020100: The Ehcache second-level cache provider for Hibernate is deprecated. See https://hibernate.atlassian.net/browse/HHH-12441 for details.
grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN UUIDHexGenerator.<init>(42) - [] - HHH000409: Using org.hibernate.id.UUIDHexGenerator which does not generate IETF RFC 4122 compliant UUID values; consider using org.hibernate.id.UUIDGenerator instead

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN EhcacheRegionFactory.defaultRegionName(127) - [] - HHH90001007: Using legacy cache name [org.hibernate.cache.spi.UpdateTimestampsCache] because configuration could not be found for cache [default-update-timestamps-region]. Update your configuration to rename cache [org.hibernate.cache.spi.UpdateTimestampsCache] to [default-update-timestamps-region].

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN EhcacheRegionFactory.defaultRegionName(127) - [] - HHH90001007: Using legacy cache name [org.hibernate.cache.internal.StandardQueryCache] because configuration could not be found for cache [default-query-results-region]. Update your configuration to rename cache [org.hibernate.cache.internal.StandardQueryCache] to [default-query-results-region].

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN RootClass.checkCompositeIdentifier(287) - [] - HHH000038: Composite-id class does not override equals(): edu.internet2.middleware.grouper.stem.StemViewPrivilege

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN RootClass.checkCompositeIdentifier(290) - [] - HHH000039: Composite-id class does not override hashCode(): edu.internet2.middleware.grouper.stem.StemViewPrivilege

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN EhcacheRegionFactory.createCache(155) - [] - HHH90001006: Missing cache[edu.internet2.middleware.grouper.file.GrouperFile] was created on-the-fly. The created cache will use a provider-specific default configuration: make sure you defined one. You can disable this warning by setting 'hibernate.cache.ehcache.missing_cache_strategy' to 'create'.

grouper-daemon;grouper_error.log; [localhost-startStop-1] WARN EhcacheRegionFactory.createCache(155) - [] - HHH90001006: Missing cache[edu.internet2.middleware.grouper.pit.PITGrouperConfigHibernate] was created on-the-fly. The created cache will use a provider-specific default configuration: make sure you defined one. You can disable this warning by setting 'hibernate.cache.ehcache.missing_cache_strategy' to 'create'.

grouper-daemon;grouper_error.log; [DefaultQuartzScheduler_Worker-6] WARN SessionImpl.createCriteria(1837) - [] - HHH90000022: Hibernate's legacy org.hibernate.Criteria API is deprecated; use the JPA javax.persistence.criteria.CriteriaQuery instead






[GRP-4736] Grouper WS on Groups with Unresolvable subject Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Andrew Aschenbrener Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When midPoint's Grouper connector tries to 'sync' with a group with an unresolvable subject, the Web Services generates this error.

grouper-daemon;grouper_error.log;dev;ICP;2023-05-05T13:55:47,801: [ajp-nio-0.0.0.0-8009-exec-5] ERROR GrouperWsException.logError(147) - [< midpoint - 18.221.229.130 >] - java.lang.NullPointerException: Cannot invoke "java.util.Map.remove(Object)" because "this.translationMap" is null






[GRP-4735] add github test case and make sure ui works Created: 05/May/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

provisioner.github_itd.acceptHeader = application/vnd.github.v3+json
provisioner.github_itd.addDisabledFullSyncDaemon = true
provisioner.github_itd.addDisabledIncrementalSyncDaemon = true
provisioner.github_itd.bearerTokenExternalSystemConfigId = github
provisioner.github_itd.class = edu.internet2.middleware.grouper.app.scim2Provisioning.GrouperScim2Provisioner
provisioner.github_itd.entityAttributeValueCache0entityAttribute = id
provisioner.github_itd.entityAttributeValueCache0has = true
provisioner.github_itd.entityAttributeValueCache0source = target
provisioner.github_itd.entityAttributeValueCache0type = entityAttribute
provisioner.github_itd.entityAttributeValueCache1has = true
provisioner.github_itd.entityAttributeValueCache1source = grouper
provisioner.github_itd.entityAttributeValueCache1translationScript = \u0024{subject.getAttributeValue(‘givenname’)}
provisioner.github_itd.entityAttributeValueCache1type = subjectTranslationScript
provisioner.github_itd.entityAttributeValueCache2has = true
provisioner.github_itd.entityAttributeValueCache2source = grouper
provisioner.github_itd.entityAttributeValueCache2translationScript = \u0024{subject.getAttributeValue(‘sn’)}
provisioner.github_itd.entityAttributeValueCache2type = subjectTranslationScript
provisioner.github_itd.entityAttributeValueCacheHas = true
provisioner.github_itd.entityMatchingAttribute0name = userName
provisioner.github_itd.entityMatchingAttributeCount = 1
provisioner.github_itd.hasTargetEntityLink = true
provisioner.github_itd.logAllObjectsVerbose = true
provisioner.github_itd.makeChangesToEntities = true
provisioner.github_itd.numberOfEntityAttributes = 5
provisioner.github_itd.operateOnGrouperEntities = true
provisioner.github_itd.provisioningType = membershipObjects
provisioner.github_itd.scimType = Github
provisioner.github_itd.selectAllEntities = true
provisioner.github_itd.showAdvanced = true
provisioner.github_itd.startWith = this is start with read only
provisioner.github_itd.subjectSourcesToProvision = ldap
provisioner.github_itd.targetEntityAttribute.0.name = id
provisioner.github_itd.targetEntityAttribute.1.name = emailValue
provisioner.github_itd.targetEntityAttribute.1.translateExpressionType = grouperProvisioningEntityField
provisioner.github_itd.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField = email
provisioner.github_itd.targetEntityAttribute.2.name = userName
provisioner.github_itd.targetEntityAttribute.2.translateExpressionType = grouperProvisioningEntityField
provisioner.github_itd.targetEntityAttribute.2.translateFromGrouperProvisioningEntityField = subjectId
provisioner.github_itd.targetEntityAttribute.3.name = familyName
provisioner.github_itd.targetEntityAttribute.3.translateExpressionType = grouperProvisioningEntityField
provisioner.github_itd.targetEntityAttribute.3.translateFromGrouperProvisioningEntityField = entityAttributeValueCache2
provisioner.github_itd.targetEntityAttribute.4.name = givenName
provisioner.github_itd.targetEntityAttribute.4.translateExpressionType = grouperProvisioningEntityField
provisioner.github_itd.targetEntityAttribute.4.translateFromGrouperProvisioningEntityField = entityAttributeValueCache1
 
 
 






[GRP-4724] add test for google external system (and others) Created: 27/Apr/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 4.1.6

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Vivek Sachdeva (google.com) [ 04/May/23 ]

Done for Google, Box, Remedy digital marketplace, and remedy





[GRP-4723] alphabetize daemon dropdown when adding daemon Created: 26/Apr/23  Updated: 05/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 4.1.6

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4728] when adding a daemon, if use an existing config key, then it edits the existing daemon Created: 03/May/23  Updated: 03/May/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4725] jdbc2 subject source needs identifier tweak Created: 28/Apr/23  Updated: 28/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4718] add filter term in box provisioner to retrieve an individual user or group Created: 21/Apr/23  Updated: 21/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4714] provisioning matching ids blank causes error Created: 21/Apr/23  Updated: 21/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jason Cho

grouper-daemon;grouper_error.log;dev;nothing;2023-04-21T15:10:47,537: [DefaultQuartzScheduler_Worker-8] ERROR GrouperProvisioner.provision(855) - [] - Provisioner ‘LdapGroupsProvisioner’ (vq0yojx9) Error, java.util.NoSuchElementException
(vq0yojx9): at java.base/java.util.LinkedHashMap$LinkedHashIterator.nextNode(LinkedHashMap.java:758)
(vq0yojx9): at java.base/java.util.LinkedHashMap$LinkedKeyIterator.next(LinkedHashMap.java:778)
(vq0yojx9): at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningMatchingIdIndex.mergeInNewTargetEntities(GrouperProvisioningMatchingIdIndex.java:341)
(vq0yojx9): at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.processTargetDataEntities(GrouperProvisioningLogic.java:2535)
(vq0yojx9): at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveAllData(GrouperProvisionerTargetDaoAdapter.java:839)
(vq0yojx9): at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic$1.run(GrouperProvisioningLogic.java:1878)
(vq0yojx9): at java.base/java.lang.Thread.run(Thread.java:833)
(vq0yojx9):
grouper-daemon;grouper_error.log;dev;nothing;2023-04-21T15:10:47,554: [DefaultQuartzScheduler_Worker-8] ERROR OtherJobBase$2.callback(447) - [] - Error occurred while running job: OTHER_JOB_LdapGroupProvisionerFull
java.lang.RuntimeException: provisionerClass: LdapSync, configId: LdapGroupsProvisioner, provisioningType: fullProvisionFull, state: retrieveAllDataFromGrouperAndTarget, retrieveSyncGroupsMillis: 8, syncGroupCount: 224, retrieveSyncEntitiesMillis: 4976, syncEntityCount: 177418, retrieveSyncMshipsMillis: 4846, syncMshipCount: 187316, propagateProvisioningAttributes_millis: 11443, targetRetrieveAllGroups: 1, retrieveGrouperGroupsMillis: 12, grouperGroupCount: 223, targetGroupsRetrieved: 5203, originalTargetGroupsRetrieved: 5203, originalTargetTotalCount: 1261683, targetMembershipsRetrieved: 1256480, originalTargetMembershipsRetrieved: 1256480, targetRetrieveAllEntities: 1, retrieveGrouperEntitiesMillis: 68275, grouperEntityCount: 45114, retrieveGrouperMshipsMillis: 3911, grouperMshipCount: 90322, exception: java.util.NoSuchElementException
at java.base/java.util.LinkedHashMap$LinkedHashIterator.nextNode(LinkedHashMap.java:758)
at java.base/java.util.LinkedHashMap$LinkedKeyIterator.next(LinkedHashMap.java:778)
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningMatchingIdIndex.mergeInNewTargetEntities(GrouperProvisioningMatchingIdIndex.java:341)
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.processTargetDataEntities(GrouperProvisioningLogic.java:2535)
at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.retrieveAllData(GrouperProvisionerTargetDaoAdapter.java:839)
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic$1.run(GrouperProvisioningLogic.java:1878)
at java.base/java.lang.Thread.run(Thread.java:833)
, finalLog: true, queryCount: 12, tookMillis: 107380, took: 00:01:47.380
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:948) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:867) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:56) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19) ~[grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376) [grouper-4.1.2.jar:4.1.2]
at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57) [grouper-4.1.2.jar:4.1.2]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

Message incommon-grouper






[GRP-4711] in provisioning metadata, if boolean has default value, just check that radio, dont add "default" option Created: 20/Apr/23  Updated: 20/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Apr/23 ]





[GRP-4710] document stem move and group move in table at top of gsh page Created: 20/Apr/23  Updated: 20/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4706] millis load data is off for SFTP to SQL job Created: 18/Apr/23  Updated: 18/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Apr/23 ]





[GRP-4705] allow HTML template attestation emails where list of groups can be in arbitrary location Created: 18/Apr/23  Updated: 18/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for v5, from alpha






[GRP-4697] End of life OpenSAML jars in libWs folder Created: 13/Apr/23  Updated: 18/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Scott Cantor (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Grouper 4.1's libWs folder contains several out of date and unsupported/end-of-life jars dating to opensaml 2.x which has been dead for almost a decade. opensaml, openws, and xmltooling are all from those days.



 Comments   
Comment by Scott Cantor (osu.edu) [ 13/Apr/23 ]

xmlsec 1.x is similarly EOL.

Comment by Shilen Patel (duke.edu) [ 18/Apr/23 ]

I've confirmed at least that the old dependencies mentioned won't be in the next v5 release.  They are in v4 because of soap/rampart.





[GRP-4696] Loader jobs summary page shows count -1 if there are any subject problems Created: 12/Apr/23  Updated: 12/Apr/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The daemon log for a loader job shows this:

Status Loaded group Job type Start time End time Millis Millis
get
data
Millis
load
data
Total
count
Add
count
Update
count
Delete
count
Unresolvable
count
Subject_problems multiple overall 2023-04-12 07:05:00.227 2023-04-12 07:05:37.965 37739 32600 5136 13795 5 0 5 394

 

But the loader job page shows this for the same job:

Group Status Actions Count Recent
changes
Type
 loaderFacStaffByDept (etc) ERROR Loader actions  -1 -1 SQL_GROUP_LIST

 

The loader page should reflect the same status and counts as the actual loader log.






[GRP-4695] Visualization "Unable to retrieve..." errors shouldn't dump a whole stacktrace Created: 11/Apr/23  Updated: 11/Apr/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Visualization can have various issues if the user doesn't have permission to see certain attributes. These don't need a whole stacktrace for that, as it's obviously either permissions or a missing attribute.

 

  • "Unable to retrieve attribute " + loaderMetadataGroupIdName + "; results will not include groups loaded by jobs"
  • "Unable to retrieve PSPNG provision_to attribute; results will not include provisioning relationships"
  • "Unable to retrieve attribute for sql loader jobs; groups might not be detected as loader jobs"
  • "Unable to retrieve attribute for Grouper object types"

 






[GRP-4692] configure hasMember, invalid cache membership value, does not remove memberships Created: 07/Apr/23  Updated: 07/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4691] provisioning, if you pick a cache location that is not populated it should throw configuration error Created: 07/Apr/23  Updated: 07/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4690] ldap provisioning, if selecting entities, and no target link, need to enter search ou Created: 07/Apr/23  Updated: 07/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4680] some recent activity is blank Created: 03/Apr/23  Updated: 03/Apr/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 4.1.2
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 03/Apr/23 ]





[GRP-4672] add information about sql drivers to sql external system page Created: 31/Mar/23  Updated: 31/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

John Gasper
  2 hours ago
So I use a customized image based on the grouper image:
ARG JRE_VERSION=8
ARG ORCL_VERSION=19.14.0.0
ADD --chown=tomcat:root https://repo1.maven.org/maven2/com/oracle/database/jdbc/ojdbc${JRE_VERSION}/${ORCL_VERSION}/ojdbc${JRE_VERSION}-${ORCL_VERSION}.jar /opt/grouper/grouperWebapp/WEB-INF/lib/
 
 
 
 
 
John Gasper
  2 hours ago
Your results may vary. :smile:
 
 
Drew Roberts
  2 hours ago
Thanks!
:+1:
1
 
 
 
Marwan Shaher
  1 hour ago
@Drew Roberts
, in our case, our backend DB is oracle. The ojdbc8 jar file isn’t included with the ITAP Grouper image. We include that as part of our build. We always build on top of the base image because we have hooks and other customization that we do anyways. The ojdbc8 goes in the /opt/grouper/grouperWebapp/WEB-INF/lib/ directory
 
 






[GRP-4665] Git integration for Grouper configs Created: 24/Mar/23  Updated: 24/Mar/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Just some ideas I had while working with a customer. When provisioners, gsh templates, or other configs are managed in the UI, the history is stored in the UI. But if you want these exported on a regular basis to version control, it's a manual process.

(1) A script, maybe an external gsh batch script, to export configs into local files which are under version control
(2) Optionally add Git as an external system; maybe needs an api key

Maybe just item #1 is good enough for user needs?






[GRP-4651] add a start with for ldap entity provisioner to manage a flag attribute like colorado test case LdapProvisionerTestUtils.configureColoradoSingleEntityAttribute() Created: 22/Mar/23  Updated: 22/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4593] loaded groups should handle membership requirements and not fail Created: 07/Feb/23  Updated: 16/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Shilen Patel (duke.edu) [ 16/Mar/23 ]

I think this should be fixed for membership adds due to rules as well.  Perhaps ignore the add gracefully?

 

grouper-daemon;grouper_error.log;2023-03-16T08:11:16,047: [DefaultQuartzScheduler_Worker-2] ERROR GrouperLogger.error(77) - [] - problem
edu.internet2.middleware.grouper.hooks.logic.HookVeto: veto.membershipVeto.customComposite.vetoRequireEmployee: User is not eligible to be in this group since they are not in: <something>,
, group name: <something>, subject: Subject id: <something>, sourceId: jndiperson, field: members
	at edu.internet2.middleware.grouper.app.membershipRequire.MembershipRequireMembershipHook$1.callback(MembershipRequireMembershipHook.java:115) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.app.membershipRequire.MembershipRequireMembershipHook.checkMembershipEligibility(MembershipRequireMembershipHook.java:95) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.app.membershipRequire.MembershipRequireMembershipHook.membershipPreAddMember(MembershipRequireMembershipHook.java:70) ~[grouper-2.6.19.jar:2.6.19]
	at sun.reflect.GeneratedMethodAccessor760.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_352]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_352]
	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5425) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.executeHook(GrouperHooksUtils.java:509) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.callHooksIfRegistered(GrouperHooksUtils.java:309) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.callHooksIfRegistered(GrouperHooksUtils.java:248) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.callHooksIfRegistered(GrouperHooksUtils.java:211) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Membership.onPreSave(Membership.java:1813) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hibernate.ByObject.save(ByObject.java:283) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hibernate.ByObjectStatic$7.callback(ByObjectStatic.java:494) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:722) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hibernate.ByObjectStatic.save(ByObjectStatic.java:481) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO.save(Hib3MembershipDAO.java:2345) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Membership.internal_addImmediateMembership(Membership.java:1286) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Group$4.callback(Group.java:1616) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:722) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Group.internal_addMember(Group.java:1587) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Group.internal_addMember(Group.java:1534) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Group.addMember(Group.java:1129) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.Group.addMember(Group.java:1048) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.rules.RuleThenEnum$6.fireRule(RuleThenEnum.java:328) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.rules.RuleThen.fireRule(RuleThen.java:241) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.rules.RuleEngine$2.callback(RuleEngine.java:471) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.rules.RuleEngine.fireRule(RuleEngine.java:453) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.RuleConsumer$RuleEventType$2.processEvent(RuleConsumer.java:128) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.RuleConsumer.processChangeLogEntries(RuleConsumer.java:345) [grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261) [grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:676) [grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541) [grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345) [grouper-2.6.19.jar:2.6.19]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]





[GRP-4629] validation on rabbitmq when using EL Created: 14/Mar/23  Updated: 14/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes
7 hours ago
i tried to remove jre from the path using the external system UI and I got the error:
Error: ‘host’ is required
My host is defined as ${java.lang.System.getenv().get(‘RABBITMQ_HOST’)} with EL checked.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 14/Mar/23 ]

note: check other external systems too





[GRP-4627] null pointer in GrouperProvisioningCompare.compareTargetEntities Created: 13/Mar/23  Updated: 13/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.18, 2.6.19
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Set up and ran a full sync job in 2.6.18 and 2.6.19, was successful the first few days, but then errors started showing up.

For a delete of an entity attribute value, provisioningAttribute.getValueToProvisioningMembershipWrapper() is null. I don't see an explanation for why that happens. I added some extra debugging lines to a patched class to capture the error for better diagnostics. There were 29 errors out of 2518 total users provisioned. What was in common with all these users was that none of them were in provisioned groups. All except 2 did not even have the ldap attribute in LDAP, so it should not have tried to change anything.

What made the error go away is to assign all 29 users to a provisioned group, run an incremental sync, and then remove them and sync again. Since then there haven't been more errors.

grouper-daemon;grouper_error.log;2023-03-06T11:51:28,470: [DefaultQuartzScheduler_Worker-3] ERROR GrouperLogger.error(77) - [] - Error occurred while running job: OTHER_JOB_provisioner_full_utorable_ldap_user
java.lang.RuntimeException: provisionerClass: LdapSync, configId: utorable_ldap_user, provisioningType: fullProvisionFull, state: compareTargetObjects, retrieveSyncGroupsMillis: 498, syncGroupCount: 29621, retrieveSyncEntitiesMillis: 3487, syncEntityCount: 162895, retrieveSyncMshipsMillis: 13129, syncMshipCount: 965936, propagateProvisioningAttributes_millis: 21674, targetRetrieveAllGroups: 1, retrieveGrouperGroupsMillis: 2224, grouperGroupCount: 29597, retrieveGrouperEntitiesMillis: 8964, grouperEntityCount: 322174, retrieveGrouperMshipsMillis: 42636, grouperMshipCount: 1590921, provisioningGroupsToDeleteCount: 24, provisioningEntitiesToDelete: 1808, provisioningMshipsToDelete: 14294, retrieveDataPass1_millis: 72548, grouperGroupsRetrieved: 29597, grouperEntitiesRetrieved: 322174, grouperMembershipsRetrieved: 1590921, assignDefaultFieldsAndAttributesCount: 163220, originalTargetGroupCount: 29632, originalTargetEntityCount: 162861, originalTargetMembershipCount: 932803, originalTargetTotalCount: 1125296, targetGroupsRetrieved: 29632, targetEntitiesRetrieved: 162861, targetMembershipsRetrieved: 0, retrieveTargetDataMillis: 46279, provisioningGroupWrappersWithMatch: 59195, provisioningGroupWrappersWithNoMatch: 93, provisioningEntityWrappersWithMatch: 325722, missingGroupsForRetrieve: 7, missingGroupsForRetrieveFound: 1, missingEntitiesForRetrieve: 10, missingEntitiesForRetrieveFound: 0, loadDataToGrouper_millis: 0, provisioningEntityWrappersWithNoMatch: 34, linkGcSyncEntitiesUpdated: 100, targetEntitiesForLinkNull: 34, provisioningMembershipWrappersWithNoMatch: 965936, processResultsSelectMembershipsFullCantUnresolveMemberships: true, exception: java.lang.NullPointerException
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningCompare.compareTargetEntities(GrouperProvisioningCompare.java:1053)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningCompare.compareTargetObjects(GrouperProvisioningCompare.java:1740)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionFull(GrouperProvisioningLogic.java:273)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$1.provision(GrouperProvisioningType.java:41)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:77)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:797)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:56)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376)
    at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 14, tookMillis: 163445, took: 00:02:43.445
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:910) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:829) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:56) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grou
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19) ~[grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376) [grouper-2.6.19.jar:2.6.19]
    at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57) [grouper-2.6.19.jar:2.6.19]
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]






[GRP-4623] fix audits for jexl script tester Created: 13/Mar/23  Updated: 13/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper;grouper_error.log;dev;nothing;2023-03-13T17:37:11,580: [ajp-nio-0.0.0.0-8181-exec-9] ERROR GuiAuditEntry.getAuditLine(1153) - [] - Cant find audit builtin for category: jexlTest and action: jexlTestExec






[GRP-4620] version does not show in ui for v4 Created: 13/Mar/23  Updated: 13/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

System settings and wizards to setup the registry. Grouper version:






[GRP-4617] add 'run report' to report menu for ad hoc runs Created: 10/Mar/23  Updated: 10/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4616] provisioning: validate that the membership attribute is not cached Created: 09/Mar/23  Updated: 09/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4609] allow resize of left navigation panel Created: 02/Mar/23  Updated: 02/Mar/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Ben E Rappleyea Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2.6.9



 Description   

We have received requests from our customers to make the left hand navigational panel resizable so that they are not having to scroll back and forth constantly or search for the group instead.






[GRP-4467] Add property for GrouperLoaderLog jobs not to log at DEBUG Created: 04/Nov/22  Updated: 02/Mar/23

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.6.7
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Now that GrouperLoaderLog is being logged at debug level by default, it tends to clutter up the logs with maintenance and changelog jobs that run every minute. I think ideally you shouldn't have GrouperLoaderLog at debug level. But if you do, maybe it's because you want to know about a specific problem job, and not CHANGE_LOG_changeLogTempToChangeLog or basically any other CHANGE_LOG or MAINTENANCE job.



 Comments   
Comment by Chad Redman [ 04/Nov/22 ]

Maybe a regular expression, or comma-separated list of expressions?

Comment by Chris Hyzer (upenn.edu) [ 02/Mar/23 ]

we have this but it defaults to true

//enable certain logs
if (!GrouperLoaderConfig.retrieveConfig().propertyValueBoolean("daemon.log.logEnabled_" + label, true))

{ return; }

I think we need something in the daemon config to enable logging, default false... but if you do that then logging should just happen withot changing log4j. we will need to look at that in the near future





[GRP-4601] LDAP startsWith eduPersonAffiliation invalid config Created: 15/Feb/23  Updated: 02/Mar/23

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.6.19
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-02-15-15-45-23-614.png    

 Description   

When choosing the "eduPersonAffiliation" startsWith configuration, it asks for the group attribute to provision for the membership (default was extension). This value used to be entered in the "Group attribute name for memberships" field. In 2.6.19, the drop down for that field only has the 4 group cache buckets, and the group attributes no longer show up. This makes the field have a blank value, and can't save since it's a required field.

 

Note that the field description still reads "The group attribute that has values...", even though group attributes are no longer options



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Mar/23 ]

we changed the label in the provisioner config so its a cache label. we need to fix the starts with...





[GRP-4608] Loader Jobs with External Unique Ids to Support moving group path Created: 01/Mar/23  Updated: 01/Mar/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Andrew Aschenbrener Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The current version of grouper loader jobs does not support the ability to move an existing group. Instead groups are deleted and then recreated. Based on Grouper Dev call here is a suggestion:

  • Add configuration to Loader Job that can enable "Loader_Group_ID" which is a external immutable identifier for a group. When enabled, this option will require that the SQL query return a field with that name.
  • When that configuration is enabled you get two additional configuration options
    • 'grouper_name change';  'Move', 'Delete & Recreate'
    • 'set alternate name';  'yes', 'no'
  • Update loaderjob logic to store the Loader_group_ID in the groups metadata if available.
  • Update loaderjob logic such that if a group has a loader_group_id, it's looked up in grouper to compare the 'group_name'. If the group_name (aka path) has changed, use the configurations above to take the appropriate actions.


 Comments   
Comment by Andrew Aschenbrener [ 01/Mar/23 ]

To prevent unexpected errors, maybe there should also be some validation that the given metadata field for two groups don't share the same value.





[GRP-4607] Container startup scripts to check for tomee mounted files and move them to tomcat Created: 01/Mar/23  Updated: 01/Mar/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: 2.6.19
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Moving from TomEE to Tomcat, the container directory will be different. It may not be common, but some installations may be mounting files into /opt/tomee. On startup, the init scripts should check for mounted files there, give a warning that it's deprecated, and copy them to /opt/tomcat. There should be a new environment variable to skip the check copy, in case there is some reason they would want them to stay in /opt/tomee.

 






[GRP-4604] config value on each group to override global: attestation.daysBeforeNeedsAttestationToShowButton Created: 24/Feb/23  Updated: 24/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful if each attestation could support control over when the needs attestation button would show for it.

Instead of being forced to use the global default config attestation.daysBeforeNeedsAttestationToShowButton = 14, or forcing all attestations to behave identically.






[GRP-4603] add paging to getGrouperPrivileges WS Created: 16/Feb/23  Updated: 16/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4602] allow search in ui to find things by uuid (e.g. memberId in subjects) Created: 16/Feb/23  Updated: 16/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4598] if subject source if not enabled, it shouldnt do anything Created: 10/Feb/23  Updated: 10/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 10/Feb/23 ]

Comment by Chris Hyzer (upenn.edu) [ 10/Feb/23 ]

grouper;grouper_error.log;2023-02-10T17:21:26,445: [ajp-nio-0.0.0.0-8181-exec-5] ERROR GrouperLogger.error(77) - [] - UI error
edu.internet2.middleware.subject.SourceUnavailableException: problem in subject.properties source: silly-junk-do-not-use, sql: select bla,column from not_real where 
bla in (?) limit 0,2,
Cant find subject from login id: mchyzer@upenn.edu
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.search(JDBCSourceAdapter2.java:1116) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubjectsByIds(JDBCSourceAdapter2.java:590) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubjectsByIds(JDBCSourceAdapter2.java:866) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubject(JDBCSourceAdapter2.java:308) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubject(JDBCSourceAdapter2.java:877) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.BaseSourceAdapter.getSubjectByIdOrIdentifier(BaseSourceAdapter.java:520) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubjectByIdOrIdentifier(JDBCSourceAdapter2.java:379) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.getSubjectByIdOrIdentifier(JDBCSourceAdapter2.java:393) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.cache.SubjectSourceCache.getSubjectByIdOrIdentifierFromCacheOrSource(SubjectSourceCache.java:1700) ~[grouper-2.6.19.
jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$4.callLogic(SourcesXmlResolver.java:580) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$4.callLogic(SourcesXmlResolver.java:576) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$LogLabelCallable.call(SourcesXmlResolver.java:182) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.executeCallables(SourcesXmlResolver.java:243) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:586) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:486) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:258) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:419) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:404) ~[grouper-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedInHelper(GrouperUiFilter.java:385) ~[grouper-ui-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:319) ~[grouper-ui-2.6.19.jar:2.6.19]
	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1302) [grouper-ui-2.6.19.jar:2.6.19]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.57]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.57]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.57]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.57]
	at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44) [tomee-catalina-7.0.9.jar:7.0.9]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.57]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.57]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.57]
	at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97) [tomee-catalina-7.0.9.jar:7.0.9]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.57]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.57]
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:524) [tomcat-coyote.jar:8.5.57]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.57]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818) [tomcat-coyote.jar:8.5.57]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626) [tomcat-coyote.jar:8.5.57]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.57]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_352]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_352]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.57]
	at java.lang.Thread.run(Thread.java:750) [?:1.8.0_352]
Caused by: java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syn
tax to use near 'column from not_real where bla in ('mchyzer@upenn.edu') limit 0,2' at line 1
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:120) ~[mysql-connector-java-8.0.28.jar:8.0.28]
	at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) ~[mysql-connector-java-8.0.28.jar:8.0.28]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:953) ~[mysql-connector-java-8.0.28.jar:8.0.28]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1009) ~[mysql-connector-java-8.0.28.jar:8.0.28]
	at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:431) ~[c3p0-0.9.5.4.jar:0.9.5.4]
	at edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.search(JDBCSourceAdapter2.java:1082) ~[grouper-2.6.19.jar:2.6.19]
	... 40 more
 





[GRP-4595] attribute on a group to control UI default filter on direct/indirect display Created: 09/Feb/23  Updated: 09/Feb/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.19.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from discussion in slack channel

Add an attribute to a group to cause the UI to display the group with a filter of direct memberships or indirect by default.  The absence of the attribute is all (current behavior).  There could be a system-wide default to control the default display of groups in the ui as well... but this is usually desirable for large groups for environments where the display of the large group is slow (which may in fact be a sign of a misconfigured cache and other components - but this at least allows for helping with the display of the group).






[GRP-4594] GSH Template multi-value checkbox Created: 08/Feb/23  Updated: 08/Feb/23

Status: Open
Project: Grouper
Component/s: GSH Templates
Affects Version/s: 2.6.19.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I seek a multi-value checkbox capability in a GSH Template.  I'd like to pass in 

In GSH Template config I'd like to pass in the following parameters:

CheckBoxItems: 'Administrator','Author','Manager','Editor','Allowed','Reviewer','Developer' (a text box with comma separated list of items)
Vertical: true/false (whether to display the list vertically or horizontally with wrap) default: T
AllChecked: true/false (to default all items to checked or not - default: T

and the gsh_input_varname for this multi-value checkbox would return a list of those items checked.  Something like:
gList = gsh_input_checkboxGroups;
and the gList = ['Manager','Editor','Allowed','Reviewer']

I think it may be just this simple.  I'm sure there are ideas to make it complicated, but this is all I can think of at this point.






[GRP-4592] pre-create grouperDdl dir so it has right owner in case gsh runs as root Created: 03/Feb/23  Updated: 03/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

David Li  2 days ago
During grouper upgrade from v2.6.15.1 to v2.6.19, we encountered a file permission error when running GSH in the gsh container:
“Exception in thread “main” java.lang.RuntimeException: Cant create file: /opt/grouper/grouperWebapp/WEB-INF/ddlScripts/grouperDdl_20230201_12_57_32_025.sql”
The WEB-INF directory is like:


[root@ace07bb81a4e WEB-INF]# ls -la
 total 56
 drwxrwsr-x. 1 tomcat root 4096 Jan 31 18:09 .
drwxrwsr-x. 1 tomcat root   88 Dec 21 12:15 ..
drwxrwsr-x. 1 tomcat root   89 Dec 21 12:15 bin
 drwxrwsr-x. 1 tomcat root 4096 Jan 31 18:07 classes
drwxrwsr-x. 1 tomcat root   23 Dec 21 12:15 conf
drwxr-sr-x. 2 root   root   50 Jan 31 18:09 ddlScripts
-rwxrwsr-x. 1 tomcat root   14 Dec 21 12:14 .gitignore






[GRP-4591] performance improvement in daemon page Created: 03/Feb/23  Updated: 03/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Joel Rettinger
20 hours ago
For the "View all daemon jobs" page in the Grouper UI, would it be possible to have a "lite" version of the page in the UI containing just a search page for specific jobs,
and/or a simpler list of "All daemon jobs" linking to their job logs that wouldn't preload as much data?
It takes over 2 1/2 minutes to load, and sometimes it just errors out loading for a long time. It takes that long even when reloading that page, or opening it in a different browser window/tab immediately after loading it the first time.
The individual job logs pages load so much faster that I've taken to navigating to them directly by manually editing URL the job logs url's "jobName" parameter in the browser, i.e. in
.../grouper/grouperUi/app/UiV2Main.index?operation=UiV2Admin.viewLogs&jobName=CHANGE_LOG_consumer_changelogConsumer
Are there config settings that could help with this?
Thanks! :slightly_smiling_face: (edited)






[GRP-4590] "enter at least two characters" in groupMove always Created: 03/Feb/23  Updated: 03/Feb/23

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.1
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Jutta Biernath Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

multiple



 Description   

If you want to move a group, open the search form by clicking on "search for a folder where you are allowed to create new subfolders"  and enter no matter what, you will always get the error message "enter at least two characters".
 
I have already found the solution and would like to provide it here: In grouper-ui/webapp/WEB-INF/grouperUi2/group/groupMove.jsp, line 21, input name="groupSearch" is to be changed to input name="stemSearch".

We still use Version 2.4 but I've taken a look at the Grouper project at Github and it seems to me that the bug still occurs in 2.6 as well.






[GRP-4589] show group name of groups on entity membership report when groups are deleted Created: 01/Feb/23  Updated: 01/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Right now it says "name unknown"






[GRP-4577] allow privileges to be read with READ privilege in groups Created: 25/Jan/23  Updated: 01/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Jan/23 ]

Heather Gwinn
2 days ago
I feel a little bit ridiculous that I can't sort this out, but can someone tell me what privileges would need to be assigned for a user to be able to view the Privileges tab and settings on a group but not change them? Is it possible to grant read only access to the privilege tab? (edited)
6 replies

Carey Black
1 day ago
I don't think you can do that. :disappointed:
At least I can not put my finger on a way to do it. "simply".
Now .. if you get tricky and use Grouper reporting... ( maybe with some GSH Template magic ) https://spaces.at.internet2.edu/display/Grouper/Grouper+reporting
I think you could make reports Privileges of object(s) that way.

Heather Gwinn
1 day ago
Oh well that’s disappointing and at least confirms why I couldn’t figure it out! Thanks
@black.123

Chris Hyzer
4 minutes ago
i think we should allow people who can READ a group to be able to READ privs... anyone disagree? :slightly_smiling_face:

Heather Gwinn
3 minutes ago
I'm 1000% in agreement

Chris Hyzer
1 minute ago
thats a lot of percent :slightly_smiling_face:

Heather Gwinn
1 minute ago
I wanted to be thorough

Comment by Chris Hyzer (upenn.edu) [ 01/Feb/23 ]

leaning toward adding two new privileges to groups/folders/attributes read privilege and write privilege





[GRP-4588] translation failing on entities Created: 01/Feb/23  Updated: 01/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Benjamin Rappleyea
21 hours ago
So would this be why our provisioners are failing since updating to 2.6.19? (non-prod)
Caused by: org.apache.commons.jexl2.JexlException$Property: edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguageScript@11397![9,53]: ''uid=' + grouperProvisioningEntity.subjectIdentifier0 + ',ou=People,o=Services,dc=ilstu,dc=edu';' inaccessible or unknown property grouperProvisioningEntity






[GRP-4587] disable subject source via env var (via config) Created: 01/Feb/23  Updated: 01/Feb/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black
7:16 PM
I spent some time with Tim Maness.
Setting up subject source (in the DB, via the UI) can be a 'opps now the container will not start. Now what?' problem.
Maybe there should be a container flag, or a CLI to do the following:
Export all subject config to a file and delete the config from the grouper_config table.
It can be very frustrating when you break the container by using the UI.

Chad Redman
7:58 PM
that's true, you can't even use gsh because it will exit if it can't boot all its subject sources

Carey Black
8:37 PM
I guess another alternative would be to disable a subject source before startup via an ENV setting?
DISABLED_SUBJECT_SOURCES=sub_one_source;sub_two_source;
Then ( somehow ) during start up honor the ENV value by "skipping" those subject sources like they don't exist yet?

Chris: note, it should be a subject.properties config that defaults to env var...






[GRP-4586] Subject diagnostics incorrectly printing subject Id for identifier test Created: 31/Jan/23  Updated: 31/Jan/23

Status: Open
Project: Grouper
Component/s: subject API
Affects Version/s: 2.5.23, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Diagnostics report

WARNING: No subject found by id in 0ms: '10001111'
         with SubjectFinder.findByIdAndSource("10001111", "Active Directory", false)
ERROR: Exception thrown when finding subject by id in 4ms: '10001111'
         with SubjectFinder.findByIdentifierAndSource("sAMAccountName", "Active Directory", false)
edu.internet2.middleware.subject.SourceUnavailableException: Ldap Exception: Problem with ldap conection: Active_Directory,
Error querying ldap server id: Active_Directory, searchDn: ou=users,dc=internet2,dc=edu, filter: 'ou=users,dc=internet2,dc=edu', returning attributes: null

SubjectSourceDiagnostics.java

        if (subject != null) {
          subjectApiReport.append("<font color='green'>SUCCESS:</font> Found subject by identifier in " + millis + "ms: '" + GrouperUtil.xmlEscape(subjectIdentifier) + "'\n         with SubjectFinder.findByIdentifierAndSource(\"" + GrouperUtil.xmlEscape(subjectIdentifier) + "\", \"" + GrouperUtil.xmlEscape(sourceId) + "\", false)\n");
        } else if (exception == null) {
          subjectApiReport.append("<font color='orange'>WARNING:</font> No subject found by identifier in " + millis + "ms: '" + GrouperUtil.xmlEscape(subjectIdentifier) + "'\n         with SubjectFinder.findByIdentifierAndSource(\"" + GrouperUtil.xmlEscape(subjectIdentifier) + "\", \"" + GrouperUtil.xmlEscape(sourceId) + "\", false)\n");
        } else {
          subjectApiReport.append("<font color='red'>ERROR:</font> Exception thrown when finding subject by id in " + millis + "ms: '" + GrouperUtil.xmlEscape(subjectId) + "'\n         with SubjectFinder.findByIdentifierAndSource(\"" + GrouperUtil.xmlEscape(subjectIdentifier) + "\", \"" + GrouperUtil.xmlEscape(sourceId) + "\", false)\n");
          subjectApiReport.append(ExceptionUtils.getFullStackTrace(exception));
        }

Note the subject identifier tests reports the subjectId from an unrelated part of the code, and "finding subject by id" in one of the 3 subject identifier cases.






[GRP-4585] add a GSH change log consumer. Example is emailing supervisor when someone added to group Created: 31/Jan/23  Updated: 31/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4583] Create wiki page for morphString Created: 30/Jan/23  Updated: 30/Jan/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Either the Confluence search isn't working, the page for morphString usage got reworked into oblivion, or there never was a page. I thought there used to be documentation for this, but I am not seeing it. There is only a brief mention in the gsh page on how to encrypt a value.

Digging into the code for a customer, I uncovered a lot about how morphString works. It would be useful to have a page somewhere since there are recommendations to use it.

  • Pretty much all the provisioning and external systems can read an encrypted value from a file, although this is something each provider implements independently.
  • If a password value is a file, it must be encrypted. Grouper expects to decrypt it, and will error if it can't
  • This doesn't apply to the morphstring key itself, which can be in a file, but obviously not encrypted
  • I don't see anything in the source that treats slashes in a password special. Maybe it got factored out? It will always try to read the value as a file, and fall back to a string if it can't
  • How to replicate the encryption if Grouper is totally down and you need to encrypt a string offline (note, Grouper appends a "w" to the raw string so you need to do this too)
  • the encryption pads the encrypt key to 16 or 32 characters with "x" characters, and truncates to 32 characters. Note that this happens after adding the "w", so people should be generating 15 or 31 character strings, not 16 or 32. They also don't need to make strings longer than 32 characters.





[GRP-4582] add rate limiting to provisioning Created: 26/Jan/23  Updated: 26/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Tim Darby

Is there a way to rate limit the LDAP queries, mods, adds, deletes?
The issue is that our LDAP instance is insanely busy and I've seen the provisioning in grouper 2.5 cause it to become unusable (we're working on beefing up our LDAP too)






[GRP-4581] membership import does not recognize header row Created: 26/Jan/23  Updated: 26/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    




[GRP-4574] store state of hide/show left UI panel in user preferences in DB so persists across refresh or browsers or session. Created: 21/Jan/23  Updated: 21/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

also add config to disable this in grouper-ui.properties, and default to storing in DB






[GRP-4569] Attestation API markAsAttested(true) no effect Created: 18/Jan/23  Updated: 18/Jan/23

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.44, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

new AttestationGroupSave().assignGroup(attestedGroup).assignMarkAsAttested(true).assignReplaceAllSettings(false).save()

The save() method is generating a local variable for the current YYYY/MM/DD date, but not doing anything with it. Probably a problem both in AttributeGroupSave and AttributeStemSave.



 Comments   
Comment by Chad Redman [ 18/Jan/23 ]

Workaround is setting the certified date manually:

 

import edu.internet2.middleware.grouper.app.attestation.AttestationGroupSave
import edu.internet2.middleware.grouper.app.attestation.GrouperAttestationJob
import java.text.SimpleDateFormat
 
grouperSession = GrouperSession.startRootSession()
attestedGroup = new GroupFinder().addGroupName("etc:testGroup").findGroup()
 
AttributeAssign attrAssign = new AttestationGroupSave().assignGroup(attestedGroup).assignMarkAsAttested(true).assignReplaceAllSettings(false).save()
 
String daysUntilRecertify = new SimpleDateFormat("yyyy/MM/dd").format(new Date())
attrAssign.attributeValueDelegate.assignValue(GrouperAttestationJob.retrieveAttributeDefNameDateCertified().name, daysUntilRecertify)





[GRP-4562] store csrf tokens in the database Created: 12/Jan/23  Updated: 12/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

implement the org.owasp.csrfguard.token.storage.TokenHolder interface described here:

https://github.com/aramrami/OWASP-CSRFGuard/blob/master/csrfguard/src/main/resources/csrfguard.properties

Note, we dont need page level tokens, just the session tokens. Still store in memory too. Periodically purge the database table.

Explore hashing the tokens and session keys to see if that can work to not let the DB be a vector for session hacking...






[GRP-4561] grouper duo provisioner throttling Created: 12/Jan/23  Updated: 12/Jan/23

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

we are still experiencing issues with the new duo provisioner. We are seeing error 429/42901 (The account has made too many requests of this type recently. Try again later) when processing large membership changes with either the incremental or full sync so the membership counts in grouper are not matching up with those in Duo. Taking a look here https://community.duo.com/t/429-too-many-requests-after-a-request-every-20-seconds/6863 and here https://github.com/duosecurity/duo_client_python/issues/101 we are being throttled due to too many requests per minute. Duo’s website https://help.duo.com/s/article/1338?language=en_US mentions updating to the newest version of the duo client library to ensure the client backs off automatically and makes requests within the limit. I am not sure if this is an update/fix that needs to be implemented in Grouper or if there is a setting we can change currently in Grouper to rate limit the requests the duo provisioner is making. Any suggestions on how to fix this?

From Andrew Costa






[GRP-4557] grouperScriptHooks_prepConfPost is unreachable code Created: 11/Jan/23  Updated: 11/Jan/23

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: 2.5.30, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

prep_conf() {
    ...    
    # if we are stopping and starting, we just read the env vars and we done
    if [ -f /opt/grouper/grouperEnv.sh ]
      then
        echo "grouperContainer; INFO: (libraryPrep.sh-prep_conf) Loading env vars from /opt/grouper/grouperEnv.sh"
        . /opt/grouper/grouperEnv.sh
        return
    fi
    
    prep_initDeprecatedEnvVars
    grouperScriptHooks_prepConfPost
 
}

Note that if /opt/grouper/grouperEnv.sh exists, the function returns early. However, even in the base image the file exists with zero bytes. Thus, grouperScriptHooks_prepConfPost is never called.

The next opportunity to call a hook is setupFilesPost, which happens after file manipulation. So there is no way to add any hooks for setup that setupFiles can act on.

The other opportunity to call a hook before Grouper does file configuration is prepComponentPost. The setupFilesPost hook happens after Grouper file manipulation.






[GRP-4553] attributeassignmembershipdelegate needs privilege revision Created: 29/Dec/22  Updated: 29/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

AttributeAssignMembershipDelegate.assertCanUpdateAttributeDefName



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 29/Dec/22 ]

checks if can update group???





[GRP-4546] substitute gsh template dollar with unicode '$', or at least give a good error Created: 22/Dec/22  Updated: 23/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4548] SUpport file attachments in workflows Created: 22/Dec/22  Updated: 22/Dec/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0.patch
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4547] Support start/end dates in workflow Created: 22/Dec/22  Updated: 22/Dec/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0.patch
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Is this currently supported? I didn't see it in the wiki or in the 2.6.18 source code. This would be from optional fields from workflow approval states, or from the original requestor






[GRP-4545] give good error message if grouperIncludeExclude.use = false (default) and loader addIncludeExclude Created: 22/Dec/22  Updated: 22/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4542] add database config id to sql reports Created: 21/Dec/22  Updated: 21/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4541] add knobs for retries Created: 15/Dec/22  Updated: 15/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.19

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4532] allow sql loader queries to be brought in by config or other way Created: 12/Dec/22  Updated: 12/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for long queries






[GRP-4531] dry run option for loader Created: 09/Dec/22  Updated: 09/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford
3 hours ago
Hi Grouper Team,
Would like to to request a loader job “dry run” option instead of loader job diagnostics screen. I think seeing what the job update would do is more valuable, and most of our queries time out anyway on the diagnostic screen.






[GRP-4529] regex validation does not work for gsh template password inputs Created: 07/Dec/22  Updated: 07/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from alpha






[GRP-4528] SubjectFinder() builder can only find one subject, not multiple Created: 05/Dec/22  Updated: 05/Dec/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the builder method for SubjectFinder, there is a findSubject() method, but no findSubjects() method. The use case for me is to get all subjects for a specific source, so I can loop through them.

Set<Subject> subjects = New SubjectFinder().assignXXXX...findSubjects()






[GRP-4526] if an exception occurs, check to see if the data is in the right state? Created: 03/Dec/22  Updated: 03/Dec/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File gruoperJiraProvisioner.txt    




[GRP-4520] add subject source restriction in membership requirements (e.g. only people) Created: 30/Nov/22  Updated: 30/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4519] Provisioning Framework - inability to provision custom attributes to bushy stems Created: 30/Nov/22  Updated: 30/Nov/22

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.6.16
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Robert Bradley Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.6.16 with new Provisioning Framework.



 Description   

In Grouper 2.2.2 and the old Grouper PSP software, it was possible to provision custom attributes on bushy stems.  For example, it was possible to set the displayName of a stem separately from the ou attribute in LDAP, along with setting other custom attributes (e.g. course codes or owning departments).  We currently use these custom attributes for managing course groups in our VLE/LMS system.  However, in the new Provisioning Framework and PSPNG, bushy stems are created as needed, but only with the objectClass and ou/RDN attributes.  This means that if other attributes are required by the schema, the stem addition will fail.

It would be useful if the new Provisioning Framework were expanded to allow attribute provisioning to stem objects in LDAP to allow for the addition of non-RDN/non-objectClass attributes to avoid such issues, and avoid the need for a custom reconciliation process to add the missing custom attributes.






[GRP-4517] add group membership filter by subject source Created: 28/Nov/22  Updated: 28/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Drew Aschenbrener
  3:53 PM
In the Grouper UI filter options for Group members, it would be nice to have an advanced filter for subject source.
e.g. Only show me members with subject source 'g:gsa' or 'ldap', etc.
Not a blocker or anything but would be a nice QOL change. (edited



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 28/Nov/22 ]

Carey Black
  2 minutes ago
related?
https://todos.internet2.edu/browse/GRP-2387
https://todos.internet2.edu/browse/GRP-2351
https://todos.internet2.edu/browse/GRP-2025





[GRP-4512] add view for jwt creds Created: 23/Nov/22  Updated: 23/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

example query for postgres

select gp.username, gm_user_to_email.subject_source as subject_to_email_source_id, gm_user_to_email.subject_id as subject_to_email_id, 
gm_user_to_email.email0 as email, to_timestamp(gp.expires_millis / 1000) as expires, gm_credential.subject_identifier0 credential_name
from grouper_password gp, grouper_members gm_user_to_email, grouper_members gm_credential
where gp.member_id_who_set_password  = gm_user_to_email.id
and gm_user_to_email.email0 is not null
and to_timestamp(gp.expires_millis  / 1000) > now()
and to_timestamp(gp.expires_millis  / 1000) < (now() + interval '14' day)
and gm_credential.id = gp.member_id ;
 






[GRP-4510] in ldap groups from attributes, if an extra attribute is a group attribute dont fail since multivalued is ok Created: 22/Nov/22  Updated: 22/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

java.lang.RuntimeException: java.lang.RuntimeException: Grouper LDAP loader only supports single valued group attributes at this point: eduPersonSchoolCollegeName,
Error querying ldap server id: ldap, searchDn: dc=cmu,dc=edu, filter: '(&(objectClass=cmuaccountperson)(status=active)(eduPersonPrimaryAffiliation=faculty)(ou=andrew.cmu.edu))', returning subject attribute: uid
at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.getLdapMembershipsForLdapGroupsFromAttributes(GrouperLoaderResultset.java:1271)
at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.initForLdapGroupsFromAttributes(GrouperLoaderResultset.java:915)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$11.runJob(GrouperLoaderType.java:1159)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJobLdap(GrouperLoaderJob.java:658)
at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:336)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.lang.RuntimeException: Grouper LDAP loader only supports single valued group attributes at this point: eduPersonSchoolCollegeName,
Error querying ldap server id: ldap, searchDn: dc=cmu,dc=edu, filter: '(&(objectClass=cmuaccountperson)(status=active)(eduPersonPrimaryAffiliation=faculty)(ou=andrew.cmu.edu))', returning subject attribute: uid
at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.getLdapMembershipsForLdapGroupsFromAttributes(GrouperLoaderResultset.java:1182)
... 6 more






[GRP-4509] make sure recent memberships job incremental is making all necessary changes Created: 20/Nov/22  Updated: 20/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga
2 days ago
Anyone here run the grouperRecentMembershipsLoader job more than once a day?

Michael Gettes
2 days ago
Every 5 min

Liam Hoekenga
2 days ago
looks like it takes less than a minute to run

Liam Hoekenga
2 days ago
I think we’re gonna up the frequency

Liam Hoekenga
2 days ago
thanks!

Chris Hyzer
41 minutes ago
@Liam Hoekenga

@gettes
there is a change log consumer for recent memberships. Why do you need to run the full sync that often? Are there things not being handled in the incremental?

Michael Gettes
35 minutes ago
because i am a dope? it takes 85ms to run. i guess i will run it less frequently. :slightly_smiling_face:

Liam Hoekenga
25 minutes ago
because ours really only seems to be running at 3:41am ? so we only seem to be updating Grace period groups once a day. i don’t know that the CLC is doing what it’s supposed to for us (edited)

Chris Hyzer
< 1 minute ago
ok well run the full often and we can look at that. it does most of the stuff but maybe something is missing






[GRP-4508] upgrade ehache for cve on embedded jackson-databind Created: 19/Nov/22  Updated: 19/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://mvnrepository.com/artifact/org.ehcache/ehcache/3.10.6

 

verify that jackson is not inside anymore






[GRP-4507] allow bushy group to be in base DN Created: 18/Nov/22  Updated: 18/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

throw new RuntimeException("Group's parent dn is the base dn!");






[GRP-4506] add compare methods for attributes in provisioning. Created: 18/Nov/22  Updated: 18/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Default to case sensitive.  Have case insensitive there.  Provisioners can add their own.  LDAP provisioner should add a DN compare






[GRP-4503] add incremental tests to example WS tests Created: 18/Nov/22  Updated: 18/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4502] provisioning membershipObjects should default to translation if there is a group and entity attribute Created: 18/Nov/22  Updated: 18/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

see example WS






[GRP-4501] pull configuration defaults up a class in provisioner wizard configuration class Created: 18/Nov/22  Updated: 18/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

and update the example and all provisioners






[GRP-4476] add unit test for grouper / midpoint with multi valued metadata Created: 10/Nov/22  Updated: 17/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.19

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4496] bad membership finder should remove invalid circular references from composites Created: 16/Nov/22  Updated: 16/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From Joel,

Should circular group membership references work when the complementary member groups are composites made from the "container" groups? I.e.
container groups are A and B
Aa is a composite of (A intersect group Z)
Bb is a composite of (B intersect group Z)
A has members D,E, and Bb.
B has members F,G, Aa.
What we are seeing is if you remove say D from A as a direct member, D still shows up as an indirect member of both A and B even though it has no direct membership in A or B. The findBadMemberships job doesn't seem to fix this either.
Any recommendations on what to do to fix the reference?



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 16/Nov/22 ]

bad membership change log consumer should detect this too?





[GRP-4478] add ability to remove an attribute via wizard. e.g. #3 of 5 Created: 11/Nov/22  Updated: 11/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 11/Nov/22 ]

maybe move up or down or insert





[GRP-4479] report viewers group combobox has trouble finding group by system name Created: 11/Nov/22  Updated: 11/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

see GTE 101.11






[GRP-4468] allow setting the idIndex of groups in UI if not conflict and below current index Created: 05/Nov/22  Updated: 05/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4459] allow enabled/disabled dates without time components Created: 02/Nov/22  Updated: 02/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford
 Today at 6:05 PM
I got some complaints from our support center about having to now add the minutes in disable dates. Is there a config we can set to just consider dates on leave the 00:00 off?






[GRP-4458] enable partial full syncs in provisioner for large provisioners Created: 01/Nov/22  Updated: 01/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. in sql do this in batches






[GRP-4396] ldap loaders should auto enable like sql (on create) Created: 30/Sep/22  Updated: 01/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Nov/22 ]

note i dont think sql loaders auto enable...





[GRP-3119] daemon configuration for reports Created: 05/Feb/21  Updated: 01/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by GRP-4451 daemon job for reports gives error "E... Resolved

 Description   

Do I need to worry about this?  It comes up every time I go into the Daemon jobs..

Error: can’t find daemon config for jobName grouper_report_9d681135d4084d0ab06b992e47615c4b_71c5e29a75764ddc8b4ca2f6544738ff






[GRP-3682] change grouper report daemon names to be the system name not uuid Created: 03/Nov/21  Updated: 01/Nov/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to GRP-4451 daemon job for reports gives error "E... Resolved

 Description   

grouper_report_6905452b5df74a778025ecfa15414864_8dce82492bed47be8e8a34d4bbd6d851






[GRP-4450] Provisioner metadata is readonly unless "can change" is true Created: 01/Nov/22  Updated: 01/Nov/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.16
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When a provisioner has metadata, there is no way to set the value of it unless the "Metadata xxx: can change" is set to true






[GRP-4445] SQL subject source should show form field for maxPageSize Created: 25/Oct/22  Updated: 25/Oct/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.40, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4443] run harvard group of names add a large group, takes 20 minutes Created: 24/Oct/22  Updated: 24/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4439] Subject source adapters don't limit query to default limit when max results is blank Created: 22/Oct/22  Updated: 22/Oct/22

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: 2.5.41, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the UI for the new sql subject adapter (GrouperJdbcSourceAdapter2_5), the field for Max results size has a description "Max results size. Default value is '100'". However, if the field is left blank, there is no limit of 100, and all records are returned.

This applies to substring searches in the add member search box which looks up for every character typed after a pause, when the length is 2+. With a small search string, this could potentially return a large list of results.

The workaround is to always put a value in this field, even if you want the value to be 100.

The `subjectApi.source.genericSource.param.maxResults.value` does have a default of 100, but that may just for display. I don't see any source init functions that set the default as a fallback.



 Comments   
Comment by Chad Redman [ 22/Oct/22 ]

The suggested workaround of setting maxResults causes loader jobs to fail. This was the result when maxResults was set to 50 (I reformatted the sql for readbility):

 

groovy:000> GrouperLoader.runJobOnceForGroup(gs, g)
ERROR java.lang.RuntimeException:
edu.internet2.middleware.subject.SubjectTooManyResults: More results than allowed: 50 for search 'select ID, FACSTAFF_UID, STUDENT_UID, FIRST_NAME, LAST_NAME, FACSTAFF_EMAIL
from identity_vw
where ID in
      (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
       ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
       ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
       ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
       ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
limit 51
',
jobName: SQL_GROUP_LIST__etc:loader:campuscode_loader__5be89955d801457799db798d4e3d901d
        at edu.internet2.middleware.grouper.app.loader.GrouperLoader.runJobOnceForGroup (GrouperLoader.java:1733)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoader.runJobOnceForGroup (GrouperLoader.java:1664)
        at edu.internet2.middleware.grouper.app.loader.GrouperLoader$runJobOnceForGroup.call (Unknown Source)

(there are 180 of those ?'s)





[GRP-4438] azure error on memberships (null pointer) Created: 22/Oct/22  Updated: 22/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2022-10-20T09:19:01,498: [DefaultQuartzScheduler_Worker-9] ERROR GrouperProvisionerTargetDaoAdapter.logError(239) - []
- Provisioner 'AZURE_AD' (vjk1ych6) Error with provisioner 'AZURE_AD' - 'vjk1ych6' with membership: Mship(groupId: "46d95573-744b-4335-9f8a-095a10609003", matchingAttrs: LinkedHashSet(1): [0]: [id, MultiKey[46d95573-744b-4335-9f8a-095a10609003, null], currentValue: true], exception: java.lang.NullPointerException, provisioned: false, attr[id]: <null>, incrementalDataAction: insert, errorCode: "ERR")
(vjk1ych6): java.lang.NullPointerException
(vjk1ych6):     at java.net.URLEncoder.encode(URLEncoder.java:204)
(vjk1ych6):     at edu.internet2.middleware.grouper.util.GrouperUtil.escapeUrlEncode(GrouperUtil.java:3465)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.azure.GrouperAzureApiCommands.createAzureMemberships(GrouperAzureApiCommands.java:577)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.azure.GrouperAzureTargetDao.insertMemberships(GrouperAzureTargetDao.java:325)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.insertMembershipsHelper(GrouperProvisionerTargetDaoAdapter.java:3681)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.access$2300(GrouperProvisionerTargetDaoAdapter.java:42)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$25.callLogic(GrouperProvisionerTargetDaoAdapter.java:3741)
(vjk1ych6):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter$25.callLogic(GrouperProvisionerTargetDaoAdapter.java:3735)
(vjk1ych6):     at edu.internet2.middleware.grouper.util.GrouperUtil.executorServiceSubmit(GrouperUtil.java:13915)
 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/Oct/22 ]

note, this stops the provisioner, does not register as error

Comment by Chris Hyzer (upenn.edu) [ 22/Oct/22 ]

user id is null

arrayNode.add(GrouperUtil.stripLastSlashIfExists(resourceEndpoint) + "/directoryObjects/" + GrouperUtil.escapeUrlEncode(userId));





[GRP-4434] WS SCIM 2 to implement Bulk updates Created: 20/Oct/22  Updated: 20/Oct/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.6.17
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Not yet implemented in the WS SCIM service.

Was not working in the Penn State implementation either; it gave an error:

org.apache.johnzon.mapper.MapperException: class edu.psu.swe.scim.spec.resources.ScimResource not instantiable

 






[GRP-4436] WS SCIM 2 allow to enable/disable via configuration property Created: 20/Oct/22  Updated: 20/Oct/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.6.17
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Create a grouper-ws property that can turn off SCIM in the WS module if the user doesn't want a SCIM service. It's enabled from CommonServletContainerInitializer like WS is, so that code can just look at the property before adding the filter and servlet.






[GRP-4435] WS SCIM 2 to implement PATCH method Created: 20/Oct/22  Updated: 20/Oct/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.6.17
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The PATH http method is essential for membership updates via the group object. Without it, you can't add or delete individual members from a membership list, rather you need to pass back the whole membership list with just one entry changed.

This was not working in the Penn State Scim implementation, the error was

java.lang.UnsupportedOperationException: PATCH operations are not implemented at this time.






[GRP-4433] WS SCIM 2 to implement /Schemas endpoint Created: 20/Oct/22  Updated: 20/Oct/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.6.17
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The /Schemas endpoint hasn't yet been implemented in the WS Scim solution. It was not working in the Penn State implementation either (nested fields were referencing their parents, so the was an infinite loop that crashed the stack)

 

  • /scim/v2/Schemas/{resourceType} should return a schema object defining the attributes for a schema
  • /scim/v2/Schemas should return a json array for User, Group, Membership, TierMetaExtension, TierGroupExtension





[GRP-4417] upgrade xmlsec Created: 10/Oct/22  Updated: 19/Oct/22

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chad Redman [ 19/Oct/22 ]

Reverted, hibernate was not able to start

 

$ bin/gsh.sh -registry -runscript -nopromptDetected Grouper directory structure 'webapp' (valid is api, apiMvn, webapp)
Using GROUPER_HOME:           XXX/grouper/grouper-ui/webapp/WEB-INF
Using GROUPER_CONF:           XXX/grouper/grouper-ui/webapp/WEB-INF/classes
Using JAVA:                   /usr/lib/jvm/java-8-openjdk-amd64/bin/java
Using CLASSPATH:              XXX/grouper/grouper-ui/webapp/WEB-INF/classes:XXX/grouper-ui/webapp/WEB-INF/lib/*
using MEMORY:                 64m-750m
2022-10-19T10:22:38,029: [main] FATAL Hib3DAO.initHibernateIfNotInittedHelper(374) - [] - unable to initialize hibernate: org.codehaus.stax2.ri.EmptyIterator.getInstance()Lorg/codehaus/stax2/ri/EmptyIterator;
java.lang.NoSuchMethodError: org.codehaus.stax2.ri.EmptyIterator.getInstance()Lorg/codehaus/stax2/ri/EmptyIterator;
    at com.ctc.wstx.util.EmptyNamespaceContext.getNamespaces(EmptyNamespaceContext.java:36) ~[woodstox-core-asl-4.2.0.jar:4.2.0]
    at com.ctc.wstx.evt.BaseStartElement.getNamespaces(BaseStartElement.java:82) ~[woodstox-core-asl-4.2.0.jar:4.2.0]
    at org.hibernate.boot.jaxb.internal.stax.HbmEventReader.applyNamespace(HbmEventReader.java:78) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.stax.HbmEventReader.wrap(HbmEventReader.java:62) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.stax.HbmEventReader.peek(HbmEventReader.java:52) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:445) ~[jaxb-runtime-2.3.1.jar:2.3.1]
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:435) ~[jaxb-runtime-2.3.1.jar:2.3.1]
    at org.hibernate.boot.jaxb.internal.AbstractBinder.jaxb(AbstractBinder.java:172) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.MappingBinder.doBind(MappingBinder.java:53) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.AbstractBinder.doBind(AbstractBinder.java:103) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.AbstractBinder.bind(AbstractBinder.java:58) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.InputStreamXmlSource.doBind(InputStreamXmlSource.java:43) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.jaxb.internal.InputStreamXmlSource.doBind(InputStreamXmlSource.java:38) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.spi.XmlMappingBinderAccess.bind(XmlMappingBinderAccess.java:94) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.boot.MetadataSources.addInputStream(MetadataSources.java:430) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at org.hibernate.cfg.Configuration.addInputStream(Configuration.java:495) ~[hibernate-core-5.6.10.Final.jar:5.6.10.Final]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.addClass(Hib3DAO.java:427) ~[grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.addClass(Hib3DAO.java:386) ~[grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.initHibernateIfNotInittedHelper(Hib3DAO.java:199) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.initHibernateIfNotInitted(Hib3DAO.java:170) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.session(Hib3DAO.java:490) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAO.session(Hib3DAO.java:477) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3DAOFactory.getSession(Hib3DAOFactory.java:200) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.<init>(HibernateSession.java:261) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.hibernate.HibernateSession._internal_hibernateSession(HibernateSession.java:486) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:681) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.hibernate.ByHqlStatic.uniqueResult(ByHqlStatic.java:356) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.findBySubject(Hib3MemberDAO.java:306) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.MemberFinder.internal_findOrCreateBySubject(MemberFinder.java:726) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.MemberFinder.internal_findBySubject(MemberFinder.java:641) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.MemberFinder.internal_findBySubject(MemberFinder.java:625) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.GrouperSession.getMember(GrouperSession.java:653) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.GrouperSession.start(GrouperSession.java:493) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.GrouperSession.startRootSession(GrouperSession.java:428) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1062) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:292) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.registry.RegistryInitializeSchema.main(RegistryInitializeSchema.java:176) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_342]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_342]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_342]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_342]
    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:245) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:167) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
    at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31) [grouper-2.6.0-SNAPSHOT.jar:2.6.0-SNAPSHOT]
Grouper starting up: version: 2.6.0-SNAPSHOT, build date: 2022/10/19 14:18:57 +0000, env: <no label configured>





[GRP-4429] MembershipSave.save() doesn't return a membership on insert Created: 18/Oct/22  Updated: 18/Oct/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.43, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

      Membership mship = new MembershipSave()
              .assignGroup(group)
              .assignMember(member)
              .assignImmediateMshipEnabledTime(GrouperUtil.longObjectValue(resource.getEnabledTime(), true))
              .assignImmediateMshipDisabledTime(GrouperUtil.longObjectValue(resource.getDisabledTime(), true)).save();

This should return the created membership. per the javadoc, "@return the membership that was updated or created or deleted".






[GRP-4428] For SQL subject source, add option for search column to wildcard just the suffix Created: 18/Oct/22  Updated: 18/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.40, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

For new style SQL subject sources (GrouperJdbcSourceAdapter2_5), parameter lowerSearchCol is a wildcard search, appending '%' both before and after the search string. The wildcard prefix negates the effect of any indexes on the field, and it needs to do a full table scan to find substring matches. If there were an option to only add the '%' to the suffix of the string and not the prefix, it may perform better when the subject table is large.



 Comments   
Comment by Chad Redman [ 18/Oct/22 ]

Actually, if this column is going to concatenate a few different values, it needs the prefix wildcard to find those. So maybe this isn't a request that makes sense.





[GRP-4427] adjust mailNickname documentation to note the max length Created: 17/Oct/22  Updated: 17/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

maybe also set max length as a validation?

Liam Hoekenga
4:13 PM
mailNickname in azure has to be <= 64 characters.
https://morgantechspace.com/2019/07/fix-badrequest-invalid-value-specified-for-mailnickname.html
MorganTechSpaceMorganTechSpace
Solved: BadRequest Invalid value specified for property mailNickname
This post provides fix for the error message BadRequest Invalid value specified for property mailNickname of resource user when create new Office 365 user.
Written by
Morgan
Est. reading time
1 minute
Jul 18th, 2019

4:14
wrong link
4:14
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11129
#11129 List of unallowed characters for the mailNickName is not complete
Hi,
The current description for the mailNickName states:
The mail alias for the group. Max. length: 64 characters. These characters cannot be used in the mailNickName: @()[]";:.,SPACE. Required.
I accidentally failed to create a Group by using the characters §^°, which are not listed in the description above.
Are you going to update the documentation?
Cheers,
Patrick

  • * *
    Document Details
    :warning: Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
    • ID: 1e7c37f6-ee5d-52a5-4db5-eee157bd3935
    • Version Independent ID: 25cddb92-e198-16e9-635e-bc4dbd5587ac
    Show more
    Assignees
    @yyuank
    Comments
    5
    <https://github.com/microsoftgraph/microsoft-graph-docs|microsoftgraph/microsoft-graph-docs>microsoftgraph/microsoft-graph-docs | Dec 28th, 2020 | Added by GitHub
    4:15
    and I think we had to define mailnickname even for non-emailable security groups
    4:15
    if that’s true, could that limit be noted someplace?





[GRP-4425] provisioning edit provisionable if set provision to No, then it doesnt save (when previously provisionable) Created: 14/Oct/22  Updated: 14/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

the rest of screen should disappear too






[GRP-4424] translate objects with default values Created: 14/Oct/22  Updated: 14/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. right now we need

${grouperProvisioningGroup ? ('cn=' + edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.displayExtension) + ':Member,ou=Groups-qa,dc=law,dc=harvard,dc=edu') : null}
 






[GRP-4423] provisioner exception Created: 14/Oct/22  Updated: 14/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File provisionerException.txt    




[GRP-4422] allow other system to remove memberships in provisioning Created: 13/Oct/22  Updated: 13/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The only thing I can think of that we need in new provisioning at the moment is a bit more control of what happens when grouper wants to remove someone from a target group and the someone is no longer in the target.

Gail Lift
1:49 PM
We have targets (LDAP and Azure) from which people are removed as soon as they become unresolvable in our subject source.

Chris Hyzer
1:49 PM
and does it remove the memberships too?

Gail Lift
1:50 PM
So if the unresolvable triggers removing someone from groups, they are already gone by the time grouper talks to the target.

Chris Hyzer
1:50 PM
ok, we can do that






[GRP-4415] Add option to dump ddlScript output to stdout instead of a file Created: 10/Oct/22  Updated: 10/Oct/22

Status: Open
Project: Grouper
Component/s: API, gsh
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When needing to run a registry check with

gsh -registry -check -deep

or similar, the output gets saved to a local file. Users may not have a convenient option to mount the ddlScripts folder on demand, and logging it to standard output may be an easier option.

If stdout is a problem due to being to much output which prevents it from being captured, it may be advantageous to rewrite this to log the output using log4j, and then the user will have the ability to set appenders as needed.






[GRP-4412] do not query ldap_dn attribute in ldap filters Created: 07/Oct/22  Updated: 07/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4411] Grouper Version Upgrade 2.6.16.2 Created: 07/Oct/22  Updated: 07/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Andrew Aschenbrener Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4410] Allow option to not show subject attribute friendly description for names Created: 06/Oct/22  Updated: 06/Oct/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.16
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Example:
Unique ID:
002100007

The subjectId is the opaque unchanging ID of the entity
Email:
d.kwdln41@example.edu.invalid

This is the entity attribute: preferred_email
Name:
Margaret Simmons

The entity attribute 'name' is the first and last name of the entity
Description:
Margaret Simmons

The 'description' attribute differentiates entities with the same name

 

This is new UI behavior for 2.6.16, and may not be desirable for all institutions






[GRP-4404] configure import file or copy paste submit does not do anything... Created: 05/Oct/22  Updated: 05/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4403] ldap provisioner with default member does not get removed Created: 05/Oct/22  Updated: 05/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

the default member gets added and then it doesnt get removed when other members are there.






[GRP-4400] loader subjob entries should be capped at 100 Created: 03/Oct/22  Updated: 03/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Paul Rubenis: Any reason that any loader jobs that are creating subfolders need to spam the grouper_loader_log table with so many entries? In our case, a couple loader jobs are running 3-4x per hour and creating 10s of thousands of sub folders..which end up creating 100s of thousands of db table entries in grouper_loader_log...In just 14 days that ends up being over 9M+ rows in that table... AND the daemon loader view apparently needs to read that entire table (or vast portions of it) in order to actually display the view for daemon loader jobs... (edited)






[GRP-4399] data fixer daemon should make sure no group has the same name as another alternate name Created: 01/Oct/22  Updated: 01/Oct/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4398] dont allow changing subject source id in subject source wizard Created: 30/Sep/22  Updated: 30/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4394] Allow the UI list of Provisioners to be extended Created: 30/Sep/22  Updated: 30/Sep/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.16
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The drop down list of provisioner types that can be created is a hard coded list of specific classes in ProvisioningConfiguration.provisionerConfigClassNames that is defined as final at Grouper startup. If an institution creates a custom provisioner, the classes can be supplied in a separate jar. But there isn't a way to extend the drop down list since it is sealed.

Maybe something like this in grouper-ui.properties?

additionalProvisioners.0.class = MySpecialProvisionerConfiguration
additionalProvisioners.1.class = OtherSpecialProvisionerConfiguration

The provisioners would then appear after the built-in ones, in the order enumerated in the config.



 Comments   
Comment by Jonathan Johnson (unicon.net) [ 30/Sep/22 ]

in 2.6.16, the `Set` is indeed `final`, but it's not unmodifiable. Elsewhere, I've set up an initializer that adds to the set, but it might be nice to add a standard/supported method to the class





[GRP-4391] put limits on group size for provisioning Created: 27/Sep/22  Updated: 30/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jonathon Taylor
Today at 5:01 PM
Question about the provisioner. We currently use something custom to prevent users from syncing “large groups” to some specific external systems that are particularly slow. I believe we are using an attribute to control if the specific group is allowed to sync more than X number of members. This is custom code we’d like to stop using. Is there a way to handle this with the latest version of Grouper and the fail safes? The key is that we don’t have that limit on some external systems, only particular ones. Long story short we want our IAM staff to approve the provisioning of large groups for specific external systems.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 30/Sep/22 ]

@mchyzer
regarding https://todos.internet2.edu/browse/GRP-4391. Some more clarification on our use case and background from the person I’m going to be backing up (Jeff McCullough):
We are currently using this along with the change log consumer from Carnegie Melon for LDAP/AD, the original google provisioner and groupDuo provisioner for our provisioning:
https://github.com/Unicon/grouper-provisioning-target-ui
We plan on moving to the Provisioning Framework when we migrate from 2.4 to 2.6. Our current process gives us the ability to configure a specific provisioner in a way that limits the max number of entities synced. A good example for us is Google, which is very slow, so we only allow small groups to sync by default. If a customer wants to sync a large group we can apply an attribute either at the folder or group level based on allowLargeGroupsDef we’ve created. We currently have written into each provisioner the ability to check for that attribute and do the override.
Going forward it would be ideal if:

  • The provisioning framework had some way to limit, on a per provioner basis, an optional ceiling on the number of members a group can have
  • The ability to override that outside of the provisioner at the folder or group level via an attribute
    This would allow us to give some customers the ability to configure provisioning but keep the ‘failsafe’ in the hands of IAM staff.




[GRP-4393] relieve or increase SQL size limit for loader jobs Created: 28/Sep/22  Updated: 28/Sep/22

Status: Open
Project: Grouper
Component/s: daemon, UI
Affects Version/s: 2.6.16
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

per slack conversation:
https://internet2.slack.com/archives/C7V0UQDJ4/p1664378034256609?thread_ts=1664301961.029599&cid=C7V0UQDJ4
increase or relieve the size limit of a SQL query in loader jobs.






[GRP-4390] if query too long for loader, should give error on UI before saving Created: 27/Sep/22  Updated: 27/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4389] abbreviate group display names on main page Created: 27/Sep/22  Updated: 27/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    




[GRP-4387] Refactor or remove GrouperUtil.fileCopyExampleResourceIfNotExist() Created: 26/Sep/22  Updated: 26/Sep/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.0, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Commit 8c081131 "get grouper ui dev env working" added a new method

GrouperUtil.fileCopyExampleResourceIfNotExist(String exampleResource, String resource) 

. This interferes with unit testing.

The only place this is called is the first time GrouperUtil.getLog() is called by any class that does logging. It is called with parameters "log4j2.example.xml" and "log4j2.xml". The method itself checks whether log4j2.xml already exists before copying, which contradicts the purpose suggested by the "IfNotExist" method name. This is what causes the JUnit errors, since log4j2.xml is not packaged with the Grouper artifacts. Also, log4j2.example.xml is not packaged in the grouper jar. Since both the example and the target need to already exist as files in the filesystem for a successful startup, the fileCopyExampleResourceIfNotExist() method is pretty much superfluous.

A normal Grouper startup already has a CheckConfig step to verify log4j2.xml exists. There is no danger of a container running while missing the file.

I haven't yet figured out how log4j2.example.xml gets into the image. It's not packaged in the grouper jar, is not handled by the installer, and doesn't exist in the Git repo for the docker build. I must be missing something.






[GRP-4386] add attestation where if not attested the group will be disabled Created: 23/Sep/22  Updated: 23/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

enable once attestation is done
do not allow enabling without attestation






[GRP-4383] grouper provisioning null pointer when incremental adding a user (not in target) to a group that requires users to exist Created: 23/Sep/22  Updated: 23/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

type: consumer, finalLog: false, state: init, consumerName: provisioner_incremental_gpf_groupOfNamesHlsLdap, totalCount: 2, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer, runId: vinudton, exception: java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, tookMillis: 1701Error: java.lang.RuntimeException: Couldn't process any records: type: consumer, finalLog: true, state: init, consumerName: provisioner_incremental_gpf_groupOfNamesHlsLdap, totalCount: 2, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer, runId: vinudton, exception: java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, tookMillis: 1701
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:595)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Error: Error processing record -1, sequenceNumber: -1, java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Did not get all the way through the batch! -1 != 41911183java.lang.RuntimeException: Error in loader job: null, status: ERROR, check logs: type: consumer, finalLog: false, state: init, consumerName: provisioner_incremental_gpf_groupOfNamesHlsLdap, totalCount: 2, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer, runId: vinudton, exception: java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, tookMillis: 1701Error: java.lang.RuntimeException: Couldn't process any records: type: consumer, finalLog: true, state: init, consumerName: provisioner_incremental_gpf_groupOfNamesHlsLdap, totalCount: 2, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer, runId: vinudton, exception: java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, tookMillis: 1701
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:595)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Error: Error processing record -1, sequenceNumber: -1, java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: incrementalProvisionChangeLog, state: retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc, changeLogRawCount: 2, changeLogItemsApplicableByType: 2, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 2, syncGroupsFound: 1, retrieveSyncGroupsMillis: 3, syncGroupCount: 1, groupsWithRecalcMembershipsThatCannotSelectMemberships: 2, convertToFullSyncScore: 2, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 2, syncMembershipsFromMembership: 1, retrieveSyncMembershipsMillis: 2, syncMembershipCount: 1, syncMembersToQuery: 1, syncMembersFound: 1, retrieveSyncMembersMillis: 0, syncMemberCount: 1, retrieveDataStartMillisSince1970: 1663962121729, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 0, retrieveGrouperGroupsMillis: 1, grouperGroupCount: 1, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 0, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 15, copyIncrementalStateToWrappersMissing: 1, assignDefaultFieldsAndAttributesCount: 2, retrieveTargetDataMillis: 50, provisioningGroupWrappersWithMatch: 2, provisioningEntityWrappersWithNoMatch: 2, provisioningMembershipWrappersWithNoMatch: 2, targetEntitiesForLinkNull: 1, exception: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogicIncremental.retrieveTargetIncrementalMembershipsWithRecalcWhereContainerIsNotRecalc(GrouperProvisioningLogicIncremental.java:2088)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:993)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:779)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
, finalLog: true, queryCount: 18, tookMillis: 1691, took: 00:00:01.691
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provisionFinallyBlock(GrouperProvisioner.java:890)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:811)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:674)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Did not get all the way through the batch! -1 != 41911183
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:549)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
 
 






[GRP-4382] fix this error message to mention caching on links Created: 23/Sep/22  Updated: 23/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

"Error: if you are using 'entity link' you must translate an entity attribute to a sync field (recommended) or have an entity link script (less likely)"






[GRP-4379] change audit log to add start/end dates Created: 23/Sep/22  Updated: 23/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Added Sandra Johnson as a member of the Expelled 2023 (basis) group.






[GRP-4378] audit log says someone added even if the start date is in the future Created: 23/Sep/22  Updated: 23/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Added Johnny Jimenez as a member of the testGroup group.






[GRP-4371] Refactor session initializer to remove resources/init/*.properties Created: 21/Sep/22  Updated: 21/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Since 2.2, localization is configured in grouper.text.bundle.* properties in either grouper-ui.properties (2.2->2.4p54) or grouper.properties (2.4p55+). But the SessionInitialiser class is still looking at and setting a session variable based on grouper-ui configuration files resources/init.properties and resources/grouper/init.properties. Those session values don't appear to be doing anything during some light testing. In fact, you can't override the values anyway, since they are packaged in the grouper-ui jar.

They do seem to be harmless, but it would be nice to refactor that class to not deal with those property files, and then remove them from the jar.

 






[GRP-4368] Creation of Local Entity Failing when not user in sysadmingroup Created: 21/Sep/22  Updated: 21/Sep/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.10
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Jonathan Keller (ucdavis.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File grouper_local_entity_create_stack_trace.txt    

 Description   

Creation of a local entity in a folder seems to be failing due to the system attempting to assign permissions to the entity which are not allowed by the user creating the entity.  The user has Admin privs on the folder (inherited) that the entity is being created in. 

There are no explicit permissions being assigned to these entities as far as we can tell, so we are a bit at a loss as to which permissions are triggering this error.

Users in the sysadmingroup do not have this issue.

I'm attaching the stack trace which is logged when this happens.  The UI returns the usual message related to the Hibernate transaction being closed.
Error creating local entity: , stem name: 'app:adminit:api:service:consumers', group extension: 'UCD_General_Library', group dExtension: 'UCD General Library', uuid: null, typeOfGroup: entity, Problem in HibernateSession: HibernateSession (333d0b92): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (10c9553e), Problem in HibernateSession: HibernateSession (3f75ab72): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (10c9553e), Problem in HibernateSession: HibernateSession (300ef3bb): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (10c9553e), Problem saving group: app:adminit:api:service:consumers:UCD_General_Library, thread: c4742a7






[GRP-4362] Provisioning Framework is provisioning entities that exist in Grouper but not Target Created: 21/Sep/22  Updated: 21/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Alpha Sanneh Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OpenLDAP



 Description   

We have encountered a bug in the Provisioning Framework whereby if an entity exists in grouper but not in the target (i.e. OpenLDAP) grouper will insert the entity in a provisionable group. This is a critical bug because grouper is not the entity source so should never add one if it does not exist in the target. Our production Grouper v2.6.8 and we plan to upgrade to v2.6.15.1 within the next two weeks. We have tested this in our stage environment which is running v2.6.15 and it the issue persists






[GRP-4171] Subject change daemon Created: 22/Jul/22  Updated: 16/Sep/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: 2.6.11

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Subject+change+daemon



 Comments   
Comment by Shilen Patel (duke.edu) [ 16/Sep/22 ]

Waiting on entity recalc to work...





[GRP-4358] remove jsonlib and replace with jackson Created: 16/Sep/22  Updated: 16/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

note there are helper methods in GrouperUtil.jsonJackson...






[GRP-4357] add start/end date to member export of group Created: 16/Sep/22  Updated: 16/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4355] maven checkstyle shouldn't warn on missing javadoc on private fields/methods Created: 16/Sep/22  Updated: 16/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

[WARN] /GIT/grouper/grouper/src/grouper/edu/internet2/middleware/grouper/client/GrouperX509TrustManager.java:51:3: Missing a Javadoc comment. [JavadocVariable]

It's complaining about private methods and fields. What is the coding standard? I assume it's optional, but do we want checkstyle warning about it?






[GRP-4352] loader should add before remove Created: 14/Sep/22  Updated: 14/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We're looking to provide a seamless transition from "current summer student, future fall student" to "past summer student, current fall student" on the term changeover boundary. A simplified scenario is below, with (A), (B), and (C) standing in for Group UUIDs.

Before fall semester start, a student might be members of the following groups; (C) is a populated by the loader, looking for Current groups:

(A) Current Summer Students in L&S
(B) Future Fall Students in L&S
(C) All Current Students [via (A)]

To reduce processing churn, we pause processing in Grouper and run a script after midnight on the first day of fall semester to rename the groups, which results in these memberships for the user:

(A) Past Summer Students in L&S
(B) Current Fall Students in L&S
(C) All Current Students [via (A)]

When we turn the loader back on, because deletes happen first, (A) is removed from (C) before (B) is added, so the user loses all the memberships / eligibility granted to All Current Students. These m



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 14/Sep/22 ]

for one subject, do adds/deletes in one transaction if the number of work is under a certain amount

Comment by Chris Hyzer (upenn.edu) [ 14/Sep/22 ]

have options to order adds/deletes or deletes/adds

Comment by Chris Hyzer (upenn.edu) [ 14/Sep/22 ]

change default behavior?





[GRP-4349] new local entity screen should have "entity id" not "group id" Created: 13/Sep/22  Updated: 13/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4348] add view for change log temp Created: 13/Sep/22  Updated: 13/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

CREATE OR REPLACE VIEW penngrouper.grouper_change_log_entry_tmp_v
AS SELECT gcle.created_on,
gclt.change_log_category,
gclt.action_name,
gclt.label_string01,
gcle.string01,
gclt.label_string02,
gcle.string02,
gclt.label_string03,
gcle.string03,
gclt.label_string04,
gcle.string04,
gclt.label_string05,
gcle.string05,
gclt.label_string06,
gcle.string06,
gclt.label_string07,
gcle.string07,
gclt.label_string08,
gcle.string08,
gclt.label_string09,
gcle.string09,
gclt.label_string10,
gcle.string10,
gclt.label_string11,
gcle.string11,
gclt.label_string12,
gcle.string12,
gcle.context_id,
gcle.change_log_type_id
FROM grouper_change_log_type gclt,
grouper_change_log_entry_temp gcle
WHERE gclt.id::text = gcle.change_log_type_id::text;






[GRP-4345] WsGetGroupsLiteResult with no found groups should return empty list Created: 12/Sep/22  Updated: 12/Sep/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 1.3.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

{
  "WsGetGroupsLiteResult": {
    "resultMetadata": {
      "success": "T",
      "resultCode": "SUCCESS",
      "resultMessage": "Success for: clientVersion: 2.6.5, subjectLookups: Array size: 1: [0]: WsSubjectLookup[subjectId=banderson]\n\nmemberFilter: All, includeGroupDetail: false, actAsSubject: null\n, params: null\n fieldName1: null\n, scope: null, wsStemLookup: WsStemLookup[]\n, stemScope: null, enabled: null, pageSize: null, pageNumber: null, sortString: null, ascending: null\n, pointInTimeFrom: null, pointInTimeTo: null"
    },
    "wsSubject": {
      "sourceId": "ldap",
      "success": "T",
      "name": "Bob Anderson",
      "resultCode": "SUCCESS",
      "id": "banderson"
    },
    "responseMetadata": {
      "serverVersion": "2.6.15",
      "millis": "473"
    }
  }
}

When no groups are found, it is missing the wsGroups node, which means callers may need to do an extra for null or get a null pointer exception.






[GRP-4342] Create GrouperUtil.join() method that works on Collections Created: 07/Sep/22  Updated: 07/Sep/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 1.4.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There are currently a few different GrouperUtil methods for joining to return a delimited string. All work with either an iterator or an array. The iterator version can be used for Set objects, but the caller needs to check for a null Set before getting its iterator. If there were a version taking in a Collection object instead of an iterator, it could do the null check in the method (returning null?) so the caller doesn't need to do it. This would be particularly useful in jexl calls where results can't be saved to temporary variables, so lookups need to be done twice.

 

E.g.,

Now (subject.getAttributeValues called twice)

${subject.getAttributeValues("eduPersonAffiliation") == null ? null : edu.internet2.middleware.grouper.util.GrouperUtil.join(subject.getAttributeValues("eduPersonAffiliation").iterator(), "|")}

Proposed:

${edu.internet2.middleware.grouper.util.GrouperUtil.join(subject.getAttributeValues("eduPersonAffiliation"), "|")}

 

 






[GRP-4339] grouper loader should remove memberships from groups instead of delete groups as an option Created: 07/Sep/22  Updated: 07/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4337] GroupFinder builder missing method for assignIdIndexes() and addIdIndex() Created: 06/Sep/22  Updated: 06/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Searching for a group by its idIndex can only be done using the GroupFinder.findByIdIndexSecure(Long). If you want to use the new builder pattern, there isn't a chained method to set the idIndex or multiple idIndexes to search on.






[GRP-4330] Make ChangeLog Consumer queue/backlog size available via web request Created: 01/Sep/22  Updated: 01/Sep/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: John Gasper III Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be great if the ChangeLog Consumer backlog/queue count was available via a web query like it is on the Daemon Extended Log page. I'm not sure if this could be a SOAP/REST request or just part of the status page dump.

 

Either, the desired outcome is that external processes can monitor the queue size (without having to create db accounts/permissions/calculations, etc) and doing things with that info, like alerting or programmatically make decisions like when importing 25K records into a group, slowing down or temporarily suspending the process if specific CLC's queue gets too long.

(Carey had a larger wishlist at https://internet2.slack.com/archives/C7V0UQDJ4/p1662055948632379?thread_ts=1662051345.455219&cid=C7V0UQDJ4)






[GRP-4063] gsh template add a "warning" output status Created: 02/Jun/22  Updated: 31/Aug/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford Yesterday at 7:52 PM
Random question about GSH templates and gsh_builtin_gshTemplateOutput.addOutputLine it looks like the message types are only success (green), info (blue) and error (red) but when I set to error it seems to think the script failed and it rolls everything back. Is there something like “warn” (yellow) possible, or is there a way to have a error message that doesn’t make the system think there was an error we can’t handle (I’m asking for a list of users, and if any can’t be found, I just want to display a message regarding that.)

I don't know if we can make just those lines yellow, or if the whole div needs to be yellow.

IIRC these statuses are magic string values. It would be good to have an enum version of these too, which would make it more "Java-like".

 

 






[GRP-4326] flat ldap dn should be there Created: 30/Aug/22  Updated: 30/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2022-08-30 14:29:47.327: ERRROR: Provisioner 'ldapMemberUidProvisioner' (vhqslgbe) Error inserting group java.lang.RuntimeException: Why is targetGroup.retrieveAttributeValueString(ldap_dn) blank?,
(vhqslgbe): Group(matchingAttrs: LinkedHashSet(1): [0]: [gidNumber, 10642, currentValue: true], provisioned: false, attr[cn]: "afl_civil_service", attr[gidNumber]: "10642", attr[ldap_dn]: <null>, attr[objectClass]: LinkedHashSet(2): [0]: posixGroup, [1]: groupofuniquenames, ins cn "afl_civil_service", ins gidNumber "10642", ins objectClass "posixGroup", ins objectClass "groupofuniquenames", recalcObject: true, recalcMships: true, create: true)
(vhqslgbe):     at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.insertGroup(LdapProvisioningTargetDao.java:228)
(vhqslgbe):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.insertGroup(GrouperProvisionerTargetDaoAdapter.java:303)
(vhqslgbe):     at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.insertGroups(GrouperProvisionerTargetDaoAdapter.java:2248)
 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 30/Aug/22 ]

log all objects verbose did not log here





[GRP-4321] add confirm popup for enabled/disable/delete on daemon jobs... Created: 29/Aug/22  Updated: 29/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4319] add target object cache to grouper provisioning Created: 28/Aug/22  Updated: 28/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4253] ldap provisioner: starts with: flat provisioning, name: flatReverseNameLimit64 - fail Created: 03/Aug/22  Updated: 20/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Aug/22 ]

        if (StringUtils.equals(rdnValueForGroups, "nameBackwardsUnderscoreMax64")) {
          provisionerSuffixToValue.put("targetGroupAttribute."+groupAttributes+".translateExpression", "${"+GrouperUtil.class.getName()+".stringFormatNameReverseReplaceTruncate(grouperProvisioningGroup.name, '_', 64)}");
 
 





[GRP-4304] add servername to apache configs in container Created: 17/Aug/22  Updated: 17/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Reply…

Also send to incommon-grouper

incommon-grouper
Benjamin Rappleyea and you

Benjamin Rappleyea
1 day ago
If "servername" is not being written into ssl-enabled.conf is there a way to add it so that it will?

Show 3 more replies

Benjamin Rappleyea
1 day ago

  1. modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
  1. OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling off
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

Listen 8443 https
<VirtualHost *:8443>
ServerName example.server.name.edu

RewriteEngine on
RewriteRule "^/$" "/grouper/" [R]

SSLEngine on
#SSLCertificateChainFile _GROUPER_SSL_CHAIN_FILE_

SSLCertificateFile /path/to/file.cert

SSLCertificateKeyFile /path/to/file.key

  1. HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    </VirtualHost>
    New
    Added to your saved items

Benjamin Rappleyea
4 hours ago
@mchyzer
I discovered a typo in my SSLCertificateKeyFile path that was causing this file to stop the build, however, I am still overlaying the file because the normal process doesn't populate the ServerName in order to give Shib the data it needs.

Chris Hyzer
< 1 minute ago
i dont know when i can get an example for you, but basically i think you need a grouperScriptHooks.sh which runs a sed on the files to change them... is that possible? :slightly_smiling_face:

Chris Hyzer
< 1 minute ago
maybe we need a built in for servername too... to make it easier...






[GRP-4301] update shib from image in grouper Created: 17/Aug/22  Updated: 17/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

3.3.0_06242022






[GRP-4299] Provisioning Framework should produce "Audit data" about what it does to external systems. Created: 17/Aug/22  Updated: 17/Aug/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.0, 2.6.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In a similar manor to Audit data for a user, "system operations" ( like the Provisioning Framework ) should also document/audit the work. It should be done in a consistent manor with those kinds of events caused by the system as those does in the system.

It would allow for a map of "User did 'x' in Grouper" to 'provision(s) did 'Y' in external system(s)'.

With out the visibility in the Grouper Audit information then it become very challenging, ( if not impossible ) to later look back and know why something was done in an external system.






[GRP-4297] add manager role to provisioner to do things other than assign provisioning Created: 17/Aug/22  Updated: 17/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4281] Grouper Report - ad last_index_reserved to OVERALL Created: 12/Aug/22  Updated: 12/Aug/22

Status: Open
Project: Grouper
Component/s: reporting
Affects Version/s: 2.6.14
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Please add the various last_index_reserved values from grouper_table_index to the OVERALL section of the Grouper Report so we can keep track of values to prevent collisions with other systems.






[GRP-4280] integrate with google analytics Created: 11/Aug/22  Updated: 11/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

jasonrap
7 days ago
Good morning. Is it possible to use Google analytics within Grouper to do Google analytics stuff?

Chris Hyzer
13 hours ago
Of you can help me know what's needed we can add an option in there…

jasonrap
6 hours ago
We wanted to get a sense of how much the web UI was used. That is, do our customers use the web UI on a daily basis, or every few days.

Chris Hyzer
4 hours ago
So you want some html inserted at the bottom of each page? Does it need to work with Ajax too or just regular browser requests?

jasonrap
6 minutes ago
Yes, some html inserted at the bottom of each page would be great. By default, GA doesn't work with Ajax, but it seems possible. I found this post regarding it https://www.sitepoint.com/google-analytics-track-javascript-ajax-events/ I was just looking for general analytics.
sitepoint.comsitepoint.com
How to Track JavaScript and Ajax Events with Google Analytics - SitePoint
Craig Buckler shows how to use Google Analytics to track not just page views but also events such as Ajax updates, file downloads and social interactions.
Written by
Craig Buckler
Dec 17th, 2017
https://www.sitepoint.com/google-analytics-track-javascript-ajax-events/

Chris Hyzer
2 minutes ago
ok, i think if the ajax renders a page, and that page has the GA link, then it should work just fine for most things...
New

jasonrap
2 minutes ago
Great!strong text






[GRP-4269] ws.diagnostics.minutesSinceLastSuccess improvement Created: 08/Aug/22  Updated: 08/Aug/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.6.13
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From SLACK:
Michael Gettes Today at 11:18

Good morning Groupies:  for status monitoring I’d like to do a little less configuring to limit mistakes.  I have a naming convention for various daemon jobs.  Example: OTHER_JOB_prov_* — I’d like to be able to specify just the “prefix” name in ws.diagnostics something like “ws.diagnostic.minutesSinceLastSuccess.loader_OTHER_JOB_prov_ = 90".  So, if there is not an exact match on the lastSuccess then see if there is a prefix match.  Then as I add provisioners I won’t default to 1440 minutes.  If this is possible (and hopefully others want it) I am happy to submit a jira.
 


Michael Gettes  19 minutes ago

and… if it is possible to allow for % in the job name for “like” matching then I could do even more!






[GRP-4256] provisioning change in cached entity DN in group attributes error retry Created: 04/Aug/22  Updated: 04/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  • memberToId to wrong
  • incremental, add to group picked up
  • dn - changed, error in membership, should recalc in next incremental





[GRP-4251] entity recalc by message not working Created: 03/Aug/22  Updated: 03/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from shilen over slack






[GRP-4245] update documentation for group attribute edit Created: 03/Aug/22  Updated: 03/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I tried following the demo at https://spaces.at.internet2.edu/display/Grouper/Grouper+attribute+framework+attributes+editable+in+group+edit+screen and I couldn’t get it to work. I found that the keys in the example grouper.properties are not what the code is expecting. The example has these:
groupScreenType.theConfigId.attributeName
groupScreenType.theConfigId.label
groupScreenType.theConfigId.description
groupScreenType.theConfigId.index
What I found in the code, and which work for me, are these:
groupScreen.attribute.theConfigId.attributeName
groupScreen.attribute.theConfigId.label
groupScreen.attribute.theConfigId.description
groupScreen.attribute.theConfigId.index
Also, grouper.base.properties has the same issue.






[GRP-4244] add deepEquals() method to remove groups/entities/memberships retrieved from dao in case there are dupes Created: 02/Aug/22  Updated: 02/Aug/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4233] v2.6.13 Unable to turn off provisioning for a provisioner configured as DN Override only Created: 01/Aug/22  Updated: 01/Aug/22

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Aimee Lahann (umich.edu) Assignee: Vivek Sachdeva
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2.6.13


Attachments: PNG File Screen Shot 2022-08-01 at 9.36.56 AM.png    

 Description   

I am unable to turn provisioning off on a group provisioned by a DN Override only provisioner (LDAP_MCOMM_UserGroups.)

I am getting the error message "Group DN override is required"

See pic.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Aug/22 ]

note, you can remove the attribute assignment until this is fixed





[GRP-4231] add immutable id to search for entities in azure provisioning Created: 29/Jul/22  Updated: 29/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4218] RabbitMQ configuring password.elconfig via grouper.messaging doesn't work Created: 28/Jul/22  Updated: 28/Jul/22

Status: Open
Project: Grouper
Component/s: grouperClient, messaging
Affects Version/s: 2.6.13
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

docker



 Description   

Configuring for RabbitMQ using the grouper.messaging .password works but .password.elConfig does not.  See below.  While I am reporting this on 2.6.13 I think this has been an issue for some time - just getting around to reporting it.

grouper.messaging.system.rabbitmqSystem.password.elConfig = ${java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(new("java.io.File", java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE')), "utf-8") : java.lang.System.getenv().get('RABBITMQ_PASSWORD') }






[GRP-4216] duo incremental daemon throws errors Created: 28/Jul/22  Updated: 28/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Andrew Costa
11:16 AM
From what I can tell so far, full has always worked, incrementally throw errors after I make any change but stops throwing errors after the next full, even though I see errors in the logs the changes I make are represented in the DUO groups as the incremental runs (basically almost real time)



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 28/Jul/22 ]

provisioner.duo_test.addDisabledFullSyncDaemon = true
provisioner.duo_test.addDisabledIncrementalSyncDaemon = true
provisioner.duo_test.class = edu.internet2.middleware.grouper.app.duo.GrouperDuoProvisioner
provisioner.duo_test.customizeEntityCrud = true
provisioner.duo_test.customizeGroupCrud = true
provisioner.duo_test.customizeMembershipCrud = true
provisioner.duo_test.deleteEntities = false
provisioner.duo_test.deleteGroups = false
provisioner.duo_test.deleteMembershipsIfNotExistInGrouper = true
provisioner.duo_test.duoExternalSystemConfigId = nebraska_duo_external
provisioner.duo_test.entityAttributeValueCache0entityAttribute = id
provisioner.duo_test.entityAttributeValueCache0has = true
provisioner.duo_test.entityAttributeValueCache0source = target
provisioner.duo_test.entityAttributeValueCache0type = entityAttribute
provisioner.duo_test.entityAttributeValueCache1has = false
provisioner.duo_test.entityAttributeValueCache2has = true
provisioner.duo_test.entityAttributeValueCache2source = grouper
provisioner.duo_test.entityAttributeValueCache2translationScript = ${subject.getAttributeValue('email')}
provisioner.duo_test.entityAttributeValueCache2type = subjectTranslationScript
provisioner.duo_test.entityAttributeValueCacheHas = true
provisioner.duo_test.entityMatchingAttribute0name = loginId
provisioner.duo_test.entityMatchingAttributeCount = 1
provisioner.duo_test.groupAttributeValueCache0groupAttribute = id
provisioner.duo_test.groupAttributeValueCache0has = true
provisioner.duo_test.groupAttributeValueCache0source = target
provisioner.duo_test.groupAttributeValueCache0type = groupAttribute
provisioner.duo_test.groupAttributeValueCacheHas = true
provisioner.duo_test.groupMatchingAttribute0name = name
provisioner.duo_test.groupMatchingAttributeCount = 1
provisioner.duo_test.hasTargetEntityLink = true
provisioner.duo_test.hasTargetGroupLink = true
provisioner.duo_test.logAllObjectsVerbose = true
provisioner.duo_test.makeChangesToEntities = true
provisioner.duo_test.numberOfEntityAttributes = 3
provisioner.duo_test.numberOfGroupAttributes = 2
provisioner.duo_test.operateOnGrouperEntities = true
provisioner.duo_test.operateOnGrouperGroups = true
provisioner.duo_test.operateOnGrouperMemberships = true
provisioner.duo_test.provisioningType = membershipObjects
provisioner.duo_test.selectAllEntities = true
provisioner.duo_test.showAdvanced = true
provisioner.duo_test.startWith = this is start with read only
provisioner.duo_test.subjectSourcesToProvision = jdbc
provisioner.duo_test.targetEntityAttribute.0.name = id
provisioner.duo_test.targetEntityAttribute.1.name = loginId
provisioner.duo_test.targetEntityAttribute.1.translateExpressionType = grouperProvisioningEntityField
provisioner.duo_test.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField = subjectId
provisioner.duo_test.targetEntityAttribute.2.name = email
provisioner.duo_test.targetEntityAttribute.2.translateExpression = ${gcGrouperSyncMember.getEntityAttributeValueCache2()}
provisioner.duo_test.targetEntityAttribute.2.translateExpressionType = translationScript
provisioner.duo_test.targetGroupAttribute.0.name = id
provisioner.duo_test.targetGroupAttribute.1.name = name
provisioner.duo_test.targetGroupAttribute.1.translateExpressionType = grouperProvisioningGroupField
provisioner.duo_test.targetGroupAttribute.1.translateFromGrouperProvisioningGroupField = extension
provisioner.duo_test.updateEntities = false
 

Comment by Chris Hyzer (upenn.edu) [ 28/Jul/22 ]

Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: grouper-daemon;grouper_error.log;__ENV____USERTOKEN__2022-07-27T19:16:02,134: [DefaultQuartzScheduler_Worker-8] ERROR GrouperProvisionerTargetDaoAdapter.insertEntity(2302) - [] - Provisioner 'duo_test' (vgd89o63) Error inserting entity java.lang.RuntimeException: Invalid return code '400', expecting: 200. 'https://api-819b39e4.duosecurity.com/admin/v1/users' {"code": 40003, "message": "Duplicate resource", "stat": "FAIL"},
Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: grouper-daemon;grouper_error.log;__ENV____USERTOKEN__2022-07-27T19:16:02,134: [DefaultQuartzScheduler_Worker-8] ERROR GrouperProvisionerTargetDaoAdapter.logEntity(2112) - [] - Error in provisioner 'duo_test' - 'vgd89o63' with entity: Entity(matchingId: "33513462", exception: java.lang.RuntimeException: Invalid return code '400', expecting: 200. 'https://api-819b39e4.duosecurity.com/admin/v1/users' {"code": 40003, "message": "Duplicate resource", "stat": "FAIL"},
Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: grouper-daemon;provisioning.log;__ENV____USERTOKEN__2022-07-27T19:16:02,141: [DefaultQuartzScheduler_Worker-8] ERROR GrouperProvisioningObjectLog.error(35) - [] - Provisioner 'duo_test' (vgd89o63) Error with membership, grouperTargetGroup: Group(matchingId: "duo_test_2_6_13", attr[id]: "DG1TAUA2YPD83I01OTU4", attr[name]: "duo_test_2_6_13", recalcObject: true), grouperTargetEntity: Entity(matchingId: "20621195", exception: java.lang.RuntimeException: Invalid return code '400', expecting: 200. 'https://api-819b39e4.duosecurity.com/admin/v1/users' {"code": 40003, "message": "Duplicate resource", "stat": "FAIL"},
Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: (vgd89o63): Entity(matchingId: "20621195", provisioned: false, attr[email]: "user@nebraska.edu", attr[id]: "", attr[loginId]: "20621195", ins email "user@nebraska.edu", ins id "", ins loginId "20621195", recalcObject: true, recalcMships: true, create: true), provisioned: false, attr[email]: "user@nebraska.edu", attr[id]: "", attr[loginId]: "20621195", recalcObject: true, recalcMships: true, create: true, errorCode: "ERR"), , ERR, java.lang.RuntimeException: Invalid return code '400', expecting: 200. 'https://api-819b39e4.duosecurity.com/admin/v1/users' {"code": 40003, "message": "Duplicate resource", "stat": "FAIL"},
Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: (vgd89o63): Entity(matchingId: "20621195", provisioned: false, attr[email]: "mwassenmiller@nebraska.edu", attr[id]: "", attr[loginId]: "20621195", ins email "user@nebraska.edu", ins id "", ins loginId "20621195", recalcObject: true, recalcMships: true, create: true)
Jul 27 14:16:02 its-iam-gpr-es-tst2.nebraska.edu 55324b0c92af[1434]: grouper-daemon;grouper_error.log;__ENV____USERTOKEN__2022-07-27T19:16:02,209: [DefaultQuartzScheduler_Worker-8] ERROR GrouperLoaderJob.runJob(560) - [] - Error on job: CHANGE_LOG_consumer_provisioner_incremental_duo_test
type: consumer, finalLog: false, state: init, consumerName: provisioner_incremental_duo_test, totalCount: 956, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer, runId: vgd9ebic, exception: java.lang.RuntimeException: provisionerClass: GrouperDuoProvisioner, configId: duo_test, provisioningType: incrementalProvisionChangeLog, state: indexMatchingIdOfGrouperObjects, changeLogRawCount: 956, changeLogItemsApplicableByType: 108, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 71, syncGroupsFound: 3, retrieveSyncGroupsMillis: 9, syncGroupCount: 3, filterByNotProvisionable: 79, convertToFullSyncScore: 47, recalcEventsDuringGroupSync: 0, syncMembershipsToQuery: 27, syncMembershipsFromMembership: 27, syncMembershipsToQueryFromGroup: 2, syncMembershipsFromGroup: 10, retrieveSyncMembershipsMillis: 20, syncMembershipCount: 37, syncMembersToQuery: 27, syncMembersFound: 27, retrieveSyncMembersMillis: 0, syncMemberCount: 27, retrieveDataStartMillisSince1970: 1658950981035, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 8, retrieveGrouperGroupsMillis: 4, grouperGroupCount: 3, retrieveGrouperEntitiesMillis: 7, grouperEntityCount: 10, provisioningEntitiesToDelete: 26, provisioningMshipsToDelete: 27, retrieveGrouperDataMillis: 22, copyIncrementalStateToWrappersMissing: 1, subjectsNeedRefreshDueToLink: 0, retrieveTargetDataMillis: 5895, grouperTargetGroupsUnmatched: 1, targetGroupsForLinkNull: 1, targetEntitiesForLinkNull: 27, exception: java.lang.RuntimeException: Why do multiple memberships have the same matching id???
Mship(group: "grouper_268_test", entity: "18066740", groupId: "DGSI4YN500EYOFFUDDC6", entityId: "", matchingId: MultiKey[DGSI4YN500EYOFFUDDC6, ], attr[id]: <null>, incrementalDataAction: delete, delete: true)
null
Mship(group: "grouper_268_test", entity: "25438182", groupId: "DGSI4YN500EYOFFUDDC6", entityId: "", matchingId: MultiKey[DGSI4YN500EYOFFUDDC6, ], attr[id]: <null>, incrementalDataAction: delete, delete: true)
null
  at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningMatchingIdIndex.indexMatchingIdMemberships(GrouperProvisioningMatchingIdIndex.java:408)
  at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:1036)
  at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
  at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:73)
  at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:705)
 
 





[GRP-4177] on group provisioning screen should be able to pull drop down next to provisioner and edit Created: 22/Jul/22  Updated: 22/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4173] for azure provisioning, allow a metadata with drop down to pick a group to be the owner list in azure Created: 22/Jul/22  Updated: 22/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4170] Create rule to copy newly added member to another group Created: 22/Jul/22  Updated: 22/Jul/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 1.6.4
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have a need to listen to groups in a specific folder, and when a member is added to one of those groups, add it to another target group (possibly outside that stem). There won't be a rule for deleting members, so the effect is to create an accumulation of anyone ever added to the folder.

This is the opposite of the capability that is in the flattenedMembershipAddInFolder rule. For that rule, the Then action acts on the group that triggered it (to send an email, etc). There isn't a Then rule to add that member to another group (is there?).






[GRP-4166] Attribute framework should use database constraints to ensure single assign attributes aren't multi assigned Created: 20/Jul/22  Updated: 20/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4164] add auditWs to grouper client help text Created: 19/Jul/22  Updated: 19/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4093] document entity attribute value cache config is below group config Created: 10/Jun/22  Updated: 19/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Vivek Sachdeva (google.com) [ 19/Jul/22 ]

Add anchors for each element in the wizard and link from one to the other.





[GRP-4163] taglib errors in WS Created: 18/Jul/22  Updated: 18/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Andrew Costa
 Today at 11:51 AM
As part of preparing for our next Grouper upgrade, I am trying to clean up some of the old errors that are appearing in our grouper logs. One of the errors that has appeared for quite some time is one that states “Unable to load tag library class” followed by about 25 or so different class names. Can anyone point me towards a way to fix that error message? Or do others see that message as well and just ignore it?

 

12 replies

Chris Hyzer
  2 hours ago
can you send me the class names?

Andrew Costa
  2 hours ago
@mchyzer
 just sent you a DM with the class names. Thanks!

Chad Redman
  2 hours ago
https://todos.internet2.edu/browse/GRP-3346
:+1::skin-tone-2:
1

 

Andrew Costa
  2 hours ago
Those don’t look like the tags we are seeing

Andrew Costa
  2 hours ago
edu.internet2.middleware.grouper.ui.tags.GrouperProvisioningObjectMetadataItemFormElement
edu.internet2.middleware.grouper.ui.tags.GrouperHideShowTarget
edu.internet2.middleware.grouper.ui.tags.GrouperTooltipTag
edu.internet2.middleware.grouper.ui.tags.GrouperTitleTag
edu.internet2.middleware.grouper.ui.tags.GrouperSubtitleTag
edu.internet2.middleware.grouper.ui.tags.GrouperMenuTag
edu.internet2.middleware.grouper.ui.tags.GrouperInfodotTag
edu.internet2.middleware.grouper.ui.tags.GrouperParamTag
edu.internet2.middleware.grouper.ui.tags.SubjectIconTag
edu.internet2.middleware.grouper.ui.tags.GrouperPerformanceTimingGateTag
edu.internet2.middleware.grouper.ui.tags.GrouperPagingTag2
edu.internet2.middleware.grouper.ui.tags.GrouperPagingTag
edu.internet2.middleware.grouper.ui.tags.GrouperMessageTag
edu.internet2.middleware.grouper.ui.tags.GroupBreadcrumbTag
edu.internet2.middleware.grouper.ui.tags.ConfigFormElement
edu.internet2.middleware.grouper.ui.tags.GrouperComboboxTag2
edu.internet2.middleware.grouper.ui.tags.GrouperComboboxTag
edu.internet2.middleware.grouper.ui.tags.GrouperAbbreviateTextareaTag
org.owasp.csrfguard.tag.FormTag
org.owasp.csrfguard.tag.ATag
org.owasp.csrfguard.tag.TokenValueTag
org.owasp.csrfguard.tag.TokenNameTag
org.owasp.csrfguard.tag.TokenValueTag
org.owasp.csrfguard.tag.TokenTag

Andrew Costa
  2 hours ago
We are on 2.6.9 in out TST environment and still seeing the errors

Chris Hyzer
  2 hours ago
weird, those classes exist... hmmm

Chris Hyzer
  1 hour ago
i dont see those in my logs... you are in a UI container right?  do you have the exact log messages?  is this from the docker logs from container?

Andrew Costa
  1 hour ago
docker container logs

Andrew Costa
  1 hour ago
looks like ws not ui

Andrew Costa
  1 hour ago
Here is the full error Jul 18 09:55:30 its-iam-gpr-es-tst2.nebraska.edu 7a879ed20eb6[1434]: grouper-ws;grouper_error.log;_ENV__USERTOKEN_2022-07-18T14:55:30,813: [localhost-startStop-1] ERROR JuliLogStream.log(106) - [] - Unable to load tag library tag class: edu.internet2.middleware.grouper.ui.tags.GrouperProvisioningObjectMetadataItemFormElement

Chris Hyzer
  < 1 minute ago
i cant really explain why that is happening, but we can clean it up a little bit...



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Jul/22 ]

make sure servlets not mapped?  not sure what is calling a JSP that tries to load a custom tag

Comment by Chris Hyzer (upenn.edu) [ 18/Jul/22 ]

maybe remove all jsps?





[GRP-4161] GroupAnyAttributeFilter() matches partial group names as well as attribute values Created: 15/Jul/22  Updated: 15/Jul/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 1.5.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

groovy:000> def x = new GroupAnyAttributeFilter("sysadmingroup", StemFinder.findRootStem(gs)).getResults(gs)
===> [Group[name=etc:sysadmingroup,uuid=b486380c757446ef86644ec690792465]]

It looks like this was introduced in 1.5.0. it's not just matching on the group name, but the display name too.

commit 05750d0a9caa
Date: Fri Jan 2 06:57:12 2009 +0000
move group 1 to 1 attributes to group table

Can this be changed to just query attributes and not the group names? If I want to act on the resulting set of groups and do something with the attribute, I don't want to get groups that don't actually have the attribute.






[GRP-4158] validate provisioning azure (and others) that required fields are configured for various CRUD Created: 13/Jul/22  Updated: 13/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4152] Allow assignments only on group Created: 12/Jul/22  Updated: 12/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

we need an option under "assigning provisioning" called

"Allow assignments only on groups"

Description: If folders should not be able to be marked as provisionable, e.g. if there is metadata on groups which is required

Note, if this is false, and there is a required metadata only assignable on groups, then also do not allow provisioning on folders.

This can be tests on an "only DN" LDAP provisioner






[GRP-4151] dn override "start with" Created: 12/Jul/22  Updated: 12/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4150] Export of loader job won't import Created: 11/Jul/22  Updated: 11/Jul/22

Status: Open
Project: Grouper
Component/s: gsh
Affects Version/s: 2.6.9a
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2.6.9 latest containers



 Description   

See https://internet2.slack.com/archives/C7V0UQDJ4/p1657571863131669

The last comment is:
Wow - i’m stumped.  will submit Jira.  I ended up removing ALL comments and all newlines - back to one long SQL statement… and it STILL fails on the import.  I am going to submit a jira with the one long line of SQL and see if that helps.

I'll attach the script which fails.

:set verbosity quiet
/* imports for use under Java, or in groovy if evaluating as an external file */
import edu.internet2.middleware.grouper.*;
import edu.internet2.middleware.grouper.attr.*;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssignSave;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssignType;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssignAction;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefNameFinder;
import edu.internet2.middleware.grouper.group.CompositeSave;
import edu.internet2.middleware.grouper.group.TypeOfGroup;
import edu.internet2.middleware.grouper.misc.CompositeType;
import edu.internet2.middleware.grouper.misc.SaveResultType;
import edu.internet2.middleware.grouper.privs.Privilege;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.subject.Subject;
import java.util.HashSet;
import java.util.Set;
import java.util.Date;
 
 
GrouperSession grouperSession = GrouperSession.startRootSession();
long gshTotalObjectCount = 0L;
long gshTotalChangeCount = 0L;
long gshTotalErrorCount = 0L;
 
 
StemSave stemSave = null;
Stem stem = null;
Stem ownerStem = null;
GroupSave groupSave = null;
Group group = null;
Group ownerGroup = null;
Group leftFactorGroup = null;
Group rightFactorGroup = null;
Group ifHasRole = null;
Group thenHasRole = null;
CompositeType compositeType = null;
AttributeDefSave attributeDefSave = null;
AttributeDef attributeDef = null;
AttributeDef ownerAttributeDef = null;
Privilege privilege = null;
Subject subject = null;
Subject ownerSubject = null;
AttributeDefNameSave attributeDefNameSave = null;
AttributeDefName attributeDefName = null;
AttributeDefName ifHasAttributeDefName = null;
AttributeDefName thenHasAttributeDefName = null;
AttributeDefScopeType attributeDefScopeType = null;
AttributeAssignSave attributeAssignSave = null;
AttributeAssignSave attributeAssignOnAssignSave = null;
boolean problemWithAttributeAssign = false;
 
 
System.out.println(new Date().toString() + " Done with folders, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
groupSave = new GroupSave(grouperSession).assignName("etc:loaders:Unix_PosixGroups").assignCreateParentStemsIfNotExist(true).assignDisplayName("etc:loaders:Unix_PosixGroups").assignTypeOfGroup(TypeOfGroup.group);
group = groupSave.save();
gshTotalObjectCount++;
if (groupSave.getSaveResultType() != SaveResultType.NO_CHANGE) { System.out.println("Made change for group: " + group.getName()); gshTotalChangeCount++;}
System.out.println(new Date().toString() + " Done with groups, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with composites, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute definitions, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with role hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute actions, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute action hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with memberships and privileges, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute names, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute name hierarchies, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
System.out.println(new Date().toString() + " Done with attribute definition scopes, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount);
Set<String> attributeAssignIdsAlreadyUsed = new HashSet<>();
problemWithAttributeAssign = false;
attributeAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignSave.assignAttributeAssignType(AttributeAssignType.group);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyGroupType_grouperLoader", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyGroupType_grouperLoader");  problemWithAttributeAssign = true; }
attributeAssignSave.assignAttributeDefName(attributeDefName);
ownerGroup = GroupFinder.findByName(grouperSession, "etc:loaders:Unix_PosixGroups", false);
if (ownerGroup == null) { gshTotalErrorCount++; System.out.println("Error: cant find group: etc:loaders:Unix_PosixGroups"); problemWithAttributeAssign = true;  }
attributeAssignSave.assignOwnerGroup(ownerGroup);
attributeAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyAttribute_grouperLoaderQuartzCron", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyAttribute_grouperLoaderQuartzCron");  problemWithAttributeAssign = true; }
attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
attributeAssignOnAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave.addValue("0 0/15 6-20 * * ?");
attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
attributeAssignOnAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyAttribute_grouperLoaderQuery", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyAttribute_grouperLoaderQuery");  problemWithAttributeAssign = true; }
attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
attributeAssignOnAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave.addValue("select distinct group_name, subject_source_id, subject_id , unixgroups.gidnumber from( with gid_dups as ( select gidnumber as gid, count(*) from ldap_unix_groups lug group by gid having count(*) > 1), all_groups as ( select distinct Group_name, subject_id, gidnumber from( select lug.cn as Group_name , b.but_lid || '@slac.stanford.edu' as subject_id , lug.gidnumber from ldap_unix_groups_attrs luga, ldap_unix_groups lug , ldap_unix_accounts lua, but b, iam_registry_enabled_v irev where luga.ldap_id = lug.the_dn and luga.attribute_value = lua.uid and lua.uidnumber = b.but_uid and b.but_ldt = 'unix' and b.but_stat = 'E' and b.but_sid = irev.sid and irev.hrstat = 'ACTIVE' union all /* bring primary groups from but into the list */ select distinct but_grp as Group_name, b.but_lid || '@slac.stanford.edu' as subject_id, lug.gidnumber from but b, iam_registry_enabled_v irev, ldap_unix_groups lug where b.but_grp = lug.cn and irev.sid = b.but_sid and b.but_ldt = 'unix' and b.but_stat = 'E' and irev.hrstat = 'ACTIVE' /* do this once to force the creation of all unix groups (false becomes true) * then change true to false to remove * root@slac from all groups */ union all select lug.cn as Group_name , 'root@slac.stanford.edu' subject_id , lug.gidnumber from ldap_unix_groups lug where false) as allgroups) select 'basis:Unix:posixGroups:' || Group_name as Group_name , 'slacPerson' as subject_source_id, subject_id, gidnumber from all_groups ag where not exists (select 1 from gid_dups gd2 where ag.gidnumber = gd2.gid) union all select 'basis:Unix:posixGroups:' || case when Group_name like 'glpwr-%' then 'glast-power' when Group_name like 'glgr-%' then 'glground' when Group_name like 'bfact-%' then 'bfactory' else regexp_replace(Group_name, '(-[a-z])$', '') end as Group_name , 'slacPerson' as subject_source_id, subject_id, gidnumber from all_groups ag, gid_dups gd where ag.gidnumber = gd.gid union all /* all accounts in any group into 1 */ select distinct 'basis:Unix:ActiveAccountsFromGroups' as Group_name , 'slacPerson' as subject_source_id , subject_id , 0 as gidnumber from all_groups ag) as unixgroups");
attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
attributeAssignOnAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyAttribute_grouperLoaderType", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyAttribute_grouperLoaderType");  problemWithAttributeAssign = true; }
attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
attributeAssignOnAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave.addValue("SQL_GROUP_LIST");
attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
attributeAssignOnAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyAttribute_grouperLoaderScheduleType", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyAttribute_grouperLoaderScheduleType");  problemWithAttributeAssign = true; }
attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
attributeAssignOnAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave.addValue("CRON");
attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
attributeAssignOnAssignSave = new AttributeAssignSave(grouperSession).assignAttributeAssignIdsToNotUse(attributeAssignIdsAlreadyUsed).assignPrintChangesToSystemOut(true);
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
attributeDefName = AttributeDefNameFinder.findByName("etc:legacy:attribute:legacyAttribute_grouperLoaderDbName", false);
if (attributeDefName == null) { gshTotalErrorCount++;  System.out.println("Error: cant find attributeDefName: etc:legacy:attribute:legacyAttribute_grouperLoaderDbName");  problemWithAttributeAssign = true; }
attributeAssignOnAssignSave.assignAttributeDefName(attributeDefName);
attributeAssignOnAssignSave.assignPutAttributeAssignIdsToNotUseSet(true);
attributeAssignOnAssignSave.addValue("iam");
attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
gshTotalObjectCount += 11;
if (!problemWithAttributeAssign) { AttributeAssign attributeAssign = attributeAssignSave.save(); if (attributeAssignSave.getChangesCount() > 0) { gshTotalChangeCount+=attributeAssignSave.getChangesCount();  System.out.println("Made " + attributeAssignSave.getChangesCount() + " changes for attribute assign: " + attributeAssign.toString()); } }
System.out.println(new Date().toString() + " Script complete: total objects, objects: " + gshTotalObjectCount + ", expected approx total: 12, changes: " + gshTotalChangeCount + ", known errors (view output for full list): " + gshTotalErrorCount); 






[GRP-4147] dont fail provisioning if there are subject problems (e.g. resolution) Created: 06/Jul/22  Updated: 06/Jul/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4129] mail.smtp.grouperEmailContentType values not supported for "Grouper report" email ( and likely other standard emails) Created: 29/Jun/22  Updated: 29/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When setting
grouper.properties, mail.smtp.grouperEmailContentType = text/html; charset=utf-8 

The daily "Grouper report" email ( and likely other standard emails) no longer wrap lines properly.

https://github.com/Internet2/grouper/blob/GROUPER_2_6_BRANCH/grouper/src/grouper/edu/internet2/middleware/grouper/util/GrouperEmail.java

Already has some "odd" logic trying to fix "line endings" based on the start of the body having "<HTML>", but it appears to be flawed / lacking.

Perhaps the behavior should be controlled only based on  mail.smtp.grouperEmailContentType settings? ( if contains "text/html" then sub \r\n with "</br>"  instead of looking at the starting string of the body? )

Or
Do a more formal encoding assuming inputs are always "plain text" and need to be HTML escaped?






[GRP-4125] Rule membershipAdd does not work for members previously expired Created: 27/Jun/22  Updated: 27/Jun/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.59
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Erik Coleman
 Jun 24th at 12:50 PM
Trying to figure out if this is a bug (2.5.59.3), but we have a group with a membershipAdd GrouperRule to add a membership expiration. When the membership expires, the subject goes away and all looks good, but when we re-add a subject that had been previously expired, the membership is added and there is no expiration added. It's like there is no membershipAdd event the second time around. Is that by design?

 

Steps to reproduce

1) Add a rule to a group

etc:attribute:rules:rule
	etc:attribute:rules:ruleActAsSubjectId	GrouperSystem
	etc:attribute:rules:ruleActAsSubjectSourceId	g:isa
	etc:attribute:rules:ruleCheckType	membershipAdd
	etc:attribute:rules:ruleThenEnum	assignMembershipDisabledDaysForOwnerGroupId
	etc:attribute:rules:ruleThenEnumArg0	7
	etc:attribute:rules:ruleThenEnumArg1	F
	etc:attribute:rules:ruleValid	T

2) Add a member
3) Edit membership and privileges -> should have an end date 7 days from now
4) Edit the end date to a day in the past -> member disappears after submitting
5) Add the member again
6) Edit membership and privileges -> **missing the end date

 






[GRP-4124] problem with multiple rules on the same group Created: 18/Jun/22  Updated: 18/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford  4 days ago
Hey,
I’ve been playing with assignMembershipDisabledDaysForOwnerGroupId. I had a question on when the grace group get applied. It looks like there is a gap between the base-policy and base-grace groups, when someone is removed from the base-policy, it takes a min for them to get added to the base-grace groups with the disable date.
Am I missing something to help bridge that gap? I can imagine that we would have 10k students to no longer be students and have the entitlement/role/groupMembership disappear and then reappear in the downstream system. They could be without access for some time while we wait for the provisioner to remove memberships and then add it back.

Chris Hyzer  4 days ago
does the "recent memberships" loader help with that?  there shouldnt be a gap there

Jeffrey Crawford  3 days ago
maybe I’m doing something wrong. my test case is creating two policy groups:
ref-employees
ref-students
two member service groups:
bol-policy
bol-grace
I’ve assigned the bol-grace the assignMembershipDisabledDaysForOwnerGroupId rule. Then the final group which drives the access bol-service which contains bol-policy and bol-grace. I added members to ref-students and ref-employees and when I remove someone from them. It seems to be gone for a while but comes back.

Jeffrey Crawford  3 days ago
okay found this page and I think I was doing this wrong:
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=168690139

Jeffrey Crawford  3 days ago
okay I think this works but say for example we wanted to send emails out warning people that their membership will end in X number of days? It looks like the rule based stuff relies on the end date being populated, and that doesn’t appear to be how this one works?

Chris Hyzer  3 days ago
when exactly do you want emails sent, and just one or recurring?

Jeffrey Crawford  3 days ago
I wanted to set up grace period for some services, but also warn the user that they are under grace period. and send an email when the grace period starts and one more the day before it ends.

Jeffrey Crawford  3 days ago
Okay I’m wondering if this need to be split into two different groups:
policy-grace (uses the loader config)
policy-mail (uses combo of assignMembershipDisabledDaysForOwnerGroupId and sendEmail)

Jeffrey Crawford  3 days ago
policy-grace is used to drive the policy and the policy-mail is used to just track what’s happening on policy-grace and set end dates and email?

Jeffrey Crawford  3 days ago
@mchyzer Okay I set this up to be an option using templates, however what I’m seeing is that the policy-mail group has the settings above, and it works with assigning a membership with an end date, but the email isn’t being sent. We have this in non production so “Send all messages here” is set to our team email address, but it should still send the test emails there correct?
Added to your saved items

Jeffrey Crawford  3 days ago
here are the settings to see if this is set up correctly
Screen Shot 2022-06-14 at 2.43.09 PM.png 
Screen Shot 2022-06-14 at 2.43.09 PM.png

 

Chris Hyzer  2 days ago
i will need to try that out... there is also this email notification that with creative SQL we could do what you want, but i think the rule should work
https://spaces.at.internet2.edu/display/Grouper/Grouper+daily+email+notification

Jeffrey Crawford  2 days ago
I guess what you are saying is that if you could construct a query where a subject only shows up on the days you want the email sent then this job could do that?
Alternatively is there something somewhere when grouper tries to send an email that shows it was tried?

Chris Hyzer  1 day ago
set the smtp server in the email external system to "testing", and you should se logs of emails.
if you set logging to DEBUG for this package: edu.internet2.middleware.grouper.rules   you should see rules logs
New

Jeffrey Crawford  3 hours ago
@mchyzer,
Is it possible that you can only have one RuleApi.emailOnFlattenedDisabledDate assigned to the group at a time? I was adding two, one that was supposed to trigger when the user had a disable date set, and the other that would send a message the day before. I accidentally removed one and it suddenly started working.

Chris Hyzer  < 1 minute ago
anything is possible :slightly_smiling_face:  We can track that in a jira and get back to it :slightly_smiling_face:






[GRP-4123] grouper should complain if multiple groups have the same overrideDN for the same provisioning target Created: 17/Jun/22  Updated: 17/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-06-17-17-15-05-155.png     PNG File image-2022-06-17-17-15-25-159.png    

 Description   

I think that grouper should complain if a single provisioner has multiple groups (actively being provisioned) that specify the same override DN

 

Maybe something along the lines of this error...
Why do multiple groups have the same matching id???



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 17/Jun/22 ]

Grouper let us specify two groups with the same override DN (cn=GrouperTest,ou=User Groups,ou=Groups,dc=umich,dc=edu), and the provisioner didn't complain, though it also didn't do the right thing.





[GRP-4122] if matching id is retrieved from target (e.g. dn, or uuid), then it should create before through required error Created: 17/Jun/22  Updated: 17/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4120] grouper provisioner entity attribute value cache auto-USDU Created: 16/Jun/22  Updated: 16/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.9
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the 2.6.9+ provisioner, whether “Entity attribute value cache 2 auto-USDU” is displayed seems to be tied to the “Use entity attribute value cache 1" toggle, not the “Use entity attribute value cache 2” toggle.






[GRP-4119] provisioning activity log not decompressing log messages Created: 16/Jun/22  Updated: 16/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.8, 2.6.9, 2.6.9a
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-06-16-15-27-11-744.png    

 Description   

Grouper started zipping provisioner error messages to try to get around Oracle's 4000 character varchar2 limit.

 

Grouper does not seem to uncompress them reliably.






[GRP-3485] Script from gsh export fail with dollar in attribute value Created: 28/May/21  Updated: 15/Jun/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.46
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Yoann Delattre Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If i export groups with export to gsh and these groups have an attribute value with a dollar sign, i get an error when i run the gsh result script :

FATAL: java.lang.IllegalArgumentException: Error when handling error: Error while running command (attributeAssignOnAssignSave.addValue("${attributeValue.contains('$IEN$')}");)
java.lang.IllegalArgumentException: Error when handling error: Error while running command (attributeAssignOnAssignSave.addValue("${attributeValue.contains('$IEN$')}");)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
 at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
 at org.codehaus.groovy.reflection.CachedConstructor.doConstructorInvoke(CachedConstructor.java:77)
 at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrap.callConstructor(ConstructorSite.java:84)
 at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:247)
 at org.codehaus.groovy.tools.shell.ShellRunner.run(ShellRunner.groovy:71)
 at org.codehaus.groovy.tools.shell.InteractiveShellRunner.super$2$run(InteractiveShellRunner.groovy)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
 at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
 at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1224)
 at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:132)
 at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuper0(ScriptBytecodeAdapter.java:152)
 at org.codehaus.groovy.tools.shell.InteractiveShellRunner.run(InteractiveShellRunner.groovy:93)
 at java_lang_Runnable$run.call(Unknown Source)
 at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
 at org.codehaus.groovy.tools.shell.Groovysh.run(Groovysh.groovy:607)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShell.grouperShellHelper(GrouperShell.java:361)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:182)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)

If I escape all dollars, it works.
Maybe gsh to export could escape automatically all dollar sign ?
Thanks.
Yoann



 Comments   
Comment by Dominique Petitpierre [ 15/Jun/22 ]

The bug is still there in Grouper version 2.6.8.

For me it occured in a loader configuration  SQL query value that contains a regex: e.g.
attributeAssignOnAssignSave.addValue("SELECT.... WHERE REGEXP_LIKE(q,'/(D|FTI|FPSE|L|M|S|T)$')....

This causes a similar IllegalArgumentException error when the exported script is run.

Question:

  • are there other special characters that need escaping? (double quotes are properly escaped).




[GRP-4115] flat group attributes ldap membershipDN provisioner error on add member diagnostics Created: 15/Jun/22  Updated: 15/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-06-15-12-33-00-387.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 15/Jun/22 ]





[GRP-4106] make the sql provisioner transctional Created: 12/Jun/22  Updated: 12/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4101] change log to change log temp export from new grouper, change to every 15, and two entries Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4100] add entity to group in config should make it default in diagnostics Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4096] review diagnostics dao stuff if allowed to delete Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4092] document ldap_dn for provisioning Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4091] document search filters for groups and entities in ldap provisioning Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4089] clarify membership attribute in provisioning Created: 10/Jun/22  Updated: 10/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4079] folder create and privs not showing in folder audits Created: 09/Jun/22  Updated: 09/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 09/Jun/22 ]

Comment by Chris Hyzer (upenn.edu) [ 09/Jun/22 ]

Drew Aschenbrener  1 hour ago
We missed our opportunity to go over this earlier. In a nutshell
go to stem 'foo'
add permission to stem 'foo'
remove permission from stem 'foo'
create folder 'foo:bar'
delete folder 'foo:bar'
check audit log of foo
Step 2 and step 5 are not be visible in the audit log for me.





[GRP-4084] if a membership add happens in group, it should not count as an update in the daemon counts Created: 09/Jun/22  Updated: 09/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4082] entitlement by group provisioner lists update count when not Created: 09/Jun/22  Updated: 09/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4081] entity attributes with group name does not fill in membership value Created: 09/Jun/22  Updated: 09/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4078] convert messaging endpoints to be external systems Created: 09/Jun/22  Updated: 09/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4077] add elfilter to messaging changelog consumer screen Created: 08/Jun/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This is an example from ESB

changeLog.consumer.messagingEsb.elfilter






[GRP-4056] "Export configuration file" only exports DB properties without any indication Created: 26/May/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.34, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Under Miscellaneous->Configuration, the option under Config actions to "Export configuration file" is really only exporting properties that are defined in the database. There is no indication that is what it is doing. It isn't intuitive, since it's not exporting what the user sees on the screen, which is the overlay of the entire hierarchy. It's also not acting on any Source type filter (e.g. non-base) or string filter, and it isn't intuitive that they will be ignored.

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Jun/22 ]

maybe add more options or have descriptive error message if nothing there to export





[GRP-4075] allow configuration in ldap to truncate part of the group name Created: 08/Jun/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Jun/22 ]

maybe multiple?





[GRP-4074] look at provisioning screen to see why lots of logs slows down Created: 08/Jun/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4073] an update to a group membership in provisioning without recalc causes an update to the group attributes Created: 08/Jun/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4072] Add loader configuration to the OSGI services Created: 08/Jun/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jonathan Johnson (unicon.net) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently, several configurations are available as OSGI services. Add the loader configuration to allow its use within other OSGI services






[GRP-4027] provision to target where user previous existed then is removed (membertoid2) Created: 06/May/22  Updated: 08/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from gail

"I'm looking back at the conversation that started on Jan 28 about how the new ldap provisioner handles the case of an entity that was previously found in the target (in membertoId2), but has since been deleted or moved. Full provisioner is not handling that,or ldaptive is not returning a useful error"



 Comments   
Comment by Bruce Timberlake [ 08/Jun/22 ]

It would be helpful to have the provisioner write a log line with details (at least date/time, provisioner, and entity being attempted) for each failed attempt when it can't provision someone. That way, Splunk or other log aggregating services can easily find and report on the issue. 





[GRP-4059] pspng null pointer in log and setup test Created: 27/May/22  Updated: 07/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.61, 2.6.10

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

pspng should test connection with the connection test dn and filter if there

and logging should not have a NPE



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 27/May/22 ]

grouper;pspng.log;DEV;_;2022-05-23 14:14:45,177: [DefaultQuartzScheduler_Worker-4] INFO  LdapSystem.performTestLdapRead(227) -  - ldapMasterPool: Performing test read of directory root
grouper;pspng.log;DEV;_;2022-05-23 14:14:45,183: [DefaultQuartzScheduler_Worker-4] ERROR ProvisionerFactory.createProvisioner(131) -  - Problem constructing provisioner & properties: edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
java.lang.reflect.InvocationTargetException
	at sun.reflect.GeneratedConstructorAccessor111.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at edu.internet2.middleware.grouper.pspng.ProvisionerFactory.createProvisioner(ProvisionerFactory.java:119)
	at edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer(FullSyncProvisionerFactory.java:36)
	at edu.internet2.middleware.grouper.pspng.FullSyncStarter.getProvisionerFromOtherJobKey(FullSyncStarter.java:161)
	at edu.internet2.middleware.grouper.pspng.FullSyncStarter.execute(FullSyncStarter.java:119)
	at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.lang.NullPointerException
	at edu.internet2.middleware.grouper.pspng.LdapSystem.log(LdapSystem.java:191)
	at edu.internet2.middleware.grouper.pspng.LdapSystem.performTestLdapRead(LdapSystem.java:247)
	at edu.internet2.middleware.grouper.pspng.LdapSystem.buildLdapConnectionPool(LdapSystem.java:145)
	at edu.internet2.middleware.grouper.pspng.LdapSystem.test(LdapSystem.java:1090)
	at edu.internet2.middleware.grouper.pspng.LdapProvisioner.<init>(LdapProvisioner.java:85)
	at edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.<init>(LdapGroupProvisioner.java:45)
	... 10 more
grouper;pspng.log;DEV;_;2022-05-23 14:14:45,183: [DefaultQuartzScheduler_Worker-4] ERROR FullSyncStarter.execute(135) -  - Error running full-sync job
edu.internet2.middleware.grouper.pspng.PspException: Problem while constructing provisioner & properties: edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner: null
	at edu.internet2.middleware.grouper.pspng.ProvisionerFactory.createProvisioner(ProvisionerFactory.java:132)
	at edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer(FullSyncProvisionerFactory.java:36)
	at edu.internet2.middleware.grouper.pspng.FullSyncStarter.getProvisionerFromOtherJobKey(FullSyncStarter.java:161)
	at edu.internet2.middleware.grouper.pspng.FullSyncStarter.execute(FullSyncStarter.java:119)
	at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
grouper;grouperDaemon.log;DEV;_;2022-05-23 14:14:50,029: [DefaultQuartzScheduler_Worker-7] DEBUG GrouperLoaderLog.logDebug(45) -  - logType: overallLog, overallId: VDS18CC7, startTime: Mon May 23 14:14:50 UTC 2022, jobName: CHANGE_LOG_changeLogTempToChangeLog, dryRun: false, quartzCron: 50 * * * * ?, status: SUCCESS, jobType: CHANGE_LOG, host: 4b23a654e110, jobMessage: Ran the changeLogTempToChangeLog daemon, threadId: 99, elapsed: 17 ms 





[GRP-3923] Duo - Provision user accounts Created: 08/Mar/22  Updated: 07/Jun/22

Status: Open
Project: Grouper
Component/s: duo
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Ryan Rumbaugh Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File duo-user-account-1.patch    

 Description   

The University of Nebraska has modified the grouper-duo provisioner to create new Duo accounts for the past few years. Typically Grouper stays out of the business of creating accounts and instead focuses on groups and memberships, but in our case it has proven to be invaluable.

With our two-factor policies in Grouper using it to provision the Duo account, once the user is in the appropriate access policy, forces the user to enroll their device when they initiate their next SSO session. We could use our IdMS system, but using Grouper is more timely (no batch process or feeds required).

Instead of maintaining the code ourselves we think this should be a configurable feature for the entire Grouper community.

When we began our work there was no code to refer to, but now that the Duo provisioner supports creating admin accounts the class method (updateDuoUser) we built may be redundant.

Attached is a Git patch that shows the changes we made – should be straightforward (I hope, I did have some challenges with the line endings).

We included a new property in grouper-loader.properties to make it configurable.

grouperDuo.provisionUsers = true



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 07/Jun/22 ]

lets try this in 2.6.9





[GRP-4066] group update idindex should add a chnagelog entry Created: 06/Jun/22  Updated: 06/Jun/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes  7 minutes ago
way back in this thread @mchyzer gave the following to update the IdIndex...
new GroupSave().assignName("a:b:c").assignIdIndex(12345).assignSaveMode("UPDATE").assignReplaceAllSettings(false).save()
should this trigger a changelog change causing grouper provisioner to update the gidNumber which depends on idIndex??  It doesn't do it now... but should it?  (more of a theoretical question)






[GRP-4060] grouper smtp is enabled by default Created: 30/May/22  Updated: 30/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

it should only be enabled if host is filled in, do not default to localhost






[GRP-4058] LDAP loader form missing option to schedule job Created: 26/May/22  Updated: 26/May/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-05-26-18-57-23-341.png     PNG File image-2022-05-26-18-57-34-417.png    

 Description   

SQL Loader:

 

LDAP Loader:






[GRP-3895] Add GSH as a loader job type Created: 02/Mar/22  Updated: 25/May/22

Status: Open
Project: Grouper
Component/s: API, grouperLoader, UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader+GSH

 

A GSH job type will allow more kinds of sources in loader jobs. The script could be written to query a REST endpoint, a flat file, or a proprietary client-server interface, and then produce either a list of subjects (GSH_SIMPLE) or groups + subjects (GSH_GROUPS_LIST). The wiki proposes the subject and group resolution be done in the script rather than outputting then as strings. This is so that the script has total control, in case it needs to do more complex logic – e.g. custom display names or descriptions for groups, or dynamic source determination for subjects.

Like gsh templates and reports, there will be specific variables passed into the script. GrouperSession and LoaderJobBean objects will be used like in the SQL and LDAP loader types, while a new GshLoaderJobResults object will hold the rows of the script results. for a GSH_SIMPLE job the rows will be Subjects, while for a GSH_GROUPS_LIST they will be Group + Subject tuples. It will not need a separate group query like the SQL loader does, because the script will be doing its own group creation as needed.



 Comments   
Comment by Chad Redman (unc.edu) [ 25/May/22 ]

This will be tabled for now. There is a lot of duplicated base work, since there is no re-use of the attributes, form fields text config labels, or beans. Perhaps there will be a redesign of the loader in a future release so that there is more common infrastructure.

In the meantime, creating an OTHER_JOB to run a gsh script (https://spaces.at.internet2.edu/pages/viewpage.action?pageId=166661325) should work just as well. You would just need to write your own group and membership sync.





[GRP-4055] dont even try to do * in sql sync, it doesnt always do the right thing Created: 25/May/22  Updated: 25/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

i'm banging my head - 2.6.8 SQL sync from a view in Oracle to a postgres table.  fullSyncFull - a primaryKey of emplid – all data is copied and it's quick BUT the emplid data is swapped with another column called empl_status.  I have tried this a couple of times now and I get the same results.
grouper.client.properties has:
grouperClient.syncTable.sid_iam_person_sync.columns *   database
grouperClient.syncTable.sid_iam_person_sync.databaseFrom SID    database
grouperClient.syncTable.sid_iam_person_sync.databaseTo grouper  database
grouperClient.syncTable.sid_iam_person_sync.primaryKeyColumns emplid    database
grouperClient.syncTable.sid_iam_person_sync.tableFrom SID.IAM_PERSON_VW database
grouperClient.syncTable.sid_iam_person_sync.tableTo public.sid_iam_person
grouper-loader.properties has:
otherJob.SLAC_SID_iam_person_sync.class edu.internet2.middleware.grouper.app.tableSync.... more database
otherJob.SLAC_SID_iam_person_sync.grouperClientTableSyncConfigKey sid_iam_person_sync   database
otherJob.SLAC_SID_iam_person_sync.quartzCron 0 0/30 * * * ?  Cron human readable: Every 30 minutes      database
otherJob.SLAC_SID_iam_person_sync.syncType fullSyncFull
sync daemon output:
finalLog: true, state: done, sync: sqlTableSync, provisionerName: sid_iam_person_sync, syncType: fullSyncFull, databaseFrom: SID, tableFrom: SID.IAM_PERSON_VW, databaseTo: grouper, tableTo: public.sid_iam_person, retrieveDataToCount: 0, retrieveDataToMillis: 0, retrieveDataFromCount: 66312, retrieveDataFromMillis: 624, deletesCount: 0, deletesMillis: 0, insertsCount: 66312, insertsIntendedCount: 464184, insertsMillis: 2242, updatesCount: 0, updatesMillis: 0, gcSyncObjectChanges: 3, queryCount: 91, tookMillis: 2909, took: 0:00:02.909
and no errors
4 replies

Michael Gettes  29 days ago
i even tried swapping the cols in the table definition for emplid and empl_status and it had no effect - the data values are swapped.

Chris Hyzer  28 days ago
sorry dont do columns *, write out the cols comma separated...  yes, we can make this better

Michael Gettes  28 days ago
Ok, I'll give that a try.  Thanks!

Michael Gettes  28 days ago
That did it.  THANKS AGAIN!  :panda-dance:






[GRP-4053] attributeName in dijit combo box is one gear, not 3 Created: 25/May/22  Updated: 25/May/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0, 2.5.0, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-05-25-01-31-48-957.png    

 Description   

 

When searching for an attributeName in the combo box, the icon is one gear, not 3. It used to be a folder icon, before GRP-1780 changed both attribute defs and names to the same gear icon

 

 






[GRP-4052] member not found in ui should not error out Created: 24/May/22  Updated: 24/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I'm seeing an error on some groups when accessed via the UI. In the UI, it refuses to display the group and displays:
Error: Problem converting JSP to string: /WEB-INF/grouperUi2/group/viewGroup.jsp, Problem calling method viewGroup on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group
In the logs, it says:
httpd;access_log;;;128.2.42.4 - [24/May/2022:16:50:01 -0400] "POST /grouper/grouperUi/app/UiV2Stem.filter?stemId=0d9b1de996af2f&pagingTagPageNumber=2 HTTP/1.1" 200 27065 "https://group...du/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Stem.viewStem&stemId=0d9b1de9989e4d6af2f" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
tomee;localhost.log;${env:ENV};${env:USERTOKEN};2022-05-24 16:50:03,885 [ajp-nio-0.0.0.0-8009-exec-6] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/grouper].[jsp]- Servlet.service() for servlet [jsp] threw exception
edu.internet2.middleware.grouper.exception.MemberNotFoundException: null
at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.findByUuid(Hib3MemberDAO.java:374) ~[grouper-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.findByUuid(Hib3MemberDAO.java:341) ~[grouper-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.MemberFinder.findByUuid(MemberFinder.java:577) ~[grouper-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.ui.tags.GrouperUiFunctions.subjectStringLabelShort2fromMemberId(GrouperUiFunctions.java:317) ~[grouper-ui-2.5.60.jar:2.5.60]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_322]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_322]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_322]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_322]
at org.apache.el.parser.AstFunction.getValue(AstFunction.java:199) ~[jasper-el.jar:8.5.57]
at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190) ~[jasper-el.jar:8.5.57]
at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944) ~[jasper.jar:8.5.57]
at org.apache.jsp.WEB_002dINF.grouperUi2.group.viewGroup_jsp._jspService(viewGroup_jsp.java:426) ~[?:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71) ~[jasper.jar:8.5.57]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[servlet-api.jar:?]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476) ~[jasper.jar:8.5.57]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) ~[jasper.jar:8.5.57]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) ~[jasper.jar:8.5.57]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[servlet-api.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:583) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:519) [catalina.jar:8.5.57]
at edu.internet2.middleware.grouper.ui.util.GrouperUiUtils.convertJspToString(GrouperUiUtils.java:1813) [grouper-ui-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiScreenAction.newInnerHtmlFromJsp(GuiScreenAction.java:597) [grouper-ui-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.viewGroup(UiV2Group.java:292) [grouper-ui-2.5.60.jar:2.5.60]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_322]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_322]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_322]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_322]
at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5032) [grouper-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4983) [grouper-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337) [grouper-ui-2.5.60.jar:2.5.60]
at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204) [grouper-ui-2.5.60.jar:2.5.60]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652) [servlet-api.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [servlet-api.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.57]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.57]
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88) [csrfguard-3.1.0.jar:3.1.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.57]
at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1174) [grouper-ui-2.5.60.jar:2.5.60]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.57]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.57]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.57]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.57]
at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44) [tomee-catalina-7.0.9.jar:7.0.9]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.57]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.57]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.57]
at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97) [tomee-catalina-7.0.9.jar:7.0.9]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.57]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.57]
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:524) [tomcat-coyote.jar:8.5.57]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.57]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818) [tomcat-coyote.jar:8.5.57]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626) [tomcat-coyote.jar:8.5.57]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.57]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_322]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_322]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.57]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_322]



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 24/May/22 ]

select * from grouper_groups gg where gg.creator_id is not null and not exists (select 1 from grouper_members gm where gm.id = gg.creator_id );
 
select * from grouper_groups gg where gg.modifier_id is not null and not exists (select 1 from grouper_members gm where gm.id = gg.modifier_id );
 
select * from grouper_stems gs where gs.creator_id is not null and not exists (select 1 from grouper_members gm where gm.id = gs.creator_id );
 
select * from grouper_stems gs where gs.modifier_id is not null and not exists (select 1 from grouper_members gm where gm.id = gs.modifier_id ); 

Comment by Chris Hyzer (upenn.edu) [ 24/May/22 ]

update grouper_groups set creator_id = (select gm.id from grouper_members gm where gm.subject_id = 'GrouperSystem' and gm.subject_source = 'g:isa') where grouper_groups.creator_id is not null and not exists (select 1 from grouper_members gm where gm.id = grouper_groups.creator_id );
 
update grouper_groups set modifier_id = null where grouper_groups.modifier_id is not null and not exists (select 1 from grouper_members gm where gm.id = grouper_groups.modifier_id );
 
update grouper_stems set creator_id = (select gm.id from grouper_members gm where gm.subject_id = 'GrouperSystem' and gm.subject_source = 'g:isa') where grouper_stems.creator_id is not null and not exists (select 1 from grouper_members gm where gm.id = grouper_stems.creator_id );
 
update grouper_stems set modifier_id = null where grouper_stems.modifier_id is not null and not exists (select 1 from grouper_members gm where gm.id = grouper_stems.modifier_id ); 

Comment by Chris Hyzer (upenn.edu) [ 24/May/22 ]

note this occurred in an env with missing foreign keys





[GRP-4050] remove this start with read only row if not real start with Created: 22/May/22  Updated: 22/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-05-22-12-22-08-008.png    

 Description   






[GRP-4048] move morphString to grouper.hibernate.properties and document that it is required Created: 19/May/22  Updated: 19/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4047] allow daemon jobs with underscores Created: 19/May/22  Updated: 19/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Marwan Shaher Today at 12:15 PM
Grouper versions: 2.6.8 and 2.5.59
It looks like deleted daemon jobs, at least of type “Provisioning incremental sync” and “Provisioning full sync”, come back in an Enabled state if they were deleted using the daemon item menu, after the Grouper Daemon is restarted.
This happens even if the daemon job was in a Disabled state before it was deleted.
To make sure that the daemon jobs are actually deleted, the following parameters should be manually deleted from the configuration (grouper-loader.properties):
changeLog.consumer.MyProvisioner_Incremental.class
changeLog.consumer.MyProvisioner_Incremental.quartzCron
changeLog.consumer.MyProvisioner_Incremental.publisher.class
changeLog.consumer.MyProvisioner_Incremental.provisionerConfigId
changeLog.consumer.MyProvisioner_Incremental.publisher.debug
otherJob.MyProvisioner_Full.class
otherJob.MyProvisioner_Full.quartzCron
otherJob.MyProvisioner_Full.provisionerConfigId (edited)

4 replies

Justin Robinson 2 hours ago
We discovered that jobs with _ have some sticking power. See thread https://internet2.slack.com/archives/C7V0UQDJ4/p1642916707158600

Justin Robinson
I have a GSH daemon job that appears to be stuck in the system. I have tried to delete it, but when the daemon restarts it seems to bring it back into the system recreated. Any thoughts on how to purge it?
Thread in incommon-grouper | Jan 23rd | View message

Marwan Shaher 2 hours ago
Thanks! I’ll try it without underscores in the names as suggested in the thread

Marwan Shaher 2 hours ago
It was the underscores. Not having them in the daemon job name deletes the job as expected
:+1:
1

Justin Robinson 1 hour ago
On the other hand if you want a job to never go away - name it with an underscore consider it a fail safe






[GRP-4046] zoom duplicate user id Created: 19/May/22  Updated: 19/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

java.lang.RuntimeException: java.sql.BatchUpdateException: Batch entry 92 insert into grouper_prov_zoom_user ( config_id, member_id, id, email, first_name, last_name, type, pmi, timezone, verified, created_at, last_login_time, language, status, role_id ) values ( 'pennZoomProd', 'dde6bab7a', 'jZ4M4TexS', 'jenenn.edu', 'Jenna', '', 2.0, NULL, 'America/New_York', 1.0, NULL, NULL, NULL, 'active', NULL ) was aborted: ERROR: duplicate key value violates unique constraint "grouper_zoom_user_id_idx"
Detail: Key (id, config_id)=(jZ4M4TexS3i, pennZoomProd) already exists. Call getNextException to see other errors in the batch.,
sql: insert into grouper_prov_zoom_user ( config_id, member_id, id, email, first_name, last_name, type, pmi, timezone, verified, created_at, last_login_time, language, status, role_id ) values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ), ,
Error in 'inserts' query: 'insert into grouper_prov_zoom_user ( config_id, member_id, id, email, first_name, last_name, type, pmi, timezone, verified, created_at, last_login_time, language, status, role_id ) values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )'
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2344)
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.executeBatchSql(GcDbAccess.java:2390)
at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.executeBatchSql(GcDbAccess.java:2404)
at edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncSubtype.runInserts(GcTableSyncSubtype.java:1119)
at edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncSubtype.runInsertsUpdatesDeletes(GcTableSyncSubtype.java:1705)
at edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncSubtype.access$300(GcTableSyncSubtype.java:30)
at edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncSubtype$1.syncData(GcTableSyncSubtype.java:75)
at edu.internet2.middleware.grouper.app.zoom.GrouperZoomLoader.loadUsersToTable(GrouperZoomLoader.java:681)
at edu.internet2.middleware.grouper.app.zoom.GrouperZoomLoader$1.callback(GrouperZoomLoader.java:501)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
at edu.internet2.middleware.grouper.app.zoom.GrouperZoomLoader.fullLoad(GrouperZoomLoader.java:264)
at edu.internet2.middleware.grouper.app.zoom.GrouperZoomLoader.run(GrouperZoomLoader.java:147)
at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392)
at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376)
at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.sql.BatchUpdateException: Batch entry 92 insert into grouper_prov_zoom_user ( config_id, member_id, id, email, first_name, last_name, type, pmi, timezone, verified, created_at, last_login_time, language, status, role_id ) values ( 'pennZoomProd', 'dde6bab7a3bd41388fed01e, 'jZ4M4TexS3iB', 'jen', 'Jenna', '', 2.0, NULL, 'America/New_York', 1.0, NULL, NULL, NULL, 'active', NULL






[GRP-4045] grouper should require morph string at start up Created: 18/May/22  Updated: 18/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Scott Koranda  25 minutes ago
@mchyzer To follow up on this: Since I was building a sandbox, I did NOT define GROUPER_MORPHSTRING_ENCRYPT_KEY. Once I did that, the command to set the UI password worked.
Is that a bug, or is the use of GROUPER_MORPHSTRING_ENCRYPT_KEY a hard requirement?

 

 

Chris Hyzer  1 minute ago
yes that is a requirement, maybe grouper shouldnt even start without that... right?  :slightly_smiling_face:  btw you dont need the env var, you could have it in a config file, but yeah






[GRP-4044] google provisioning framework should sync the manager role of a group Created: 18/May/22  Updated: 18/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jason Cho Today at 1:54 PM
can Google provisioner provision manager role instead of just a member in Google group?






[GRP-4042] change add / replace / remove in group import to be a drop down with more documentation Created: 17/May/22  Updated: 17/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4041] add WS labels in UI for object fields Created: 17/May/22  Updated: 17/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

FROM

ID path: ref:student:students

TO

ID path: ref:student:students
(internal name should not change often, systemName in WS)





[GRP-3218] new daemon to delete old logs from grouper_sync_log Created: 06/Mar/21  Updated: 16/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-05-13-18-08-21-638.png    

 Description   

this is for any functions that write to grouper_sync_log (e.g. new provisioning framework).  This is not needed after 2.6.9



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 06/Mar/21 ]

temp delete on postgres with:

delete from grouper_sync_log where last_updated < '2021-01-31 06:53:00.259' ;
commit; 

Comment by Chris Hyzer (upenn.edu) [ 13/May/22 ]

as a workaround you can add a script daemon to do this before 2.6.9

GSH script in daemon should be

int deleteAfterDays = edu.internet2.middleware.grouper.app.loader.GrouperLoaderConfig.retrieveConfig().propertyValueInt(
"grouper.provisioning.removeSyncLogRowsAfterDays", 7);
int rowsDeleted = new GcDbAccess().sql("delete from grouper_sync_log where last_updated < ?").addBindVar(
new Timestamp(System.currentTimeMillis() - 1000*60*60*24*7)).executeSql();
OtherJobScript.retrieveFromThreadLocal().getOtherJobInput().getHib3GrouperLoaderLog().setDeleteCount(rowsDeleted); 

 

Then delete this daemon when you upgrade to 2.6.9





[GRP-4039] non-Root with folder VIEW and ATTR_READ can't access attributes Created: 14/May/22  Updated: 15/May/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File GRP-4039-stemMoreActionsButtonContents.png    

 Description   

For a non-root user, with the correct READ privileges on an attributeDef, and VIEW and ATTR_READ on a folder, the user can't see the attributes on the folder because the menu item isn't an option. See screenshot






[GRP-4040] StemFinder and GroupFinder findByUuidOrName can't find when name has upper case letters Created: 15/May/22  Updated: 15/May/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.4.0.patch, 2.5.0, 2.6.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

new StemSave().assignName("test").save()
def folderA = new StemSave().assignName("test:folderA").save()
def folderB = new StemSave().assignName("test:folder-b").save()
 
new StemFinder().assignScope("test:folderA").assignFindByUuidOrName(true).findStem()
// not found, name has upper case
new StemFinder().assignScope("test:folder-b").assignFindByUuidOrName(true).findStem()
// found

Part of the StemFinder code is converting the scope to lower case, but not making the field lower case when using it in the query.

Also applies to GroupFinder.

Introduced in grouper_2_4_0-a74-u44-w8-p11 and 2.5.0






[GRP-4038] Changes lost between incremental loader triggering full loader(s)? Created: 13/May/22  Updated: 13/May/22

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We've deployed an incremental loader based on the information found at...
https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+real+time+updates

In our example, 
GROUPER_INCREMENTAL = myincrementaltable
UMICHHR__V = myloadertable

 

We are losing transactions in the case where the incremental is running with a threshold of 100 and a large amount of transactions are processing.  The incremental loader notes that there are transactions over the 100 threshold on the GROUPER_INCREMENTAL table and calls the full loader to take over.  At that time, the full loader grabs the transactions that are there to process at that time.  Meanwhile data is still processing through and queuing on GROUPER_INCREMENTAL table to be processed.  At one minute increments, the incremental loader wakes up and checks the GROUPER_INCREMENTAL table and sees a batch of data to process again over the 100 threshold.  The incremental loader tries to call the full loader.  The full loader is already running.  The incremental loader adds a time_completed to the GROUPER_INCREMENTAL and thinks it is good .  Those new batches of changes do not get picked up because the first full loader is still processing its first 100+ changes from the first call.  Additional full loader runs are NOT scheduled.  This continues as long as there are enough transactions over the threshold for the incremental loader.  

The result is transactions after the incremental first calls the full loader to run are not processed but are marked complete.

Annotated log....

Incremental loader activity from 9:01, removing 805 umichhr values, with annotations:

grouper-daemon;grouper_error.log;${ENV};${USERTOKEN};2022-05-11T09:01:00,179: [DefaultQuartzScheduler_Worker-5] WARN  GrouperLoaderIncrementalJob.runJob(327) - [] - Loader group etc:loader:umichhr__v has too many changes.  Threshold=100.  Changes=163.  Marking incremental updates as complete and triggering full sync.

Full run triggered, 2022-05-11 09:01:00.0 almost immediately issues sql query for all data, picking up ??? of the records

meanwhile, data continues to arrive . . .

 

grouper-daemon;grouper_error.log;${ENV};${USERTOKEN};2022-05-11T09:02:00,404: [DefaultQuartzScheduler_Worker-8] WARN  GrouperLoaderIncrementalJob.runJob(327) - [] - Loader group etc:loader:umichhr__v has too many changes.  Threshold=100.  Changes=164.  Marking incremental updates as complete and triggering full sync.

another full run is NOT successfully triggered; Grouper does not see most of these changes

 

grouper-daemon;grouper_error.log;${ENV};${USERTOKEN};2022-05-11T09:03:00,148: [DefaultQuartzScheduler_Worker-4] WARN  GrouperLoaderIncrementalJob.runJob(327) - [] - Loader group etc:loader:umichhr__v has too many changes.  Threshold=100.  Changes=164.  Marking incremental updates as complete and triggering full sync.

another full run is NOT successfully triggered; Grouper does not see these changes

 

grouper-daemon;grouper_error.log;${ENV};${USERTOKEN};2022-05-11T09:04:00,170: [DefaultQuartzScheduler_Worker-9] WARN  GrouperLoaderIncrementalJob.runJob(327) - [] - Loader group etc:loader:umichhr__v has too many changes.  Threshold=100.  Changes=168.  Marking incremental updates as complete and triggering full sync.

another full run is NOT successfully triggered; Grouper does not see these changes

 

grouper-daemon;grouper_error.log;${ENV};${USERTOKEN};2022-05-11T09:05:00,363: [DefaultQuartzScheduler_Worker-3] WARN  GrouperLoaderIncrementalJob.runJob(327) - [] - Loader group etc:loader:umichhr__v has too many changes.  Threshold=100.  Changes=145.  Marking incremental updates as complete and triggering full sync.

another full run is NOT successfully triggered; Grouper does not see these changes

full run ends 2022-05-11 09:18:50.0, only the first 163 changes were processed



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 13/May/22 ]

Left on its own, the incremental isn't working for us if we allow it to hit its threshold.   We can raise the threshold, but I'm not sure it would ever work for us based, based on our observations.

Comment by Liam Hoekenga (umich.edu) [ 13/May/22 ]

Is it safe that the incremental loader is running when a full loader runs?





[GRP-4032] container httpd config error format is after the include Created: 10/May/22  Updated: 10/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 

David Li  3:22 PM
Got a question related to the built-in httpd config (/etc/httpd/conf/httpd.conf):
I’m trying to override the http error format in my custom conf.d/custom-http.d, but found the following problem:

IncludeOptional conf.d/*.conf
ErrorLogFormat “httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%\{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i”

Is there any reason that the “ErrorLogFormat” directive is put after “IncludeOptional conf.d/*.conf”? Can the order be reversed? Or is there a work-around?






[GRP-4031]  look at the introspection endpoint for OIDC Connect (e.g. UI authn) Created: 09/May/22  Updated: 09/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 look at the introspection endpoint for OIDC Connect






[GRP-4030] make a template example to disable daemon jobs Created: 09/May/22  Updated: 09/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3703] provision groups without memberships to azure and get exception Created: 18/Nov/21  Updated: 09/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

java.lang.RuntimeException: provisionerClass: GrouperAzureProvisioner, configId: azureProvisioner, provisioningType: fullProvisionFull, state: retrieveAllDataFromGrouperAndTarget, retrieveSyncGroupsMillis: 2, syncGroupCount: 1, retrieveSyncEntitiesMillis: 1, syncEntityCount: 0, retrieveSyncMshipsMillis: 2, syncMshipCount: 0, propagateProvisioningAttributes_millis: 118, retrieveGrouperGroupsMillis: 3, grouperGroupCount: 1, exception: java.lang.RuntimeException: Problem with query in listSelect: select     gm.id,     gm.subject_source,     gm.subject_id,     gm.subject_identifier0,     gm.name,     gm.description from     grouper_members gm,     grouper_memberships ms,     grouper_group_set gs,     grouper_sync_group gsg where     gsg.grouper_sync_id = ?     and ms.owner_id = gs.member_id     and ms.field_id = gs.member_field_id     and ms.member_id = gm.id     and gs.owner_group_id = gsg.group_id     and gsg.provisionable = 'T'     and ms.enabled='T'  and gm.subject_source in ()  and gs.field_id in (?) ,
Problem in HibernateSession: HibernateSession (1434cbe7): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (1e24022e)
    at edu.internet2.middleware.grouper.hibernate.BySqlStatic$4.callback(BySqlStatic.java:390)
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:700)
    at edu.internet2.middleware.grouper.hibernate.BySqlStatic.listSelect(BySqlStatic.java:333)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisionerGrouperDao.retrieveMembers(GrouperProvisionerGrouperDao.java:248)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisionerGrouperDao.retrieveGrouperDataFull(GrouperProvisionerGrouperDao.java:757)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.retrieveGrouperDataFull(GrouperProvisioningLogic.java:1411)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.retrieveAllData(GrouperProvisioningLogic.java:1345)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionFull(GrouperProvisioningLogic.java:81)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$1.provision(GrouperProvisioningType.java:41)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:53)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:587)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:57)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:392)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase.execute(OtherJobBase.java:376)
    at edu.internet2.middleware.grouper.app.loader.GrouperDaemonJob.execute(GrouperDaemonJob.java:57)
    at org.quartz.core.JobRunShell.run(JobRunShel 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 09/May/22 ]

Dec 8 2021 AI Chris add more info to GRP-3703,  (provision groups without memberships to azure and get exception ),      discussion Feb 16: what should happen when there is a validation. problem?   Suggestion to add another flag.   Tackle this in the next Grouper release.   Other use cases : groups with no membership should be considered not provisionable, do this as a separate option , with a checkbox, Leave this as of March 2 2022

Hard to know if group has no memberships. Use a Validation error. 

Already keeping track in sync table?   Chris will look at that….

Workflow of provisioner…   making changes, if no value, it pops a value in there.

Added a new validation type:  required, non existent topic, length, invalid value, membership required but not there.





[GRP-4029] clean up grouper image after removing log4j, so its not in the intermediate files on system scans Created: 09/May/22  Updated: 09/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

research the clean-up step after a Grouper sub image probe  that removes broken files related to old LOG4J versions






[GRP-4025] Removing recent membership config doesn't remove settings Created: 04/May/22  Updated: 04/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Ben E Rappleyea Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: ui
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OpenShift running grouper 2.6.8


Attachments: PNG File image-2022-05-04-11-56-41-841.png    

 Description   

When loader configuration is set initially to be "recent memberships" and saved. Attempts to remove this configuration via the UI fail. You are able to set it back to "No, doesn't have loader configuration" but when you save and then open again the result is that it is set back to "Yes, has loader configuration". This appears to coincide with what is in the database also. 

 






[GRP-4023] in subject source config ldap the only option is subtree scope Created: 03/May/22  Updated: 03/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4022] add attestation report widget on home page Created: 03/May/22  Updated: 03/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4021] maybe have data owners as drop down and searchable groups by data owner Created: 03/May/22  Updated: 03/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4020] add zoom external system Created: 02/May/22  Updated: 02/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4019] refactor matching and search attribute configuration Created: 02/May/22  Updated: 02/May/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-4008] "Include current members" status in UI Created: 26/Apr/22  Updated: 29/Apr/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Ben E Rappleyea Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: ui
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Red Hat Openshift containers of the Internet2 image 2.6.8


Attachments: File Demonstrating GRP-4008.mp4     PNG File image-2022-04-26-14-22-12-898.png     PNG File image-2022-04-26-14-22-37-565.png    

 Description   

When configuring the loader for a group it has been our experience that if you set the config in the UI to one thing the "view loader settings" option will show the opposite of what is selected in the "edit loader configuration" option. 

 



 Comments   
Comment by Ben E Rappleyea [ 29/Apr/22 ]

Adding a video that might better explain what is occurring. I have confirmed, however, that this is not occurring at the DB level and appears to only be in the UI.





[GRP-4012] Provisioner UI: Name field is set to drop down when the attribute name is EL-based. Created: 28/Apr/22  Updated: 28/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Jeffrey Williams (uncg.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.6.8 UI



 Description   

I've noticed, however, is that when I go to edit that provisioner now, the custom name of the  attribute(even though I have it as an EL attribute), defaults back to its dropdown option and I have to re-enter the name each time.  If you know an easy workaround for it, that'd be great.  Seems to happen with "groupTypes" and "${'groupTypes'}" as values.






[GRP-4009] per user trigger for USDU Created: 26/Apr/22  Updated: 26/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

As discussed in https://internet2.slack.com/archives/C7V0UQDJ4/p1643407164579049?thread_ts=1643399763.779279&cid=C7V0UQDJ4

Consider adding something to allow 3rd party to trigger usdu for a specific subject.

 

Chris Hyzer  [4:06 PM]
ok, if you can put an entry in a table, i can give you an example of a GSH loader script to update the member record, and maybe tell a provisioner to recalc the user... thoughts?you would put subjectId in table with a timestamp right?

Liam Hoekengabut we could probably do something that populated a message queue event, or maybe hit a web service, or put an entry in a table (like the incremental loader)






[GRP-4005] azure provisioner should limit which types of groups it can create/manage Created: 25/Apr/22  Updated: 25/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Only Microsoft 365 and security groups can be managed through the Microsoft Graph groups API. Mail-enabled and distribution groups are read-only through Microsoft Graph.






[GRP-3998] provisioning azure metadata should be for groups or folders Created: 23/Apr/22  Updated: 23/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3997] azure provisioner group type metadata Created: 23/Apr/22  Updated: 23/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for groups and folders

values: unified, security, distributionGroup, securityMailEnabled, unifiedSecurityEnabled

${grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'unified' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'unifiedSecurityEnabled' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'distributionGroup' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'securityMailEnabled'}

${grouperUtil.contains(['unified', 'unifiedSecurityEnabled', 'distributionGroup', 'securityMailEnabled'], grouperProvisioningGroup.retrieveAttributeValueString('md_groupType'))}

${grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'unifiedSecurityEnabled' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'security' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'securityMailEnabled'}

${grouperUtil.contains(['unifiedSecurityEnabled', 'security', 'securityMailEnabled'], grouperProvisioningGroup.retrieveAttributeValueString('md_groupType'))}

${grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'unifiedSecurityEnabled' || grouperProvisioningGroup.retrieveAttributeValueString('md_groupType') == 'unified' }

${grouperUtil.contains(['unifiedSecurityEnabled', 'unified'], grouperProvisioningGroup.retrieveAttributeValueString('md_groupType'))}






[GRP-3996] add group owners in azure provisioner Created: 23/Apr/22  Updated: 23/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

metadata to add group name to a provisionable group
make sure the members of that group are owners of the provisionable group (right subject source?)
get the full and incremental to sync those as well






[GRP-3995] azure provisioner subject link exception Created: 23/Apr/22  Updated: 23/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

provisionerClass: GrouperAzureProvisioner, configId: azureUNCGSecurity, provisioningType: incrementalProvisionChangeLog, state: retrieveSubjectLink, changeLogRawCount: 100000, changeLogItemsApplicableByType: 99964, recalcEventsDuringFullSync: 0, checkErrorsBack: 2min, syncGroupsToQuery: 14, syncGroupsFound: 4, retrieveSyncGroupsMillis: 40, syncGroupCount: 4, filterByNotProvisionable: 89502, convertToFullSyncScore: 40, recalcEventsDuringGroupSync: 0, syncMembershipsToQueryFromGroup: 4, syncMembershipsFromGroup: 6, retrieveSyncMembershipsMillis: 5, syncMembershipCount: 6, syncMembersToQuery: 0, syncMembersFound: 0, retrieveSyncMembersMillis: 0, syncMemberCount: 0, retrieveDataStartMillisSince1970: 1650737162476, retrieveGrouperMshipsMillis: 4, grouperMshipCount: 5, retrieveGrouperGroupsMillis: 2, grouperGroupCount: 4, retrieveGrouperEntitiesMillis: 6, grouperEntityCount: 10, provisioningEntitiesToDelete: 1, provisioningMshipsToDelete: 1, retrieveGrouperDataMillis: 14, subjectsNeedRefreshDueToLink: 3, exception: edu.internet2.middleware.subject.SourceUnavailableException: Cant find source with id: 'null', Possible source id's: 'g:isa', 'uncg-person', 'g:gsa', 'grouperEntities', 'grouperExternal', 'jdbc', 'uncg-computer', 
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.getSource(SourcesXmlResolver.java:435)
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIds(SourcesXmlResolver.java:1102)
	at edu.internet2.middleware.grouper.subj.CachingResolver.findByIds(CachingResolver.java:958)
	at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIds(ValidatingResolver.java:314)
	at edu.internet2.middleware.grouper.SubjectFinder.findByIds(SubjectFinder.java:1878)
	at edu.internet2.middleware.grouper.SubjectFinder.findBySourceIdsAndSubjectIds(SubjectFinder.java:1945)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisionerGrouperSyncDao.updateSubjectLink(GrouperProvisionerGrouperSyncDao.java:509)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLinkLogic.retrieveSubjectLink(GrouperProvisioningLinkLogic.java:148)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:740)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$3.provision(GrouperProvisioningType.java:100)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:69)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:678)
	at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91)
	at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503)
	at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:681)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: edu.internet2.middleware.subject.SourceUnavailableException: Source not found: 'null', available sources are: g:isa, uncg-person, g:gsa, grouperEntities, grouperExternal, jdbc, uncg-computer
	at edu.internet2.middleware.subject.provider.SourceManager.getSource(SourceManager.java:319)
	at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.getSource(SourcesXmlResolver.java:432)
	... 19 more
, finalLog: true, queryCount: 17, tookMillis: 437, took: 0:00:00.437 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 23/Apr/22 ]

provisioner.azureUNCGSecurity.allowPolicyGroupOverride = false
provisioner.azureUNCGSecurity.allowProvisionableRegexOverride = false
provisioner.azureUNCGSecurity.azureExternalSystemConfigId = uncgSpartan
provisioner.azureUNCGSecurity.class = edu.internet2.middleware.grouper.app.azure.GrouperAzureProvisioner
provisioner.azureUNCGSecurity.common.subjectLink.memberFromId2 = ${subject.getAttributeValue('userPrincipalName')}
provisioner.azureUNCGSecurity.deleteGroups = true
provisioner.azureUNCGSecurity.deleteGroupsIfGrouperDeleted = true
provisioner.azureUNCGSecurity.deleteMemberships = true
provisioner.azureUNCGSecurity.deleteMembershipsIfNotExistInGrouper = true
provisioner.azureUNCGSecurity.hasSubjectLink = true
provisioner.azureUNCGSecurity.hasTargetEntityLink = true
provisioner.azureUNCGSecurity.hasTargetGroupLink = true
provisioner.azureUNCGSecurity.insertGroups = true
provisioner.azureUNCGSecurity.insertMemberships = true
provisioner.azureUNCGSecurity.logAllObjectsVerbose = true
provisioner.azureUNCGSecurity.numberOfEntityAttributes = 2
provisioner.azureUNCGSecurity.numberOfGroupAttributes = 8
provisioner.azureUNCGSecurity.onlyProvisionPolicyGroups = false
provisioner.azureUNCGSecurity.operateOnGrouperEntities = true
provisioner.azureUNCGSecurity.operateOnGrouperGroups = true
provisioner.azureUNCGSecurity.operateOnGrouperMemberships = true
provisioner.azureUNCGSecurity.provisionableRegex = groupName matches ^(?:(?!:(:etc:|:ref:)).)*$
provisioner.azureUNCGSecurity.provisioningType = membershipObjects
provisioner.azureUNCGSecurity.selectAllEntities = true
provisioner.azureUNCGSecurity.selectEntities = true
provisioner.azureUNCGSecurity.selectGroups = true
provisioner.azureUNCGSecurity.selectMemberships = true
provisioner.azureUNCGSecurity.showAdvanced = true
provisioner.azureUNCGSecurity.showAssigningProvisioning = true
provisioner.azureUNCGSecurity.showProvisioningDiagnostics = true
provisioner.azureUNCGSecurity.subjectSourcesToProvision = uncg-person
provisioner.azureUNCGSecurity.targetEntityAttribute.0.fieldName = id
provisioner.azureUNCGSecurity.targetEntityAttribute.0.isFieldElseAttribute = true
provisioner.azureUNCGSecurity.targetEntityAttribute.0.select = true
provisioner.azureUNCGSecurity.targetEntityAttribute.0.translateToMemberSyncField = memberToId2
provisioner.azureUNCGSecurity.targetEntityAttribute.1.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetEntityAttribute.1.matchingId = true
provisioner.azureUNCGSecurity.targetEntityAttribute.1.name = userPrincipalName
provisioner.azureUNCGSecurity.targetEntityAttribute.1.searchAttribute = true
provisioner.azureUNCGSecurity.targetEntityAttribute.1.select = true
provisioner.azureUNCGSecurity.targetEntityAttribute.1.translateExpression = ${gcGrouperSyncMember.memberFromId2}
provisioner.azureUNCGSecurity.targetEntityAttribute.1.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.0.fieldName = displayName
provisioner.azureUNCGSecurity.targetGroupAttribute.0.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.isFieldElseAttribute = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.matchingId = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.maxlength = 256
provisioner.azureUNCGSecurity.targetGroupAttribute.0.searchAttribute = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.translateExpression = ${grouperProvisioningGroup.name.replaceAll('[^a-zA-Z0-9]', '_')}
provisioner.azureUNCGSecurity.targetGroupAttribute.0.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.0.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.0.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.1.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.1.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.1.maxlength = 1024
provisioner.azureUNCGSecurity.targetGroupAttribute.1.name = description
provisioner.azureUNCGSecurity.targetGroupAttribute.1.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.1.translateExpressionType = grouperProvisioningGroupField
provisioner.azureUNCGSecurity.targetGroupAttribute.1.translateFromGrouperProvisioningGroupField = attribute__description
provisioner.azureUNCGSecurity.targetGroupAttribute.1.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.1.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.2.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.2.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.2.name = mailEnabled
provisioner.azureUNCGSecurity.targetGroupAttribute.2.required = true
provisioner.azureUNCGSecurity.targetGroupAttribute.2.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.2.translateExpression = ${'false'}
provisioner.azureUNCGSecurity.targetGroupAttribute.2.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.2.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.2.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.3.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.3.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.3.name = mailNickname
provisioner.azureUNCGSecurity.targetGroupAttribute.3.required = true
provisioner.azureUNCGSecurity.targetGroupAttribute.3.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.3.translateExpression = ${grouperProvisioningGroup.name.replaceAll('[^a-zA-Z0-9]', '_')}
provisioner.azureUNCGSecurity.targetGroupAttribute.3.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.3.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.3.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.4.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.4.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.4.name = securityEnabled
provisioner.azureUNCGSecurity.targetGroupAttribute.4.required = true
provisioner.azureUNCGSecurity.targetGroupAttribute.4.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.4.translateExpression = ${'true'}
provisioner.azureUNCGSecurity.targetGroupAttribute.4.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.4.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.5.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.5.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.5.name = visibility
provisioner.azureUNCGSecurity.targetGroupAttribute.5.required = true
provisioner.azureUNCGSecurity.targetGroupAttribute.5.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.5.translateExpressionCreateOnly = ${'public'}
provisioner.azureUNCGSecurity.targetGroupAttribute.5.translateExpressionTypeCreateOnly = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.5.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.5.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.6.fieldName = id
provisioner.azureUNCGSecurity.targetGroupAttribute.6.isFieldElseAttribute = true
provisioner.azureUNCGSecurity.targetGroupAttribute.6.required = true
provisioner.azureUNCGSecurity.targetGroupAttribute.6.select = true
provisioner.azureUNCGSecurity.targetGroupAttribute.6.translateToGroupSyncField = groupToId2
provisioner.azureUNCGSecurity.targetGroupAttribute.6.valueType = string
provisioner.azureUNCGSecurity.targetGroupAttribute.7.insert = true
provisioner.azureUNCGSecurity.targetGroupAttribute.7.isFieldElseAttribute = false
provisioner.azureUNCGSecurity.targetGroupAttribute.7.name = groupTypeSecurity
provisioner.azureUNCGSecurity.targetGroupAttribute.7.translateExpression = ${'true'}
provisioner.azureUNCGSecurity.targetGroupAttribute.7.translateExpressionType = translationScript
provisioner.azureUNCGSecurity.targetGroupAttribute.7.update = true
provisioner.azureUNCGSecurity.targetGroupAttribute.7.valueType = string
provisioner.azureUNCGSecurity.updateGroups = true 





[GRP-3993] add unique contraints on provisioning tables e.g. group name Created: 23/Apr/22  Updated: 23/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3988] allow cte queries in loaders Created: 20/Apr/22  Updated: 20/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

jeffrey crawford:

Just wanted to point out that I’m using a recursive CTE query for ATTR_SQL_SIMPLE. I noted in the past that SQL loader seems to have a sanity check that forces the beginning of the query to begin with “SELECT”, CTE’s begin with “WITH”. I’m just worried that someday it may be corrected and my query will break. Can we please note to allow CTE type queries going forward?






[GRP-3986] add ruleIfConditionEnum aGroupInFolderHasImmediateEnabledMembership Created: 19/Apr/22  Updated: 19/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for starrez, so an org change can trigger email if user has a membership in folder.

also need to remove if not active from any group based on eligible group (employee?)






[GRP-3985] provisioner test case with entitlements and display extension Created: 18/Apr/22  Updated: 18/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Apr/22 ]

start with extension, change to display extension, try deletes too

provisioner.gpf_isMemberOfHlsLdap.canFullSync = true
provisioner.gpf_isMemberOfHlsLdap.class = edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync
provisioner.gpf_isMemberOfHlsLdap.debugLog = true
provisioner.gpf_isMemberOfHlsLdap.deleteMemberships = true
provisioner.gpf_isMemberOfHlsLdap.deleteMembershipsIfNotExistInGrouper = true
provisioner.gpf_isMemberOfHlsLdap.hasTargetEntityLink = true
provisioner.gpf_isMemberOfHlsLdap.insertMemberships = true
provisioner.gpf_isMemberOfHlsLdap.ldapExternalSystemConfigId = hlsLdapProvisioner
provisioner.gpf_isMemberOfHlsLdap.logAllObjectsVerbose = true
provisioner.gpf_isMemberOfHlsLdap.logCommandsAlways = true
provisioner.gpf_isMemberOfHlsLdap.numberOfEntityAttributes = 4
provisioner.gpf_isMemberOfHlsLdap.numberOfGroupAttributes = 1
provisioner.gpf_isMemberOfHlsLdap.operateOnGrouperEntities = true
provisioner.gpf_isMemberOfHlsLdap.operateOnGrouperGroups = true
provisioner.gpf_isMemberOfHlsLdap.operateOnGrouperMemberships = true
provisioner.gpf_isMemberOfHlsLdap.provisioningType = entityAttributes
provisioner.gpf_isMemberOfHlsLdap.selectAllEntities = true
provisioner.gpf_isMemberOfHlsLdap.selectEntities = true
provisioner.gpf_isMemberOfHlsLdap.selectMemberships = true
provisioner.gpf_isMemberOfHlsLdap.showAdvanced = true
provisioner.gpf_isMemberOfHlsLdap.showProvisioningDiagnostics = true
provisioner.gpf_isMemberOfHlsLdap.subjectSourcesToProvision = harvardperson
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.0.fieldName = name
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.0.isFieldElseAttribute = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.0.select = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.0.translateToMemberSyncField = memberToId2
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.0.valueType = string
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.isFieldElseAttribute = false
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.matchingId = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.name = harvardEduUUID
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.searchAttribute = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.select = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.translateExpressionType = grouperProvisioningEntityField
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField = subjectId
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.1.valueType = string
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.isFieldElseAttribute = false
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.multiValued = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.name = objectClass
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.translateExpression = ${grouperUtil.toSet('lawHarvardEduPerson')}
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.translateExpressionType = translationScript
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.2.valueType = string
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.isFieldElseAttribute = false
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.membershipAttribute = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.multiValued = true
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.name = isMemberOf
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.translateFromGroupSyncField = groupFromId2
provisioner.gpf_isMemberOfHlsLdap.targetEntityAttribute.3.valueType = string
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.isFieldElseAttribute = false
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.name = entitlementValue
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.translateExpression = ${'cn=' + edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.displayExtension) + ':Member,ou=Groups-new,dc=law,dc=harvard,dc=edu'}
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.translateExpressionType = translationScript
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.translateGrouperToGroupSyncField = groupFromId2
provisioner.gpf_isMemberOfHlsLdap.targetGroupAttribute.0.valueType = string
provisioner.gpf_isMemberOfHlsLdap.updateEntities = true
provisioner.gpf_isMemberOfHlsLdap.userSearchBaseDn = ou=People,dc=law,dc=harvard,dc=edu 

 

java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_posixGroupHlsLdap, provisioningType: fullProvisionFull, state: translateGrouperGroupsEntitiesToTarget, retrieveSyncGroupsMillis: 2, syncGroupCount: 10, retrieveSyncEntitiesMillis: 2, syncEntityCount: 27, retrieveSyncMshipsMillis: 2, syncMshipCount: 81, propagateProvisioningAttributes_millis: 1169, retrieveGrouperGroupsMillis: 2, grouperGroupCount: 9, retrieveGrouperEntitiesMillis: 5, grouperEntityCount: 320, retrieveGrouperMshipsMillis: 6, grouperMshipCount: 80, provisioningGroupsToDeleteCount: 1, provisioningMshipsToDelete: 1, originalTargetGroupCount: 9, originalTargetEntityCount: 21335, originalTargetMembershipCount: 80, originalTargetTotalCount: 21424, retrieveDataPass1_millis: 1038, loadDataToGrouper_millis: 0, exception: java.lang.RuntimeException: Error substituting string: 'edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.displayExtension + ':Member')',
, script: '${edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.displayExtension + ':Member')}', ,
{grouperProvisioningGroup=Group(id: "9babecd75bfc46a4824ae6e1b81dd62a", idIndex: 590880, name: "test:folder-for-alpha:hls-ldap:new-provisioner-posx-group-001", delete: true), provisioningGroupWrapper=GroupWrapper@4783bba0, grouperTargetGroup=Group(delete: true), gcGrouperSyncGroup=GcGrouperSyncGroup(errorTimestamp = '2022-04-17 15:23:29.358', groupId = '9babecd75bfc46a4824ae6e1b81dd62a', groupIdIndex = '590880', groupName = 'test:folder-for-alpha:hls-ldap:new-provisioner-posx-group-001', id = '8b30fc67fba74a1ba63610ee97b07d8a', provisionableDb = 'F', provisionableEnd = '2022-04-17 15:26:00.21', provisionableStart = '2022-04-17 15:25:00.185')}
    at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguageScript(GrouperUtil.java:11043)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslatorBase.runScript(GrouperProvisioningTranslatorBase.java:1153)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslatorBase.attributeTranslation(GrouperProvisioningTranslatorBase.java:762)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTranslator.attributeTranslation(LdapProvisioningTranslator.java:83)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningTranslatorBase.translateGrouperToTargetGroups(GrouperProvisioningTranslatorBase.java:538)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionFull(GrouperProvisioningLogic.java:151)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$1.provision(GrouperProvisioningType.java:41)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:69)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:678)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:57)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19)
    at edu.internet2.middleware.grouper.app.loader.OtherJobBase$2.callback(OtherJobBase.java:439)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(Gro

Comment by Chris Hyzer (upenn.edu) [ 18/Apr/22 ]
  1. configure a provisioner that has cn attribute set to  '${edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.extension + ':Member')}
  2. name field set to {{${ 'cn=' + edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.extension) + ':Member' + ',ou=Groups-new,dc=law,dc=harvard,dc=edu' }}}
  3. run the provisioner and provision groups
  4. create a new provisioner that adds attributes to the entities based on group membership and have the name and cn the same as above
  5. change both provisioners to use displayExtension instead of extension
  6. run all the provisioners again and you might see that that the grouper_sync_group did not update the group_from_id2 values to use those of {{displayExtension }} therefore still provisioning the wrong entitlement attributes to entities




[GRP-3984] template folder label not externalized Created: 13/Apr/22  Updated: 13/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-04-13-17-00-57-397.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 13/Apr/22 ]

 





[GRP-3983] provisionable column does not match screen Created: 08/Apr/22  Updated: 08/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-04-08-10-15-42-373.png    

 Description   






[GRP-3982] reports: group to send report to should not be required Created: 05/Apr/22  Updated: 05/Apr/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

"Group id to send email to is a required field"

 

All the email fields should go away if not sending email






[GRP-3981] Misnamed property for SQS secret key Created: 04/Apr/22  Updated: 04/Apr/22

Status: Open
Project: Grouper
Component/s: grouperClient
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Scott Cantor (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It appears as though the "built-in" settings in the GUI and in the default property examples for establishing an external system definition for a message queue contain a property of secretyKey instead of secretKey, which I assume is just a mistype.

I'm not sure that the internals actually are wrong though, I think it may just show up incorrectly in the GUI (including not providing the means to set the right property when adding a new external system definition).

We haven SQS CLC and it seems to work, but using the key in secretKey as one would expect.



 Comments   
Comment by Scott Cantor (osu.edu) [ 04/Apr/22 ]

(This is true AFAIK in both 2.5 and 2.6.)





[GRP-3164] Add container param to set static instrumentation uuid Created: 24/Feb/21  Updated: 02/Apr/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.42
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-02-23-20-57-42-388.png    

 Description   

Since moving to containers, the instrumentation uuid used to identify the host for metrics gets regenerated every time a new container is started. Since the list of hosts is keyed by this id, it makes the list of containers longer over time, needed to scroll a lot before seeing the graphs. The suspicion that this might happen was guessed at in GRP-1856.

The number of uuids can be reduced by being able to set it per container. So the UI in a certain environment would have one, WS in the same environment would have another, the UI in a different environment another, etc.

This may not be enough, since there is another column "Server Label" which is the machine name. In OpenShift at least this gets a new name for every container, so fixing the uuid wouldn't reduce the number of rows.

Maybe make the list collapsible so it doesn't take so much scrolling? Or put it after the graphs?



 Comments   
Comment by Chad Redman (unc.edu) [ 24/Feb/21 ]

Comment by Chris Hyzer (upenn.edu) [ 24/Feb/21 ]

so if I have 3 daemon nodes in prod, would they all have the same server label?  I cant put a label in the container since it fargate and its the same image/config.  Right?  or maybe theres a script I could write to ask AWS if I am node 1, 2, or 3?

Comment by Chad Redman (unc.edu) [ 01/Apr/22 ]

Maybe we can think about the whole concept of the uuid? Instrumentation was designed before containers, when Grouper only ran on one or two servers. The random uuid was generated, saved to a local file, and remained as is forever.

I don't know what is is useful for, other than to indicate a different instance of a container (which the server label is possibly already doing). That is really the problem – it's going to generate a new uuid every time the container starts, and it proliferates a new set of statistics for it, and will eventually affect performance. These are attribute assignments, not audit logs, and it isn't designed to store ever-increasing rows.

My use case is for (a) batch jobs that run a one-off container, or (b) a UI container that may restart periodically. I don't care about differentiating the uuid, and I want to put a static value there so it can aggregate the data better.

Comment by Chris Hyzer (upenn.edu) [ 02/Apr/22 ]

remind me to discuss this at the next dev call





[GRP-3980] provisioning: add option to not select all groups or memberships (e.g. azure) Created: 31/Mar/22  Updated: 31/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3979] if marked not provisionable in grouper, then delete from the target Created: 31/Mar/22  Updated: 31/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

not working at harvard.  delete setting is "delete if not exist in grouper"






[GRP-3978] provisioning, delete group, matching/search is extension, create same extension, error Created: 31/Mar/22  Updated: 31/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 31/Mar/22 ]

java.lang.RuntimeException: provisionerClass: LdapSync, configId: gpf_groupOfNamesHlsLdap, provisioningType: fullProvisionFull, state: indexMatchingIdGroups, retrieveSyncGroupsMillis: 2, syncGroupCount: 52, retrieveSyncEntitiesMillis: 331, syncEntityCount: 23880, retrieveSyncMshipsMillis: 792, syncMshipCount: 94739, propagateProvisioningAttributes_millis: 1910, retrieveGrouperGroupsMillis: 7, grouperGroupCount: 48, originalTargetGroupCount: 48, originalTargetEntityCount: 20318, originalTargetMembershipCount: 10860, originalTargetTotalCount: 31226, retrieveGrouperEntitiesMillis: 2134, grouperEntityCount: 101718, retrieveGrouperMshipsMillis: 1926, grouperMshipCount: 96793, provisioningGroupsToDeleteCount: 4, provisioningEntitiesToDelete: 4, provisioningMshipsToDelete: 14, retrieveDataPass1_millis: 4785, loadDataToGrouper_millis: 0, assignDefaultFieldsAndAttributesCount: 52, exception: java.lang.NullPointerException: Why do multiple groups have the same matching id???
Group(name: "cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu", matchingId: "group-of-names-001:Member", attr[cn]: "group-of-names-001:Member", attr[description]: "test:alpha-folder:hls-ldap:groupOfNames-folder:group-of-names-001", attr[labeledURI]: "ldap:///ou=People,dc=law,dc=harvard,dc=edu??one?(isMemberOf=cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu)", attr[member]: HashSet(1): [0]: , attr[objectClass]: LinkedHashSet(3): [0]: top, [1]: groupOfNames, [2]: labeledURIObject, delete: true)
null
Group(name: "cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu", matchingId: "group-of-names-001:Member", attr[cn]: "group-of-names-001:Member", attr[description]: "test:alpha-folder:hls-ldap:groupOfNames-folder:group-of-names-001", attr[labeledURI]: "ldap:///ou=People,dc=law,dc=harvard,dc=edu??one?(isMemberOf=cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu)", attr[member]: HashSet(1): [0]: , attr[objectClass]: LinkedHashSet(3): [0]: top, [1]: groupOfNames, [2]: labeledURIObject)
Group(name: "cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu", matchingId: "group-of-names-001:Member", attr[cn]: "group-of-names-001:Member", attr[description]: "test:alpha-folder:hls-ldap:groupOfNames-folder:group-of-names-001", attr[labeledURI]: "ldap:///ou=People,dc=law,dc=harvard,dc=edu??one?(isMemberOf=cn=group-of-names-001:Member,ou=Groups-new,dc=law,dc=harvard,dc=edu)", attr[member]: HashSet(1): [0]: uid=emichaud,ou=People,dc=law,dc=harvard,dc=edu, attr[objectClass]: HashSet(3): [0]: top, [1]: groupOfNames, [2]: labeledURIObject)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningMatchingIdIndex.indexMatchingIdGroups(GrouperProvisioningMatchingIdIndex.java:72)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionFull(GrouperProvisioningLogic.java:203)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$1.provision(GrouperProvisioningType.java:41)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:69)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:678)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.runFullSync(GrouperProvisioningFullSyncJob.java:57)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob$1.callback(GrouperProvisioningFullSyncJob.java:30)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
	at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
	at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob.run(GrouperProvisioningFullSyncJob.java:19)
	at edu.internet2.m 





[GRP-3977] failsafe for too many adds Created: 30/Mar/22  Updated: 30/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Brett Bieber 2:08 PM
Loader failsafes seem to be focused on preventing the removal of members. Is there a way to configure a failsafe to stop if the loader ADDs too many members? — Background: I'm working on a lastLogonTimestamp LDAP loader to find inactive accounts, and want to prevent this system from triggering the disable of too many accounts. In this case, that would be an ADD exceeding a specific number or percentage.






[GRP-3969] provisioning: verify that "select all entities" false will not select all entities specifically in LDAP and SQL Created: 29/Mar/22  Updated: 29/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3968] ldap provisioning validation to see if the translated DN rdn value matches the RDN translation Created: 29/Mar/22  Updated: 29/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. there was a dn: uid=123,ou=whatever
and the uid configured as: 234
and the provisioner created two uid's. maybe a validation or something could help address that...






[GRP-3967] add and remove entity provisioning diagnostics defaults in config Created: 29/Mar/22  Updated: 29/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3956] add provisioning customizeMembershipAttributeCrud Created: 28/Mar/22  Updated: 29/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-03-28-22-10-43-089.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 29/Mar/22 ]





[GRP-3958] provisioning group show validation settings Created: 28/Mar/22  Updated: 28/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-03-28-18-52-15-989.png     PNG File image-2022-03-28-18-52-42-698.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 28/Mar/22 ]

Comment by Chris Hyzer (upenn.edu) [ 28/Mar/22 ]





[GRP-3950] fix deprecated "number of batches" methods Created: 26/Mar/22  Updated: 26/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

should pass in if there should be at least one returned






[GRP-3945] dont make all files executable, only dirs Created: 22/Mar/22  Updated: 22/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Tames McTigue  3 hours ago
In my opinion it should be fixed. If someone found a way to replace one of those images or other files with a binary or script it would be one less step for them.
:+1:
1

 

 

Tames McTigue  3 hours ago
Something like this may be enough: https://tecadmin.net/set-all-directories-to-755-and-all-files-to-644/
find . -type d -exec chmod 0755 {} \; 
find . -type f -exec chmod 0644 {} \; 
TecAdminTecAdmin
How to Set all directories to 755 And all files to 644
Security always comes first. It is recommended to keep your files secure on your systems. No one liked that anyone misused their hard work due to silly mistakes. Many of fresher set file permissions to 777 on production servers to avoid any permission issue. But they are doing big mistakes by setting world writable permissions.
Written by
Rahul
Est. reading time
2 minutes
Dec 14th, 2020

Tames McTigue  2 hours ago
@mchyzer Forgot to tag you.






[GRP-3944] in provisioning, if not configured perhaps try to automatically decide if should select all entities based on count and configured threshold and other configs Created: 21/Mar/22  Updated: 21/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3943] provisioning diagnostics make easier to bootstrap Created: 18/Mar/22  Updated: 18/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

at the beginning of diagnostics

  1. if the test group if not marked as provisionable, then programmatically set it to provisionable
  2. if there is not an incremental daemon for this provisioner which is enabled, and the full sync is not currently running, then propagate provisioning attributes for the provisioner

the result is you can configure the provisioner without adding a full or incremental and without marking the test group as provisionable, and the diagnostics will do its thing and tell you if your config is ok






[GRP-3942] in provisioning if there are multiple records with the same matching id, just error those records Created: 18/Mar/22  Updated: 18/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

threshold?  maybe only a small percentage?






[GRP-3936] refactor provisioning tests to have fewer configuration sections Created: 16/Mar/22  Updated: 18/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Mar/22 ]

also instead of:

    GrouperLoaderConfig.retrieveConfig().propertiesOverrideMap().put("provisioner.ldapProvTest.deleteGroups", "true"); 

use this format:

    new GrouperDbConfig().configFileName("grouper-loader.properties").propertyName("provisioner.ldapProvTest.deleteGroups").value("true").store();

this allows running a test and then reproducing or exporting config in ui





[GRP-3941] provisioning take out attribute__ from values Created: 18/Mar/22  Updated: 18/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3940] refactor box provisioner to not use java box client Created: 18/Mar/22  Updated: 18/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3938] provisioning selectAllEntities should not have a default Created: 17/Mar/22  Updated: 17/Mar/22

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

people should choose if they want to select all entities or not






[GRP-3935] change grouperProvisioningGroupField to grouperProvisioningGroupAttribute Created: 16/Mar/22  Updated: 16/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3934] merge provisioning grouperProvisioningGroupField and groupSyncField Created: 16/Mar/22  Updated: 16/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3933] change from translateFromGrouperProvisioningGroupField to attribute (and other objects) Created: 16/Mar/22  Updated: 16/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3932] take out attribute__ from provisioning scriptlets Created: 16/Mar/22  Updated: 16/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 16/Mar/22 ]

e.g. attribute_subjectSourceId, attribute_description





[GRP-3931] change ldap DN from field name to attribute ldap_dn Created: 14/Mar/22  Updated: 14/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3929] logging env and usertoken do not work Created: 11/Mar/22  Updated: 11/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.8
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Joel Rettinger  4:37 PM
Most of our logs from the Grouper daemon, ui, and web service are no longer expanding the ENV and USERTOKEN variables,  so there are a lot of entries that look like:
grouper-daemon;grouperDaemon.log;${ENV};${USERTOKEN};2022-03-11T16:27:50,021: [DefaultQuartzScheduler_Worker-3] DEBUG....
This started happening after upgrading to 2.6.8. (We have been on 2.6.5 before that.) Is there some additional logging or container configuration we could be missing that's needed for version?
I shelled into the containers and verified that there is an env variable value for ENV, and we have grouper.env.name defined in grouper.properties. We have not been using any log4j/log4j2 config file overlays.
Before, ${USERTOKEN} always just expanded to an empty string before, except in the httpd access_log (and I don't know if that is using the USERTOKEN variable or something else where it shows usernames accessing the endpoints of the UI). (edited)






[GRP-3928] gsh template should be able to have an optional drop down Created: 10/Mar/22  Updated: 10/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

'Run mode' is not valid. Valid values are 'audit, update'.






[GRP-3897] User having read/update on a group should be able to see group names that are members even without view privilege on them Created: 02/Mar/22  Updated: 03/Mar/22

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: 2.6.8
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-03-02-13-12-00-099.png    

 Description   

If a user has READ + UPDATE on a group, and a group is a member of that group, but the user doesn't have READ or VIEW on that member group, they can see the members of that group indirectly, but not the group name itself.
 

In the screenshot above, a user needs to attest the group, but can only see the indirect members, not the direct group member. They can't determine whether that group is appropriate in order to attest to it.

Should it be assumed that if a user has read and update on a group, they should be able to see the names of member groups? This would probably affect the API and WS as well, not just the UI. The current behavior also affects visualization, where it shows the group having members, but doesn't include the source group that is the source of those members.



 Comments   
Comment by Chad Redman (unc.edu) [ 03/Mar/22 ]

Since the group entry is hyperlinked, we will need to handle it somehow. Maybe not hyperlink it, possibly also add a note to the group name that it's not not readable?

 

Carey Black 21 hours ago
What will happen when they "click on the link"? Then it goes boom?
Giving the user a clue that "this group" is "not for you" in the list is useful information.
Should it say something other than "UUID..." ? ( Yea.. that would be an improvement. )

Chris Hyzer 21 hours ago
Well, we could allow people to view a group if they can read a group where its a member, then the link would work... why not

Chris Hyzer 21 hours ago
Or just not have a link
:tada:
1

 





[GRP-3896] cannot index a primary key in oracle Created: 02/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford  2 hours ago
Running the gsh class did add the legacy attributes and I’m no longer getting the error, however in running the gsh -registry -deep It’s showing two indexes missing. However when I try to create them I get a message “ORA-01408: such column list already indexed” for index “grouper_failsafe_id_idx” which may mean that the column already has a unique constraint or be a primary key (I guess you can’t create and index twice for a column) Same thing with “grouper_last_login_mem_idx”

 

Jeffrey Crawford  1 hour ago
Okay yea so looking at the script the creation of the table identifies a primary key, which, at least for Oracle, creates an index, so trying to create further indexes causes an error:
CREATE TABLE GROUPER_LAST_LOGIN
(
    MEMBER_UUID VARCHAR2(40) NOT NULL,
    LAST_LOGIN NUMBER(38,0),
    LAST_STEM_VIEW_NEED NUMBER(38,0),
    LAST_STEM_VIEW_COMPUTE NUMBER(38,0),
    PRIMARY KEY (MEMBER_UUID)
);
– conflicts with
CREATE UNIQUE INDEX grouper_last_login_mem_idx ON GROUPER_LAST_LOGIN (MEMBER_UUID);

CREATE TABLE GROUPER_FAILSAFE
(
    ID VARCHAR2(40) NOT NULL,
    NAME VARCHAR2(200) NOT NULL,
    LAST_RUN NUMBER(38,0),
    LAST_FAILSAFE_ISSUE_STARTED NUMBER(38,0),
    LAST_FAILSAFE_ISSUE NUMBER(38,0),
    LAST_SUCCESS NUMBER(38,0),
    LAST_APPROVAL NUMBER(38,0),
    APPROVAL_MEMBER_ID VARCHAR2(40),
    APPROVED_ONCE VARCHAR2(1) NOT NULL,
    APPROVED_UNTIL NUMBER(38,0),
    LAST_UPDATED NUMBER(38,0),
    PRIMARY KEY (ID)
);
– conflicts with
CREATE UNIQUE INDEX grouper_failsafe_id_idx ON GROUPER_FAILSAFE (ID);






[GRP-3888] load more actions in group in ajax only if needed Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3887] add performance logging on view group in ui Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3834] remove slf api v25 from maven Created: 18/Feb/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chad Redman  10:22 AM
Two versions of slf4j-api
rw-rwxr- 1 tomcat tomcat   41203 Feb 18 09:40 slf4j-api-1.7.25.jar
rw-r-xr- 1 tomcat tomcat   41513 Feb 18 15:11 slf4j-api-1.7.32.jar



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Feb/22 ]

or change to v32

 

Comment by Chad Redman (unc.edu) [ 18/Feb/22 ]

Maven sees the dependencies differently in the grouper (api) pom vs. the grouper-api-container pom, even though the latter should be inheriting the former's dependencies

cd grouper
mvn -Dgrouper.version=2.6.7 dependency:tree
 
[INFO] edu.internet2.middleware.grouper:grouper:jar:2.6.0-SNAPSHOT
...
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile

cd grouper-container/grouper-api-container
mvn -Dgrouper.version=2.6.7 dependency:tree
 
[INFO] edu.internet2.middleware.grouper:grouper-container:pom:2.6.0-SNAPSHOT
[INFO] \- edu.internet2.middleware.grouper:grouper:jar:2.6.7:compile
...
[INFO]    +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO]    |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO]    |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile

So it seems to be a strange maven dependency issue with 2-level vs. 3-level deep dependencies.The pom for log4j-slf4j-impl itself does indeed depend on 1.7.25, per its pom at https://search.maven.org/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.17.1/jar:

  <artifactId>log4j-slf4j-impl</artifactId>
  <packaging>jar</packaging>
  <name>Apache Log4j SLF4J Binding</name>
  <description>The Apache Log4j SLF4J API binding to Log4j 2 Core</description>
  <properties>
    <log4jParentDir>${basedir}/..</log4jParentDir>
    <docLabel>SLF4J Documentation</docLabel>
    <projectDir>/slf4j-impl</projectDir>
    <!-- Do not upgrade the SLF4J version. 1.7.26 broke backward compatibility. Users can update the version if
      they do not require support for SLF4J's EventData -->
    <slf4j.version>1.7.25</slf4j.version>
    <module.name>org.apache.logging.log4j.slf4j</module.name>

The solution for the next Grouper version may be to revert to 1.7.25, to match the log4j-slf4j-impl transitive dependency.

For now, since the jar difference is possibly only in the EventData api, we may be ok with both versions, and the java processes will just pick one and work ok





[GRP-3886] error when editing templates Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2022-03-01T09:30:29,586: [ajp-nio-0.0.0.0-8009-exec-7] WARN Interpreter.unknownVariable(329) - [] - edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguage@10760![44,150]: 'grouperUtil.xmlEscape(grouperUtil.xmlEscape(grouperRequestContainer.commonRequestContainer.guiService.guiAttributeDefName.attributeDefName.description));' inaccessible or unknown property attributeDefName 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Mar/22 ]

Chris Hyzer  1 hour ago
@moremellotron Im sorry but regarding that last error, any chance you have a full stack?

 

Scott Cantor  24 minutes ago
That was the only error in the log, no stack, I'll check the log config

Scott Cantor  15 minutes ago
Our templates are in the DB for the moment I believe.

Scott Cantor  3 minutes ago
re: the log trace, I don't think that message actually includes an exception, it would be logged if there were.

Chris Hyzer  < 1 minute ago
ok cool we will try to track that down...

Chris Hyzer  < 1 minute ago
ok if templates are in DB the 2.6.8 upgrade will fix those automatically...





[GRP-3875] groups are public read and view but users cannot see the folder Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3891] If there are too many errors then stop the provisioner Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Ben

when I run a SQL table provisioner it immediately dumps about 75GB of data to /tmp/logpipe






[GRP-3894] how to know when matching id is required... Created: 02/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for group attributes, you need groups

if there is an entity link, then you need entities

etc






[GRP-3893] failsafe attribute not found Created: 01/Mar/22  Updated: 02/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 edu.internet2.middleware.grouper.exception.AttributeNotFoundException: Cant find attribute: grouperLoaderFailsafeUse,
 Problem calling method loader on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader
 	at edu.internet2.middleware.grouper.Group.getAttributeValue(Group.java:2875)
 	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.attributeValueOrDefaultOrNull(GrouperLoaderType.java:2641)
 	at edu.internet2.middleware.grouper.grouperUi.beans.ui.GrouperLoaderContainer.getSqlFailsafeUse(GrouperLoaderContainer.java:3287)
 	at edu.internet2.middleware.grouper.grouperUi.beans.ui.GrouperLoaderContainer.grouperLoaderFailsafeAssignUse(GrouperLoaderContainer.java:3318)
 	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.loader(UiV2GrouperLoader.java:703)
 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 	at java.lang.reflect.Method.invoke(Method.java:498)
 	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5159)
 	at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5110)
 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:337)
 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)
 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1174)
 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
 	at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
 	at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
 	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:524)
 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 	at java.lang.Thread.run(Thread.java:750) 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Mar/22 ]

this needs to be removed grouper.properties (default is true in base config)

grouper.attribute.loader.autoconfigure = 

this needs to be removed from grouper-loader.properties (default is true in base config)

loader.autoadd.typesAttributes = 

this should return no records.  If it returns something, contact the grouper team

select count(*) from grouper_types_legacy 

Comment by Chris Hyzer (upenn.edu) [ 02/Mar/22 ]

Run this GSH to create loader types (should be automatic, but if not, then this might help)

edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType(); 





[GRP-3892] add assignments on assignments to group edit attributes Created: 01/Mar/22  Updated: 01/Mar/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.9

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Peter DiCamillo  5 months ago
We’re upgrading to Grouper 2.5, and I have 2.5.57 running in maturity level 1 containers. Now I need to add back the legacy Admin UI. Is that possible? I found these directions, but there’s no mention of 2.5 and containers: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=132976920
Chris Hyzer  5 months ago
you need the admin ui or just some lite uis?  i.e. what exactly minimally do you really need?Chris Hyzer  5 months ago
its best to not add that stuff back in, having old struts is a security concern (edited) Chris Hyzer  5 months ago
at penn we do have some "lite uis" still in the container (built in subimage) and it works finePeter DiCamillo  5 months ago
The minimum we need is the ability to manage legacy group types and attributes in the UI. That’s the group types section of Edit group in the Admin UI and Edit attributes, plus displaying the current types & attribute values as part of the group info.Chris Hyzer  5 months ago
and using the "attribute assign" screen is not good enough?Chris Hyzer  5 months ago
three thoughts...
Maybe attribute assign screen is good enough
Is this for provisioning?  We could use the provisioning screen for this though we need to explore that with a conversation
We could consider adding more features to the current UI to accommodate you if you can send some screenshots that shows how users use the screen and legacy attributes :)Peter DiCamillo  5 months ago
The assign attribute screen is too low level. This is for provisioning, for use with our local change log consumer. For example, we can set a group type LDAPVisble to provision a group to LDAP, and set an attribute LDAPGroupName to specify the group name in LDAP.Chris Hyzer  5 months ago
might you consider using the new provisioning framework for that?  there is a specific screen for provisioning and you can specify a group name there tooChris Hyzer  5 months ago
you can also see activity, when provisionable, when provisioned, errors, etc.  a lot of compelling featuresPeter DiCamillo  5 months ago
Eventually, but that would be big project.Chris Hyzer  5 months ago
Would you consider using provisioning attributes / screens, but the provisioner does nothing, and your change log consumer keys off of provisioning attributes instead of legacy attributes?Peter DiCamillo  5 months ago
That might be a possibility. I don’t see anything useful on those screens now since we have no provisioners defined.Peter DiCamillo  5 months ago
However, we have a huge number of groups that would need attributes changed.Peter DiCamillo  5 months ago
My preference would be to get 2.5 in place first, then after that we could work on eliminating the Admin UI.Chris Hyzer  5 months ago
ok, then yes, you should be able to get the admin ui in there... you need an example or more docs?Peter DiCamillo  5 months ago
I’d like a description of the general process when containers are being used. Also, I noticed that the .tar.gz file on the directions page is very old, and there are differences if I build that file from the current source.Chris Hyzer  5 months ago
@Chad Redman will get back to you on this :slightly_smiling_face:Peter DiCamillo  5 months ago
Ok, thanksPeter DiCamillo  4 months ago
I tried to see how far I could get with this. I followed the directions at https://spaces.at.internet2.edu/pages/viewpage.action?pageId=132976920, but applied to updates to slashRoot/opt/grouper/grouperWebapp to get them into the container. The container contents looks ok. However, Tomcat gets errors trying to start the Grouper app.Peter DiCamillo  4 months ago
@Chad Redman @mchyzer I’m hoping I can get some help with resolving the errors. (edited) Chris Hyzer  4 months ago
what errors?  :slightly_smiling_face:Peter DiCamillo  4 months ago
Following the directions, I get this error
error deploying grouper
java.lang.IllegalArgumentException: Filter mapping specifies an unknown filter name [GrouperUi]
I found that web.xml references the GrouperUi filter but had no <filter> element for it. So I added these lines to web.xml
<filter>
  <filter-name>GrouperUi</filter-name>
  <filter-class>edu.internet2.middleware.grouper.ui.GrouperUiFilter</filter-class>
</filter>
That eliminated the error, but then I got a new error:
Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/grouper]]
Caused by: java.lang.NullPointerException
        at edu.internet2.middleware.grouper.j2ee.CommonServletContainerInitializer.onStartup(CommonServletContainerInitializer.java:66) ~[?:?]Peter DiCamillo  4 months ago
I looked at line 66, it’s
grouperUiFilter.addMappingForUrlPatterns(null, false, "*.jsp");Peter DiCamillo  4 months ago
That’s as far as I could go.Chad Redman  4 months ago
yes, those lines should be doing the same thing as what the web.xml lines are doing. I will try this out laterPeter DiCamillo  4 months ago
Which lines are you referring to?Chad Redman  4 months ago
that line 66 and the few lines before
          String grouperUiFilterName = "GrouperUi";
          Class grouperUiFilterClass = Class.forName("edu.internet2.middleware.grouper.ui.GrouperUiFilter");
          Dynamic grouperUiFilter = context.addFilter(grouperUiFilterName, grouperUiFilterClass);
          grouperUiFilter.addMappingForUrlPatterns(null, false, "*.jsp");Chris Hyzer  4 months ago
this did used to work, and then grouper diverged from the state where it did work.  Some issues I see:
As you state, we no longer use a web.xml
There are replaces of grouper-ui.base.properties and Owasp.CsrfGuard.overlay.properties and we cant do that
The class GroupContainer.class has been replaced, and we cant do that
and thats just the first issues :slightly_smiling_face:Chris Hyzer  4 months ago
im kind of thinking we should add the things you need in the current ui...
identifying marker attributes or string single valued attributes to be displayed in group info
identifying marker attributes or string single valued attributes to be edited in the group edit screen
correct?Chad Redman  4 months ago
What is the old feature you are using the admin ui for? Maybe it's going to be easier to add a new jsp using the current apiPeter DiCamillo  4 months ago
It’s what I wrote at the start of the thread, “The minimum we need is the ability to manage legacy group types and attributes in the UI. That’s the group types section of Edit group in the Admin UI and Edit attributes, plus displaying the current types & attribute values as part of the group info.”Chad Redman  4 months ago
Those group types show up under attribute assignments? Probably with a legacy as part of the attribute name?Chris Hyzer  4 months ago
yeah, let me take a quick pass at this...Chris Hyzer  4 months ago
i assume VIEWers can view these attributes and ADMINs can edit them, irrespective of the attribute privileges...Peter DiCamillo  4 months ago
Are there no longer the Attrubute read and Attribute update ACLs?Peter DiCamillo  4 months ago
But ADMINs should be able to read and update in any case.Chris Hyzer  4 months ago
there are, so it should honor who can READ or UPDATE the attribute definitions right?Peter DiCamillo  4 months ago
Yes, either ADMIN or has the required attribute ACL.Chris Hyzer  4 months ago
well, for attributes, you need ADMIN or ATTR_READ on the group side, and ADMIN or READ on the attribute side to see it.  You need ADMIN or ATTR_UPDATE on the group side, and ADMIN or UPDATE on the attribute side to see it.  Is that what you want?  :slightly_smiling_face:Peter DiCamillo  4 months ago
I think so. If that’s how it’s always worked, that’s fine.Peter DiCamillo  4 months ago
We want our existing ACLs from 2.3 to work as they have been.Peter DiCamillo  4 months ago
I can make some screen shots from the Admin UI if that would be useful.Peter DiCamillo  4 months ago
3 files 
Group Summary.jpg
Edit Group.jpg
Edit Attributes.jpgChris Hyzer  4 months ago
do you have an env which is upgraded and i can see what the legacy attributes look like?  :slightly_smiling_face:Chris Hyzer  4 months ago
ie what the types converted toPeter DiCamillo  4 months ago
I have a test Grouper 2.6.4 with a database that includes groups with the legacy group types and attributes. For the group in the screenshots, it has these underlying attributes in 2.3:
etc:legacy:attribute:legacyGroupType_CanvasGroup (marker)
etc:legacy:attribute:legacyGroupType_CanvasGroupControls (marker)
    etc:legacy:attribute:legacyAttribute_canvasGroupTitle = "Intermediate Microeconomics"
    etc:legacy:attribute:legacyAttribute_canvasSectionsType = "separate"
etc:legacy:attribute:legacyGroupType_LDAPVisible (marker)
    etc:legacy:attribute:legacyAttribute_lastLDAPUpdate = "event:20211025131428"
That comes from a group info program I have. (edited) Chris Hyzer  4 months ago
so this is assignable to groups?
etc:legacy:attribute:legacyGroupType_CanvasGroup 
and this is assignable to group assignments?
etc:legacy:attribute:legacyGroupType_CanvasGroupControlsPeter DiCamillo  4 months ago
Those are both different group types. It’s the attributes that are assigned to the group type assignments, such as
etc:legacy:attribute:legacyAttribute_canvasGroupTitle = "Intermediate Microeconomics"Peter DiCamillo  4 months ago
(The group types are assignable to groups.)Chris Hyzer  4 months ago
ok gotcha
Added to your saved itemsPeter DiCamillo  3 months ago
@mchyzer How are thing going with this? Will a new jsp be a workable solution?Peter DiCamillo  3 months ago
@mchyzer Making sure you saw my question.Chris Hyzer  3 months ago
yes it will be, I started working on it, not sure if it will be in 2.6.5 or 2.6.6...Peter DiCamillo  3 months ago
Great, thanksPeter DiCamillo  1 hour ago
@mchyzer Any update on this? Did it make it into 2.6.7?Chris Hyzer  13 minutes ago
such good timing!  :slightly_smiling_face:  we have a first pass of this in 2.6.8... I think there is more to do for 2.6.9 though...
https://todos.internet2.edu/browse/GRP-3890
Right now you can edit a boolean or a string value for an attribute assigned to a group.  I think we need the part where if you check the checkbox then more settings are available indented (e.g. assignment on assignment), right?Peter DiCamillo  8 minutes ago
Yes, when a group type is added, then the attributes associated with that type should  be editable.Chris Hyzer  2 minutes ago
and before the group type is added, then you dont even see the attributes right?  you see them when you check the box?
NewPeter DiCamillo  < 1 minute ago
Yes, that’s correct.  The attributes logically belong to their group type. 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Mar/22 ]

I think we can do this solely from looking at attribute structure...  but maybe we need configs to make it easier and more explicit?  e.g. indentSize (default to zero, but accept 1 also).  and showEl where you could put an expression and can eval that on submit?





[GRP-3865] inherited privilege rule should be invalid if assigning admin to everyentity (daemon fails) Created: 26/Feb/22  Updated: 26/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Ran rules daemon, changed 0 records, there were 1 errors.  All errors logged but here's one: edu.internet2.middleware.grouper.exception.GrantPrivilegeException: GrouperAll can't get a manage privilege.,
Exception in save: edu.internet2.middleware.grouper.Membership, edu.internet2.middleware.grouper.hibernate.ByObject@42970371,
Problem in HibernateSession: HibernateSession (36e10112): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7ff95b96),
Exception in save: edu.internet2.middleware.grouper.Membership, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: ImmediateMembershipEntry, tx type: null, membership: group: vivek:testGroup, subject: GrouperAll, field: admins, uuid: null, startDate: null, endDate: null, group name: vivek:testGroup, subject: Subject id: GrouperAll, sourceId: g:isa, privilege: admin,
Problem in HibernateSession: HibernateSession (4b3e6fb7): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (7ff95b96)
    at edu.internet2.middleware.grouper.Group$12.callback(Group.java:4384)
    at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:700)
    at edu.internet2.middleware.grouper.Group.internal_grantPriv(Group.java:4344)
    at edu.internet2.middleware.grouper.Group.grantPriv(Group.java:4308)
    at edu.internet2.middleware.grouper.rules.RuleCheckType$8.runDaemon(RuleCheckType.java:1091)
    at edu.internet2.middleware.grouper.rules.RuleDefinition$1.callback(RuleDefinition.java:359)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.rules.RuleDefinition.runDaemonOnDefinitionIfShould(RuleDefinition.java:352)
    at edu.internet2.middleware.grouper.rules.RuleEngine$3.callback(RuleEngine.java:558)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.rules.RuleEngine.daemon(RuleEngine.java:535)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$4.runJob(GrouperLoaderType.java:367)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:541)
    at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: edu.internet2.middleware.grouper.exception.UnableToPerformException: GrouperAll can't get a manage privilege.,
Exception in save: edu.internet2.middleware.grouper.Membership, edu.internet2.middleware.grouper.hibernate.ByObject@42970371,
Problem in HibernateSession: HibernateSession (36e10112): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (7ff95b96),
Exception in save: edu.internet2.middleware.grouper.Membership, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: ImmediateMembershipEntry, tx type: null, membership: group: vivek:testGroup, subject: GrouperAll, field: admins, uuid: null, startDate: null, endDate: null
    at edu.internet2.middleware.grouper.privs.AccessWrapper.grantPrivilege(AccessWrapper.java:174)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.CachingAccessResolver.grantPrivilege(CachingAccessResolver.java:138)
    at edu.internet2.middleware.grouper.privs.AccessResolverDecorator.grantPrivilege(AccessResolverDecorator.java:164)
    at edu.internet2.middleware.grouper.privs.ValidatingAccessResolver.grantPrivilege(ValidatingAccessResolver.java:137)
    at edu.internet2.middleware.grouper.Group$12.callback(Group.java:4356)
    ... 15 more
Caused by: edu.internet2.middleware.grouper.exception.GrantPrivilegeException: GrouperAll can't get a manage privilege.,
Except 






[GRP-3862] refactor env and usertoken in the container logs Created: 25/Feb/22  Updated: 25/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

just sub in file doesnt need env var






[GRP-3850] make it easier to sync data from list of objects to SQL table Created: 24/Feb/22  Updated: 24/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

See the WS to SQL script daemon example






[GRP-3849] Improve MembershipFinder api Created: 23/Feb/22  Updated: 23/Feb/22

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.6.7
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There is not a way in gsh to find a subject's memberships in groups, in a way that is flexible and easy to use. Compared with the other chained finder classes, the MembershipFinder is much harder to use:

  • The wiki page on it is very terse
  • The Javadoc method and parameter descriptions are terse
  • The resulting object isn't a set of groups, which is what the user will generally want; instead it's a MembershipResult, which itself needs to be queried to get a list of MembershipSubjectContainers that then needs to be iterated to get the groups
  • The various settings interact and depend on each other in ways that are not documented, and not intuitive

 

It's not easy to determine what needs to be set for various queries. For example, If I wanted to find all the groups under a stem where a user has the read privilege:

 

new MembershipFinder().addStem("unc:app:temp:cer28").addField("readers").addSubject(mySubject).findMembershipResult()
 // => ERROR java.lang.RuntimeException: expecting a stem field since other part of the query involve stem memberships
 

 
That was just my first guess. The javadoc for addStem was "add a stem to look for." and no parameter description.

new MembershipFinder().assignScopeForGroup("unc:app:temp:cer28:%").addField("readers").addSubject(mySubject).findMembershipResult()
// => ERROR java.lang.RuntimeException: If you are filtering by group, then you must page groups

The Javadoc for assignScopeForGroup is "if paging for group, then also filter for member" which I don't understand. Why is paging necessary in order to filter?

So how to add paging? Nothing matching addPag* or assignPag*. Maybe it's assignQueryOptionsForGroup(QueryOptions)? Again, the javadoc "query options for group. must include paging. if sorting then sort by group" mentions paging being required.

new MembershipFinder().assignScopeForGroup("unc:app:temp:cer28:%").assignQueryOptionsForGroup(new QueryOptions().paging(1000, 0, false)).addField("readers").addSubject(mySubject).findMembershipResult()
// => Cant get a page size greater then 500! 1000
 
new MembershipFinder().assignScopeForGroup("unc:app:temp:cer28:%").assignQueryOptionsForGroup(new QueryOptions().paging(500, 0, false)).addField("readers").addSubject(mySubject).findMembershipResult()
//===> edu.internet2.middleware.grouper.membership.MembershipResult@1dee84bf
// SUCCESS!

All this should be more intuitive. In the GroupFinder, you can set a stem scope, set fields or privileges, and set a subject to find. The results are a Set of groups. Unfortunately, it does not appear from the source code that it can filter on immediate memberships.

new GroupFinder().assignSubject(mySubject).assignScope("unc:app:temp:cer28:%").assignFieldName("readers").findGroups()






[GRP-3848] provisioning DAO can acknowledge object as whole, and any nulls in attribute action acks should be automatically filled in Created: 22/Feb/22  Updated: 22/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3846] change SQL provisioner to insert memberships when inserting groups/entities if groupAttributes/entityAttributes Created: 22/Feb/22  Updated: 22/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3845] provisioning if attribute is not select but is insert, then do not insert the attribute when updating the object (except for memberships) Created: 22/Feb/22  Updated: 22/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3837] counts for provisioning in loader log Created: 18/Feb/22  Updated: 18/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Chris Hubing (internet2.edu), Drew Aschenbrener (ufl.edu)

 Description   
  • grouper loader log, full sync, adds/deletes/updates
      - completely wiped ldap
      - ran full sync
      - had deletes
      - no total

full, total should be objects in target (add memberships)

incremental, total should be clc records processed






[GRP-3835] wssec throwing error Created: 18/Feb/22  Updated: 18/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper_1   | tomee;catalina.out;${env:ENV};${env:USERTOKEN};2022-02-18 15:12:34,842 [localhost-startStop-1] INFO  org.apache.axis2.deployment.ServiceDeployer- The GrouperServiceWssec_v2_5.aar service, which is not valid, caused java.lang.NoSuchMethodError: org.apache.axiom.om.impl.OMNodeEx.setParent(Lorg/apache/axiom/om/OMContainer;)V






[GRP-3825] add a way to bootstrap config Created: 17/Feb/22  Updated: 17/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black  3 hours ago
Actually let me be a bit more specific and only talk about the SMTP external system registration/config for a moment. ( As an example of what I think @jasonrap is generally asking about. )
grouper.base.properties has a set of properties "mail.smtp.*" that allow you to deliver a file to the image that could configure the SMTP external system. However, it is a fairly special case. I don't know of anyone who would have more than one SMTP external system. But I guess it could happen?!?
Is there a generic way to do that kind of "bootstrapping configuration" with any external system?
Also I kind of thought the general direction was to "not use files to drive the configuration" at this point and instead push as much of it as possible into the DB?
Maybe there should be a generic way to register any external system so that it is loaded into the DB config?
Maybe a "on startup execute a directory of GSH files" ?
Maybe a way to "load a set of files into the DB" at container startup?
Maybe a way to execute "start script files from the DB" on Daemon startup?
This way programmatically the files could "add if not present" and "back off" if already defined, or keep stomping on the config and use the file to drive it. Their choice.
As well as not be limited to the current fixed java properties keys/files structure.
And the deployer would not need to do "anything special" on startup to get a new provisioner added. Update the file ( a copy/paste/tweak from a lower environment) and redeploy the service.
The same bootstrap topic applies to every other configuration setting too. ( Well, except for the DB and it's credentials. :slightly_smiling_face: )
REFs  in Jiras ? :
https://todos.internet2.edu/browse/GRP-3343
https://todos.internet2.edu/browse/GRP-3398
https://todos.internet2.edu/browse/GRP-3442 (edited) 






[GRP-2798] change container to slf4j .25 Created: 15/May/20  Updated: 17/Feb/22

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.34

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Andy Morgan(opens in new tab) Yesterday at 4:59 PM
I've got another weird one... We have 2 custom changelog consumers that we have been using for a long time. When trying to validate that they work correctly in v2.5, I've discovered that I can't get DEBUG logs out of them anymore. This worked in v2.4. Our consumers do the following:
package edu.oregonstate.iam.grouper.consumers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
...
public class KalturaChangeLogConsumer extends ChangeLogConsumerBase {
static Logger logger = LoggerFactory.getLogger(KalturaChangeLogConsumer.class);
...
logger.debug("Read config.properties: kalturaServiceUrl="+kalturaConfig.getServiceUrl());
And our log4j.properties is mostly baseline, but I added this:
log4j.logger.edu.oregonstate.iam.grouper.consumers = DEBUG
Which gives me output from v2.4 but not from v2.5.23. (edited)

 

 

Shilen Patel(opens in new tab) 1 day ago
That uses slf4j? I also noticed that the google provisioner which uses slf4j doesn't log properly. Haven't looked into it yet though.

Shilen Patel(opens in new tab) 1 day ago
But might be worth checking if org.apache.commons.logging.Log works?

Andy Morgan(opens in new tab) 1 day ago
Yeah, this is using slf4j

Andy Morgan(opens in new tab) 1 day ago
I added more details to the first post in this thread, btw

Chris Hyzer(opens in new tab) 1 day ago
I think tomee uses slf4j, so maybe you need to put a debug statement in its logfile? annoying. i wish everyone would use commons logging like grouper uses so we only need to support one logging framework. i think pspng might be in the same boat unfortunately...

Chris Hyzer(opens in new tab) 1 day ago
think you could either customize tomees logging config or switch to commons logging? :slightly_smiling_face:

Andy Morgan(opens in new tab) 1 day ago
In v2.5:
./lib/slf4j-jdk14-1.7.21.jar
./lib/slf4j-api-1.7.21.jar
./lib/slf4j-log4j12-1.7.21.jar
In v2.4:
./lib/grouper/slf4j-log4j12.jar
./lib/grouper/slf4j-api-1.7.25.jar
./lib/custom/slf4j-log4j12-1.7.25.jar
Older jars in v2.5?

Andy Morgan(opens in new tab) 1 day ago
I don't think I understand your statement about tomee, but I'll go try to figure it out... :slightly_smiling_face:

Andy Morgan(opens in new tab) 1 day ago
BTW, we could probably switch to a different logging framework in our consumers. They aren't that complicated.

Andy Morgan(opens in new tab) 1 day ago
Is there a "template" for a consumer? These consumers were written more than 5 years ago by a developer that doesn't work for us anymore, so I have no idea what she based them on originally.

Chris Hyzer(opens in new tab) 1 day ago
commons logging would be the best right now. the tomee log config is xml i believe

Chris Hyzer(opens in new tab) 1 day ago
we should make a consumer, template things have changed. want to send me the code and i can make suggesitons? :slightly_smiling_face: (edited)

Andy Morgan(opens in new tab) 1 day ago
Sure. What is your email address?

Andy Morgan(opens in new tab) 1 day ago
this code is currently in a private repo, so I don't have an easy way to share except send the file...

Andy Morgan(opens in new tab) 1 day ago
or send it to me in a direct message, if you want

Andy Morgan(opens in new tab) 1 day ago
I can't get DEBUG logs from pspng in v2.5 either (confirming Shilen's observation)

Andy Morgan(opens in new tab) 1 day ago
I emailed you, Chris.

Chris Hyzer(opens in new tab) 1 day ago
I updated this wiki with my recommendation... yours look pretty good though. :slightly_smiling_face:
https://spaces.at.internet2.edu/display/Grouper/Sample+change+log+consumer
it will be even easier once we get the new provisioning framework working, but that might help you if you want to tweak it :slightly_smiling_face:

Andy Morgan(opens in new tab) 7 hours ago
I was able to get DEBUG level logging working again by replacing the slf4j v1.7.21 jars with v1.7.25 jars. My Dockerfile looks like this:
RUN rm /opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/box-java-sdk-2.17.0.jar \
/opt/tomee/lib/slf4j-jdk14-1.7.21.jar \
/opt/tomee/lib/slf4j-api-1.7.21.jar \
/opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-jdk14-1.7.21.jar \
/opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-api-1.7.21.jar \
/opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-log4j12-1.7.21.jar
COPY --chown=tomcat:tomcat container_files/lib/slf4j-jdk14-1.7.25.jar /opt/tomee/lib/
COPY --chown=tomcat:tomcat container_files/lib/slf4j-api-1.7.25.jar /opt/tomee/lib/
COPY container_files/lib/ /opt/grouper/grouperWebapp/WEB-INF/lib/
(container_files/lib/ contains the 3 missing slf4j jars, v1.7.25)

Andy Morgan(opens in new tab) 7 hours ago
Reminder, Grouper 2.4 shipped with v1.7.25 jars

Andy Morgan(opens in new tab) 7 hours ago
But TomEE v7.0.7 ships with v1.7.21 slf4j jars

Chris Hyzer(opens in new tab) 7 hours ago
we had errors some some circumstances when the grouper jars conflicted with tomee jars

Chris Hyzer(opens in new tab) 7 hours ago
so we reverted the version

Andy Morgan(opens in new tab) 7 hours ago
yeah, I understand why you don't want to mix versions. That's why I replaced all instances of slf4j jars with the new version. I'm looking at slf4j diffs to see if I can find why it works in 1.7.25

Chris Hyzer(opens in new tab) 7 hours ago
looks like the key is tomee doesnt have slf4j-log4j12-1.7.21.jar

Chris Hyzer(opens in new tab) 7 hours ago
if you just remove that one file: /opt/tomee/lib/slf4j-log4j12-1.7.21.jar then does it all work as is? :slightly_smiling_face:

Andy Morgan(opens in new tab) 7 hours ago
Do you mean copy /opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-log4j12-1.7.21.jar to /opt/tomee/lib/?

Chris Hyzer(opens in new tab) 7 hours ago
you remove a bunch of jars from tomee but dont add them all back, see?

Chris Hyzer(opens in new tab) 7 hours ago
oh, wait, nevermind, im getting confused

Andy Morgan(opens in new tab) 7 hours ago
/opt/tomee/lib/slf4j-log4j12-1.7.21.jar isn't present in the Grouper image

Andy Morgan(opens in new tab) 7 hours ago
3 jars in grouper, only 2 of them in tomee :slightly_smiling_face:

Chris Hyzer(opens in new tab) 7 hours ago
gotcha

Chris Hyzer(opens in new tab) 7 hours ago
you copy three jars back to grouper with #25 ver?

Andy Morgan(opens in new tab) 7 hours ago
I'll play around some more to see what I can learn

Andy Morgan(opens in new tab) 7 hours ago
Yep. Sorry if it isn't super clear from my Dockerfile. I'm replacing all instances of slf4j 1.7.21 jars with the same jar from 1.7.25

Andy Morgan(opens in new tab) 7 hours ago
my container_files/lib/ has various things in it, including all 3 slf4j jars

Andy Morgan(opens in new tab) 7 hours ago
1.7.23 is broken, 1.7.24 works (logs at DEBUG)

Andy Morgan(opens in new tab) 7 hours ago
I don't see anything obvious in the release notes for 1.7.24 that relates to this

Chris Hyzer(opens in new tab) 7 hours ago
if that works we can change grouper to do that :slightly_smiling_face: (put .25 everywhere)

Andy Morgan(opens in new tab) 5 hours ago
If you think that's okay, then it saves me the effort of rewriting our consumers to use Apache Commons Logging. That's not a huge burden, except that slf4j is better... :slightly_smiling_face:

Andy Morgan(opens in new tab) 5 hours ago
btw, it fixes the lack of DEBUG logging for pspng as well

Andy Morgan(opens in new tab) 5 hours ago
I wonder, is it necessary to replace the tomee jars? What role does tomee's lib directory have on deployed webapps?

Andy Morgan(opens in new tab) 4 hours ago
Eh, I just updated our Dockerfile to switch all occurrences to 1.7.25 jars and it works fine. I'll remove this workaround when upstream is fixed. Since PSPNG is affected, Grouper should be updated/fixed somehow - either use 1.7.25 jars to change PSPNG to use another log library. (edited)

Andy Morgan(opens in new tab) 4 hours ago

  1. Replace slf4j with v1.7.25 to fix issue with DEBUG level logging
    RUN rm /opt/tomee/lib/slf4j-jdk14-1.7.21.jar /opt/tomee/lib/slf4j-api-1.7.21.jar /opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-jdk14-1.7.21.jar /opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-api-1.7.21.jar /opt/grouper/grouperWebapp/WEB-INF/lib/slf4j-log4j12-1.7.21.jar
    COPY --chown=tomcat:tomcat container_files/slf4j/slf4j-jdk14-1.7.25.jar /opt/tomee/lib/
    COPY --chown=tomcat:tomcat container_files/slf4j/slf4j-api-1.7.25.jar /opt/tomee/lib/
    COPY --chown=tomcat:tomcat container_files/slf4j/ /opt/grouper/grouperWebapp/WEB-INF/lib/

Andy Morgan(opens in new tab) 4 hours ago
container_files/slf4j/ contains the 3 jars that Grouper needs, btw



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 17/Feb/22 ]

is this fixed?

 





[GRP-1509] subject API diagnostics should test email address Created: 05/Apr/17  Updated: 17/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.3.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From: Black, Carey M. black.123@osu.edu
Sent: Tuesday, April 04, 2017 6:57 PM
To: Hyzer, Chris <mchyzer@isc.upenn.edu>; grouper-users@internet2.edu
Subject: RE: GrouperJndiSourceAdapter questions...

RE: setting email value

I already have this in my config. (But it is not working) Any other ideas of what I might be doing wrong?

<init-param>
<param-name>emailAttributeName</param-name>
<param-value>mail</param-value>
</init-param>

The LDAP source has a value for the attribute “mail” that is an email address. (example: black.123@osu.edu)

When I use the Subject API diagnostics page I see this in the output for my Subject ID:

Subject attribute 'mail' has 1 value: 'black.123@osu.edu'

  • with subject.getAttributeValue("mail")

REF: https://github.com/Internet2/grouper/blob/master/subject/conf/ldap.sources.xml.example

I do not see a sample for “emailAttributeName” and the format looks more like “Name_AttributeType”…..

REF: https://github.com/Internet2/grouper/blob/GROUPER_2_3_0-branch/subject/tests/edu/internet2/middleware/subject/provider/JNDISourceAdapterTest.java
Only test for “SubjectID_AttributeType”, “Name_AttributeType” and “Description_AttributeTyp”.
No email attribute looking value.

Is this just a “miss” in this API? (Or am I not seeing something?)






[GRP-3438] grouper gsh templates should take uuid or name for folders and groups Created: 28/Apr/21  Updated: 17/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Template question about the requiring uuid for things like folderUuidToShow. Would it not make more sense to base that off of name? Would help migrating configs between different environments.






[GRP-3672] config key error message Created: 22/Oct/21  Updated: 17/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.6.3
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes  6:45 AM
This started showing up in 2.6.3/4 - I didn’t notice in earlier versions.
grouper;grouper_error.log;dev;dev;2021-10-22 06:41:49,770: [ajp-nio-0.0.0.0-8009-exec-5] ERROR ConfigFileMetadata.findConfigItemMetdataFromConfig(499) -  - Same config key or regex is in multiple files: changeLog.consumer.awsJira.publisher.class, changeLog.consumer.messagingEsb.publisher.class






[GRP-3823] Add advanced filter to subject's memberships, where you can filter by object type Created: 16/Feb/22  Updated: 16/Feb/22

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.6
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The memberships tab for a subject may include a lot of intermediate groups which are not interesting to see. In order to trim the data to the more useful rows, there should be an advanced filter where you can include or exclude one (or more?) object types.






[GRP-3822] change container test to not use hsql Created: 16/Feb/22  Updated: 16/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3820] try provisioning diagnostics with dn override Created: 16/Feb/22  Updated: 16/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from liam






[GRP-3817] Grouper WS does not behave as expected with some attribute call request Created: 16/Feb/22  Updated: 16/Feb/22

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hubing (internet2.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I was hoping to be able to return a list of memberships for a user, but only if the group itself had a certain attribute (in this use case, we have one that marks that it's a "working group", so we can display to people in a separate UI that they are in said working groups). 

The way we do it now is to get a list of the person's groups, then we have to do a call to look at each group and see if it has that attribute on it. 

I was chatting with Chad about this in one call and trying to do something similar and we found a few things that he said we should capture in JIRA.

Here's what Chad said.

"There is likely a gap in what WS can do. I can get close, but don't get the results I expect
POST /grouper-ws/servicesRest/v1_6_000/subjects/GrouperSystem/memberships
{
  "WsRestGetMembershipsRequest":{
    "wsOwnerAttributeDefLookups": [
     

{         "name": "test:WSAttributeTest:comanagetemplate_actorDef"       }

    ]
  }
}
I don't know why it can search on an attributeDef and not an attributeName. But still it should return the group and it's not

{
  "WsRestFindGroupsRequest": {
    "wsQueryFilter":

{       "groupAttributeName": "test:WSAttributeTest:dumbMetadata",       "groupAttributeValue": "comanage",       "queryFilterType": "FIND_BY_EXACT_ATTRIBUTE"     }

  }
}

this should at least get the groups, but it (1) assumes its metadata on an assignment and not a direct value, and (2) for some reason prepends the attribute with "etc:legacy:attribute:legacyAttribute_", so your attribute would need to be in that folder"

 

 






[GRP-3781] add option to not provision groups with no members Created: 25/Jan/22  Updated: 16/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If this is selected, then empty groups will be removed from the target



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 16/Feb/22 ]
  1. If the group must have members in order to be considered provisionable
  2. {valueType: "boolean", order: 11600, defaultValue: "false", subSection: "group", showEl: "${operateOnGrouperGroups}"}
  3. provisioner.genericProvisioner.groupRequireMembers =

 





[GRP-3814] allow gsh scripts to take arguments Created: 14/Feb/22  Updated: 14/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I believe you and Chad answered my question re: passing parameters into gsh scripts, e.g. "gsh foo.groovy <params>". Hopefully you'll post something in the #incommon-grouper channel if that capability becomes available.

Thanks for making time for this.

Jim Tomlinson (he/him)






[GRP-3811] allow edit provisioner from provisioner details page (not just from main page) Created: 11/Feb/22  Updated: 11/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3807] grouper diagnostics showing too much info Created: 10/Feb/22  Updated: 10/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

using ?diagnosticType=daemonJobsOnly&includeOnly=loader_MAINTENANCE_cleanLogs yields a lot of "extra" lines that I'd expect to just be left out:






[GRP-3806] errors on gsh container start Created: 10/Feb/22  Updated: 10/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

[student@ip-172-31-38-154 maturity0]$ docker exec -it grouper-ui gsh
/usr/local/bin/gsh: line 3: prep_daemon: command not found
/usr/local/bin/gsh: line 4: prep_finish: command not found
/usr/local/bin/gsh: line 5: setupFiles: command not found
/usr/local/bin/gsh: line 6: runCommand_unsetAll: command not found 






[GRP-2820] allow customizable help url Created: 22/May/20  Updated: 08/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Richard Frovarp 10:57 AM
It would be nice to be able to change where that help link goes. We would rather have it go out to our KB. At the moment we've poked at the JSP, but that isn't a long term viable solution. Will probably have to stick a link at the top of the resulting page using the text config in the future.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Feb/22 ]

Matt votes for this





[GRP-3804] on edit membership screen remove checkboxes and just have text (i.e. unchecking direct member does nothing) Created: 08/Feb/22  Updated: 08/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3803] on group screen to show memberships of another group, allow to add a group (to add this group to that group) like subject screen Created: 08/Feb/22  Updated: 08/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3801] detect if subject attributes or source attributes are misspelled on subject api wizard Created: 05/Feb/22  Updated: 05/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3799] ldap provisioner should get the DN from the CN... (not group attribute) if there is no translation Created: 05/Feb/22  Updated: 05/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3798] make it easier to replace chars in attributes in provisioning Created: 05/Feb/22  Updated: 05/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. for ldap when you cant put a colon in a DN and need to replace with something else






[GRP-3796] make jdbc subject source for testing editable and store in database Created: 03/Feb/22  Updated: 03/Feb/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3789] loader should clean up empty folders Created: 31/Jan/22  Updated: 31/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Drew Aschenbrener Today at 11:15 AM
So our configuration for grouper loader jobs, automatically has it clean up empty groups (they are deleted). But what about empty folders? If a loader job is creating folders, and then you end up with a bunch of empty folders, what's the easiest way to clean that up?






[GRP-3788] do not set alternate names by default on moves Created: 31/Jan/22  Updated: 31/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3786] disable subject caching from ui if few results returned Created: 28/Jan/22  Updated: 28/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga  42 minutes ago
A way for us to notify grouper that netids / subject_identifier(0) had changed would be useful to us

 

Shilen Patel  8 minutes ago
If you resolve a subject in grouper (in certain ways), it updates subject_identifier0 and other stuff.  Maybe hitting one of the web services will do it?  Not sure if subject caching would interfere though.

Liam Hoekenga  5 minutes ago
looking them up in the UI didn’t do it

Shilen Patel  4 minutes ago
yeah "in certain ways" plus caching can possibly interfere.

Chris Hyzer  < 1 minute ago
maybe we should disable caching for UI if few results returned?






[GRP-3785] handle changed netIds in provisioning Created: 28/Jan/22  Updated: 28/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga Today at 2:56 PM
One of our provisioners is trying to provision someone who’s netid changed.  I can’t look them up in by their old netid, but I can using their new netid.  however, the subject_identifier0 column in GROUPER_MEMBERS has the old netid
The corresponding entries in GROUPER_SYNC_MEMBER also have the old netid.
Is this something that self corrects over time?  It seems to be stopping the provisioner in it’s tracks.. (edited) 

 

3 replies

Chris Hyzer  < 1 minute ago
the full sync fails or you are doing an incremental?

Chris Hyzer  < 1 minute ago
what does the subject resolve as?  whats in the grouper_members table for subjectIdentifier0?

Chris Hyzer  < 1 minute ago
yeah, we can address this but it might need a workaround at this point in time






[GRP-3780] grouper provisioning diagnostics fails on missing group dn. This is groupAttributes where memberships are subjectIds. Full sync works but diag fails Created: 25/Jan/22  Updated: 28/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Note: GcGrouperSyncMembership: GcGrouperSyncMembership(errorTimestamp = '2022-01-25 16:13:20.358', grouperSyncGroupId = '2bc67c99ee9641deaed009f775af7a9c', grouperSyncMemberId = 'b34fb1a38e844578a8c0557d7185988f', id = '1eb6d9104d8a411ebb0cae2c945da7bf', lastUpdated = '2022-01-25 16:13:20.367') (elapsed: 0:00:00.612)
Note: ProvisioningObjectChange: attributeName=hasMember, action=insert, oldValue=null, newValue=ming.ho@at.internet2.edu
Note: Error in group: Group(matchingId: "sandbox:aws:tsg:administrator", exception: java.lang.RuntimeException: There were 1 exceptions, throwing first exception,
Note: Group(matchingId: "sandbox:aws:tsg:administrator", provisioned: false, attr[cn]: "sandbox:aws:tsg:administrator", attr[hasMember]: HashSet(1): [0]: ming.ho@at.internet2.edu, insert attribute hasMember "ming.ho@at.internet2.edu"), provisioned: false, attr[cn]: "sandbox:aws:tsg:administrator", attr[hasMember]: HashSet(1): [0]: ming.ho@at.internet2.edu, insert attribute hasMember "ming.ho@at.internet2.edu"), java.lang.RuntimeException: There were 1 exceptions, throwing first exception,
Note: Group(matchingId: "sandbox:aws:tsg:administrator", provisioned: false, attr[cn]: "sandbox:aws:tsg:administrator", attr[hasMember]: HashSet(1): [0]: ming.ho@at.internet2.edu, insert attribute hasMember "ming.ho@at.internet2.edu")
Note: at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:476)
Note: at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroup(GrouperProvisionerTargetDaoAdapter.java:1220)
Note: at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroups(GrouperProvisionerTargetDaoAdapter.java:456)
Note: at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendInsertGroupAttributesMembershipIntoTarget(GrouperProvisioningDiagnosticsContainer.java:595)
Note: at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:206)
Note: at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
Note: at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:53)
Note: at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:587)
Note: at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:227)
Note: at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:222)
Note: at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
Note: at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
Note: at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
Note: at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
Note: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Note: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Note: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Note: at java.lang.Thread.run(Thread.java:748)
Note: Caused by: java.lang.RuntimeException: No dn!,
Note: Error modifying entry server id: ldap, dn: null
Note: at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.internal_modifyHelper(LdaptiveSessionImpl.java:1160)
Note: at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.internal_modifyHelper(LdapSyncDaoForLdap.java:49)
Note: at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.processBatch(LdapSyncDao.java:281)
Note: at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.modify(LdapSyncDao.java:227)
Note: at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:440)
Note: ... 17 more11:20
Error: Adding entity to group in target:
java.lang.RuntimeException: There were 1 exceptions, throwing first exception,
Group(matchingId: "sandbox:aws:tsg:administrator", provisioned: false, attr[cn]: "sandbox:aws:tsg:administrator", attr[hasMember]: HashSet(1): [0]: ming.ho@at.internet2.edu, insert attribute hasMember "ming.ho@at.internet2.edu")
    at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:476)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroup(GrouperProvisionerTargetDaoAdapter.java:1220)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroups(GrouperProvisionerTargetDaoAdapter.java:456)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendInsertGroupAttributesMembershipIntoTarget(GrouperProvisioningDiagnosticsContainer.java:595)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:206)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:53)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:587)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:227)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:222)
    at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
    at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: No dn!,
Error modifying entry server id: ldap, dn: null
    at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.internal_modifyHelper(LdaptiveSessionImpl.java:1160)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.internal_modifyHelper(LdapSyncDaoForLdap.java:49)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.processBatch(LdapSyncDao.java:281)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.modify(LdapSyncDao.java:227)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:440)
    ... 17 moreNote: Debug info: (elapsed: 0:00:00.615) Ldaptive modify error: java.lang.RuntimeException: No dn!
    at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.internal_modifyHelper(LdaptiveSessionImpl.java:1160)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.internal_modifyHelper(LdapSyncDaoForLdap.java:49)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.processBatch(LdapSyncDao.java:236)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.modify(LdapSyncDao.java:227)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:440)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroup(GrouperProvisionerTargetDaoAdapter.java:1220)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroups(GrouperProvisionerTargetDaoAdapter.java:456)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendInsertGroupAttributesMembershipIntoTarget(GrouperProvisioningDiagnosticsContainer.java:595)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:206)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:53)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:587)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:227)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:222)
    at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
    at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)Ldaptive searchRequest: [org.ldaptive.SearchRequest@-1442926364::baseDn=, searchFilter=[org.ldaptive.SearchFilter@-1367234734::filter=(objectclass=*), parameters={}], returnAttributes=[hasMember], searchScope=OBJECT, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]
Ldaptive searchResponse: [org.ldaptive.Response@309049219::result=[org.ldaptive.SearchResult@-1951941189::entries=[[dn=[], responseControls=null, messageId=-1]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1]
Ldaptive searchResults: [org.ldaptive.SearchResult@-1951941189::entries=[[dn=[], responseControls=null, messageId=-1]], references=[]]
Ldaptive modify error: java.lang.RuntimeException: No dn!
    at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.internal_modifyHelper(LdaptiveSessionImpl.java:1160)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDaoForLdap.internal_modifyHelper(LdapSyncDaoForLdap.java:49)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.processBatch(LdapSyncDao.java:281)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.ldapSyncDao.LdapSyncDao.modify(LdapSyncDao.java:227)
    at edu.internet2.middleware.grouper.app.ldapProvisioning.LdapProvisioningTargetDao.updateGroup(LdapProvisioningTargetDao.java:440)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroup(GrouperProvisionerTargetDaoAdapter.java:1220)
    at edu.internet2.middleware.grouper.app.provisioning.targetDao.GrouperProvisionerTargetDaoAdapter.updateGroups(GrouperProvisionerTargetDaoAdapter.java:456)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.appendInsertGroupAttributesMembershipIntoTarget(GrouperProvisioningDiagnosticsContainer.java:595)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningDiagnosticsContainer.runDiagnostics(GrouperProvisioningDiagnosticsContainer.java:206)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:72)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:53)
    at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:587)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:227)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2ProvisionerConfiguration$1.callLogic(UiV2ProvisionerConfiguration.java:222)
    at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
    at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
    at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748) 



 Comments   
Comment by Shilen Patel (duke.edu) [ 28/Jan/22 ]

Unable to reproduce.  Added a test case that succeeds:

https://github.com/Internet2/grouper/commit/4c54ae275431fe89e7c3fe69ec58d240ba7f2eed

 

We'll see if anyone runs into this issue again and if so what their config looks like.





[GRP-3772] add a way to export provisioning config Created: 20/Jan/22  Updated: 20/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3771] dont join to grouper_field in hib3membershipDao if not needed or used or joined in where clause Created: 19/Jan/22  Updated: 19/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.6

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3770] remove add members button from add members screen (just have add) Created: 18/Jan/22  Updated: 18/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3769] provide a way to delete a person Created: 15/Jan/22  Updated: 15/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Reply…

Also send to incommon-grouper

incommon-grouper
Jason Peak, Michael Gettes, and you

Jason Peak 4 months ago
tl;dr; How can you best update Grouper when a person changes their username, which is used for Grouper’s subject_id here at oregonstate.edu ?
At Oregon State, we use a name-based institutional identifier for subject_id in Grouper. When someone changes their legal name, we allow them to have a new username. Part of that process is to programatically update name information in several systems, including Grouper.
We recently discovered that the Java we use to update Grouper when someone changes their username has probably been broken for a long time. It uses WsMemberChangeSubjectLiteResult, which seems to need both the new subjectId and the old subjectId to be resolveable in the subject source (we use LDAP) at the time it’s called. Since we’re renaming the object in LDAP, there’s never a moment when both names are in LDAP for Grouper to find.
We’re thinking of replacing our call to GrouperWS with a direct DB update along these lines: “UPDATE GROUPER_MEMBERS SET subject_id = :new_username WHERE subject_id = :old_username”. Is this a terrible idea :wink: ?

Chris Hyzer 4 months ago
unfortunately yes...

Chris Hyzer 4 months ago
i mean, that could work if the new subject doesnt have a record in the table yet, which might or might not be the case. I think we need to fix that service. What version are you? Can you get to the latest 2.5 or 2.6? :slightly_smiling_face:
You could call a GSH to change it... :slightly_smiling_face:
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=14517859#GrouperShell(gsh)-Memberchangesubject
Note, we probably need an example of finding the member ID without a resolvable subject... let me know if you want me to post that if GSH is the route you go?
Another option I was thinking about is a job that takes a SQL view of three cols, subject id "from", and subject id "to", and a timestamp. A grouper daemon would poll that and do the right thing.
However, that is good for merges, but what about splits (undo a merge). For a split should it use PIT and go back in time for both IDs? What about entitlements assigned between the split and merge? Gets complicated...

Jason Peak 4 months ago
Thanks Chris! We’re running 2.5.29, and having just spent 10 minutes skimming all the Jiras, we’re probably due for an upgrade.
If that doesn’t fix us, the GSH route could be an expedient workaround for the WS.

Chris Hyzer 4 months ago
I don’t think it will fix you. I will try to get this in the next release (not the one today)

Michael Gettes 4 months ago
@Jason Peak IMHO - you should still upgrade to better position yourself for future upgrades. The more often you do it - the easier it gets and the fear associated with it goes away.

Jason Peak 4 months ago
Yeah, thanks Michael, we’re definitely overdue.

Jason Peak 4 months ago
Chris, I appreciate your attention to it. The earliest I can imagine us getting Grouper upgraded is in the first week of October, so you know, take your time

Jason Peak 17 hours ago
Fast-forward to 2022…
Happy Friday all,
tl;dr; how can we delete a subject_id safely?
We ended up making direct DB updates to subject_id which has been fine, for the most part.
However, since Grouper doesn’t delete rows from grouper_members, I have to pick a different ‘new username’ every time I test our username change process on our test accounts. A day of heavy testing might require several username changes on our test account from old-username -> new-username (and then reset back to old-username again).
Our test accounts’ usernames are iamtest[1-7] - 8-char max allowed in our usernames. At this point, our grouper_members table is full of artifacts of old username change tests:
iamtesta
iamtestb
iamtestc

…we’re running out of letters!
We would like to clean this mess up with something like “DELETE FROM GROUPER_MEMBER WHERE SUBJECT_ID IN (…)”
How can we do this safely? (edited)

Chris Hyzer 17 hours ago
is the subject unresolvable that you want to remove? do they have any memberships or privileges?

Chris Hyzer 17 hours ago
you can remove from members, if you get a foreign key constraint we will need to use the usdu method to remove which deletes those things
New

Jason Peak 17 hours ago
they’re unresolvable, and these are test accounts, so we have zero concern about losing their history or privs or anything in grouper

Jason Peak 17 hours ago
I presume we’d also delete from grouper_pit_members in this case?

Chris Hyzer < 1 minute ago
@Shilen Patel at some point we can extract the logic to delete a person form the USDU and provide a method right?






[GRP-3767] bring duo users and data back to grouper (like zoom table) Created: 12/Jan/22  Updated: 12/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. push device






[GRP-3766] ldap provisioning filter should not search on same values Created: 11/Jan/22  Updated: 11/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga 5:31 PM
I’m still trying to figure this request out…
2022-01-11 17:05:00,546: [DefaultQuartzScheduler_Worker-8] INFO GrouperProvisioningLogCommands.infoLog(25) - - Command log for provisioner 'UMROOT_AD' - 'u8kwh9a3', retrieveGroups: Ldaptive searchRequest: [org.ldaptive.SearchRequest@-1449544525::baseDn=blablabla,DC=edu, searchFilter=[org.ldaptive.SearchFilter@-1460840430::filter=(|(extensionAttribute3=b3e9dabcc07bf)(extensionAttribute3=b3e9dabcc07bf))






[GRP-3764] improve provisioning search attributes Created: 10/Jan/22  Updated: 10/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chris Hyzer 4:58 PM
oh ok :slightly_smiling_face:
4:58
what do you mean search attributes required automatically?

Liam Hoekenga 4:59 PM
we had provisioner configurations where the search attribute wasn’t required
and when we were specifying our own search filters, the provisioner would die because it would complain that it couldn’t use a null object in an ldaptive search request
5:00
and then when we let grouper automatically determine the search filters, the search started working, because grouper used the string “null” in the search filter instead of using a null object
5:00
so, we updated our provisioning configuration such that search attributes are required, which gets around the null thing
5:01
I could search slack for the conversation
5:01
but it seems like if an attribute is going to be the search attribute for a object, it should be required






[GRP-3763] provisioning counts for sql do not work Created: 10/Jan/22  Updated: 10/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2022-01-09-22-12-39-262.png    




[GRP-3758] add failsafe attributes on group Created: 09/Jan/22  Updated: 09/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. min size, etc






[GRP-3757] list failsafes in grouper daily report Created: 09/Jan/22  Updated: 09/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3754] add more notification options Created: 07/Jan/22  Updated: 07/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chris Hyzer 1 day ago
We are revamping the failsafes in Grouper. A failsafe means configure default or specific thresholds for a job and if a problem arises the job will not run until the data problem is fixed or until an admin approves it. Notifications can be included. Here is a general failsafe wiki and a "SQL simple" wiki
https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+failsafe
https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+failsafe+-+SQL+simple
We will flesh this out more, and add to other types of loaders and provisioning framework for v2.6.6.
Feedback welcome
:thumbsup_all:
3
:eyes:
1

Justin Robinson 1 day ago
I’m super excited about this

Justin Robinson 1 day ago
One thing I’ve been wondering is - is there a way from a notification perspective to add in something like - call GSH template. The use case here is, perhaps I’m not a campus that wants email notifications, but instead I want to post a notice in Slack. The campus could craft a “notification GSH” that takes the message and sends it to the place they want the notification received

Chris Hyzer 1 day ago
uh... sure, we can add that in future :slightly_smiling_face:

Chris Hyzer 1 day ago
i mean, you can also just monitor an email box and take things about put in slack, but yeah

Chris Hyzer 1 day ago
i know you are just talking about an example, but grouper could also talk to slack too :slightly_smiling_face:

Justin Robinson 1 day ago
yep - i’m just thinking notifications logic generally. one thing we are probably going to do is pipe notifications to a queue. we have a notification service that allows for multiple channel broadcast and tracking.

Chris Hyzer 1 day ago
what type of queue?

Justin Robinson 1 day ago
rabbit

Chris Hyzer 1 day ago
what if grouper allowed this type of email address:
queueName@grouperMessagingSystem__myRabbitConfigId
And then what, sends a JSON with subject and body of message?

Yoann Delattre 4 hours ago
Also interested in a way to send a notification to slack instead of mail (we are using Mattermost here but it's compatible with the slack message).

Joel Rettinger 1 hour ago
@mchyzer That sounds like a great option for sending notifications to a message queue! or even as a general template style for a broader notifications option like queueOrChannelOrDefaultEtcOfExternalSystem@grouperSomeSupportedSystemType__myExtSystemConfigId, or a [list] of such endpoints
New

Joel Rettinger 1 hour ago
And/or like Justin was saying, the option for institutions to add their own "event handler scripts" for various situations.






[GRP-3751] issue provisioning diagnostics warning if reading from sync bucket but not writing to it Created: 06/Jan/22  Updated: 06/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3748] address the need to frequently bounce grouper container Created: 03/Jan/22  Updated: 04/Jan/22

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The developers have suggested that it might be advisable / desirable to bounce the grouper containers on a nightly basis.

It seems like this might be problematic when there are jobs that are spread through the day.

Could the need for frequent reboots be described / investigated?  (e.g. memory leaks?)



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/Jan/22 ]

yeah, memory leaks, if it works for a week, then do it weekly   You can use trial and error...  Also, you should look at the jobs and schedules and you should be able to find some time to bounce it so it doesnt conflict with a long running job...





[GRP-3732] delete old change log consumer entries Created: 15/Dec/21  Updated: 15/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Drew Aschenbrener Today at 3:50 PM
I'm not seeing any documentation regarding removing a deprecated change log consumer.
The consumer entry is no longer in grouper-loader.properties, but there is still a record in the 'grouper_change_log_consumer' table. Do you just delete the row manually, and then you are done? (edited)






[GRP-3731] dont check types table after a certain ddl version or upgrade step version Created: 14/Dec/21  Updated: 14/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Ross Wilper Yesterday at 11:25 AM
I just upgraded an instance from 2.6.5 to 2.6.5.1 and the UI container never finishes starting. The UI container logs ends with "Starting query cache at region: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3AttributeAssignDAO.FindbyID" and the SQL Server says "select count from grouper_types_legacy" Error relation "grouper_types_legacy" does not exist. (Looks like it worked after waiting a bit more) (edited)
5 replies

Ross Wilper 1 day ago
Looks like the daemon container failed at the same point, but the ws container seems ok

Ross Wilper 1 day ago
Ok... and then it seems to have recovered.. Wierd

Chris Hyzer 2 hours ago
which db do you use?

Ross Wilper 1 hour ago
Postgres

Chris Hyzer < 1 minute ago
i would think select * from a table that doesnt exist would be instaneous... we can fix this though






[GRP-3726] auto ddl message should be adjusted in 2.6 Created: 11/Dec/21  Updated: 11/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2021-12-10 20:58:51,305: [main] ERROR GrouperDdlUtils.autoDdl2_5orAbove(1784) -  - You should set grouper.hibernate.properties registry.auto.ddl.upToVersion to the recommended value of at least 2.5.* (whatever minor version you are on)     You can set registry.auto.ddl.dontRemindMeAboutUpToVersion to true to stop seeing this message 






[GRP-3725] config page should show container version and grouper version Created: 10/Dec/21  Updated: 10/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3719] "groups i manage" should show read/update groups Created: 09/Dec/21  Updated: 09/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3717] improve performance of property configuration in the UI Created: 09/Dec/21  Updated: 09/Dec/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.5
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The property management page in the UI is relatively slow to appear, approximately 20 seconds at our institution for grouper.properties to be loaded. This is so slow that it not only affects the wait time for the page to appear, but also impacts properties import. When importing properties, the import results in the green status bar are immediately displayed, and the page appears to be complete. But when you go to another page, the page may initially display, but will then be redirected later back to the property management page, which took a while to generate the summary page of all the properties. Apparently the ajax isn't cancelled so is still pending 20 seconds after going to a different page.

In our configuration, the configuration pages also randomly but consistently would bring down our UI server (which was admittedly tight on memory). Doing a profile while loading the configuration page shows that it uses up 150MB of ram for temporary objects that are then released for GC once the page loads. This seems like a lot, for a page that is just loading key/value pairs.

 






[GRP-3673] null group name causes errors on startup Created: 27/Oct/21  Updated: 08/Dec/21

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Erik Coleman  6:57 PM
I just fired up 2.5.58 in my test environment and I can't get Grouper to start. Seems like during startup I'm getting this exception. Anything in the database I should look for?
Grouper warning: cannot find group from config: Group contains people who can see the overall loader screen in Misc, and if they have VIEW on a group they can see the loader tab and functions: null
Grouper error: null, java.lang.RuntimeException: Group name must exist and must contain at least one stem name (separated by colons): 'null'
at edu.internet2.middleware.grouper.GroupSave.save(GroupSave.java:597)
at edu.internet2.middleware.grouper.Group.saveGroup(Group.java:388)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkGroup(GrouperCheckConfig.java:262)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkGroups(GrouperCheckConfig.java:1253)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:572)
at edu.internet2.middleware.grouper.misc.GrouperStartup$1.callback(GrouperStartup.java:345)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:292)
at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.init(GrouperServiceJ2ee.java:1114)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:106)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4538)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5181)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:614)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1822)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
grouper-api;grouper_error.log;aws-test;224588347132;2021-10-26 17:48:37,243: [localhost-startStop-1] ERROR GrouperCheckConfig.checkGroup(275) - - Problem with group: null
java.lang.RuntimeException: Group name must exist and must contain at least one stem name (separated by colons): 'null'
at edu.internet2.middleware.grouper.GroupSave.save(GroupSave.java:597)
at edu.internet2.middleware.grouper.Group.saveGroup(Group.java:388)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkGroup(GrouperCheckConfig.java:262)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkGroups(GrouperCheckConfig.java:1253)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:572)
at edu.internet2.middleware.grouper.misc.GrouperStartup$1.callback(GrouperStartup.java:345)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:292)
at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.init(GrouperServiceJ2ee.java:1114)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:106)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4538)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5181)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:614)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1822)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)






[GRP-3716] refactor container unit tests for new quickstart Created: 08/Dec/21  Updated: 08/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3708] Incremental loader: prevent extra full syncs Created: 30/Nov/21  Updated: 08/Dec/21

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Gail Lift Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Michael Gettes

 Description   

The incremental loader (https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+real+time+updates) will trigger a full sync when a transaction arrives for a group that did not previously exist. We would like an option that could prevent the full syncs from being triggered. If possible, we would like the incremental loader to create the group(s) with the transaction subject as a member. If only full sync can create groups, we would like some way to detect that memberships are pending the next sync (perhaps something in the grouper_incremental table row?).

Our HR data loader creates/updates a multitude of ref groups. To avoid creating bunches of groups that are unlikely to have members (eg, faculty in the plumbing shop department), we don't create some classes of ref groups until a member arrives. If the incremental loader sees a transaction for a group that doesn't yet exist, the new member is the only member. The 'true up' of a full sync is not required. Also, we don't want extra full syncs during the day. 

This was discussed briefly in the grouper slack channel on Nov 16, 2021.

 






[GRP-3608] Add audit entry of specific subject in group members tab Created: 13/Sep/21  Updated: 08/Dec/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.0
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-09-13-17-46-33-732.png    
Issue Links:
Related
is related to GRP-2430 add audit in membership drop down for... Open
is related to GRP-1845 Group "View audit log" should allow a... Open

 Description   

When investigating out when a particular subject was added to a group, getting the whole audit list for the group and looking through all the pages for the subject is cumbersome. (1) The audit entry table can be very large, and may perform poorly; (2) except for date, there is no filter in the audit entry view other than by date, so the user needs to scan through pages of entries to find the target.

 

From the membership view, getting the membership add/change/delete audit entries for a particular user in a group should be much faster than getting all the entries for the group.

 

Suggested:

 






[GRP-1214] Ability to export Audit report as CSV file Created: 14/Oct/15  Updated: 08/Dec/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.2.2
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jeffrey Crawford Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 1
Labels: audit, csv, export, log
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Red Hat EL 6



 Description   

We can download the members of a group as a CSV file, our security team would like that expanded to the audit log. It would be useful that the same filter criteria could be used so that a CSV would only contain the time frame of interest.






[GRP-3714] Allow externalized text in Types metadata Created: 07/Dec/21  Updated: 07/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Justin Robinson (iu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Often data owners or member descriptions will have the same or vastly similar text. When this is the case, it would be great to update it in one location for all areas used and to only set the values once.

Request: update Grouper Types metadata to pull from externalized text.






[GRP-3713] RFE: org specific daemon instances Created: 06/Dec/21  Updated: 06/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We'd like to allow unit / org level admins access to loader / provisioner settings.  We're worried about allowing them to do that on shared provisioner resources, but were thinking it might be acceptable if we could pin their jobs to specific daemon instances (that they're paying for?)






[GRP-3712] RFE: provisioners sharing load? Created: 06/Dec/21  Updated: 06/Dec/21

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the future, might it be possible for provisioners to share their queued work across multiple daemons?  We're concerned about provisioning operations getting blocked behind larger / slower operations






[GRP-3711] Nesting capable provisioners? Created: 06/Dec/21  Updated: 06/Dec/21

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Could / should the provisioning backends that understand nested groups be extended to allow for nested groups?

e.g.  provision your reference structure to an LDAP target, and then allow the provisioner to reference the local copy of those reference groups rather than syncing down the members of those reference populations every time they're included






[GRP-3709] gsh template error if delete the folder where the template runs Created: 06/Dec/21  Updated: 06/Dec/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Should be able to do something like this, or just show the parent folder if not there

 gsh_builtin_gshTemplateOutput.assignRedirectToGrouperOperation("operation=UiV2Stem.viewStem&stemName=penn:isc:ts:networking:service:sraVpn:service");






[GRP-3687] duo external system secret key should be password field Created: 06/Nov/21  Updated: 06/Nov/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 06/Nov/21 ]

its marked as password in the config file metadata





[GRP-3691] add command debug to sql provisioner Created: 06/Nov/21  Updated: 06/Nov/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3688] duo provisioner does not update description (provisioning framework) Created: 06/Nov/21  Updated: 06/Nov/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3675] add unicode types to client database api Created: 29/Oct/21  Updated: 29/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.5

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 29/Oct/21 ]

Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: Not expecting column type: -9,
sql:  select USER_KEY,USERNAME,LOWER_USERNAME from USER_MAPPING, 
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2344)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1741)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1615)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.selectList(GcDbAccess.java:1590)
	at edu.internet2.middleware.grouperAtlassianConnector.db.v2.AtlassianUserMappingV2.retrieveUserMappings(AtlassianUserMappingV2.java:47)
	at edu.internet2.middleware.grouperAtlassianConnector.db.AtlassianCwdVersion$3.retrieveUserMappings(AtlassianCwdVersion.java:192)
	at edu.internet2.middleware.grouperAtlassianConnector.db.GrouperAtlassianDataReconcile.retrieveAllFromAtlassian(GrouperAtlassianDataReconcile.java:810)
	at edu.internet2.middleware.grouperAtlassianConnector.db.GrouperAtlassianDataReconcile.reconcileGrouperAndAtlassian(GrouperAtlassianDataReconcile.java:419)
	at edu.internet2.middleware.grouperAtlassianConnector.db.GrouperAtlassianDataReconcile.main(GrouperAtlassianDataReconcile.java:72)
Caused by: java.lang.RuntimeException: Not expecting column type: -9,
sql:  select USER_KEY,USERNAME,LOWER_USERNAME from USER_MAPPING, 
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.retrieveObjectFromResultSetByIndex(GcDbAccess.java:2598)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.addObjectToList(GcDbAccess.java:2448)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.access$3(GcDbAccess.java:2422)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess$2.callback(GcDbAccess.java:1761)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess$2.callback(GcDbAccess.java:1)
	at edu.internet2.middleware.grouperClient.jdbc.GcDbAccess.callbackResultSet(GcDbAccess.java:2340)
	... 8 more
 
  





[GRP-3671] add Boolean as provisioning attribute type Created: 22/Oct/21  Updated: 22/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3668] add provisioning troubleshooting zip download Created: 21/Oct/21  Updated: 21/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

include the sanitized configs, version, stats, logs (from DB), etc






[GRP-3648] ran recent memberships full loader multiple times and it finds adds but they dont get applied? Created: 06/Oct/21  Updated: 20/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 06/Oct/21 ]

Comment by Chris Hyzer (upenn.edu) [ 20/Oct/21 ]

needs a view change





[GRP-3664] add subjectIdOrIdentifier to MembershipSave Created: 14/Oct/21  Updated: 14/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3657] add database to report CSV config Created: 08/Oct/21  Updated: 08/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Oct/21 ]

GrouperConfigType.retrieveReportDataByConfig()





[GRP-3656] report with bad cron gives error but still partially saves Created: 07/Oct/21  Updated: 07/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png     PNG File screenshot-2.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 07/Oct/21 ]

Comment by Chris Hyzer (upenn.edu) [ 07/Oct/21 ]





[GRP-3654] add file upload to GSH import Created: 07/Oct/21  Updated: 07/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3652] grouper deprovisioning should not fail if membership remove doesnt do anything, and shouldnt show disabled memberships Created: 07/Oct/21  Updated: 07/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3651] dont allow config keys with "secret" or other things that mean password Created: 06/Oct/21  Updated: 06/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

changeLog.consumer.M365PrivateDefault.syncAttributeName = *******






[GRP-3647] add a lookup table for view params (i.e. "etc" is configurable and doesnt work with "inst:etc" Created: 06/Oct/21  Updated: 06/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

CREATE OR REPLACE VIEW penngrouper.grouper_recent_mships_conf_v
AS SELECT DISTINCT gg.name AS group_name_from,
gaaagv_groupuuidfrom.value_string AS group_uuid_from,
gaaagv_recentmembershipsmicros.value_integer AS recent_micros,
gaaagv_groupuuidfrom.group_id AS group_uuid_to,
gaaagv_groupuuidfrom.group_name AS group_name_to,
gaaagv_includeeligible.value_string AS include_eligible
FROM grouper_aval_asn_asn_group_v gaaagv_recentmembershipsmicros,
grouper_aval_asn_asn_group_v gaaagv_groupuuidfrom,
grouper_aval_asn_asn_group_v gaaagv_includeeligible,
grouper_groups gg
WHERE gaaagv_recentmembershipsmicros.attribute_assign_id1::text = gaaagv_groupuuidfrom.attribute_assign_id1::text AND gaaagv_recentmembershipsmicros.attribute_assign_id1::text = gaaagv_includeeligible.attribute_assign_id1::text AND gaaagv_recentmembershipsmicros.attribute_def_name_name2::text = 'etc:attribute:recentMemberships:grouperRecentMembershipsMicros'::text AND gaaagv_groupuuidfrom.attribute_def_name_name2::text = 'etc:attribute:recentMemberships:grouperRecentMembershipsGroupUuidFrom'::text AND gaaagv_includeeligible.attribute_def_name_name2::text = 'etc:attribute:recentMemberships:grouperRecentMembershipsIncludeCurrent'::text AND gaaagv_recentmembershipsmicros.value_integer > 0 AND gaaagv_recentmembershipsmicros.value_integer IS NOT NULL AND gaaagv_groupuuidfrom.value_string IS NOT NULL AND gaaagv_includeeligible.value_string IS NOT NULL AND (gaaagv_includeeligible.value_string::text = 'T'::text OR gaaagv_includeeligible.value_string::text = 'F'::text) AND gg.id::text = gaaagv_groupuuidfrom.value_string::text;






[GRP-3646] obliterate stem had error Created: 06/Oct/21  Updated: 06/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File obliterateError.txt    




[GRP-3645] add swagger to grouper WS Created: 04/Oct/21  Updated: 04/Oct/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.1

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3643] Notification feed functionality to address long-running UI operations Created: 30/Sep/21  Updated: 30/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper UI, all versions.


CC:
Carey Black (osu.edu), Chad Redman (unc.edu), Erik Coleman (illinois.edu), Justin Robinson (iu.edu), Liam Hoekenga (umich.edu)

 Description   

Currently, long-running operations will result in an error message "×There was an error with your request. Click here to start over."  No error has occurred outside of the UI timeouts.  However, the user isn't notified that their operation is still processing, only when it completes.

 

A functional improvement to the UI would be a notification <div>, accessible from an icon in the upper right of the UI (similar to notification feeds in certain social platforms and admin consoles) from any page.  The feed would contain the user's recent activity(similar to that on the user's main page).  The feed would be modified to add an entry when when an operation  taking longer than a configurable amount begins, then another when an operation ends.






[GRP-2130] UI timeout page that the user is redirect to instead of leaving them "wherever" they are to have a fail on "first click" Created: 08/May/19  Updated: 30/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.3.0, 2.4.48, 2.5.57
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 4
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

My users (and I ) are often frustrated by the "CSRF warning" only to click a link and SSO back into the app. It would be a much better experience if the user would come back to a "your session has expired" page and know that the first click leads to a login process instead of being surprised by the process.

 

I have seen "security centric" apps that have UI timeouts built in.

When the timeout expires ( due to lack of use ) the browser auto redirect the user to a page that tells them their session has timed out and gives them a link to log back in. (and start a new session.)

 

I think it would be a good feature for Grouper UI to implement.






[GRP-3641] Visualization: If sibling count greater than set limit, display a node indicating truncation Created: 29/Sep/21  Updated: 29/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-09-28-23-39-07-539.png    

 Description   

Credit to Karl Amrhein for this suggestion.

If a group has a large number of groups as members, it's desirable to limit the number of siblings shown to make the drawing smaller. But there is no indication in the graph whether siblings are being truncated. So maybe add a pseudo-node indicating more groups exist? See one possibility below.

 






[GRP-3640] export to gsh should use new build patterns or abbreviate format Created: 24/Sep/21  Updated: 24/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 24/Sep/21 ]

add error handling and output to builder pattern classes (swallow exceptions)





[GRP-3638] Shore up "masking" of secrets in Configuration view Created: 24/Sep/21  Updated: 24/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Scott Cantor (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The PSPNG provisioner I guess depends on an LDAP property that ends in bindCredential instead of password, and the Configuration view in the UI of the loader properties doesn't mask it the way it does other property names it thinks are secrets. Seems like an obvious/simple fix. I'm aware that it would be masked if it were stored in the database directly, but that's not always the goal.






[GRP-3637] PSPNG not full-syncing AD groups with memberships above a certain number Created: 22/Sep/21  Updated: 22/Sep/21

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Blocker
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.4 and newer(at least)


Attachments: Text File grouper_error.log    

 Description   

PSPNG is encountering an issue during full-sync where groups whose membership requires paging to retrieve are not getting properly synced.  The issue occurs:

  1. if an existing group's membership is of a sufficient size that it requires paging
  2. There are existing members in the target population that are not members in the source population(i.e. Grouper)

LdapGroupProvisioner.doFullSync()'s initial LDAP lookup in results in the Actual values being 0.  This results in the function believing it only has an add to an empty group and will attempt to add existing members to the group, which will throw an AD Error ENTRY_ALREADY_EXISTS.  LdapSystem.performLdapModify will attempt to retry the mod and will re-read the object from AD again(using Ldap RangeEntryHandler), this time getting the correct membership.  However, rather than recalculate the delta between current and actual to determine the type of operation to perform, it calculates the delta of the group assuming the prior type of operation from the initial ldap read.  So if there's no additional members to add, the delta will be 0 and PSPNG assumes there's nothing more to be done.

 

PSPNG will compare the size of the memberships afterwards and see that the counts are still not correct.  It will then re-run the sync 2 more times before issuing the warning:

2021-09-21 06:01:21,906: [FullSyncer(pspng_campusOrgLdap)-Thread] WARN  FullSyncProvisioner.processQueueItem(466) -  - pspng_campusOrgLdap: FullSync of uncg:org:DEPT-ITS-23101:org:UNCG_Students_LMS_All/#113507(Existing) was done 3 times looking for stability, but the final one still required changes. There is a small possibility that realtime changes have been provisioned incorrectly and will be addressed during a future full sync.

PSPNG is aware that it's not syncing correctly and it reporting it as such, but with the correct logic, it should be able to resolve this on its own.
Attached is an example log detailing the issue.  Issue has been observed on multiple groups in multiple deployments.
grouper_error.log

 






[GRP-3636] add provisioning delete option to not sync objects where "provisionable" is removed but the grouper object still exists Created: 22/Sep/21  Updated: 22/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/Sep/21 ]

maybe we need a "sync object" column for "provisionable_pause_millis" which is the millis from 1970 that provisioning for this object was paused. That can be set in UI or when provisionable is removed or whenever...





[GRP-3634] add more loader logs in the message to be seen in ui Created: 22/Sep/21  Updated: 22/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/Sep/21 ]





[GRP-3631] add good descriptions to all LDAP provisioning elements Created: 20/Sep/21  Updated: 20/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. auto filters

we will document it but... the default will
search in the base DN
searchAll and searchOne will take into account any objectClasses on the object
searchAll will look for objects containing the search attribute (any value)
searchOne will look for a specific value of that attribute
if you dont like that, specify your own :slightly_smiling_face:






[GRP-3629] import error row number not correct Created: 20/Sep/21  Updated: 20/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Description   

says row 2 not row 3



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/Sep/21 ]





[GRP-3624] demo container exits with: Error: Can't drop privilege as nonroot user Created: 18/Sep/21  Updated: 18/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3623] cannot init registry since cannot find subject Created: 18/Sep/21  Updated: 18/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2021-09-18 15:09:57,330: [main] FATAL RegistryInstall.install(118) - - unable to initialize registry: null
java.lang.NullPointerException
at edu.internet2.middleware.grouper.GrouperSession.getMemberUuid(GrouperSession.java:862)
at edu.internet2.middleware.grouper.GrouperSession.validate(GrouperSession.java:825)
at edu.internet2.middleware.grouper.GrouperSession.validate(GrouperSession.java:574)
at edu.internet2.middleware.grouper.MemberFinder.findBySubject(MemberFinder.java:532)
at edu.internet2.middleware.grouper.MemberFinder.findBySubject(MemberFinder.java:515)
at edu.internet2.middleware.grouper.registry.RegistryInstall$1.callback(RegistryInstall.java:88)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.registry.RegistryInstall.install(RegistryInstall.java:83)
at edu.internet2.middleware.grouper.misc.GrouperStartup.initData(GrouperStartup.java:841)
at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:570)
at edu.internet2.middleware.grouper.misc.GrouperStartup$1.callback(GrouperStartup.java:345)
at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:292)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:172)
at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)






[GRP-3622] message for not provisionable before the provisioner has run Created: 18/Sep/21  Updated: 18/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

FROM:
No provisioning target is configured on this object or any parent folder

TO:
No provisioning target is configured on this object or any parent folder, Note: the provisioner has not run to propagate the provisionable inheritance






[GRP-3620] auto translate dn and rdn for flat and bushy with dn override Created: 17/Sep/21  Updated: 17/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3618] add oidc to grouper ui Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3617] jwt expiration 0 makes no sense Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3616] add jexl validation to jwt claims to only allow certain conditions Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3615] allow custom ui to be able to pass user into it Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3613] conslidate logging in container and allow pipes, local files, or both Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3584] membership provisioning screen says "in target no" when it is in target Created: 03/Sep/21  Updated: 15/Sep/21

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.6.0

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-09-03-13-36-30-941.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 03/Sep/21 ]





[GRP-3612] GSH templates support input type of 'find a Subject' and 'find list of Subjects' types Created: 15/Sep/21  Updated: 15/Sep/21

Status: Open
Project: Grouper
Component/s: GSH Templates, UI
Affects Version/s: 2.5.56
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful to reuse the existing 'add Member' UI structure and logic to allow a user to select a subject ( or a list of subjects) as an input to a GSH template.

Ideally the GSH template config could also add some limits/scopes to the searches too:

  • check boxes for the subject sources to search 
  • Maybe a "stem scope" would be helpful too ( for finding folders/groups )
  • It would be useful to be able to use the "gsh_builtin_*" values in this process too.
  • It would be useful to be able to use the "gsh_input_*" values in this process too.





[GRP-2430] add audit in membership drop down for memberships Created: 19/Nov/19  Updated: 13/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to GRP-3608 Add audit entry of specific subject i... Open




[GRP-1845] Group "View audit log" should allow a user to filter by more values than time Created: 25/Jul/18  Updated: 13/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2.3


Issue Links:
Related
is related to GRP-3608 Add audit entry of specific subject i... Open

 Description   

Only being able to filter by dates is rather limiting.

Please also allow the UI user to filter by the following:

    Actor  ( grouper user/process that made the change )

    Member ( Member was affected by the change )

    Type of change ( add , delete[AKA: remove] , Exported, ... other actions??)






[GRP-3603] add provisioning target attribute value validation (e.g. for eduPersonEntitlement) Created: 13/Sep/21  Updated: 13/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 13/Sep/21 ]

and/or a way to apply the grouper validation to the target values...





[GRP-3596] UI attributeName owners filtering should support filtering on the values that are assigned. Created: 09/Sep/21  Updated: 09/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.54
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The filtering on the Attribute Name "view assigned owners" appears to only filter on the object names where the attribute Name is assigned.

It would be very helpful to also be able to "find" by assigned Value matching too.






[GRP-3595] improve daily report defaults Created: 09/Sep/21  Updated: 09/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Liam Hoekenga Today at 11:03 AM
Is daily.report.emailTo / daily.report.saveInDirectory a per report setting, or a central setting?
the MAINTENANCE_grouperReport daemon job is failing with this message:
Java.lang.RuntimeException: grouper-loader.properties property daily.report.emailTo or daily.report.saveInDirectory needs to be filled in
(edited)

1 reply

Chris Hyzer < 1 minute ago
thats just for the daily report. i think we need better defaults there






[GRP-3594] UI filter features should not clear as frequently as they do Created: 08/Sep/21  Updated: 08/Sep/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.6.0, 2.5.56
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Example ( but not the only one) is the UI for attribute assignments for an AttributeName.
.../UiV2Main.index?operation=UiV2AttributeDefName.viewAttributeDefNameAssignedOwners&attributeDefNameId=*

If you set a filter to get a sub set of the assignments.
Then make a change to one ( like removing one assignment).
The filter is cleared and the list is refreshed.

Either the refresh should be "optional", or the filter should be maintained and reused during the refresh.

I can see value in not doing the refresh constantly for the user. (UI performance to fetch almost the same list back each time.)  But that likely would require other UI dynamic actions for things like "remove" a row too.






[GRP-3593] Ability to do adds first during a loader job (rather than deletes Created: 07/Sep/21  Updated: 07/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Jonathan Johnson (unicon.net) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 4
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
James Babb (wisc.edu), Oakes Dobson

 Description   

The Grouper Loader processes group membership deletes before it processes group membership adds. For large groups (for which adds and deletes require more time & processing power), this can cause up to several hours of 'service flickering,' which is essentially users losing membership to a group that provides a service for the period of time it takes the delete and then the add to process. It might be better to process the adds before the deletes so that this service flicker doesn't take place.

We believe this is the spot in the code where the Grouper Loader chooses to process deletes before adds:

 https://github.com/Internet2/grouper/blob/GROUPER_2_5_BRANCH/grouper/src/grouper/edu/internet2/middleware/grouper/app/loader/GrouperLoaderType.java#L3321

Would it be possible to allow us to configure this so that we could tell the Grouper Loader to process the membership adds before the deletes? We understand that there are some situations in which it's better for deletes to occur before adds, but it would be nice to be able to have the choice to configure the loader to do adds before deletes.






[GRP-3559] Refactor UI templates to not depend on the UI Created: 04/Aug/21  Updated: 07/Sep/21

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0.patch, 2.5.0
Fix Version/s: 2.5.56

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to GRP-3041 Make the Template Feature available i... Open

 Description   

The classes for the UI templates – both the original app/gdg/policy and the new gsh ones – were written to only be usable from the UI. This means that they can't be called from GSH or from WS, without creating mock HTTPRequest and HTTPSession containers. It also makes it harder to write unit tests. The classes have been added to the edu.internet2.middleware.grouper.grouperUi.beans.ui package, even though they are not beans. This makes it harder to identify which classes are related to the template functionality, since they are mixed in with container bean classes that were originally meant to be for jsp templates.

 

See also GRP-3041 Make the Template Feature available in the WS API



 Comments   
Comment by Chad Redman (unc.edu) [ 04/Sep/21 ]

The application template is fine. But the policy template (GrouperTemplatePolicyGroupLogic) has references to GuiResponseJs, so that it can inject error messages. If these were changed to just throwing exceptions, it would be usable outside of the UI.

Comment by Chad Redman (unc.edu) [ 04/Sep/21 ]

Removed the dependence on GuiResponseJs.

Unfortunately, there is still a dependence on GrouperRequestContainer via GrouperTextContainer. This is in property keys like "policyGroupAllowDescription", which are EL expression that reference GrouperRequestContainer:

This group is the allow policy for the policy group "${grouperRequestContainer.stemTemplateContainer.currentServiceAction.argMap['overallGroupDisplayName']}".  This group should generally contain ref groups.

The only variables available to EL expressions used by GrouperTextContainer are grouperRequestContainer, servlet request, and textContainer itself. Variable grouperRequestContainer is null outside of the UI, so this returns a NPE from gsh. I don't see a way to inject stemTemplateContainer as a variable which is all it needs and doesn't require a http context. Is there any way to do text properties with EL that can avoid grouperRequestContainer while still supporting internationalization?

Comment by Chad Redman (unc.edu) [ 04/Sep/21 ]

An odd workaround for the ${grouperRequestContainer.stemTemplateContainer....} issue was to add a new variable `stemTemplateContainer` to the EL map. For some reason, EL evaluates ${grouperRequestContainer.stemTemplateContainer} to stemTemplateContainer if grouperRequestContainer is null.





[GRP-3592] GrouperProvisioningAttributeNames missing methods to retrieve provisioningMetadataJson and provisioningOwnerStemId Created: 06/Sep/21  Updated: 06/Sep/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.40, 2.6.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The various attributes in GrouperProvisioningAttributeNames have methods to retrieve the attributeDefName for them, except provisioningMetadataJson and provisioningOwnerStemId.

Also, it seems there are two methods that both retrieve provisioningMarker. Method retrieveAttributeDefNameBase() is used in production classes, and retrieveAttributeDefNameMarker() is used in test classes.This could eventually lead to inaccurate test results

  • retrieveAttributeDefNameBase -> provisioningMarker
  • retrieveAttributeDefNameMarker -> provisioningMarker (2 methods to retrieve the same defName?)
  • retrieveAttributeDefNameDirectAssignment -> provisioningDirectAssign
  • retrieveAttributeDefNameDoProvision -> provisioningDoProvision
  • retrieveAttributeDefNameStemScope -> provisioningStemScope
  • retrieveAttributeDefNameTarget -> provisioningTarget
  • ? -> provisioningOwnerStemId
  • ? -> provisioningMetadataJson





[GRP-3585] usdu failing on same subject identifier on unresolvable subjects Created: 03/Sep/21  Updated: 03/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There are subjects with the same subject identifier=abc, subjectIds=xy123,234yut.






[GRP-3581] the setting when assigning if provisionable for "policy groups only" should be a boolean control (radio or drop down) Created: 02/Sep/21  Updated: 02/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-09-02-17-11-58-811.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Sep/21 ]





[GRP-3580] deprovisioning full and incremental daemon should propagate attributes to attributes Created: 02/Sep/21  Updated: 02/Sep/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

and maybe folders?

uncomment GrouperDeprovisioningLogicTest.testUpdateDeprovisioningMetadata()






[GRP-2441] tree display performance with permissions turned on Created: 22/Nov/19  Updated: 26/Aug/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0, 2.5.54
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I prefer explicit permission models instead of implied.

 

Example: If there was a "folder view permission" then groups could be given access to see a folder. ( or "the magic All subjects thing" could be used too.)

 

To achieve the current implied  folder visibility design: ( or turn it off  at the root or at some level down the tree, if you don't ):

A rule (on the root folder) on folder create:
       create a "view folder group" for the new child folder.
       Add the child folder "view group" to have view to the parent folder ( by adding it to the parent folders "view folder group").

 

That way as folders are created and people are allowed to see a N level deep folder, they will automatically be able to see all the N-1 level deep folders above it back to the root.

 

Another rule could:
if a group/user can see an object in the a folder auto add them to the "view folder group" 

 

 

In this model a user might have access to something in a N level deep folder that they can not see the whole path too in the UI folder tree. ( Which is fine with me. ) They should be able to search and find, bookmark, find via services those things too.

I would expect the tree to "add parent folder(s) back up to the root" when a user "jumps" to an object from a search. ( Picture long chain of "closed" folders back to the root with only the children object(s) of the last folder being added to the tree. )

If a user selects a "higher level folder" that they don't have explicit access to, then they see nothing and nothing changes in the tree. ( no error, no message, must a "folder with a child folder".

All I am really talking about is making the permissions that drive the tree structure in the UI local to each folder so that a "search of a single folder's child folders/objects" is all that is ever needed for the "open" tree folder. 

When a folder is selected in the tree then becomes an "open folder" and then it's child objects are added to the tree and closed child folders are added to the tree as well.

 

It's a fairly big ask, but it makes the UI more "permission driven" and avoids "loading the whole tree" (at any time) to do it. 

 

And maybe other indexing approach could be done to "fix performance" too. However, this approach adds a feature that would allow users to have a simplified folder UI structure as well.  (And that could be achieved other ways too. I like using ACL's to provide the most flexibility to the deployer. )






[GRP-2604] WS query can return data that is out of scope of the query. Created: 27/Feb/20  Updated: 25/Aug/21

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.4.0, 2.5.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Setup to test:Setup to test:

  • Add a folder#1 Example: users:folders:USER_FOLDER:test-ws
  • And a group in the folder: users:folders:USER_FOLDER:test-ws:groupForWSRead
  • Add a subject to the group + SUBJECT_ID_VALUE to the group
  • Enable the WS user to read the users:folders:USER_FOLDER:test-wsOther:groupForWSRead group

 

  • Add a folder#2 Example: users:folders:USER_FOLDER:test-wsOther
  • And a group in the folder: users:folders:USER_FOLDER:test-wsOther:OthergroupForWSRead
  • Add a subject to the group + SUBJECT_ID_VALUE to the group
  • Enable the WS user to read the users:folders:USER_FOLDER:test-wsOther:OthergroupForWSRead group

 

Test it:

Do a WS call like the following: ( Non-existent stem in query)
/v2.3.000/subjects/SUBJECT_ID_VALUE/groups?wsLiteObjectType=WsRestGetGroupsLiteRequest&stemName=users%3Afolders%3AUSER_FOLDER%3Atest-wsBAD&stemScope=ALL_IN_SUBTREE

Results: return both groups. However the STEM asked for does not exist in Grouper, nor do the groups returned match the stem that was asked for.

 

NOTE: An empty set would be ideal, But an "Error" (something like stem not found) would be reasonable too.

 

NOTE: The query returns correct results ONLY when the stem that is asked for exists
If you make a WS call with an existing stem you will get only the groups from that stem.

 

/v2.3.000/subjects/SUBJECT_ID_VALUE/groups?wsLiteObjectType=WsRestGetGroupsLiteRequest&stemName=users%3Afolders%3AUSER_FOLDER%3Atest-ws&stemScope=ALL_IN_SUBTREE
     Only returns membership for users:folders:USER_FOLDER:test-ws:groupForWSRead

 

/v2.3.000/subjects/SUBJECT_ID_VALUE/groups?wsLiteObjectType=WsRestGetGroupsLiteRequest&stemName=users%3Afolders%3AUSER_FOLDER%3Atest-wsOther&stemScope=ALL_IN_SUBTREE
      Only returns membership for users:folders:USER_FOLDER:test-wsOther:OthergroupForWSRead

 

And if the WS users access is removed from the OthergroupForWSRead group

 

Then the query for the existing stem that the user can not access correctly

/v2.3.000/subjects/IDM800047602/groups?wsLiteObjectType=WsRestGetGroupsLiteRequest&stemName=users%3Afolders%3Ablack.123%3Atest-wsOther&stemScope=ALL_IN_SUBTREE
returns NO groups



 Comments   
Comment by Carey Black (osu.edu) [ 13/Jan/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 11/Mar/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 22/Apr/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 21/May/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 22/Jun/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 16/Jul/21 ]

Any idea when this can be fixed?

Comment by Carey Black (osu.edu) [ 25/Aug/21 ]

Any idea when this can be fixed?





[GRP-3408] update rabbitmq tls version Created: 22/Apr/21  Updated: 18/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Chris Hubing (internet2.edu)

 Description   

Chris Hubing (internet2.edu)
Should the default for grouper.messaging.system.rabbitmqSystem.tlsVersion be TLSv1.2? I was testing the AWS managed RabbitMQ service and it did accept a publisher connecting using 1.1.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/Apr/21 ]

 might be nice to have an example using an exchange, rather than a queue. I just switched ours to that, and it took me a little bit more time to figure out the right configuration than I would have thought.

 

changeLog.consumer.rabbitMqMessaging.publisher.exchangeType = TOPIC

changeLog.consumer.rabbitMqMessaging.publisher.messageQueueType = TOPIC

changeLog.consumer.rabbitMqMessaging.publisher.routingKey = grouper

changeLog.consumer.rabbitMqMessaging.publisher.queueOrTopicName = grouper

Comment by Chad Redman (unc.edu) [ 04/Aug/21 ]

This is the default since 2.5.34:

# to use TLS connection to rabbitmq, set to a specific version (e.g. TLSv1.2 or TLSv1), or "default" to let the amqp
# client library decide the optimal choice
grouper.messaging.system.rabbitmqSystem.tlsVersion = TLSv1.2

If the rabbitMQ server accepts 1.1, that's a configuration at the server. Is Grouper downgrading to 1.1 if tlsVersion is set to 1.2?





[GRP-3569] MembershipFinder should have assignEnabled(true) in API calls that expect enabled memberships Created: 17/Aug/21  Updated: 17/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-1104] maven build requires dependency (org.wso2.charon) not in Maven Central Created: 22/Jan/15  Updated: 16/Aug/21

Status: Open
Project: Grouper
Component/s: Exts
Affects Version/s: 2.2.1
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: David Langenberg Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

See https://github.com/Internet2/grouper/issues/20#issuecomment-71075672

Need to fix the pom.xml's so that the Grouper SCIM dependency on org.wso2.charon can handle the lack of those artifacts being in Maven Central



 Comments   
Comment by Julien Gribonvald (Inactive) [ 09/Mar/18 ]

This problem is really blocking as this library in version 1.0.0 doesn't exist anymore, it's really difficult to find it. So please also update wso2 library version !

Comment by cer28 [ 31/Mar/18 ]

The snapshot poms in both the 2.3 branch and master (2.4) branch have been adjusted. Charon isn't used in the grouper module anyway, so both it and wink were removed as dependencies. To satisfy the dependencies in grouperScim, the charon version in grouper-parent was changed from 1.0.0. to 2.1.3 (the latest version). It compiles ok, but the tests rely on configuration parameters that aren't in the source code. So please test and confirm that it works with this version.

Comment by cer28 [ 22/Oct/18 ]

Julien confirmed this is fixed for the API jar after dependencies removed.

Still need to verify SCIM is still working, if someone has expertise in this.





[GRP-3568] Subject diagnostics search fields remove default values "someSubjectId" etc. Created: 16/Aug/21  Updated: 16/Aug/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0.patch, 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-08-15-23-48-55-801.png    

 Description   

The subject diagnostics search fields all pre-fill the subject search fields:

  • subject ID: "someSubjectId"
  • Subject Identifier: "someSubjectIdentifier"
  • Search string: "first last"

These values are unlikely to find anyone, so the user has to go to the fields and overwrite them or delete the values, otherwise they will have errors. Why default values? If they need hints, we can add placeholder properties to the input fields (see mockup screenshot).

 

 






[GRP-3567] Log INFO->DEBUG or remove: SessionInitialiser "resources/grouper/ui-permissions.xml not found. Default permissions apply." Created: 12/Aug/21  Updated: 12/Aug/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If log4j is set to default to INFO level, the majority of the UI logs are:

[http-nio-8080-exec-1] INFO  SessionInitialiser.init(345) - resources/grouper/ui-permissions.xml not found. Default permissions apply.

The ui-permissions.xml message this refers to is not included by default, is not mentioned in the wiki, and the format is only explained in javadoc. If anyone used it, it was only activated for the GroupMembershipMenuFilter in either the admin or lite ui. So it's highly unlikely to exist, which means it shouldn't warrant being at INFO level. Personally I vote to delete it.






[GRP-3565] gsh templates should be able to use attributes for if run or who runs Created: 11/Aug/21  Updated: 11/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.54
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  1. Make built in attributes for
    grouperTemplateShow
    1. grouperTemplateShowConfigId (value is config id)
    2. grouperTemplateShowOnFolder (value is certainFolder or oneChildLevel or certainFolderAndOneChildLevel or descendants, or certainFolderAndDescendants).  Default is show on folder if not set
    3. grouperTemplateShowForGroups (value is comma separated group uuids or names that should see template)
  2. UI should calculate everything every 5 minutes and cache that, should not affect UI performance
  3. If a template is edited, clear all the caches on all UIs





[GRP-3566] When user not in WS allowed user group, error message states the policy group is "media.properties penn.uiGroup" Created: 11/Aug/21  Updated: 11/Aug/21

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.4.0, 2.4.0.patch, 2.5.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This error message goes back 2008, and Grouper version 1.3 or earlier. The "media.properties penn.uiGroup" is hard coded in GrouperServiceJ2ee.

user: 'xxxxxxx' is not a member of group: 'etc:access:ws:ws_users', and therefore is not authorized to use the app (configured in local media.properties penn.uiGroup






[GRP-3398] add ability to export non-base config from ui for a certain config file Created: 18/Apr/21  Updated: 10/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black 3:02 PM
I think the “UI config export” function only exports values in the DB?
A: Is that correct?
B: Is that expected?
C: If A=Yes, and B=Yes, then Any chance it could become a comprehensive/“effective values” file instead (in addition)?

Marwan Shaher 3:16 PM
+1 for C
a more definite answer will be from the dev team, but I think A is Yes. B is also Yes because the other parameters would come either from the “base” properties files or from overlay files baked into the image or mapped to the container. Encrypted values like passwords are exported as ****, not as their encrypted values. Again, I think the idea as explained somewhere in the wiki is to be able to save these into version control (edited)

Marwan Shaher 3:22 PM
the comprehensive export may not be used for importing back though unless the import functionality is completely reworked to recognize a parameter/value no matter what file it belongs to

Chris Hyzer 3:29 PM
Everyone please put config in DB :slightly_smiling_face: Yes its expected. I guess we could have an export for non-DB/non-Base configs at some point

Carey Black 3 days ago
It is on my TODO list. I think I am finally at the point that I am comfortable with it.
I would describe my current state as “in progress”.
Very few, but some of the config is in the DB. ( Which is admittedly not an ideal state either. )
:thinking_face:

 

Chris Hyzer 3 days ago
Its very liberating when you get there :slightly_smiling_face:

Chad Redman 3 days ago
I have a gsh script (of course ) that gets everything if someone is interested. It can filter on patterns and config origin too

Ryan Rumbaugh 3 days ago
I hesitate adding configs to the database because we have refreshed our production Grouper db to our test system and it was almost no impact because our configs are in Docker. If the configs were in the db then we would need to modify them using SQL? before starting the test system.

Erik Coleman 3 days ago
I think the biggest use-case for an export for us is to keep an "escrowed" copy of the current configuration for DR. Although more painful to update, at least before the file-based configs were tracked as Github revisions. But with the "liberating" ability to make on-the-fly database changes, there could be config drift that might not be recoverable if we were to have to re-spawn the database from scratch, not because we don't have a backup, but we might want to replicate our production config for testing. (edited)
:+1:
1

Chris Hyzer 3 days ago
I think some configs you will want to move over. Kind of need to go case by case. Also if external systems come from env vars then that helps too

Chris Hyzer 3 days ago
Dont you keep a DB backup for DR? If its in the DB, it will be there :slightly_smiling_face:

Erik Coleman 3 days ago
We do, I meant if we want to spawn a replica of the config for a brand-new instance for some sort of QA testing or whatnot. That's the cool thing about containers, but we could use an export of the config as a bootstrap for the new instance.

Chris Hyzer 3 days ago
would be nice if we had two buckets for DB config, one that is institution-wide, and one that is env-specific. We do have that flexibility built into the database structure, but need to put that in the UI and import/export. At some point we can flesh that idea out more
:heavy_plus_sign:
3
:grouper:
1

Erik Coleman 2 days ago
We've partially solved that with environment variables, but they only go so far, and it seems like some config entries don't support the Elconfig class to pull variables.

Chris Hyzer 2 days ago
what doesnt support elconfig?

Zachary Hanson-Hart 1 day ago
I've only seen Grouper as a container, and from the moment local prodding got a working config to allow us to log in to the ui, it has been deployed with gitlab-ci to a kubernetes cluster. The config files are deployed as a configMap, and mounted by all of the containers. We update the configmap when changes are made in version control. Changing config through the UI in prod is a no-no for us, because that configuration change is not reflected in version control (and DB value are lower priority than file values for us there!). Chris says it's possible to get the history from Grouper, but that's not our typical config management/version control system :wink: Don't get me wrong, being able to change the config in the UI is a fantastic feature (and the main benefit I see of config in the DB). We use the UI to poke at config changes in dev frequently. It's just that when we're happy with it, we put it in the appropriate config file in version control, and delete the value in the UI. (Being able to spit out the resulting non-default values would be super helpful for our use case). Our automated deployment takes care of the "keeping the files in sync" part that's often touted as the other major win of config in the DB. When the maturity level gets to a point that includes automated deployments, keeping the configuration in files make a lot of sense again.






[GRP-3563] Group DN override does not work with "flat" naming Created: 10/Aug/21  Updated: 10/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Container release 2.5.54



 Description   

DN override seems to be incompatible with flat naming.

The provisioner forces this naming pattern on groups when flat is chosen...

grouper/src/grouper/edu/internet2/middleware/grouper/app/ldapProvisioning/LdapProvisioningTranslator.java,  ~ line 56
} else if (ldapSyncConfiguration.getGroupDnType() == LdapSyncGroupDnType.flat) {
dn = GrouperUtil.ldapEscapeRdn(groupRdnAttributeName + "=" + fieldValueString) + "," + ldapSyncConfiguration.getGroupSearchBaseDn();

}
...which results in group names like...
cn=cn\=my-test-group\,ou\=User Groups\,ou\=Groups\,dc\=umich\,dc\=edu,ou=ManagedGroups,ou=Groups,dc=umich,dc=edu
 

Based on the code in LdapProvisioningTranslator, I don't believe the issue can be worked around with the "proper" Group field name - translation expression

 






[GRP-3549] import config should let you pick the file (not name correctly) Created: 29/Jul/21  Updated: 09/Aug/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.55
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3041] Make the Template Feature available in the WS API Created: 02/Dec/20  Updated: 04/Aug/21

Status: Open
Project: Grouper
Component/s: API, WS
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Bill Kaufman (internet2.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to GRP-3559 Refactor UI templates to not depend o... Resolved

 Description   

We are building features into the COmanage UI to enable simple users with the ability to see Grouper Groups they are part of and join or leave those they have the ability Optin-Optout of.

We would also like to enable folks with minor admin authZ such as Working Group chairs etc. be able to create Groups to support their collaborations.  Such groups would coincide with email lists, wiki spaces, Jira projects, etc.  Using Templates to build multi-group collaborations would make this a much simpler activity in the UI and provide consistency in the way these collaborations are created.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Dec/20 ]

when do you need it by?

also, can you give an example of a template.  i.e. what are the inputs.  and what actions in grouper it will kick off (e.g. which groups will be created where, which will be composites, and which will be added to other groups)?

is the expectation that if someone were to use this that they would need to setup some templates in Grouper, or would they be built in as comanage adapters of some sort?

 

Comment by Bill Kaufman (internet2.edu) [ 17/Dec/20 ]

Chris,

The sample pattern shown in these slides represents a basic way we would want to have a call to a template work.  https://docs.google.com/presentation/d/1pUckt52-r3_wZrV6gHuc3l_j8ZcQDv28Kygt_oGAwRo/edit?usp=sharing

 





[GRP-3558] group.properties should support configuration.autocreate.<all_object_types>.* Created: 03/Aug/21  Updated: 03/Aug/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.55
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

grouper.properties currently supports:

 configuration.autocreate.group.* to have groups (and parent stems?) auto created by default when the system starts.

 

I would like to see that feature expanded to support all grouper objects such that a default "skeleton" could be "hard coded" into the properties file such that on start the desired registry is initialized to the local deployers design.

Specifically all of these would be useful to be able to encode:

A way to build: * folders,

  • attributeDefs and attributeNames,
  • A special case of groups
    localEntities
    composites
  • privileges
    inherited privileges
    folder types
  • attribute assignments
  • reports
  • attestation
  • adding DB data with "direct SQL" (or other ways to add data to the JDBC subject source for testing)
  • etc.., etc…. ( Did I miss anything that can not be added to other *.properties files?)





[GRP-3557] When user not in WS allowed user group, should return 403 Forbidden instead of 500 Internal Server Error Created: 02/Aug/21  Updated: 02/Aug/21

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.4.0, 2.4.0.patch, 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When a user is not in the group set by ws.client.user.group.name, the response is 500 Internal Server Error. There isn't really an error, rather the user is forbidden. So the return code should be 403 Forbidden, so it can be distinguished from other kinds of errors.

(Commit a3bfcc44, affects Grouper 1.3+)






[GRP-3556] GSH Templates should skip the show/hide checks/logic if the template has no 'Jexl for showEl' on any inputs. Created: 30/Jul/21  Updated: 30/Jul/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Setting values on a GSH template can be slow. It appears to be due to a round trip to the server to validate the hide/show state for the inputs.

This enhancement would avoid that processing when it will not be used for any of the Template inputs.






[GRP-3555] 211.0: New JIRA: jsmith on first login sees “Added jsmith as a member of the Unknown group”. Probably the Ui Preferences group, do this as root so doesn’t show up in user’s recent actions Created: 29/Jul/21  Updated: 29/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3554] add ability to export non base config (not just db only) Created: 29/Jul/21  Updated: 29/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3553] installer should use https for training Created: 29/Jul/21  Updated: 29/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3552] Edit membership page shows form fields even if the user does not have update privs Created: 29/Jul/21  Updated: 29/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3551] export a provisioner config Created: 29/Jul/21  Updated: 29/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3548] new loader attributes not being created Created: 28/Jul/21  Updated: 28/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.52
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

And also this error due to which loader jobs are failingAnd also this error due to which loader jobs are failingedu.internet2.middleware.grouper.exception.AttributeNotFoundException: Cant find attribute: grouperLoaderDisplayNameSyncType at edu.internet2.middleware.grouper.Group.getAttributeValue(Group.java:2899) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.attributeValueOrDefaultOrNull(GrouperLoaderType.java:2496) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:443) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:344) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)37 replies
Chris Hyzer  4 hours agoI believe this is mentioned in the release notes for 2.5.53 and fixed in 2.5.54, can you please confirm?
Paul Rubenis  4 hours agoWe have upgraded to 2.5.54 and still see this error.
Chris Hyzer  3 hours agodo you see this attribute?image.png image.png

Sudheer Singidi  3 hours agoNo. We are not seeing it
Paul Rubenis  3 hours agoSo in our prod, 2.5.52, that attr does not exist either.
Paul Rubenis  3 hours agoBut those loader jobs do succeed.
Sudheer Singidi  3 hours ago@mchyzer IN 2019, We had similar issues where attributes were not created by default. SO you gave me few GSH commands to run..edu.internet2.middleware.grouper.misc.GrouperStartup.startup()If that doesnt work, try:edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType()
Sudheer Singidi  3 hours agoI ran these now, and I see that attribute now
Paul Rubenis  3 hours agoa number of new types were created it seems
Sudheer Singidi  3 hours agoyup
Sudheer Singidi  3 hours agoand things are looking good so far…verifying couple of other things
Chris Hyzer  3 hours agodo you have a full stack of was that the full stack?
Sudheer Singidi  3 hours agothat was the full stack if you are referring to the code block above
Sudheer Singidi  3 hours agoThis didn’t do anything:edu.internet2.middleware.grouper.misc.GrouperStartup.startup()
Sudheer Singidi  3 hours agoThis command seems to be creating those attributes. but the output was not helpful to understand whether it did something or notedu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType()
Sudheer Singidi  3 hours agoOutput:groovy:000> :load '/swadm/grouper-2.5.54/grouper.api/WEB-INF/classes/groovysh.profile'groovy:000> edu.internet2.middleware.grouper.misc.GrouperStartup.startup()===> falsegroovy:000> edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType()===> null
Sudheer Singidi  2 hours agoHow can we make sure that any new attributes in the future gets created by default ?
Sudheer Singidi  2 hours agoWe have this property set to true:loader.autoadd.typesAttributes
Chris Hyzer  2 hours agowhat do you have this set to in grouper.properties?legacyAttribute.attributeDef.prefix(edited)
Chris Hyzer  2 hours agoimage.png image.png

Sudheer Singidi  2 hours agoIt is set to :legacyAttribute.attributeDef.prefix=legacyAttributeDef_
Sudheer Singidi  2 hours agoin grouper.base.properties
Chris Hyzer  2 hours agoand its not in the database override right?
Sudheer Singidi  2 hours agoI don’t think so
Chris Hyzer  2 hours agocan you show me this screenshot?image.png image.png

Chris Hyzer  2 hours agoalso show me this screenshot (search for grouperLoaderGroupQuery and shoe results)image.png image.png

Sudheer Singidi  2 hours agoimage.png image.png

Sudheer Singidi  2 hours agoimage.png image.png

Chris Hyzer  1 hour agocan you run this script in GSH and let me know the value at each line?import edu.internet2.middleware.grouper.cfg.GrouperConfig;String attributeDefPrefix = GrouperConfig.retrieveConfig().propertyValueStringRequired("legacyAttribute.attributeDef.prefix");AttributeDefName legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderGroupQuery", false);legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderDisplayNameSyncType", false);Group adminGroup = GroupFinder.findByName(GrouperConfig.retrieveConfig().propertyValueString("groups.wheel.group"), true);adminGroup.getAttributeValue("grouperLoaderDisplayNameSyncType", false, false);Please also verify grouper version on GSH startupGrouper starting up: version: 2.5.54, build date: 2021/07/27 17:42:20 +0000, env: TESTHere is a sample outputgroovy:000> String attributeDefPrefix = GrouperConfig.retrieveConfig().propertyValueStringRequired("legacyAttribute.attributeDef.prefix");===> legacyAttributeDef_groovy:000> AttributeDefName legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderGroupQuery", false);===> AttributeDefName[name=penn:etc:legacy:attribute:legacyAttribute_grouperLoaderGroupQuery,uuid=657e5d343f024a359b81f3a239f7ca0c]groovy:000> legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderDisplayNameSyncType", false);===> AttributeDefName[name=penn:etc:legacy:attribute:legacyAttribute_grouperLoaderDisplayNameSyncType,uuid=1ff029f40ced467281ff9444cd68c211]groovy:000> Group adminGroup = GroupFinder.findByName(GrouperConfig.retrieveConfig().propertyValueString("groups.wheel.group"), true);===> Group[name=penn:etc:sysAdminGroup,uuid=02c9399a-04e2-48f5-862a-6f5f6b34dc45]groovy:000> adminGroup.getAttributeValue("grouperLoaderDisplayNameSyncType", false, false);ERROR edu.internet2.middleware.grouper.exception.AttributeNotFoundException:Group penn:etc:sysAdminGroup doesn't have attribute: grouperLoaderDisplayNameSyncType        at edu.internet2.middleware.grouper.Group.getAttributeValue (Group.java:2907)        at edu.internet2.middleware.grouper.Group$getAttributeValue.call (Unknown Source)
Sudheer Singidi  1 hour agoSure. Here’s the output:groovy:000> :load '/swadm/grouper-2.5.54/grouper.api/WEB-INF/classes/groovysh.profile'groovy:000> import edu.internet2.middleware.grouper.cfg.GrouperConfig;===> org.codehaus.groovy.tools.shell.CommandSupport, org.codehaus.groovy.tools.shell.Groovysh, edu.internet2.middleware.grouper., edu.internet2.middleware.grouper.app.gsh., edu.internet2.middleware.grouper.privs., edu.internet2.middleware.grouper.misc., edu.internet2.middleware.grouper.app.loader.ldap., edu.internet2.middleware.grouper.attr., edu.internet2.middleware.grouper.attr.assign., edu.internet2.middleware.grouper.attr.finder., edu.internet2.middleware.grouper.attr.value., edu.internet2.middleware.grouper.audit., edu.internet2.middleware.grouper.client., edu.internet2.middleware.grouper.entity., edu.internet2.middleware.grouper.externalSubjects., edu.internet2.middleware.grouper.group., edu.internet2.middleware.grouper.ldap., edu.internet2.middleware.grouper.app.loader., edu.internet2.middleware.grouper.xml., edu.internet2.middleware.grouper.registry., edu.internet2.middleware.grouper.app.usdu., edu.internet2.middleware.grouper.app.misc., edu.internet2.middleware.grouper.rules., edu.internet2.middleware.grouper.hibernate., edu.internet2.middleware.grouper.permissions., edu.internet2.middleware.grouper.util., edu.internet2.middleware.grouper.xml.export., edu.internet2.middleware.subject., edu.internet2.middleware.subject.provider., edu.internet2.middleware.grouper.userData., edu.internet2.middleware.grouper.messaging., edu.internet2.middleware.grouper.filter., edu.internet2.middleware.grouper.authentication., edu.internet2.middleware.grouper.j2ee., edu.internet2.middleware.grouper.cfg.GrouperConfiggroovy:000> String attributeDefPrefix = GrouperConfig.retrieveConfig().propertyValueStringRequired("legacyAttribute.attributeDef.prefix");===> legacyAttributeDef_groovy:000> AttributeDefName legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderGroupQuery", false);===> AttributeDefName[name=etc:legacy:attribute:legacyAttribute_grouperLoaderGroupQuery,uuid=e47d658db07340da97341e464647bdd6]groovy:000> legacyAttribute = GrouperDAOFactory.getFactory().getAttributeDefName().findLegacyAttributeByName("grouperLoaderDisplayNameSyncType", false);===> AttributeDefName[name=etc:legacy:attribute:legacyAttribute_grouperLoaderDisplayNameSyncType,uuid=0ae3a1ac6f6943b5b69c2a37ab92aa06]groovy:000> Group adminGroup = GroupFinder.findByName(GrouperConfig.retrieveConfig().propertyValueString("groups.wheel.group"), true);===> Group[name=etc:grouperadmins,uuid=ef9629bdb46045bb9c790d2cfbb29cff]groovy:000> adminGroup.getAttributeValue("grouperLoaderDisplayNameSyncType", false, false);ERROR edu.internet2.middleware.grouper.exception.AttributeNotFoundException:Group etc:grouperadmins doesn't have attribute: grouperLoaderDisplayNameSyncType        at edu.internet2.middleware.grouper.Group.getAttributeValue (Group.java:2907)        at edu.internet2.middleware.grouper.Group$getAttributeValue.call (Unknown Source)groovy:000>
Sudheer Singidi  1 hour agoand we confirmed that the version is 2.5.54
Chris Hyzer  20 minutes agocan you bounce your UI then?  I dont know why its finding the attribute now, but wasnt in your other stack?
Paul Rubenis  14 minutes agoWe ran the command :edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType()and it created the legacy attributes that were missing (edited) 
Paul Rubenis  13 minutes agoThe two issues in both dev/tst that we reported went away after running that cmd
Paul Rubenis  11 minutes agolegacyAttribute_grouperLoaderDisplayNameSyncBaseFolderName legacyAttribute_grouperLoaderDisplayNameSyncLevels legacyAttribute_grouperLoaderDisplayNameSyncType
Paul Rubenis  11 minutes agoThose were created
Paul Rubenis  8 minutes agoIn dev/tst we have 17 legacy attrs, in prd (2.5.52) we have 14@Shilen Patel there is no hard in running this right?  how should we handle this?  run that method more aggressively in startup?  or have an upgrade task for it?

edu.internet2.middleware.grouper.misc.GrouperStartup.initLoaderType()I dont know why penn and the demo server and our dev env didnt need this, something about the state of the conversion tables...  anyways, I added an upgrade step

 

 

 

 

 

 






[GRP-3545] gsh transaction issues with built in shortcuts Created: 27/Jul/21  Updated: 27/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black 4 days ago
v2.5.52 FWIW:
Not one easy to share
Basic flow was create a group.
Try to find a different group to add the first group to as a member. ( And the group does not exist.)
Ah.. here .. here is a short paraphrase… of what failed.. (not explicitly verified.. just me quickly simplifying the GSH script that failed. )
The template crated “newGroup” and errored out trying to add the membership. And the “transaction” was not rolled back.

 new StemSave(gsh_builtin_grouperSession).assignName("test:testStem2").assignCreateParentStemsIfNotExist(true).save();
addMember("a:b:c", "GrouperSystem");






[GRP-3541] problem removing attributes with hooks Created: 23/Jul/21  Updated: 23/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.54

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black  9:43 AM
2.5.52… can you try adding attestation to a group. Then try removing it?Carey Black  9:43 AM
2021-07-23 09:41:38,378: [ajp-nio-0.0.0.0-8009-exec-7] ERROR GrouperUiRestServlet.doGet(369) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Attestation.editGroupAttestationSave
java.lang.RuntimeException: Problem cloning field: class edu.internet2.middleware.grouper.hooks.beans.HooksAttributeAssignBean, attributeAssign, class edu.internet2.middleware.grouper.attr.assign.AttributeAssign,
Problem in HibernateSession: HibernateSession (5875f209): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (468fc879),
Exception in delete: edu.internet2.middleware.grouper.attr.assign.AttributeAssign, edu.internet2.middleware.grouper.hibernate.ByObject@6be48073,
Problem in HibernateSession: HibernateSession (4eb8cc17): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (468fc879),
Exception in delete: edu.internet2.middleware.grouper.attr.assign.AttributeAssign, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null,
Problem in HibernateSession: HibernateSession (6cd73ec9): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (468fc879),
 Problem deleting attribute assign: AttributeAssign[id=22fbe416798847edbfa908742083922f,action=assign,attributeDefName=etc:attribute:attestation:attestationDirectAssignment,ownerAttributeAssignId=3efc835414854f3da3594ef06b074ad2] ,
Problem calling method editGroupAttestationSave on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Attestation
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneFields(GrouperUtil.java:4399)
        at edu.internet2.middleware.grouper.util.GrouperUtil.clone(GrouperUtil.java:4361)
        at edu.internet2.middleware.grouper.hooks.beans.HooksAttributeAssignBean.clone(HooksAttributeAssignBean.java:70)
        at edu.internet2.middleware.grouper.hooks.beans.HooksAttributeAssignBean.clone(HooksAttributeAssignBean.java:32)
        at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils$1.callback(GrouperHooksUtils.java:424)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.schedulePostCommitHooksIfRegistered(GrouperHooksUtils.java:397)
        at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.schedulePostCommitHooksIfRegistered(GrouperHooksUtils.java:369)
        at edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils.schedulePostCommitHooksIfRegistered(GrouperHooksUtils.java:336)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.onPostDelete(AttributeAssign.java:2004)
        at edu.internet2.middleware.grouper.hibernate.ByObject.delete(ByObject.java:126)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic$10.callback(ByObjectStatic.java:675)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic.delete(ByObjectStatic.java:662)
        at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3AttributeAssignDAO.delete(Hib3AttributeAssignDAO.java:609)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssign$2.callback(AttributeAssign.java:743)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.delete(AttributeAssign.java:710)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.removeAttributeHelper(AttributeAssignBaseDelegate.java:649)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.removeAttribute(AttributeAssignBaseDelegate.java:617)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.removeAttribute(AttributeAssignBaseDelegate.java:375)
        at edu.internet2.middleware.grouper.app.attestation.GrouperAttestationJob.removeDirectGroupAttestation(GrouperAttestationJob.java:1845)
        at edu.internet2.middleware.grouper.app.attestation.GrouperAttestationJob.removeDirectGroupAttestation(GrouperAttestationJob.java:1792)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Attestation$5.callback(UiV2Attestation.java:572)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:1000)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1069)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1036)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Attestation.editGroupAttestationSave(UiV2Attestation.java:532)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5032)
        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4983)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1174)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:524)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Problem cloning field: class edu.internet2.middleware.grouper.attr.assign.AttributeAssign, valueDelegate, class edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneFields(GrouperUtil.java:4399)
        at edu.internet2.middleware.grouper.util.GrouperUtil.clone(GrouperUtil.java:4361)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.clone(AttributeAssign.java:795)
        at edu.internet2.middleware.grouper.attr.assign.AttributeAssign.clone(AttributeAssign.java:115)
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneValue(GrouperUtil.java:4430)
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneFields(GrouperUtil.java:4393)
        ... 66 more
Caused by: java.lang.RuntimeException: Unexpected class in clone method: class edu.internet2.middleware.grouper.attr.value.AttributeAssignValueDelegate
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneValue(GrouperUtil.java:4462)
        at edu.internet2.middleware.grouper.util.GrouperUtil.cloneFields(GrouperUtil.java:4393)
        ... 71 more 






[GRP-3537] Convert 'Veto if not group' rule into a hook that uses the Type=policy to enforce the "rule logic" Created: 21/Jul/21  Updated: 21/Jul/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.53
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I think being able to , by object type, enforce https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Veto+if+not+group logic would be useful for deployments.

 

Basically apply type="policy" to the group and the logic become active for that group.

Enable with something like this:
grouperHook.PolicyGroupsOnlyAllowGroupMembers.autoRegister=true






[GRP-3512] Unresolvable Subject UI paging not working Created: 28/Jun/21  Updated: 15/Jul/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.50
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When choosing to view unresolvable subjects and there are multiple pages to display, the pagination links "First|Prev|Next|Last" do not work, and you cannot select a different page size. As a result, I can only view the first 50 unresolvable subjects.



 Comments   
Comment by Erik Coleman (illinois.edu) [ 15/Jul/21 ]

This appears to be a condition that only happens under a certain sequence of events, which I haven't reproduced yet. Paging works, then quits.





[GRP-3527] make email notification templates a textarea Created: 14/Jul/21  Updated: 14/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3526] grouperClient bug when GROUPER_CLIENT_WS_PASSWORD is set Created: 14/Jul/21  Updated: 14/Jul/21

Status: Open
Project: Grouper
Component/s: grouperClient
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Marwan Shaher (colorado.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: grouperClient
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In newer versions (2.5.xx ) of grouperClient.jar, it doesn’t look like the “encrypt.key” parameter is recognized if the value for GROUPER_CLIENT_WS_PASSWORD is set to the path of the file with the encrypted password. It results in the following error:
 
 

 Error with grouper client, check the logs: Property encrypt.key in properties file: grouper.client.properties, has a blank value, it is required 
Jul 08, 2021 10:13:02 AM edu.internet2.middleware.grouperClient.GrouperClient main 
SEVERE: Property encrypt.key in properties file: grouper.client.properties, has a blank value, it is required java.lang.RuntimeException: Property encrypt.key in properties file: grouper.client.properties, has a blank value, it is required
at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase.propertyValueStringHelper(ConfigPropertiesCascadeBase.java:496)
...
...

 
 
 
The way to reproduce the error is as follows:
 

$ export GROUPER_CLIENT_WS_URL=https://grouper_web_server_address/grouper-ws/servicesRest 
$ export GROUPER_CLIENT_WS_LOGIN=login_username 
$ export GROUPER_CLIENT_WS_PASSWORD=/full/path/to/encrypted/password/file

 
 

  • set the “encrypt.key” property in grouper.client.properties to the full path of the encryption key file
     

    $ java -jar grouperClient.jar --operation=getMembersWs --groupNames=PATH:TO:GROUPER:GROUP

     
    The command works if the GROUPER_CLIENT_WS_PASSWORD is set to the actual password value instead, which of course is a security risk. This was encountered when running grouperClient on linux and MacOS (Catalina and Big Sur) hosts, with openjdk 11.0.2. It hasn’t been tried on a windows host. 
    I suspect the same may be true if GROUPER_CLIENT_LDAP_PASSWORD is set to a path instead of the actual password. 






[GRP-3525] automatically remove old reports Created: 14/Jul/21  Updated: 14/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3522] report should not save blank values in attributes Created: 14/Jul/21  Updated: 14/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3518] a non required gsh template input is giving an error when blank Created: 13/Jul/21  Updated: 13/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3505] builder pattern for MembershipFinder() and GroupFinder() should have filter for immediate/effective Created: 23/Jun/21  Updated: 01/Jul/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.47
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Using the chained version of MembershipFinder, you can pass in subjects and or groups, but can't filter on immediate/effective memberships. You need to get all the results and then look at each membership. Similarly, chained GroupFinder().assignSubject(subject) can add a subject to find memberships for a subject, but there is no option to filter on immediate/effective






[GRP-3508] find folders should validate parent stem name Created: 24/Jun/21  Updated: 24/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 if FIND_BY_PARENT_STEM_NAME query filter is given an invalid parentStemName (e.g. typo in path), it still returns SUCCESS but with an empty string. Is this by design, like a non-matching regexp returning 0 matches successfully? I somehow was expecting an error to be returned due to non-existent stem in the path.  this is via WsRestFindStemsRequest by the way






[GRP-3507] error in ui if added members while viewing audits, should either not have button there or start a session Created: 24/Jun/21  Updated: 24/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3504] Provisioning entity attribute gives error about missing group DN Created: 22/Jun/21  Updated: 22/Jun/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.52
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File grouper-loader.properties    

 Description   

GTE (Grouper training environment) module 201.4 is provisioning an eduPersonEntitlement calculated based on group name. It needs the group to calculate the entitlement value, but is not provisioning the group itself. Validation of the provisioner gives 2 errors:

 
Error: you need to have a group field named "name" which represents the DN
×Error: if you are operating on groups, then you must select or insert
Provisioner settings attached






[GRP-3503] GSH Templates for existing rules Created: 21/Jun/21  Updated: 21/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.52
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The use of Rules could be improved if:

  • A GSH template was created for each rule so that they could be applied in the UI with drop downs and security limits.
  • Each rule had its own "Grouper Authorization policy" so that admins could extend the use of the rules without modification to the default GSH template.

Example:

Group: ':etc:Disabled-date_activation_when_added_to_same_group' would be the user's who could run the GSH template that implements this rule for a selected group  (input, or when GSH templates can be attached to groups ) https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Disabled-date+activation+when+added+to+same+group






[GRP-3501] getName() can return nulls, but the code that call getName() cannot Created: 15/Jun/21  Updated: 15/Jun/21

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

tldr;

So the “getName()” method can return a null.And if the thing that is trying to use the value and does not protect against getting a null back then that thing using the null value blows up. ( That is the bug. )

-------------------------------

Carey Black  17 hours ago
java.lang.NullPointerException
at edu.internet2.middleware.subject.provider.SubjectImpl.getName(SubjectImpl.java:245)
I bet you have a subject that does not have a name in your Subject Source.
Add logging for this. // I think it should show you details about subject’s by source and ID. But it may still take some work to get the “problem” one…log4j.logger.edu.internet2.middleware.grouper.subj.cache.SubjectSourceCache = DEBUG
 
Liam Hoekenga  16 hours ago

The docs suggest that that shouldn’t be fatal

getName
public String getName()
Gets this Subject’s name.
Specified by:
getName in interface Subject
Returns:
name or null if not there

 

Carey Black  12 hours ago

yea.. “Returns name or null”… So the “getName()” method can return a null.And if the thing that is trying to use the value and does not protect against getting a null back then that thing using the null value blows up. ( That is the bug. )And your stack trace points right at it.
SubjectSourceCache.java:1873

if (attributes != null && attributes.containsKey(nameAttribute) && attributes.get(nameAttribute).size() > 0) {
When attributes.get(nameAttribute) is null then calling “.size()” on null is an NPE.Should have also had a
&& attributes.get(nameAttribute) != null
before the size check. Well, if the size check is really necessary at that point. ( An empty string seems like a string to me.  And a much better thing, maybe with a logged warning, to return instead of a null. )Basically the attributes Map has the key but no value. ( Which is exactly as documented for the .getName() that was called to add the name value to the Map. )



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 15/Jun/21 ]

Bad title / description.  Should be..

getName() can return nulls, but the code that call getName() cannot handle nulls





[GRP-3500] subject identifier 0 is stale in sync_member table Created: 10/Jun/21  Updated: 10/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

if it gets reassigned to another user, it causes problems






[GRP-3499] add option to delete from "unresolvable subjects" lookup screen Created: 10/Jun/21  Updated: 10/Jun/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File usdu2.png    

 Description   

Consider adding the option to delete an unresolvable subject from the "unresolvable subject search" interface.






[GRP-3138] add filter to usdu ui Created: 11/Feb/21  Updated: 10/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File udsu1.png    

 Description   

https://app.slack.com/team/U7G7ZS249Liam Hoekenga
 
Would it be hard to add a “filter” box to the USDU gui?



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 11/Feb/21 ]

It would be useful search against the same types of data that the normal search uses (i.e. subject ID, subject identifiers) instead of having to know the UUID.  Maybe something like the mocked up image?





[GRP-3463] Stem should have been created, and was, but still: Problem find stem by name: 'basis:people:roster:class:term-2218:phys:222' Created: 17/May/21  Updated: 04/Jun/21

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: 2.5.50
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Michael J Porter Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.5.50, level 3. Several grouper daemon containers running. Incremental loader also running


Attachments: Text File g2.txt     Text File g.txt    

 Description   

A full loader run was triggered for a job of type SQL_GROUP_LIST which could have created the stem, and it appears that an incremental loader was also running which likely did create the stem.  Unfortunately, the incremental loader rows have bene deleted.  However, by puling the audit log row that shows when the stem was created, and showing the related job logs, it might be possible to suggest that some sort of cache coherency issue is present when a stem is created in one daemon and looked for in another.



 Comments   
Comment by Michael J Porter [ 17/May/21 ]

I attached file g2.txt which contains the full-ish job log entry for the failing job.  The original file has some truncated columns.

Comment by Chris Hyzer (upenn.edu) [ 26/May/21 ]

seems like we need to make sure the incremental and full dont run at same time?

Comment by Michael J Porter [ 04/Jun/21 ]

Perhaps, but could an error like this also be triggered by a well timed action in the UI?  The stack suggests that a lookup was done for a stem, it was not found, and then it tried to create the stem.  This then threw a not-unique error because something else created the stem.  So, myself, I might just put an error handler in for that error and ignore it.  But, I also do not know a a lot (well, anything) about exception handling in Java.





[GRP-3489] status url should work if logged in as some level of admin (not check source IP). Created: 01/Jun/21  Updated: 01/Jun/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3106] Azure provisioner Unified Groups - support additional extended properties Created: 28/Jan/21  Updated: 17/May/21

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

To improve the usability and customizability of groups once they are in Azure AD, it would be great if we could assign additional parameters currently not supported by the connector. Namely these parameters in the Request Body:

allowExternalSenders (boolean) allows control of whether people outside the group can email to the group (default behavior is false)

autoSubscribeNewMembers (boolean) allows members of the group to be automatically subscribed to get emails (default behavior is false)

Interestingly, it appears this can only be called by a subsequent UpdateGroup call: [Update group - Microsoft Graph v1.0 | Microsoft Docs|https://docs.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0&tabs=http] Not sure this will work in a CreateGroup call.



 Comments   
Comment by Erik Coleman (illinois.edu) [ 17/May/21 ]

Microsoft has rolled out additional functionality to support groups being assigned to Azure roles, as documented here: [Use cloud groups to manage role assignments in Azure Active Directory | Microsoft Docs|https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept]  It would be ideal to support the ability to set the "isAssignableToRole" boolean flag upon group creation. This setting is immutable and set only on group creation. 





[GRP-3460] a callback grouper session block, that starts a session, will not be found in static grouper session Created: 15/May/21  Updated: 15/May/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3457] replace members with unresolvables should give message that wont proceed Created: 10/May/21  Updated: 10/May/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Justin Robinson 2 days ago
Greetings! We are running Grouper 2.5.39 and had a group of around 7500 users. We went to add members, import a list and put in 248 in the list and checked the box to replace members. It didn’t seem to make a change running it. We had expected it would remove anyone not in the list with those that were in the imported list. Is that the correct expectation?

Chris Hyzer 2 days ago
can you be a little more specific? did you upload file or paste in ids. did you specify the source? did you use subject ids or identifiers? what did the output say?

Chris Hyzer 2 days ago
i did a replace and it worked... let me know exactly what you did and i will try it

Chris Hyzer 2 days ago
yes, replace should remove subjects not in the list

Justin Robinson 2 days ago
We pasted in the ids. We tried specifying the source and tried without. We used a list of 248 subject identifiers and on a group that had ~7500.

Justin Robinson 2 days ago
i tried on a smaller list and it did perform as expected.

Chris Hyzer 2 days ago
smaller list of ids pasted in, or smaller group size, or both?

Justin Robinson 2 days ago
both - not a great comparison :slightly_smiling_face:

Justin Robinson 2 days ago
list was ~1300 and i said to keep one id

Justin Robinson 2 days ago
i’ll recreate the original setup and try that in our non-prod env and see how things go

Justin Robinson 2 days ago
ok - i recreated a larger group ~8k looking to remove all except using replace members ~250. in the first run and this one i had a few unresolvable subjects.

Justin Robinson 2 days ago
Screen Shot 2021-05-08 at 1.49.15 PM.png
Screen Shot 2021-05-08 at 1.49.15 PM.png

 

Chris Hyzer 2 days ago
can you make them resolve and try again? :slightly_smiling_face:

Justin Robinson 2 days ago
yep - that appears to be working

Justin Robinson 2 days ago
that completed successfully

Justin Robinson 5 hours ago
should this be a bug request?

Chris Hyzer 3 hours ago
you mean if you have unresolvables it should be more clear in notifiying you or do something else?

Justin Robinson 3 hours ago
Yeah, it doesn’t really say that because three were bad that the batch was thrown out

Justin Robinson 3 hours ago
And I thought regular adds (not replace) will add all users and just not those that were not resolvable. Seems like if that’s the case the replace should work similarly

Chris Hyzer 2 hours ago
The thought is, if you are adding, and some are bad, no harm no foul. But if you are replacing, its a little more important that the list be right since you might make an error. Removing people and expecting it to be replaced, but its not, could be a problem. Know what I mean?
New

Justin Robinson 2 hours ago
I see. I haven’t seen anything that really indicates that behavior.

Justin Robinson 2 hours ago
So if that’s expected then I do think some additional messaging would be helpful






[GRP-3456] add read logs in grouper to ui and ws Created: 10/May/21  Updated: 10/May/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford 3 days ago
Hi Team,
There is no such thing as a read audit correct? Meaning User A looked at Group B at <timestamp>. I Imagine it would be a crazy big audit table if it were.

Chris Hyzer 3 days ago
nope

Carey Black 2 days ago
Could it be added as a feature? ( Off by default? Or maybe limited to only log for a group of users? )

Chris Bongaarts (UMN) 1 day ago
alternative: good functional logging from a UI/WS perspective (user X ran WS GetGroupMembership on group Y) (edited)

Chris Bongaarts (UMN) 1 day ago
i can see our incident response people asking for this kind of information when discovering the scope of a data breach. i.e. for FERPA, notifying the one class list that was looked at rather than all the students who could have been looked at if a grouper admin account gets compromised

Chris Hyzer 1 day ago
yes we can add that to the list
New

Jeffrey Crawford 1 hour ago
yes logs would be fine. but I would argue that we need to consider WS as well as UI.






[GRP-3442] compare merge configs across envs Created: 30/Apr/21  Updated: 30/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Counting on a long list of "click here, type this, then click that..." to make changes in the UI has been the source of subtle inconsistencies in other applications in the past, leading to Production not actually running the thing that was built and tested in non-prod... Trying to avoid that and bake good habits into our workflow as we get up to speed with Grouper and deploy it in our Production environment.

Bruce Timberlake 3 days ago
It feels sort of like https://spaces.at.internet2.edu/display/Grouper/Import-Export could be a tool to use, but I'm not sure if that's what others do or would recommend, etc.

Bruce Timberlake 3 days ago
It feels like the .properties files and overlays would be the best way to manage changes, and is how we handle all of our other applications. But the docs say
In a patch to Grouper 2.4, and in Grouper 2.5+, Grouper allows configuration to be stored in the database rather than in configuration files. This is the recommended approach.
(edited)

Chris Hyzer 3 days ago
whats an example of something you are promoting? or a few examples?

Chris Hyzer 3 days ago
you can export a config file in the configuration screen, copy the part you want, and import that in new env (with configuration screen). do you have more things to migrate e.g. folders or groups? maybe a template would help or the grouper object sync
https://spaces.at.internet2.edu/display/Grouper/Syncing+objects+to+Grouper+from+SQL

Bruce Timberlake 3 days ago
I don't have anything specific yet, since we are just bringing up our first pilot user/application. It's currently in our Sandbox environment but we will have the other VMs prepared shortly. All my experience has been with templated properties files that get filled in with Ansible vars. We are trying to avoid point-click in the UI at all costs if possible, as that is not always repeatable depending on who does the work, etc. I can chat with Liam more to see if we can define it better, but I guess I was looking for the overall "philosophy" of managing configs through multiple environments... with ideas/examples of how people are doing it now in their own Production environments.

Jonathan Keller 3 days ago
We are in the same pilot phase - but I have had a number of the same concerns. At least for establishing the base structure of the servers, I've been creating GSH scripts which we can then promote to each environment as we move forward.
I created simple wrappers around the base GSH commands to make group addition one-liners. And I'm triggering the main GDG template from GSH and plan to do the same for creating the application level trees so we can deploy those across environments.

Jonathan Keller 3 days ago
It will probably be some manual setup in dev to practice, then delete the tree and script it up for replay there and in the testing and production environments.

Jonathan Keller 3 days ago
guh - this is what happens when your POC goes on too long. I apparently had written a GSH scriptable use of the "service" template.

Bruce Timberlake 3 days ago
I have to finish building up all of our environments so I can actually start using the app a bit. Liam's been doing all that work for us so far; a lot of this is conceptual-only knowledge for me at this point :slightly_smiling_face:

Bruce Timberlake 3 days ago
My main concern with gsh is that it gets run inside the containers, right, through an interactive shell? In addition to avoiding humans doing pointy-clicky in the UI for config management, I'm trying to avoid ever typing commands into an interactive shell on a container.
External, repeatable interactions invoked by the orchestration/config management tool of your choice (Ansible, Puppet, etc) is very much the preferred way for us if at all possible... I need to do some more reading I guess, to see if those scripts can be invoked externally somehow.
:100:
1

Carey Black 3 days ago
A lovely question. Well asked and full of possible opinionated answers to be given. :slightly_smiling_face:
I am not convinced that the “goal” of having the configs “match” is a good goal. There are going to at least be “value differences”. ( DB names, usernames, passwords, etc…)
And if you name things with an “ENV” prefix/suffix then those are really important and challenging to manage too.
However, I have actually been thinking about possibly using a config pattern that could keep the “main config” identical and allow for values to be environment specific too.
Config values set like this:
BLA_VALUE=<config_value for the ENV>
Grouper properties set this way:
bla.bla.bla = $$BLA_VALUE$$
REF: https://spaces.at.internet2.edu/display/Grouper/Grouper+configuration+files+and+overlays
Section “Refer to other properties in that config file”

Bruce Timberlake 3 days ago
Yes, definitely the environment specific difference need to be accounted for. Dev and Prod will never run in an "identical" configuration. But currently those differences are managed via the "docker run" script with a pile of "-e FOO=bar" lines :slightly_smiling_face: And opinions/options are most welcome!

Bruce Timberlake 3 days ago
And I'm not opposed to lots of -e switches, as I can manage that script and its contents with an Ansible/Jinja template.

Carey Black 3 days ago
Basically If the “Grouper properties” could all be in files. ( and identical )
Then that could all be source controlled and promoted with container release.
And the “Config values” could be imported with the UI so that the local env values are all supplied with $$sub_this_value$$ approaches.

Bruce Timberlake 3 days ago
We've been reading about the overlay files, but then there's that darned "Database is the recommended option" statement...

Carey Black 3 days ago
The approach that I am considering is to put the values in the UI, but the “structure” in the files.

Bruce Timberlake 3 days ago
I'm just super-leery of needing to do lots of point-click in the UI... that's just too error-prone in my experience and opinion... if it must be done, it must be. But I would love to just deal with .properties files that I can lay down with Ansible + Jinja templates so that all the config options are in a repository someplace, version controlled, and can be validated in "tripwire" mode at any time so you know what's running in a given environment.

Carey Black 3 days ago
And as far as the question of “GSH remote execution”…
GSH templates could be created.
And called from WS calls.
To add/change values on the server config. :slightly_smiling_face:

Bruce Timberlake 3 days ago
We've still got so far to go with Grouper, I may be asking this question too early. But we want to head off dangerous/dumb decisions early before they get baked into our systems and processes :slightly_smiling_face:

Jonathan Keller 3 days ago
We have not even attempted the automation step, but we would have the ability (perhaps via ansible) to ssh into the UI server during deployments to run incremental scripts. We do this on our databases now with Liquibase and its worked well for us.

Carey Black 3 days ago
RE: “to run incremental scripts”
I have considered the idea of a “lifecycle hook” to read a directory and “run scripts” from the container on startup too.
REF: https://spaces.at.internet2.edu/display/Grouper/Hooks

Carey Black 3 days ago
With the move of the project to “builder style commands” it makes that approach a lot more … approachable.

Carey Black 3 days ago
Likely would delay startup times… but that is the trade off.. “do lots of checks/creates” or “just start”.

Bruce Timberlake 3 days ago
Yeah, I'm fine with delayed startup times (within reason)... this looks like an interesting approach though.

Carey Black 3 days ago
However, a really fancy programmer could also use a kind of “version marker” in the scripts/directory to know if they need run the second time too. :slightly_smiling_face:

Jonathan Keller 3 days ago
tools like liquibase keep a log of all previously run sets - if we had a unique identifier attached to each script - then the checks could run fairly quickly

Bruce Timberlake 3 days ago
Thanks for the lead! I'm signing off for the day, so thanks to all for the info so far, and I look forward to hearing more about this in the future too!

Jonathan Keller 3 days ago
actually - doesn't grouper do that already for the DDL updates?

Carey Black 3 days ago
Yea.. but that is all “internal stuff”….. And your scripts likely would need its’ own “high water mark”…. that could go up before the grouper DDL marker would change.

Jonathan Keller 3 days ago
I just meant that the concept was already there within the grouper code - I would have expected this to be a separate layer

Carey Black 3 days ago
:shrug: internal implementation detail.
Not for use by “users”. :slightly_smiling_face:
But the idea is straight forward. :slightly_smiling_face:

Jonathan Keller 3 days ago
if I wanted to look into this, would the hooksInit() lifecycle hook be late enough in the process to attempt to run a GSH script?

Carey Black 3 days ago
I think that kind of depends on “what your doing”.
Some cases might need to be in “ddlInit” ( but likely none ),
Others are either in
grouperStartup, or hooksInit .
I think.. hooksInit is “the last one”… ( from memory )

Jonathan Keller 3 days ago
I looked at the other 3 - they seemed like they would be too early in the startup process from their name and comments.

Jonathan Keller 3 days ago
I was thinking of causing a GSH environment to spawn - however that can be done within a given server - then read in the scripts from a path - confirm which ones need to be run, and exec the new ones

Carey Black 3 days ago
well… to early or “just right”.
If you want to do some custom “DDL” (for grouper to use: Think hibernate customizations/additions) you might need the ddlInit phase.
However.. if you want to use GSH ( specifically, instead of just using the Grouper API with a config file of inputs…) then yea.. the JDBC connection needs to already be open and usable. ( AFAIK: hooksInit )

Carey Black 3 days ago
However there is a point where you are low enough in the system that GSH is an abstraction that costs you something to use too.

Jonathan Keller 3 days ago
I've noticed the overhead in starting GSH - but I would like for these to be scripts which can be tested manually, and then packaged up in the docker image for deployment

Carey Black 3 days ago
Meaning, your Hook could read your config file and “call java or JDBC, or anything you want it to do”. :slightly_smiling_face:
Yea. startup time ( per script ) would add up if you have N ( dozen ) to run every startup.

Jonathan Keller 3 days ago
I would likely make the checks for the files needing to be run be in the hook itself - only if there was something new would it instantiate a GSH environment
:+1:
1

Jonathan Keller 3 days ago
I haven't tried hacking grouper code directly - I'm going to have to look at the docs on how to do that.

Carey Black 3 days ago
Still running N would takes N*X seconds of startup time to add to the container.

Jonathan Keller 3 days ago
right - but if there were N scripts which contained configuration that we expected to be there on next startup - that would be ok. I think I would only have this run on the UI server...because of the need to access the templates. I've had problems with that on the non-UI servers

Jonathan Keller 3 days ago
not sure what to do about clustering...we were only going to have one UI server initially...bleh

Carey Black 3 days ago
GSH is a thin wrapper ( in groovy ) around the Java API. And the Java API would only be usable after the full hibernate connections were established too.

Carey Black 3 days ago
The “state” would need to be in the DB. ( As all good state should be. :slightly_smiling_face: ) (edited)

Jonathan Keller 3 days ago
yea - and need some sort of semaphore there to prevent scripts from running double - as the quartz scheduler handles for the daemon

Carey Black 3 days ago
maybe best done that way…
Or maybe the orchestration layer could play a role there?

Jonathan Keller 3 days ago
that I know nothing about...I think I've seen references in the docs

Carey Black 3 days ago
IMHO. Orchestration becomes another possible failure mode for the system.
If you bake it into the code/process (semephore) then the code/process should NEVER fail.
You would need to decide if the semephore is a blocking function for any other things starting up (or needing to be restarted after?) and what to do if that is those cases…
But if you plan your approach to be “safe to re-run” and “forward and backwards” compatible… It should all be good. :slightly_smiling_face:

Carey Black 3 days ago
You might even choose to use the Grouper internal messaging system too. :slightly_smiling_face:

Carey Black 3 days ago
And for a staring point to see how thin the GSH wrapper is… anything in that directory is a reasonable place to look.
https://github.com/Internet2/grouper/blob/master/grouper/src/grouper/edu/internet2/middleware/grouper/app/gsh/addComposite.java

Jonathan Keller 3 days ago
thanks for the info! I hope I have time to look into this

Chris Bongaarts (UMN) 3 days ago
you can also choose to have grouper NOT look in the database for configs, and rely exclusively on files, like in the good ole days. DB is recommended but the old way is still supported.

Chris Bongaarts (UMN) 3 days ago
(last i checked)
:yes:
1

Chris Hyzer 2 days ago
One goal of the UI wizards is to have a much more friendly interface with documentation and validation to configure Grouper. Using properties files has proven to be error prone, time consuming, confusing, and frustrating. If there are more features to add to the DB config to make it more palatable we are open to that. It seems like people want a checkbox to identify the config as environment specific as opposed to institution specific (e.g. prod vs test). If we add metadata like this then the export/import will probably need to be JSON...

Lacey Vickery 2 days ago
We went down this road last year, thinking we needed to keep everything in config overlays using env variables per instance and track changes in git. Since Grouper now supports config history and passing most configs that differ per instance as env variables to containers, I’ve ditched the overlays and just rely on docker env variables and config history if I need to roll something back. We do use GSH scripts to build out loaders/ref/basis groups so it’s repeatable across different environments. I don’t know that it’s worth the headache to try to automate all aspects of running grouper, it seems like there will inevitably be a point when you just need to do something in the UI (building reports for example) which makes sense from a distributed access management perspective.

Carey Black 2 days ago
RE: “If there are more features to add to the DB config to make it more palatable we are open to that.”
I think this would be helpful.
When an import of a config file ( via UI or API [Can that be done?] ) is done, then all of those changes are grouped/named with a single config “change/commit”. So that they could all be removed as a single unit/action.
While also preserving the ability to individually change single lines too.
NOTE1: Changing a single line could exclude it from the “config change/commit” rollback too. ( Very hard to deal with 3 way merge logic. :disappointed: )
OR
NOTE2: Or rolling back a would “just revert all settings in the set” regardless of other changes that might have been done after/outside of the “change/commit” too.
NOTE1 or NOTE2 : Projects choice. Document it and the deployer should be able to understand and operate accordingly. (edited)

Carey Black 2 days ago
@Lacey Vickery. I have even considered trying to use a ENV config value that would operate as a Prefix for other $$CONFIG_VALUE$$ logic. Though I have not yet validate that the below would work “as is”.. it might take a static method to do the last lookup…
The advantages are
The configs would be 100% together. ( All configs, for all envs )
That allows you to see where deviations exist too.
It could be file based. ( or programmatically and blindly loaded to an instance during a deploy event. )
Disadvantages a chain of substitutions to look through to see errors.
SAMPLE / Example of the idea:
ENV = PROD

  1. ENV = QA
  2. E NV = DEV
  3. config value mappings
    PROD.GRANT_ALL_OPTIN= false
    QA.GRANT_ALL_OPTIN = false
    DEV.GRANT_ALL_OPTIN = true
  4. grouper config with ENV specific values used from above
    grouper.env.name = $$ENV$$
    ….
    groups.create.grant.all.optin = ${GrouperConfig.retrieveConfig().propertyValueString(“$$ENV$$.$$GRANT_ALL_OPTIN$$“)
  5. NOTE: GrouperConfig would only work for grouper.properties. Other classes would be needed for other files. But I think they all exist in the code base.
  6. NOTE: I am not sure that the code currently would work with two $$ revs on the same line as each other. It may not resolve them properly as above. However, a static method that could be “ENV” aware could also be created.
  7. AKA:
  8. ${MyGrouperConfigFromEnv(“GRANT_ALL_OPTIN”)}
    #
  9. which would:
  10. propName = GrouperConfig.retrieveConfig().propertyValueString(“ENV”) + “.” + GrouperConfig.retrieveConfig().propertyValueString(“GRANT_ALL_OPTIN”)
  11. then
  12. return GrouperConfig.retrieveConfig().propertyValueString(propName)
    :shrug: just have not worked that hard at it yet. :slightly_smiling_face: ( “Other bigger fish to fry.” :slightly_smiling_face: )

Chris Bongaarts (UMN) 2 days ago
in the spirit of devops (since grouper is all containery now), config should be accessbile and maintainable as code. config files lend themselves to that well, db less so (but with import/export, is still eminently doable). whether version control, "commits", etc. are internal to grouper or external (one may want to keep one's grouper configs alongside their other app configs) should be a deployment choice (or I'd argue, the latter should be preferred so grouper can focus on being grouper and not Yet Another VCS)

Chris Bongaarts (UMN) 2 days ago
as for carey's idea above, a little syntactic sugar/macros/helper methods to simplify those kind of operations would be nice

Lacey Vickery 2 days ago
@black.123 That’s an interesting approach, I hadn’t considered using an env prefix to set values conditionally. I’ve migrated our configs to the DB and am not looking back now, lol. We don’t have a very mature docker/orchestration strategy so mounting configs wasn’t a great approach. At one point I was doing something sort of similar (like below), but it was difficult to keep up with all the config differences that way and I think not all classes supported this.
ws.authn.ldap.findUserBase = ${“DC=its,DC=” + java.lang.System.getenv().get(‘GROUPER_LDAP_HOST’) + “,DC=uncc,DC=edu”}

Carey Black 2 days ago
I think that using a “.elConfig” suffix always works. ( Across all of the grouper property hierarchy files… )
So you might need to tell the config reader that the value is a “JEXL expression” that way.
And frankly I kind of like that explicit “This is a script. It is ok to run it like a script.” specification in the config anyways.
Personal choice of “configuration over convention”. :slightly_smiling_face:
:+1:
1

Chris Hyzer 2 days ago
there is still the wizard issue, if you edit with wizard and you have elconfigs, then after hitting save, things revert back since elconfig takes precendence I think? I guess you just need to remember that. maybe it would help if there were a compare/merge configs across envs in UI :slightly_smiling_face:
New

Lacey Vickery 2 hours ago
I think a compare/merge configs would be great :wink:






[GRP-3440] change defaults for marking provisionable Created: 29/Apr/21  Updated: 29/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3410] other input’s available for replacement in the SQL string Created: 23/Apr/21  Updated: 28/Apr/21

Status: Open
Project: Grouper
Component/s: API, UI, WS
Affects Version/s: 2.4.48
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Are any other input’s available for replacement in the SQL string?

It would be interesting/useful to be able to show the use a list of “objects in the folder” ( object type could be driven by the structure/hard coded in the SQL or maybe by a previous input the user selected. )

A list of groups that start with user supplied string “good”( gsh_input_group_prefix )

SQL of next input could be something like:
  select distinct groups from my_group_view where name like “$$gsh_input_group_prefix$$%”

Exact SQL var syntax open to the whims of the project.  



 Comments   
Comment by Erik Coleman (illinois.edu) [ 28/Apr/21 ]

This would be useful if applicable to both SQL Loader jobs, as well as the SQL Table Sync!





[GRP-3434] override dn of group in ldap provisioning Created: 28/Apr/21  Updated: 28/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3423] do not allow stems with same name (case insensitive) by default Created: 26/Apr/21  Updated: 27/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.48

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This includes name, display name, and alternate name.

If you want to have stems with same name case-insensitive, set this in grouper.properties

grouperHook.StemUniqueNameCaseInsensitiveHook.autoRegister = false

To see if you have two stems with same name, run this query

select * from grouper_stems gs1, grouper_stems gs2
where gs1.id != gs2.id and 
(lower(gs1.name) = lower(gs2.name)
or lower(gs1.name) = lower(gs2.alternate_name)
or lower(gs1.display_name) = lower(gs2.display_name)
or lower(gs1.alternate_name) = lower(gs2.name)
or lower(gs1.alternate_name) = lower(gs2.alternate_name)) 






[GRP-3412] recentMembership jobs should not be subject to FailSafe logic Created: 24/Apr/21  Updated: 24/Apr/21

Status: Open
Project: Grouper
Component/s: API, daemon
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It took several hours to sort out what was going on with a recent membership job failing. One part was a local data condition.
The other part was that a "recent membership group" needed change in a way that violated the fail safe limits for a loader job.

 

I think that is a bug.

recentMembership jobs should be "reliable enough" (based on all the data being in/from Grouper) to not "get it wrong".
I request two things:

  1. the ability to mark a loader job as "except from failsafe limits".
  2. default recentMembership jobs to be marked as "except from failsafe limits"





[GRP-3411] GSH templates ( UI ) should support an input type of "Subject picker" Created: 23/Apr/21  Updated: 23/Apr/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.48
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be useful to be able to find subjects in user process of completing a GSH template.

Reusing the existing search features of the UI for "Add Members" "Member name or ID:" searches would be good.

Using the "search for an entity" UI might be better.
It would be nice to be able to limit the subject source for the user.
or
Let the user have a limited list of subject sources they can search.






[GRP-3409] when adding a group (e.g. with app template) do we need two audits, one for add one for edit?) Created: 23/Apr/21  Updated: 23/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-04-23-12-32-17-030.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 23/Apr/21 ]





[GRP-3406] clear out error codes in sync provisioning objects before printing in logs or diagnostics Created: 21/Apr/21  Updated: 21/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3407] if the ldap provisioning group name in groupAttributes is not translated, but has a group link, it should copy from the sync table Created: 21/Apr/21  Updated: 21/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3405] provisioning only validate fields for update during update, insert during insert Created: 21/Apr/21  Updated: 21/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2827] members tab from group screen doesnt work when editing reports Created: 26/May/20  Updated: 21/Apr/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3403] keep a bad subject log Created: 21/Apr/21  Updated: 21/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Carey Black 2 hours ago
I finally tracked this down! (Ugh)
I found a loader job that was pulling in a group from a System of Record that showed a “unresolvable subject” for the loader job. ( It happened to be an SQL loader job too. )
So I double checked the Subject ID’s from that table with my subject source (GSH script to loop over 17k subject ID’s and throw on any errors… one popped out as “Search is not unique” !?!?!
---> The LDAP Subject source had a duplicate for that Subject ID value!
Ugh. I reported it to our IDM team, they fixed the data.
And this AM.. my report now shows:
“unresolvable subjects: 0”
Yea! Order is restored to the Universe!
Just wanted to close the thread incase it helps anyone else find errors in their Universe like that. :slightly_smiling_face:
P.S. It would be much more ideal if such an error condition could be “forcibly logged” ( AKA: printed to a ’bad_subjects.log” file at all times) to make such things “much easier to find” too. :slightly_smiling_face:






[GRP-3401] grouper should not allow same object type with same case insensitive name by default Created: 19/Apr/21  Updated: 19/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.48

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 19/Apr/21 ]

When provisioning to certain target systems (e.g. LDAP) there are case-sensitivity issues. Grouper is planning to simplify those issues by:
Defaulting to not allow two objects with same type (e.g. group) in the same folder, with extensions that only vary by case. e.g. myGroup and mygroup, or myFolder and myfolder. You might already have this hook configured in grouper.properties, e.g. hook.group.unique.extension.caseInsensitive = true
This would be for groups, folders, attribute definitions, and attribute names (but across types all bets are off. you could have a folder and group with same name)
You could override (undo) this change when you upgrade (will have an upgrade instruction)
Existing conflicts would be grandfathered in, only new objects are checked, and no daemon would check previous objects
We will provide queries to see if you have existing issues and what those are, and you can decide to leave them, or merge or delete or rename
If people need this we could have a configuration of exceptions (or regex or patterns) so you could list an exception and then be allow to break this rule as needed
thoughts? (edited)





[GRP-3399] auto-configure an ldap external system test by finding the username (object scope) Created: 18/Apr/21  Updated: 18/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3392] show pre-template errors on screen in gsh template if configured to show Created: 16/Apr/21  Updated: 16/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. a bad regex

2021-04-16 15:50:28,093: [pool-2-thread-146] ERROR UiV2Template$2.callLogic(375) -  - error
java.util.regex.PatternSyntaxException: Illegal character range near index 4
^[a-ZA-Z0-9_, ]+$
    ^
        at java.util.regex.Pattern.error(Pattern.java:1969)
        at java.util.regex.Pattern.range(Pattern.java:2669)
        at java.util.regex.Pattern.clazz(Pattern.java:2576)
        at java.util.regex.Pattern.sequence(Pattern.java:2077)
        at java.util.regex.Pattern.expr(Pattern.java:2010)
        at java.util.regex.Pattern.compile(Pattern.java:1702)
        at java.util.regex.Pattern.<init>(Pattern.java:1352)
        at java.util.regex.Pattern.compile(Pattern.java:1028)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateInputValidationType$2.doesValuePassValidation(GshTemplateInputValidationType.java:28)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateValidationService.validateInputs(GshTemplateValidationService.java:346)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateValidationService.validate(GshTemplateValidationService.java:32)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateExec$1.callback(GshTemplateExec.java:315)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateExec$1.callback(GshTemplateExec.java:1)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1045)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1012)
        at edu.internet2.middleware.grouper.app.gsh.template.GshTemplateExec.execute(GshTemplateExec.java:289)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Template$2.callLogic(UiV2Template.java:366)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Template$2.callLogic(UiV2Template.java:1)
        at edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
        at edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
        at edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
[root@bba17c6c47254376bdfd3713f17fa135-2291675529 grouper]#  






[GRP-3389] save group (and stem?) should set parent display extensions if creating them Created: 15/Apr/21  Updated: 15/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

{
    "WsRestGroupSaveRequest": {
        "wsGroupToSaves": [
            {
                "wsGroup": {
                    "extension": "undergraduates",
                    "description": "ATMS 120 HB Fall 2021 Undergraduates",
                    "displayExtension": "Undergraduates",
                    "displayName": "Reference:Class Rosters:service:sandbox:2021 Fall:ATMS:120:HB:Undergraduates",
                    "name": "ref:roster:service:sandbox:120218:ATMS:120:120218_52474:undergraduates"
                },
                "createParentStemsIfNotExist": "T",
                "wsGroupLookup": {
                    "groupName": "ref:roster:service:sandbox:120218:ATMS:120:120218_52474:undergraduates"
                }
            }
        ]
    }
} 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 15/Apr/21 ]

this might work

WsGroupToSave.java

      groupSave.assignDisplayName(this.getWsGroup().getDisplayName());
 





[GRP-3388] add ability to have dynamic values for gsh template inputs Created: 15/Apr/21  Updated: 15/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. a jexl script






[GRP-3387] create a function with url to compare two groups Created: 15/Apr/21  Updated: 15/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Report:

Members in both A and B.  ( An intersection composite of A and B. )
 members only in Group A.  ( Group A -  Group B  )
 members only in Group B.  ( Group B  - Group A )

members in xor (a or b but not both)






[GRP-3386] add exclusive or composite type Created: 15/Apr/21  Updated: 15/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3372] add ability to call a gsh template from another template and consolidate output Created: 14/Apr/21  Updated: 14/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3370] add ability to have conditional attestation via script Created: 13/Apr/21  Updated: 13/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. check to see if any of the manual groups have members.  If not, then set the date automatically?






[GRP-3369] if you edit a value in the config editor it should use the unprocessed value Created: 12/Apr/21  Updated: 12/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

test this with a double dollar value that references something else






[GRP-3367] CompositeSave should allow "minus" and other words in addition to current words Created: 12/Apr/21  Updated: 12/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3366] CompositeSave chaining class should take groups in addition to group names Created: 12/Apr/21  Updated: 12/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3364] recent activity should escape html (e.g. edit externalized text) Created: 09/Apr/21  Updated: 09/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2903] Misc --> "All daemon jobs" filter option: List/sort jobs by "current/next run time" Created: 28/Jul/20  Updated: 08/Apr/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be useful to be able to see/find gaps in when jobs run.
I suggest a new filter option in  Misc --> "All daemon jobs" to list (order) jobs by "current/future run times" for jobs.

This can be helpful to:

   find "windows of time" to shutdown the daemon without interrupting jobs.

   And to verify the order that the jobs will be running. ( A human might notice a missing job in the list/sequence, or see "conflicts" between jobs too. )

 

If there was an option to only show "running jobs" and the next 5 jobs that will "start next" would also be a useful way to think/work with this idea too.



 Comments   
Comment by Carey Black (osu.edu) [ 08/Apr/21 ]

to only show "running jobs" <-- would be helpful to diagnose conditions like a loader process that dumped a lot of events on the system and other processes are chewing through the backlog of events....





[GRP-3355] Provide the specify the DN of a target LDAP group in the provisioner configuration Created: 07/Apr/21  Updated: 07/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have the need to tie existing target LDAP groups to grouper groups.  A conversation with Chris and Shilen suggested that maybe an option could be added to the per-group provisioning options allowing the admin to specify / override the group's DN.



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 07/Apr/21 ]

"...have a built-in option for a provisionable metadata to override the DN..."





[GRP-3354] offer "skeletal" grouper provisioner project Created: 07/Apr/21  Updated: 07/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful if there were a skeleton of a grouper provisioner that institutions could use a basis to implement new provisioners.

Maybe an eclipse / maven project that could be imported into and IDE?

 



 Comments   
Comment by Liam Hoekenga (umich.edu) [ 07/Apr/21 ]

Carey Black (via slack): Any of the existing ones could be used as a pattern/starting point.
Maybe a good place to start would be by reading this: https://spaces.at.internet2.edu/display/Grouper/Grouper+generic+provisioner+framework ?





[GRP-3344] alphabetize template list Created: 04/Apr/21  Updated: 04/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-04-04-01-23-30-771.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/Apr/21 ]





[GRP-3343] check to see if a deleted config is in a config file and give a more accurate message Created: 03/Apr/21  Updated: 03/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Success: the property 'mail.from.address' was deleted from the database. Note, there still might be a configuration in a config file.






[GRP-3341] email addresses label should be bold in attestation Created: 03/Apr/21  Updated: 03/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-04-03-11-46-14-006.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 03/Apr/21 ]





[GRP-3326] object type daemon needs to be quicker Created: 30/Mar/21  Updated: 02/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  • provisioning
  • types
  • attestation
  • deprovisioning?
  • inherited privs (special case)

Shilen will test on large database.

GrouperProvisioningService.propagateProvisioningAttributes() pass in what to check (from full or incremental)

Incremental from GrouperProvisioningLogicIncremental

GrouperProvisionerGrouperDao has queries

? What if PIT not there?
– if data isnt there, and no PIT is there, it doesnt error out

? Do we need to change the "doProvision" equivalent

  • do not use views
  • remove code so when added in UI, it doesnt add provisioning attributes, it happens through daemon

Full: OTHER_JOB_grouperObjectTypeDaemon
Incremental: add

  • if attributes have no values, dont assign

Full
https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning%3A+identifying+groups+for+provisioning

  • wiki doesnt have exact queries
  • do not use transactions

In the finder methods, we can make a generic query to get all attributes (check one name value pair?)

Make AttributeAssignOnAssignFinder with generic methods

Take out current method on group create etc.

FULL
0. two "sync" incremental and full not at same time (CH)
1. get all folders with any type assignments
a. generic query, pass in attribute def name id of the marker attribute
b. return stemId, stemName, attribute def name, attribute value string, attribute assign on assign id?
2. get all folders with ancestor with direct
a. generic query, pass in attribute def name id of the marker attribute, and attribute def name of direct attribute
b. return stemId, stemName
3. get groups with attributes and type (all attributes)
4. get all group ids with ancestor that has a type (sub or one in query)
5. fix what needs to be fixes (individual). use transaction for each object.
6. try to absorb errors
7. let exception be thrown
========================
INCREMENTAL
0. Start with events that happened after the last successful full started
1. ESB events
2. Filtering similar events (group create, folder create, attribute value (un)assign to group, attribute value (un)assign to folder
3. Get attribute def names one time per run
4. Group add
a. Get all attributes currently on all the group
b. Get all ancestor attributes in one query if not retrieve already (save)
5. Folder add
a. Get all attribute on folder and ancestors (save)
6. Attribute value (un)assign
a. See if attribute name is relevant (toss if not)
b. Get attribute assign from PIT (skip if not there)
i. if the attribute assign id was already processed in this run, then skip
c. Query to get stemId if direct stem (toss if indirect)
i. If so, get all child folder attributes in one query
ii. Query all child group attributes (one query)
iii. One query to get all ancestor attribute (if not retrieved already)
d. If not stem, query to get groupId if direct group (if not, then toss) (toss if indirect)
i. If so, get self attributes (one query)
ii. One query to get all ancestor attribute (if not retrieved already)
7. Calculate and done
a. Pass to a method where you pass objects and ancestors and it corrects the assignments
b. Have a try/catch, fix one object method, use transaction for each object. (query and redo [optional])
8. log errors and move on if error (return last change log)

 

 

 

 






[GRP-3337] will compositeng rule remove a group is not employee (should ignore) Created: 02/Apr/21  Updated: 02/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3336] folder attestation validation (e.g. no email address) navigates away from form Created: 02/Apr/21  Updated: 02/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-04-02-10-22-48-918.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Apr/21 ]





[GRP-3335] get memberships json rest sample should have memberships in result (its blank) Created: 02/Apr/21  Updated: 02/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/getMemberships/WsSampleGetMembershipsRest_json.txt






[GRP-3334] allowedToUse configs show up in "remaining config" on config UI Created: 01/Apr/21  Updated: 01/Apr/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-04-01-11-33-56-050.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Apr/21 ]

Comment by Chris Hyzer (upenn.edu) [ 01/Apr/21 ]

grouper.properties

##################################
## Lockout groups.  Could be used for other things, but used for policy group templates at least
## if there is no allowed group, then anyone could use it
################################### group name of a lockout group
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
# grouper.lockoutGroup.name.0 = ref:lockout# allowed to use this lockout group.  If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
# grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse
 





[GRP-3333] update LDAP setting descriptions in the "external systems" UI Created: 31/Mar/21  Updated: 31/Mar/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.47
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The description for each of Batch Size, Count Limit, Time Limit, and Timeout is..

"optional (note, time limit is for search operations, timeout is for connection timeouts), most of these default to ldaptive defaults. times are in millis"

 

I think it would be more helpful to describe what each of those limits are for (and house batch size / count limit are different than "paged result size")






[GRP-3330] validate various azure provisioning constraints Created: 30/Mar/21  Updated: 30/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

displayName is required

displayName must be less than 256

description must be less than 1024

mailEnabled is required

mailNickname is required

displayName must be less than 64

securityEnabled is required






[GRP-3322] Cannot remove jobs from daemon jobs screen Created: 29/Mar/21  Updated: 29/Mar/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.46
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jobs removed via the daemon jobs UI don't stay removed.  They reappear.






[GRP-1737] Allow daemon jobs to be scheduled on different hosts Created: 19/Apr/18  Updated: 25/Mar/21

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Something else and not quartz
 
That config looks good to me.  Though I would prefer to do an EL (expression language) to be more flexible and be more consistent with other configs.
 
So it will run if it is in the whitelist and not in the blacklist?
 
Default is whitelist is *?
 
If a job is blacklisted everywhere, then diagnostics will throw an error since it hasn’t run, right?
 
Lets document this and do it after the release...
 
Thanks
Chris
 
----Original Message----
From: Shilen Patel [shilen@duke.edu]
Sent: Tuesday, April 17, 2018 1:16 PM
To: Hyzer, Chris <mchyzer@isc.upenn.edu>; Black, Carey M. <black.123@osu.edu>
Cc: grouper-core@internet2.edu
Subject: Re: [grouper-users] syncAllPITTables ... does not fix all of the things it finds... bombs before finishing...
 
Wait, are you saying you already solved this with Grouper or are you talking about something else? (
 
If you’re talking about something else, then how about something like this for Grouper?
 
scheduler.instance1.hosts = myHost, myHost2
scheduler.instance1.whitelist.regex = CHANGE_LOG_.*
scheduler.instance1.blacklist.regex = CHANGE_LOG_changeLogTempToChangeLog
 
scheduler.instance2.hosts = myHost3, myHost4, myHost5
scheduler.instance2.whitelist.regex = MAINTENANCE_., OTHER_JOB.
scheduler.instance2.blacklist.regex =
 
scheduler.instance3.hosts = myHost6, myHost7
scheduler.instance3.whitelist.regex = .* (everything else including the temp change log)
scheduler.instance3.blacklist.regex =
 
And then, yeah, the config can be the same everywhere and the daemon just checks the hostname to see what instance it is.  Oh and the UI would have to be updated too since you can schedule jobs there.  I think it would have to get the right scheduler instance and schedule it there and make sure it’s not scheduled with another.
 
Thanks!
 

  • Shilen
     
     
    On 4/17/18, 12:17 PM, "Hyzer, Chris" <mchyzer@isc.upenn.edu> wrote:
     
        At penn we have a similar thing but we have the job config, which runs on all nodes, or else you configure the node(s) that that job runs on.  By hostname.   Which is the opposite of the host config, which lists which jobs run there.  It is useful to have the same config everywhere...  know what I mean?
        
        You could do it your way though
        
        
        grouperLoader.host.1.name = myHost
        grouperLoader.host.1.jobs = pspng, this, that
        
        grouperLoader.host.2.name = myHost2
        grouperLoader.host.2.jobs = this, that, theOther
        
        As opposed to:
        
        grouperLoader.job.1.name = pspng
        grouperLoader.job.1.hosts = myHost
        
        grouperLoader.job.2.name = this
        grouperLoader.job.2.hosts = myHost, myHost2
        
        etc...
        
        ----Original Message----
        From: grouper-core-request@internet2.edu [grouper-core-request@internet2.edu] On Behalf Of Black, Carey M.
        Sent: Tuesday, April 17, 2018 12:10 PM
        To: Shilen Patel <shilen@duke.edu>
        Cc: grouper-core@internet2.edu
        Subject: [grouper-core] RE: [grouper-users] syncAllPITTables ... does not fix all of the things it finds... bombs before finishing...
        
        Shilen,
        
        Using “Instances” sounds right on target to me. Should be easy enough for people to understand.
         However, it might be easier if each instance becomes just a  “white list” then. If some kind of regex/pattern matching is supported, then that would likely be complicated enough. J
        


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Mar/21 ]

https://stackoverflow.com/questions/54456296/can-i-schedule-a-quartz-job-which-will-be-picked-by-a-specific-node-server





[GRP-3292] take out template run submit button when it is running (so not clicked twice) Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

put back if there is a validation problem






[GRP-3291] add filter to membership screen for PIT, search for people who were added after a certain date Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3290] filter out success gsh template messages if rolled back and not success Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3288] add button to print out script header in GSH template Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3287] labels should be bold like other screens in template input screen Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3286] add template name to "running template" progress screen Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3285] gsh template screen should show template name, and link to stem Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3284] add validation on gsh template inputs, cannot have same name Created: 22/Mar/21  Updated: 22/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3263] cannot assign end date on attribute def priv assigned to a group. Created: 18/Mar/21  Updated: 18/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

it navigates to the group membership screen for the group and gives this exception

 

Error: edu.internet2.middleware.grouper.exception.MemberAddException: membership cannot be circular, Exception in save: edu.internet2.middleware.grouper.Membership, edu.internet2.middleware.grouper.hibernate.ByObject@1945de94, Problem in HibernateSession: HibernateSession (5ac82fdb): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (2afb55d2), Exception in save: edu.internet2.middleware.grouper.Membership, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: ImmediateMembershipEntry, tx type: null, membership: group: test:testGroup, subject: 6582e92034274fa4a6277697f694618e, field: members, uuid: null, startDate: 2021-04-01 00:00:00.0, endDate: null, , group name: test:testGroup, subject: Subject id: 6582e92034274fa4a6277697f694618e, sourceId: g:gsa, field: members, Problem in HibernateSession: HibernateSession (6638c612): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (2afb55d2), Problem in HibernateSession: HibernateSession (450febca): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (2afb55d2), Problem in HibernateSession: HibernateSession (2a3eed0b): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (2afb55d2), Problem calling method saveMembership on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Membership






[GRP-3262] grouper report should make sure unique name Created: 18/Mar/21  Updated: 18/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Enter a name without a date in it and let it run a bit

 

2021-03-18 04:23:00,089: [DefaultQuartzScheduler_Worker-5] ERROR GrouperReportLogic.runReport(133) -  - Error occurred generating report for config name sdfgfs2021-03-18 04:23:00,089: [DefaultQuartzScheduler_Worker-5] ERROR GrouperReportLogic.runReport(133) -  - Error occurred generating report for config name sdfgfsedu.internet2.middleware.grouper.internal.dao.GrouperDAOException: Problem in HibernateSession: HibernateSession (3af17271): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (611f3ca),Exception in saveOrUpdate: edu.internet2.middleware.grouper.file.GrouperFile, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null at edu.internet2.middleware.grouper.hibernate.HibernateSession._internal_hibernateSessionCatch(HibernateSession.java:591) at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:713) at edu.internet2.middleware.grouper.hibernate.ByObjectStatic.saveOrUpdate(ByObjectStatic.java:363) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3GrouperFileDAO.saveOrUpdate(Hib3GrouperFileDAO.java:38) at edu.internet2.middleware.grouper.app.reports.GrouperReportLogic.runReport(GrouperReportLogic.java:123) at edu.internet2.middleware.grouper.app.reports.GrouperReportJob.runJob(GrouperReportJob.java:122) at edu.internet2.middleware.grouper.app.reports.GrouperReportJob.execute(GrouperReportJob.java:45) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)Caused by: org.hibernate.exception.ConstraintViolationException: could not execute batch,Exception in save: edu.internet2.middleware.grouper.file.GrouperFile, edu.internet2.middleware.grouper.hibernate.ByObject@6ecfbd24 at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:119) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.doExecuteBatch(BatchingBatch.java:97) at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.execute(AbstractBatchImpl.java:147) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.executeBatch(JdbcCoordinatorImpl.java:214) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:611) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:456) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at

 

org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282) at edu.internet2.middleware.grouper.hibernate.ByObject.saveOrUpdate(ByObject.java:395) at edu.internet2.middleware.grouper.hibernate.ByObjectStatic$5.callback(ByObjectStatic.java:376) at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703) ... 7 moreCaused by: java.sql.BatchUpdateException: integrity constraint violation: unique constraint or index violation: GRPFILE_UNIQUE_IDX at org.hsqldb.jdbc.JDBCPreparedStatement.executeBatch(Unknown Source) at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(NewProxyPreparedStatement.java:2544) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:110) ... 18 more2021-03-18 04:23:04,018: [DefaultQuartzScheduler_Worker-7] DEBUG EsbConsumer.processChangeLogEntries(550) -  - type: consumer, finalLog: false, state: done, consumerName: recentMemberships, totalCount: 4, currentSequenceNumber: null, publisherClass: edu.internet2.middleware.grouper.app.serviceLifecycle.GrouperRecentMembershipsChangeLogConsumer, tookMillis: 1






[GRP-3255] Support for RFC4373 "Bulk Update / Replication Protocol" (LBURP) Created: 17/Mar/21  Updated: 17/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Story Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://tools.ietf.org/html/rfc4373

"The Lightweight Directory Access Protocol (LDAP) Bulk Update/Replication Protocol (LBURP) allows an LDAP client to perform a bulk update to an LDAP server."

It's supported by eDirectory.  I don't know what (if anything) else supports it.






[GRP-3249] refactor validation in provisioning Created: 17/Mar/21  Updated: 17/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

make sure all validations are called in diagnostics and UI.

validate that group UI to require entities exists






[GRP-3246] add external system to diagnostics Created: 16/Mar/21  Updated: 16/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.45

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3245] add entity to select to diagnostics Created: 16/Mar/21  Updated: 16/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.45

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3235] object type assignment can cause rule issues Created: 13/Mar/21  Updated: 13/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File grouperJiraObjectType.txt    




[GRP-3232] config overrides and threadlocal overrides should be able to override a non ELconfig if the base file has ELconfig Created: 12/Mar/21  Updated: 12/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

it searches all files for ELconfig first!  It should look in each file for either EL config or normal config first






[GRP-3231] should not need a stem lookup to create a stem via WS Created: 12/Mar/21  Updated: 12/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

look that up from the stem to save...

      WsStemToSave wsStemToSave = new WsStemToSave();
      gcStemSave.addStemToSave(wsStemToSave);
      WsStem wsStem = new WsStem();
      wsStemToSave.setWsStem(wsStem);
      wsStem.setName(this.folderName);
 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 12/Mar/21 ]

Exception in thread "main" edu.internet2.middleware.grouperClient.ws.GcWebServiceError: Bad response from web service: resultCode: EXCEPTION, clientVersion: 2.5.37, wsStemToSaves: Array size: 1: [0]: WsStemToSave[Exception in thread "main" edu.internet2.middleware.grouperClient.ws.GcWebServiceError: Bad response from web service: resultCode: EXCEPTION, clientVersion: 2.5.37, wsStemToSaves: Array size: 1: [0]: WsStemToSave[  wsStem=WsStem[name=penn:isc:ait:apps:ngss:environments:dev:esb:folderToDelete],createParentStemsIfNotExist=true]
, actAsSubject: null, txType: NONE, paramNames: , params: null, java.lang.NullPointerException: Problem in HibernateSession: HibernateSession (4208da93): new, readonly, NONE, notActiveTransaction, session (null) at edu.internet2.middleware.grouper.ws.coresoap.WsStem.<init>(WsStem.java:103) at edu.internet2.middleware.grouper.ws.coresoap.WsStemSaveResult.<init>(WsStemSaveResult.java:53) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic$8.callback(GrouperServiceLogic.java:3672) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO$1.callback(Hib3TransactionDAO.java:66) at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO.transactionCallback(Hib3TransactionDAO.java:56) at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:87) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.stemSave(GrouperServiceLogic.java:3652) at edu.internet2.middleware.grouper.ws.coresoap.GrouperService.stemSave(GrouperService.java:1150) at edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.stemSave(GrouperServiceRest.java:1019) at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestPut$2.service(GrouperWsRestPut.java:150) at edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$3.service(GrouperRestHttpMethod.java:104) at edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:202) at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:1007) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:524) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) at edu.internet2.middleware.grouperClient.ws.GrouperClientWs.handleFailure(GrouperClientWs.java:745) at edu.internet2.middleware.grouperClient.api.GcStemSave.execute(GcStemSave.java:161) at edu.upenn.isc.esbUtilities.util.EsbPenngroupsClient.executeCreateFolder(EsbPenngroupsClient.java:331) at edu.upenn.isc.esbUtilities.util.EsbPenngroupsClient.main(EsbPenngroupsClient.java:65)





[GRP-3228] add root managers group which can read/update all Created: 11/Mar/21  Updated: 11/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-1575] Attestation view/approve inaccessible for non-wheel users Created: 10/Jul/17  Updated: 10/Mar/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.3.0.patch
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From: Redman, Chad
Sent: Wednesday, June 28, 2017 11:44 AM
To: grouper-users@internet2.edu
Subject: Non-wheel privileges for attestation access

We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist".

The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error. The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group.

Am I looking at this the wrong way?

Thanks!
-Chad



 Comments   
Comment by cer28 [ 02/Aug/17 ]

The users were waiting on a fix for this, so I debugged the source code to figure out exactly what was needed for a regular user to view the attestation or mark it as Reviewed.

To view the attestation page:

1) User needs to have Read on etc:attribute:attestation:attestationDef
2) User needs to have Read on etc:attribute:attestation:attestationValueDef
3) User needs both Read and Attribute Read on the group in question

Note that the button to mark it as reviewed shows up for these users, even though they don't have the update privilege that would make it work. They just get a user-unfriendly message about no access to the attribute definition. Checking for the correct permissions before showing the button would be helpful here.

To be able to mark the group as Reviewed:

1) User needs to have Read and Update on etc:attribute:attestation:attestationDef
2) User needs to have Read and Update on etc:attribute:attestation:attestationValueDef
3) User needs Read on the group in question (Update isn't necessary unless you want them to edit the membership)
4) User needs both Attribute Read and Attribute Update on the group in question

To simplify configuration slightly, we created a Readers group and an Updaters group, instead of granting individual permissions to the attribute definitions in etc:attribute. Any users who would be doing any kind of attestation work would be put into one of these groups. It's possible that it's safe to make access to the attribute definitions public, as you can only read or edit groups where you have attribute read/update anyway. We were just playing it safe there for now.

Comment by Carey Black (osu.edu) [ 10/Mar/21 ]

The details appear to be different in 2.5.39.
1) User does not need to have Read on etc:attribute:attestation:attestationDef
2) User does not need to have Read on etc:attribute:attestation:attestationValueDef
3) User needs both Read and UPDATE Attribute Read privileges on the group in question

   Without UPDATE privileges the user can view the attestation information, but not mark the group as attested.

Maybe this could be closed?

GRP-1609: attestation to new ui wizard (commit 9) Make attestation attribute defs readable by everyone
GRP-1609: attestation to new ui wizard (commit 8) Change to root session  while retrieving the attributes values

Might also be related:
GRP-1645 attestation read/update issues

 





[GRP-3217] gsh template view details throws exception Created: 05/Mar/21  Updated: 05/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3216] gsh template jexl validations should use the value variable with same type as input type Created: 05/Mar/21  Updated: 05/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3213] During a bulk import ( from the UI/WS ) to group(s) that are loaded by a loader job the loader job should "wait/skip the group" until the import is complete. Created: 04/Mar/21  Updated: 04/Mar/21

Status: Open
Project: Grouper
Component/s: API, daemon, UI
Affects Version/s: 2.5.39
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If a user is manually updating a group that is normally loaded via a loader with the "Import function" the loader job should "avoid conflicting" with the change the human/WS is making.

I found this while trying to manually correct a group that the loader was not updating due to failsafe limits.

I exported the correct current list and imported a file with "Replace existing members?" selected.

However during the process the loader job also started "correcting the group" too. So some of my changes  became errors in the UI.

It would be good to avoid the user confusion and to generally allow the "Human to win".






[GRP-3212] provisioning metadata booleans should be radios Created: 04/Mar/21  Updated: 04/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3211] use protocol for getting SSL certs in container Created: 04/Mar/21  Updated: 04/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes 12 hours ago
now, something to think about for the future??? maybe build into the grouper startup config the ability to use ACME to obtain certs? I hope it's obvious as to how this could make TLS config easier for a variety of scenarios. Something to consider, maybe?

 

Michael Gettes 12 hours ago
i can appreciate the complexity of ACME for a running environment of grouper so maybe just use ACME on startup and a periodic restart of Grouper (which has other challenges to quiesce if daemon is used - previously discussed and still desirable) and then regular updates of certs is solved.

Chris Hubing 11 hours ago
hehe, need to talk to paul about acme… we are using that in the CSP workbrench stuff to grab a real cert in the startup process of things being kicked off in an auto-scaling group.

Michael Gettes 11 hours ago
the "hehe". this means "good" or it's problematic? any excuse to speak with Paul is a good thing.

Chris Hubing 11 hours ago
no, it’s awesome and works.

Michael Gettes 11 hours ago
YAY!






[GRP-3210] Migrate existing subject sources to subject source templates Created: 03/Mar/21  Updated: 03/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

look for subject source in other configs and develop plan, in subject properties and not source-specific, get a handle on what’s out there






[GRP-3209] make the list of breadcrumb right clickable in the UI to the parts of the folder structure they are for. Created: 03/Mar/21  Updated: 03/Mar/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.43
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When you view a group or a stem in the UI the breadcrum links only work if you "left click" on them.

Please support right click and "open in a new tab".

NOTE: This could be generalized to a request for all "links" too.






[GRP-3203] subject source wizard attribute format to lower case should default false instead of no default Created: 02/Mar/21  Updated: 02/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3201] change attestation in UI to use the attestation save method chained classes Created: 02/Mar/21  Updated: 02/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3199] allow new composite on group which only has members with delete date Created: 01/Mar/21  Updated: 01/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3197] folder copy (and maybe group copy) has error (maybe with inherited privs) Created: 01/Mar/21  Updated: 01/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-03-01-11-49-29-969.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

copy privs

Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

2021-03-01 10:46:56,114: [ajp-nio-0.0.0.0-8009-exec-24] WARN  CacheConfiguration.isEternalValueConflictingWithTTIOrTTL(698) -  - Cache 'edu.internet2.middleware.grouper.grouperUi.serviceLogic.AttributeDefNamePic
ker.configCache' is set to eternal but also has TTI/TTL set.  To avoid this warning, clean up the config removing conflicting values of eternal, TTI and TTL. Effective configuration for Cache 'edu.internet2.midd
leware.grouper.grouperUi.serviceLogic.AttributeDefNamePicker.configCache' will be eternal='true', timeToIdleSeconds='0', timeToLiveSeconds='0'.
2021-03-01 10:50:15,937: [ajp-nio-0.0.0.0-8009-exec-24] ERROR GrouperUiFilter.doFilter(1180) -  - UI error
net.sf.json.JSONException: java.lang.reflect.InvocationTargetException
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:818)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at edu.internet2.middleware.grouper.util.GrouperUtil.jsonConvertToNoWrap(GrouperUtil.java:2185)
        at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiResponseJs.printToScreen(GuiResponseJs.java:80)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:398)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1173)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2128)
        at org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(PropertyUtilsBean.java:1279)
        at org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(PropertyUtilsBean.java:809)
        at org.apache.commons.beanutils.PropertyUtilsBean.getProperty(PropertyUtilsBean.java:885)
        at org.apache.commons.beanutils.PropertyUtils.getProperty(PropertyUtils.java:464)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:749)
        ... 89 more
Caused by: edu.internet2.middleware.grouper.exception.StemNotFoundException: membership stem not found
        at edu.internet2.middleware.grouper.Membership.getOwnerStem(Membership.java:3381)
        ... 99 more
 

Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

2021-03-01 10:52:38,122: [ajp-nio-0.0.0.0-8009-exec-8] ERROR GrouperUiFilter.doFilter(1180) -  - UI error
net.sf.json.JSONException: java.lang.reflect.InvocationTargetException
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:818)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at edu.internet2.middleware.grouper.util.GrouperUtil.jsonConvertToNoWrap(GrouperUtil.java:2185)
        at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiResponseJs.printToScreen(GuiResponseJs.java:80)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:398)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1173)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2128)
        at org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(PropertyUtilsBean.java:1279)
        at org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(PropertyUtilsBean.java:809)
        at org.apache.commons.beanutils.PropertyUtilsBean.getProperty(PropertyUtilsBean.java:885)
        at org.apache.commons.beanutils.PropertyUtils.getProperty(PropertyUtils.java:464)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:749)
        ... 89 more
Caused by: edu.internet2.middleware.grouper.exception.StemNotFoundException: membership stem not found
        at edu.internet2.middleware.grouper.Membership.getOwnerStem(Membership.java:3381)
        ... 99 more
2021-03-01 10:54:37,638: [ajp-nio-0.0.0.0-8009-exec-4] ERROR GrouperUiFilter.doFilter(1180) -  - UI error
net.sf.json.JSONException: java.lang.reflect.InvocationTargetException
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:818)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
        at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
        at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
        at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
        at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
        at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
        at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
        at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
        at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
        at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
        at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
        at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
        at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
        at edu.internet2.middleware.grouper.util.GrouperUtil.jsonConvertToNoWrap(GrouperUtil.java:2185)
        at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiResponseJs.printToScreen(GuiResponseJs.java:80)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:398)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1173)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2128)
        at org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(PropertyUtilsBean.java:1279)
        at org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(PropertyUtilsBean.java:809)
        at org.apache.commons.beanutils.PropertyUtilsBean.getProperty(PropertyUtilsBean.java:885)
        at org.apache.commons.beanutils.PropertyUtils.getProperty(PropertyUtils.java:464)
        at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:749)
        ... 89 more
Caused by: edu.internet2.middleware.grouper.exception.StemNotFoundException: membership stem not found
        at edu.internet2.middleware.grouper.Membership.getOwnerStem(Membership.java:3381)
        ... 99 more
2021-03-01 11:30:47,056: [ajp-nio-0.0.0.0-8009-exec-33] ERROR GrouperUiRestServlet.doGet(369) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem.stemCopySu
bmitedu.internet2.middleware.grouper.exception.StemAddAlreadyExistsException: Stem exists: penn:isc:nandt:services:aws:cognito:728710855597:NGSS_users_test,
Problem in HibernateSession: HibernateSession (472f516a): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (49df1112),
Problem calling method stemCopySubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem
        at edu.internet2.middleware.grouper.Stem.internal_addChildStem(Stem.java:2771)
        at edu.internet2.middleware.grouper.Stem$14.callback(Stem.java:4196)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.Stem.internal_copy(Stem.java:4160)
        at edu.internet2.middleware.grouper.StemCopy.save(StemCopy.java:131)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem.stemCopySubmit(UiV2Stem.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4746)
        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4697)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1173)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)2021-03-01 11:37:54,740: [ajp-nio-0.0.0.0-8009-exec-33] ERROR GrouperUiRestServlet.doGet(369) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem.stemCopySu
bmitedu.internet2.middleware.grouper.exception.MembershipAlreadyExistsException: membership already exists,
Problem in HibernateSession: HibernateSession (63539040): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (42b0136e),
Problem in HibernateSession: HibernateSession (667b7d5a): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (42b0136e),
Problem calling method stemCopySubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem
        at edu.internet2.middleware.grouper.Membership.onPreSave(Membership.java:1806)
        at edu.internet2.middleware.grouper.hibernate.ByObject.save(ByObject.java:209)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic$7.callback(ByObjectStatic.java:494)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic.save(ByObjectStatic.java:481)
        at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO.save(Hib3MembershipDAO.java:2226)
        at edu.internet2.middleware.grouper.privs.GrouperNonDbNamingAdapter.privilegeCopy(GrouperNonDbNamingAdapter.java:329)
        at edu.internet2.middleware.grouper.privs.NamingWrapper.privilegeCopy(NamingWrapper.java:257)
        at edu.internet2.middleware.grouper.privs.NamingResolverDecorator.privilegeCopy(NamingResolverDecorator.java:175)
        at edu.internet2.middleware.grouper.privs.NamingResolverDecorator.privilegeCopy(NamingResolverDecorator.java:175)
        at edu.internet2.middleware.grouper.privs.CachingNamingResolver.privilegeCopy(CachingNamingResolver.java:182)
        at edu.internet2.middleware.grouper.privs.NamingResolverDecorator.privilegeCopy(NamingResolverDecorator.java:175)
        at edu.internet2.middleware.grouper.privs.ValidatingNamingResolver.privilegeCopy(ValidatingNamingResolver.java:165)
        at edu.internet2.middleware.grouper.Stem.internal_copyPrivilegesOfStem(Stem.java:4328)
        at edu.internet2.middleware.grouper.Stem.access$900(Stem.java:187)
        at edu.internet2.middleware.grouper.Stem$14.callback(Stem.java:4201)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.Stem.internal_copy(Stem.java:4160)
        at edu.internet2.middleware.grouper.StemCopy.save(StemCopy.java:131)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem.stemCopySubmit(UiV2Stem.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4746)
        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4697)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:203)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1173)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:525)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)





[GRP-3196] folder copy is not copying groups Created: 01/Mar/21  Updated: 01/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-03-01-11-46-38-723.png     PNG File image-2021-03-01-11-47-43-346.png     PNG File image-2021-03-01-11-48-26-777.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

heres a folder

Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

copy

Comment by Chris Hyzer (upenn.edu) [ 01/Mar/21 ]

groups arent there





[GRP-3194] config id must be checked on screen where it is entered Created: 01/Mar/21  Updated: 01/Mar/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-03-01-02-38-21-939.png    




[GRP-3173] write large daemon logs to grouper_loader_log and be able to download Created: 26/Feb/21  Updated: 27/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3177] allow provisionable assignments even if provisioner is not valid. or give good error message Created: 27/Feb/21  Updated: 27/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3176] Help link page text out of date with UI Created: 26/Feb/21  Updated: 26/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: David Malia Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File helplink.png     PNG File outdated wording.png    

 Description   

So I'm finally getting around to upgrading from grouper 2.3, and noticed this in grouper 2.4, and see it still exists in grouper 2.5 looking at the grouperdemo site.

 

The help link is useful, but it looks like the text is left over from the old Admin UI, and could confuse new users of Grouper.

Example:

Grouper end-to-end secenarios

  • Find an entity or group by searching –
    • The first step is to click "Search" in the "My Tools" segment of the left menu.

That doesn't exist in the current GUI.

"Explore" doesn't exist in the current GUI.  "Group workspace" doesn't exist in the current GUI., "Entity workspace" doesn't exist either.

I'm sure someone proof reading it, can find some other inconsistencies.

Could it be added to the todo list to update the text to match the current GUI?

 






[GRP-3175] add inherited privileges to WS Created: 26/Feb/21  Updated: 26/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3166] change container env vars to have GROUPER_ prefix: ENV and USERTOKEN Created: 24/Feb/21  Updated: 24/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

will be backwards compatible






[GRP-3165] rules dont fire when enabled/disabled changes Created: 24/Feb/21  Updated: 24/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Rules question! I have a rule that is supposed to add a user to group B when they're removed from group A. Works great when I manually remove a user from Group A through UI, but it is NOT triggering when a dated membership expires in Group A. Any ideas? Does the ruleCheckType need to be different? 

 

Also look at flattened...



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 24/Feb/21 ]

From Brett





[GRP-3161] add url examples in database external system, or a url builder Created: 22/Feb/21  Updated: 22/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 22/Feb/21 ]

database driver should not be required





[GRP-3137] attestation email content (body) should be able to include more details about the group and/or memberships Created: 11/Feb/21  Updated: 21/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.40
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It has been requested that group descriptions could be included in the attestation emails.

However, it also would also be useful to support including meta data ( attribute Framework ) values on groups and/or Memberships too.

Having a flexible way to configure ( using templates with a set of known objects being passed into the template ) would be much more ideal.

Some of the membership details that have been discussed are:

  • Who added the membership
  • Create date, start date, and expiration dates
  • possibly other custom attributes on the membership as well


 Comments   
Comment by Chad Redman (unc.edu) [ 19/Feb/21 ]

The attestation emails current just enumerate the group/stem items. Do you mean these emails should now list membership data for them? What would you want it to look like?

We could add description and group name (the row in the email is using display name). Would member count, last attested date and attested by who be useful? There also isn't a template for the rows; it's just hardcoded to:

[index]. [object.displayName] (cc'd [addr1, addr2...])
[objectUrl]
 
(if objectCount > attestation.email.group.count)
There are [objectCount - end] more groups and/or folders to be attested.

Comment by Carey Black (osu.edu) [ 21/Feb/21 ]

Ideally the subject and body would be "template driven" and local deployers could modify the contents.
Most ideally there would be global templates with over rides at the group/stem level too.
  Meaning the group/stem may opt for a "special way to format that object in the email.

Also being able to control the "count limits", and what would happen when those limits are exceeded, would also be useful too.

Having the attestations objects (list of stems, list of groups) available to the global template would allow local modifications to the default emails.

Having object level "single object" templates would also allow for end user control of formatting by object too.
    I am picturing a "drop down list" of templates that the site allows the use of.
        default = current format
        "include description"
        "include description and show members with ".... 
        etc...

Being able to use attributes on the objects would also allow for inclusion of other custom data for the objects too.

Adding the full text of the descriptions for the stems/groups in the list was one specific ask from my users.
Adding the list of Members was also on the list "for some groups".
   And showing other membership details ( listed above, but not an exhaustive list ) were also desired.





[GRP-3155] config view should show value of EL (not for password) Created: 18/Feb/21  Updated: 18/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-02-18-13-55-42-440.png    




[GRP-3154] add provisioner option to log errors Created: 18/Feb/21  Updated: 18/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

log the first few errors every time?



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Feb/21 ]

dont mark job as success if fatal errors

Comment by Chris Hyzer (upenn.edu) [ 18/Feb/21 ]

dont print errors in logs for sync objects (red herring)





[GRP-3150] when looking at provisioner, have edit button (other buttons too?) Created: 15/Feb/21  Updated: 15/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3149] entity group link error should not appear Created: 15/Feb/21  Updated: 15/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Hey - are you around?  2.5.42 is giving me a new error message?
 
2:04
Error: if you are using 'entity link' you must translate an entity attribute to a sync field (recommended) or have an entity link script (less likely)Error: if you are using 'group link' you must translate a group attribute to a sync field (recommended) or have a group link script (less likely)






[GRP-3147] allow loader queries to be longer than 4k Created: 13/Feb/21  Updated: 13/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3144] subject wizard ldap search subject scope has one option Created: 12/Feb/21  Updated: 12/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3143] provisioning metadata should not be assigned if no metadata there Created: 12/Feb/21  Updated: 12/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Shilen Patel (duke.edu)

 Description   
   Metadata on assignment [ provisioningMetadataJson http://localhost:8400/grouper/grouperUi/app/UiV2Main.index?operation=UiV2AttributeDefName.viewAttributeDefName&attributeDefNameId=8dbde4959eb44bffbbec842e318aa58f] enabled {}





[GRP-3142] deleting an incremental daemon doesnt delete that daemon Created: 12/Feb/21  Updated: 12/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3141] if you edit a provisioning daemon config it doesnt show the provisioner config id Created: 12/Feb/21  Updated: 12/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3140] grouper instrumentation needs to clear out old server names Created: 11/Feb/21  Updated: 11/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-02-11-14-58-24-045.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 11/Feb/21 ]





[GRP-3139] ability to “run loader diagnostics” processes in a CI/CD pipeline Created: 11/Feb/21  Updated: 11/Feb/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.40
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If the loader diagnostics could be run from GSH then a CI/CD pipeline could kick of a GSH script and look for SUCCESS/FAILURE conditions.

 

Slack thread:
 Sudheer Singidi
 
All i’m trying to do is run loader diagnostics as part automated functional testing from CI/CD pipeline.And we are using a departmental account which doesn’t have ‘Admin’ privilege so it can’t access the ‘run loader diagnostics’ page.To get around this issue, I’m trying to use that configuration I’m referring to.I totally agree with what you are saying but if there is a better way to achieve what I’m trying to do, Please suggest.






[GRP-3135] Better error message for users not allowed to login to Grouper UI Created: 11/Feb/21  Updated: 11/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Olivier Salaün Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.4



 Description   

We configured Grouper-UI to borbid access to the GUI unless user is member of a "uiAllow" group:

grouper-ui.properties:require.group.for.logins=etc:administration:uiAllow

However when a user tries to login, though he's not listed in the uaAllow group he gets a very generic error message:

"There was an error with your request."

Wouldn't it make sense to have a better error message in this case?






[GRP-3132] attributes where subject has attribute_read should not see it in the results of the combobox while finding attributes to assign Created: 10/Feb/21  Updated: 10/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3131] folder privs should not show inherited attribute read/update if subject has create Created: 10/Feb/21  Updated: 10/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3129] view provisioning on subject throws grouper session error Created: 09/Feb/21  Updated: 09/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Error: There is no open GrouperSession detected. Make sure to start a grouper session (e.g. GrouperSession.startRootSession() if you want to use a root session ) before calling this method, Problem calling method viewProvisioningOnSubject on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning






[GRP-3098] Ability to limit provisioning to specific targets by group for UI Created: 22/Jan/21  Updated: 08/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have apps that are multi-campus, and many that are not. We would like to prevent some apps from setting up a provisioning target to the "wrong" campus. For example, if I have an LDAP target called "Urbana", I would like to only allow the ability to provision to that target from a special group of admins. Multi-campus app admins might have access to multiple targets and that's OK. I sort of do that now by only permitting a group to have access to the "etc:pspng:provision_to" attribute, however I cannot limit the values that are input so it's "all or nothing". I'm hoping the new provisioning framework could provide a level of access control, not only to provision at all, but to only allow certain targets.






[GRP-3124] Ability to limit provisioning to specific targets by group for WS Created: 08/Feb/21  Updated: 08/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have apps that are multi-campus, and many that are not. We would like to prevent some apps from setting up a provisioning target to the "wrong" campus. For example, if I have an LDAP target called "Urbana", I would like to only allow the ability to provision to that target from a special group of admins. Multi-campus app admins might have access to multiple targets and that's OK. I sort of do that now by only permitting a group to have access to the "etc:pspng:provision_to" attribute, however I cannot limit the values that are input so it's "all or nothing". I'm hoping the new provisioning framework could provide a level of access control, not only to provision at all, but to only allow certain targets.






[GRP-3122] provisioning incrementals finds multiple subjects with same matching id, but they are the same Created: 08/Feb/21  Updated: 08/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.42

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

10. Entity(matchingId: "yrewini", attr[uid]: "yrewini")
2021-02-08 14:12:13,367: [DefaultQuartzScheduler_Worker-1] DEBUG GrouperProvisioningObjectLog.debug(69) - - Provisioner 'MCommDevProv' (uu1eawyg) state 'end' type 'incrementalProvisionChangeLog':

{state=indexMatchingIdEntities, exception=java.lang.NullPointerException: Why do multiple entities have the same matching id??? Entity(matchingId: "abc123", attr[uid]: "abc123") null Entity(matchingId: "abc123", attr[uid]: "abc123") null at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningMatchingIdIndex.indexMatchingIdEntities(GrouperProvisioningMatchingIdIndex.java:213) at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provisionIncremental(GrouperProvisioningLogic.java:541) at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningType$2.provision(GrouperProvisioningType.java:77) at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogic.provision(GrouperProvisioningLogic.java:47) at edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioner.provision(GrouperProvisioner.java:511) at edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer.dispatchEventList(ProvisioningConsumer.java:91) at edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer.processChangeLogEntries(EsbConsumer.java:503) at edu.internet2.middleware.grouper.changeLog.ChangeLogHelper.processRecords(ChangeLogHelper.java:261) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$6.runJob(GrouperLoaderType.java:673) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJob(GrouperLoaderJob.java:465) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:345) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) , finalLog=true, queryCount=461, tookMillis=1519239, took=0:25:19.239}

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Feb/21 ]

Why do multiple entities have the same matching id???
Entity(matchingId: "abc123", attr[uid]: "abc123")
null
Entity(matchingId: "abc123", attr[uid]: "abc123")
null





[GRP-3121] Duo integration does not support more than one Duo environment ( sub account nor multiple accounts ) in configuration structure Created: 08/Feb/21  Updated: 08/Feb/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Duo CLC integration uses "fixed global" configuration keys ( java.properties ) to configure the Duo environment.

It would be better if a single Grouper environment could support N Duo environments.
 ( Maybe with some awareness of "parent-child" environments too. Some 'keys/identifiers' can not be shared across parent-child environments. )






[GRP-1747] Group 2.3 Function (UI button) --> View Audit Log SQL timeout Created: 27/Apr/18  Updated: 05/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.3.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chris,

 

I can inform you that for my search dropping the audit type id produced one more row being returned.

"Added attribute assignment"

 

So as long as the UI can display a row like that. ( or the other audit type id values) then I think that is a good solution. Seeing when attributes are assigned (and which was assigned) would seem like a good thing to see too.

Carey Matthew Black.123@osu.edu

 

(EDIT: I forgot to explicitly say: * The query performed well. ( < 1 second ) * )

 

----Original Message----

From: Hyzer, Chris <mchyzer@isc.upenn.edu>

Sent: Friday, April 20, 2018 4:27 PM

To: Black, Carey M. <black.123@osu.edu>; 

Subject: RE: Group 2.3 Function (UI button) --> View Audit Log SQL timeout

 

Add a jira please, when searching for uuids we don't need use audit_type_id at all, unless someone wants to debate that with me    This will be a quick fix...

 

Can you see if the query is fast without audit type id?

 

WHERE  (

this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string03 = '3574b587e41b46f19c2787ade9ab09ca')

 

Thanks!

Chris

 

----Original Message----

From: Black, Carey M.

Sent: Friday, April 20, 2018 4:01 PM

Subject: [grouper-core] Group 2.3 Function (UI button) --> View Audit Log SQL timeout

 

I think this is a bug / enchantment request. So let me describe what I see and what I think I know....

 

Env:  Grouper 2.3 on MariaDb ( Version: '10.2.14-MariaDB-log')

                Special note: " There is one other thing that might be of interest - it has a custom setting of optimizer_search_depth=0" REF: https://mariadb.com/resources/blog/setting-optimizer-search-depth-mysql

 However I don't think that setting is causing the issue.

grouper_audit_entry ( table) has 48 M rows right now. ( not even a full years' worth of an audit.)

  

When I use the UI, view a group and use the Function (UI button) --> View Audit Log

  The UI "hangs"... and eventually "times out".

 

I dropped down to the DB and watched the "process list" and was able to capture the SQL that was running.

 When I run that SQL "by hand" ... it takes... forever... ( I have not actually waited long enough for it to finish... But I have waited for an hour...)

 

However, I spoke with a more knowledgeable "not a DBA" person about the query and they suggested something interesting to try... and the query dropped to less than a second to finish!

 

 

Grouper generated SQL (formatted for readability instead of a single very long line...) "

SELECT this_.id                       AS id1_10_0_,

       this_.hibernate_version_number AS hibernat2_10_0_,

       this_.act_as_member_id         AS act_as_m3_10_0_,

       this_.audit_type_id            AS audit_ty4_10_0_,

       this_.context_id               AS context_5_10_0_,

       this_.created_on               AS created_6_10_0_,

       this_.description              AS descript7_10_0_,

       this_.env_name                 AS env_name8_10_0_,

       this_.grouper_engine           AS grouper_9_10_0_,

       this_.grouper_version          AS grouper10_10_0_,

       this_.int01                    AS int11_10_0_,

       this_.int02                    AS int12_10_0_,

       this_.int03                    AS int13_10_0_,

       this_.int04                    AS int14_10_0_,

       this_.int05                    AS int15_10_0_,

       this_.last_updated             AS last_up16_10_0_,

       this_.logged_in_member_id      AS logged_17_10_0_,

       this_.server_host              AS server_18_10_0_,

       this_.string01                 AS string19_10_0_,

       this_.string02                 AS string20_10_0_,

       this_.string03                 AS string21_10_0_,

       this_.string04                 AS string22_10_0_,

       this_.string05                 AS string23_10_0_,

       this_.string06                 AS string24_10_0_,

       this_.string07                 AS string25_10_0_,

       this_.string08                 AS string26_10_0_,

       this_.duration_microseconds    AS duratio27_10_0_,

       this_.query_count              AS query_c28_10_0_,

       this_.user_ip_address          AS user_ip29_10_0_,

       this_.server_user_name         AS server_30_10_0_

FROM   grouper_audit_entry this_

WHERE  (

        ( this_.audit_type_id = 'b51cc1fa35e74e9c91042c2b77951695' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '43c9e640be604bfcbe3501a094329381' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'd743e9e2cf484f909707f45e692a7143' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c84718a7d6ed486a8ec729119a414e48' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '6850d73f0cdc4b769e738df4321c1c7c' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '78d1dc004f624e1cb2e3b000d55fb739' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c5ed9cd3208a487187c22e788c5d252f' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '78d1dc004f624e1cb2e3b000d55fb739' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b51cc1fa35e74e9c91042c2b77951695' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '43c9e640be604bfcbe3501a094329381' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '6850d73f0cdc4b769e738df4321c1c7c' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c6169fb1308547a6b23bd8f83429e934' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '7c90939f260a4c4ba13b521ac456f3cb' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'cf7260265907443bbdb02314d9ce2ffc' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c5ed9cd3208a487187c22e788c5d252f' AND this_.string03 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '4432fe9a76b74d818595e60c7d17a3b8' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'cd273399dd9944e09d132b5bb3f9e0e9' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b3812b8c15b5421db52cfd4af1ee5817' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'f487688c07ee40f7beee911d51ead17c' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'cf7260265907443bbdb02314d9ce2ffc' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'f33ae045bd284dbc9a7e965dba1dccf5' AND this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'b3812b8c15b5421db52cfd4af1ee5817' AND this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '6f5a24dee4c34f8e8b4a77dddf814f0c' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'a0ec507ee6f14cf587e3a513c4217c43' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = 'bbec1c063df04e949fbffbd1fc5f2f39' AND this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde' AND this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' )

        )

ORDER  BY this_.last_updated DESC

LIMIT  50

"

 

 

 

However, if that where clause is rearranged to ( our improved version ) :

"

WHERE  (

this_.string04 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string02 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string01 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string06 = '3574b587e41b46f19c2787ade9ab09ca' OR

this_.string03 = '3574b587e41b46f19c2787ade9ab09ca')

AND

       ( ( this_.audit_type_id = 'b51cc1fa35e74e9c91042c2b77951695'  )

          OR ( this_.audit_type_id = '43c9e640be604bfcbe3501a094329381'   )

          OR ( this_.audit_type_id = 'd743e9e2cf484f909707f45e692a7143'   )

          OR ( this_.audit_type_id = 'c84718a7d6ed486a8ec729119a414e48'   )

          OR ( this_.audit_type_id = '6850d73f0cdc4b769e738df4321c1c7c'   )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde'   )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7'   )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56'   )

          OR ( this_.audit_type_id = '78d1dc004f624e1cb2e3b000d55fb739'   )

          OR ( this_.audit_type_id = 'c5ed9cd3208a487187c22e788c5d252f'   )

          OR ( this_.audit_type_id = '78d1dc004f624e1cb2e3b000d55fb739'   )

          OR ( this_.audit_type_id = 'b51cc1fa35e74e9c91042c2b77951695'   )

          OR ( this_.audit_type_id = '43c9e640be604bfcbe3501a094329381'   )

          OR ( this_.audit_type_id = '6850d73f0cdc4b769e738df4321c1c7c'   )

          OR ( this_.audit_type_id = 'c6169fb1308547a6b23bd8f83429e934'   )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56'   )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7'   )

          OR ( this_.audit_type_id = '7c90939f260a4c4ba13b521ac456f3cb'   )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde'   )

          OR ( this_.audit_type_id = 'cf7260265907443bbdb02314d9ce2ffc'   )

          OR ( this_.audit_type_id = 'c5ed9cd3208a487187c22e788c5d252f'   )

          OR ( this_.audit_type_id = '4432fe9a76b74d818595e60c7d17a3b8'   )

          OR ( this_.audit_type_id = 'cd273399dd9944e09d132b5bb3f9e0e9'   )

          OR ( this_.audit_type_id = 'b3812b8c15b5421db52cfd4af1ee5817'   )

          OR ( this_.audit_type_id = 'f487688c07ee40f7beee911d51ead17c'   )

          OR ( this_.audit_type_id = 'b68b2c7742a34acebc5216b29605da56'   )

          OR ( this_.audit_type_id = 'cf7260265907443bbdb02314d9ce2ffc'   )

          OR ( this_.audit_type_id = 'f33ae045bd284dbc9a7e965dba1dccf5'   )

          OR ( this_.audit_type_id = 'b3812b8c15b5421db52cfd4af1ee5817'   )

          OR ( this_.audit_type_id = '6f5a24dee4c34f8e8b4a77dddf814f0c'   )

          OR ( this_.audit_type_id = 'c9d6606c5cc34e93aca63c7673bf3db7'  )

          OR ( this_.audit_type_id = 'a0ec507ee6f14cf587e3a513c4217c43'   )

          OR ( this_.audit_type_id = 'bbec1c063df04e949fbffbd1fc5f2f39'  )

          OR ( this_.audit_type_id = '7d1806d5d17f46ecb222901ad6f2bcde'  )

        )

"

NOTE: The " this_.audit_type_id " part does have some dups in it. So it could be even shorter...

NOTE: I understand that the select is not strictly "identical". ( technically) However, the audit_type_id  value appears to be a foreign  key from grouper_audit_type.

                I think the general idea of the select is to show all of the  audit_type_id (values of interest) for the (in this case) "Group ID" that gets stuffed into the various String* columns.

( Why the groupID ends up in various columns... I don't know.. but I will assume there is a good reason for that .... variety.)

 

With this where clause the query returned in less than 100 ms !

 

So I am not sure where that query is constructed, or how to start to track it down... but I think it should be "reordered" so that it can work at scale. 

Carey Matthew Black.123@osu.edu

 

 



 Comments   
Comment by Carey Black (osu.edu) [ 05/Feb/21 ]

This continues to be an issue.

 

I was able to capture a "long running search" again and found that it took over 4 minutes to complete. ( Clearly not acceptable for any user. Nor the UI/browser timeout limits.)

I did a bit more playing with the SQL and I have verified these three things about the SQL that is being issued.

1) The current form is awful for performance. (now in container v2.5.39 using MariaDb )
2) If the query ignores the audit_type_id column then performance is good ( sub 1 second )
3) If the query puts all of the audit_type_id values into an "IN ('abc','def'...) clause then performance is good ( sub 1 second )  too!
AKA: 

where

this_.audit_type_id  in ('e4777eaa26b7409faa7952cdc7aad732','7373ed10d2ac4e28b6cb381fff852b9e','2fe264e912374e45b95f8467df272e8a','bb256be86bc345ec8cda51edd775b8ba','6850d73f0cdc4b769e738df4321c1c7c','e55e2e4502c94d34b3ec92ded0527d03','cd7e6bbd0ca64098826555740fb88312','43c9e640be604bfcbe3501a094329381','8f016b70706b4966b82d981fdd6d6c02','b51cc1fa35e74e9c91042c2b77951695','78d1dc004f624e1cb2e3b000d55fb739','b3812b8c15b5421db52cfd4af1ee5817','cf7260265907443bbdb02314d9ce2ffc','98b9e51894644776bd06a0796754666c')

AND (

  this_.string02='c142418a606547baa9b2e3250c3f0131'

  or

  this_.string01='c142418a606547baa9b2e3250c3f0131'

  or

  this_.string04='c142418a606547baa9b2e3250c3f0131'

  )

  order by this_.last_updated desc limit 50 

I don't know about the current version of Hibernate in the project, however, it looks like some version do support list of values being searched using the IN operator.





[GRP-3117] grouper sqs should take in region Created: 04/Feb/21  Updated: 04/Feb/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Paul Rubenis Yesterday at 5:02 PM
Wonder if anyone has experience with the aws sqs messaging in grouper 2.4. We set up an aws sqs, configured grouper-loader.properties and grouper.client.properties. This was after reviewing the Grouper docs and sample configs. The system (grouper) is trying to send a message to the aws sqs queue, but throws an exception. The exception is that a region is not set. Looking through the code for the GrouperMessagingSqsSystem.java class, I could not find anything in the builder of the aws client that is setting a region. So not sure if this is supposed to be a Grouper property that needs to be set or some environment variable set at the OS level...
9 replies

Carey Black 8 hours ago
Yes!!!!
I found a way around it… Likely not ideal…but it worked for me.
If others know of a “better way” ( like in Grouper config settings? ) PLEASE let us know. :slightly_smiling_face:
The AWS clients look in the users “home directory” for a folder named “.aws” ( the dot is important )
And a file named “config”.
Add your region setting there. :slightly_smiling_face:
[default]
region = us-east-2
HTH.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/Feb/21 ]

env var might work too

 

https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html

 





[GRP-3116] UI function to union/complement an id list with a group, without needing to create a temp group Created: 03/Feb/21  Updated: 03/Feb/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.0
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

To answer a policy question of which users from a list are in a group, the ways right now are (a) database query, (b) gsh script, or (c) create a temp group.

Creating a temp group is the one way that normal users can use, but requires them to be able to create a group.

Also, even for admins is extra steps to create a group to do the action, then delete it 10 seconds later.

 



 Comments   
Comment by Chad Redman (unc.edu) [ 03/Feb/21 ]

(d) export the group list, then compare in Excel. Normal users could do this one even if they can't create a group.

Comment by Chris Hyzer (upenn.edu) [ 03/Feb/21 ]

This already exists. There is an advanced membership query option where you setup the composites and who can use them. Let me know if you can’t find the docs for that

Comment by Chris Hyzer (upenn.edu) [ 03/Feb/21 ]

Should we put a link here and resolve this or is there something different needed?





[GRP-3107] Azure provisioner supply groupName or mailNickName JEXL via Attribute value/string Created: 28/Jan/21  Updated: 28/Jan/21

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

To create a new transformation of the group and email JEXL naming, I have to create a whole new set of parameters in grouper-loader.properties, and create another attribute to connect them. I then have to bounce the daemon container to make those take effect. I now have several different "profiles" to satisfy customer requirements. I feel like this would be more flexible if I could just specify the JEXL within a folder's assigned attribute, say "etc:attribute:o365:mailNickNameJexl". Then tell the config to use the value supplied in this attribute, rather than the one hard-coded in the grouper-loader.properties. This would allow me to centrally manage fewer attributes/configs, yet allow flexibility to the distributed admins to control the naming conventions needed for their folders to sync.






[GRP-3104] Misc --> "All daemon jobs" filter option: List all jobs with a failure status between a Start and End date/time value Created: 28/Jan/21  Updated: 28/Jan/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.40
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It can be hard to find "errors logs"/"messages" for jobs that failed in the past.

The ability to have those surfaced by 'status' and 'date' would be very helpful.






[GRP-2398] scheduler check should (un)schedule grouper loader other job changes Created: 01/Nov/19  Updated: 28/Jan/21

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I added an other job to database configuration.  then i ran the scheduler check.  it didnt schedule this job.  i started a daemon, then it scheduled it.

 

Would be nice to move in the direction where restarts (or just starts) arent required when changes to configs happen. Wonder if the scheduler daemon should do this (runs every 30 minutes), but also in the UI when the loader config is changed by the UI or import in UI, it could call the method too so the user doesnt have to wait 30 minutes?



 Comments   
Comment by Shilen Patel (duke.edu) [ 01/Nov/19 ]

Yup that makes perfect sense to me.   Right now, most of the jobs only get scheduled/unscheduled when the daemon is started.  Especially now with the config changes, a restart shouldn't be required.  So doing what you suggest sounds right to me.

Comment by Chris Hyzer (upenn.edu) [ 28/Jan/21 ]

Shilen, does the scheduler check daemon do this or is it a manual process (button on daemon screen)?

 





[GRP-3094] unescape $newline$ when editing configs in ui Created: 19/Jan/21  Updated: 27/Jan/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

replace \n with $newline$ when putting in textfield.

maybe if there are newlines it should be textarea






[GRP-3095] UI sorting of LDAP subject search results from a "free form" search Created: 21/Jan/21  Updated: 21/Jan/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Tim Darby Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.5.39



 Description   

University of Arizona's subject source is LDAP. When adding a member to a group in the UI, the "search on an entity" feature returns a list of CNs for people that don't appear to be in any particular sort order.

looking at the various properties in subject.properties and grouper-ui.properties, I don't see a way to specify a particular LDAP attribute that can be used for sorting this results of this search.

We use this for the free form search in subject.properties:
subjectApi.source.ldap.search.search.param.filter.value = (&(uid=%TERM%)(objectclass=person))






[GRP-3092] folder privs more actions button blank Created: 18/Jan/21  Updated: 18/Jan/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-01-18-18-19-07-594.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Jan/21 ]





[GRP-3091] Support unlimited count of favorites Created: 13/Jan/21  Updated: 13/Jan/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

REF: Grouper UI favorites and preferences user data.
https://spaces.at.internet2.edu/display/Grouper/Grouper+UI+favorites+and+preferences+user+data )
"
The JSON is stored in one attribute which has a max size of 4k characters, and the max number of elements is 30.  So if you have more than 30 favorites, they are in a queue by date, and the oldest one will fall off.
"






[GRP-3089] Advanced Membership UI: Ability to create a group based on the filtered result set. Created: 12/Jan/21  Updated: 12/Jan/21

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The new filtering is very valuable/helpful.

And it would be even more helpful if the results could be "saved as a new group". ( or maybe "exported as a list of identifiers" ?)

A rough idea of how the UI might work:

Add a feature to:
  "find an existing group"
    or
"find an existing folder" and enter a new group name
then
    a "save results to group" button?



 Comments   
Comment by Carey Black (osu.edu) [ 12/Jan/21 ]

Bonus idea:
It might even be nice to be able to "schedule the creation of a group" ( like Inherited Privileges UI ) based on a schedule.
    at a specific time
    against a folder with an "advanced Membership" search/conditions. ( thinking of using the 'Group Filter' sub feature specifically, but all could be used.)
    create a new group in a selected folder. with a naming pattern. ( likely include the run time of the group creation? )
    ability to preconfigure "privileges" to be added to the created group. ( Like Loader jobs can? )





[GRP-3086] Grouper Local Auth ( and the GrouperClient ) Created: 08/Jan/21  Updated: 08/Jan/21

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be useful if:

A)  User could use the UI and establish a personal WS password/certificate.
           ( Single factor, and LOCAL to grouper.)
B)   Uses WS password/certificate with grouperClient.

 
C) There was a Webservice password to change  method to
          Allow the current user to change their own password
          Allow an authorized "WebService password admin" to change "select other" users the passwords

D) A way to configure an auto expire ( time limit/bound ) the password/certificate.

E) Still require the user to be authorized to use WebServices. (AKA: grouper-ws.properties:ws.client.user.group.name )

Similar/Related to 
https://todos.internet2.edu/browse/GRP-2396



 Comments   
Comment by Carey Black (osu.edu) [ 08/Jan/21 ]

OH… and another detail….
    Can the WS contain should be able to be configured to do “LDAP” and “Local” Auth in the same container. ( Maybe try them in a known order?)





[GRP-3085] Is there a way to send an email to the member who was just added to the group? Created: 07/Jan/21  Updated: 07/Jan/21

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Rule question: RE: Email notification on flattened membership add to group
   Is there a way to send an email to the member who was just added to the group?
  AKA: The rule supports using JEXL to produce a CSV list of email addresses, but how do you get the new Member’s email address in the context of the JEXL?
 
 
Chris Hyzer:  we could add that, open a jira please






[GRP-3078] If external system test has multiple errors, UI only shows latest one Created: 31/Dec/20  Updated: 31/Dec/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I am guessing that GuiScreenAction.newMessage() doesn't stack?

 

edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2ExternalSystem.java:525

if (errors != null && errors.size() > 0) {
  for (String error: errors) {
    guiResponseJs.addAction(GuiScreenAction.newMessage(GuiMessageType.error, error));
  }
  return;
} else {
  guiResponseJs.addAction(GuiScreenAction.newMessage(GuiMessageType.success,
      TextContainer.retrieveFromRequest().getText().get("grouperExternalSystemConnectionTestSuccess")));
} 






[GRP-3077] When importing members into a group, OK button on the progress screen does not work Created: 31/Dec/20  Updated: 31/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.40

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When importing members into a group, OK button on the progress screen does not work






[GRP-3076] add provisioning configuration validation Created: 29/Dec/20  Updated: 29/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.40

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3074] when filling out the provisioning form, focus on the field that caused ajax, for accessibility Created: 24/Dec/20  Updated: 24/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.40

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3066] configuration "more" button for long values should be a readonly textarea Created: 21/Dec/20  Updated: 21/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently you can edit it






[GRP-3063] add shib libraries to library path Created: 18/Dec/20  Updated: 18/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Shilen Patel Today at 8:21 AM
Also, shouldn't
environment=LD_LIBRARY_PATH=/opt/shibboleth/lib64
be added to /opt/tier-support/supervisord.conf?  I noticed errors in the logs regarding libcurl.2020-12-18 08:10:54 CRIT XMLTooling.Config : libcurl lacks OpenSSL-specific options, this will greatly limit functionality
2020-12-18 08:10:54 ERROR XMLTooling.libcurl.InputStream : on Red Hat 6+, make sure libcurl used is built with OpenSSL






[GRP-3059] create a periodic report that finds similar ref / basis groups Created: 17/Dec/20  Updated: 17/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

for instance see if multiple employee groups exist that are the same or very similar






[GRP-3054] Show progress on large reference group additions Created: 15/Dec/20  Updated: 15/Dec/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.36, 2.5.37, 2.5.39
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Liam Hoekenga (umich.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When deletions take a long time, the UI will display a message...

    The delete operation is still being processed...

We've noticed when adding large reference groups to composite groups via the UI, the browser will spin for exactly 3 minutes, and then return to the UI having made no obvious changes.  If you wait an "appropriate" amount of time and then check the UI, the change will have been made. 

Please consider adding a message similar to the deletion message.  As it is now, the user doesn't know that their change wasn't just eaten and may try it repeatedly.






[GRP-3045] Grouper report incorrectly reports NON-SUCCESS for in progress jobs Created: 04/Dec/20  Updated: 04/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.37
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Grouper report will show "NON-SUCCESS" for jobs that are "in progress" at the time of the report run.
 
Example: 
"
----------------
LOADER JOBS WITH NON-SUCCESS
----------------
 
job:               MAINTENANCE__grouperReport
status:            STARTED, started: 2020-12-04 07:00:00.0 ()
ins/upd/del/tot:   0/0/0/0
error:             null
"

The report is run daily at 07:00. The most common offender is the 'MAINTENANCE_grouperReport', but other jobs that also start at the same time of the report show up from time to time too. ( including custom jobs and other "built in jobs" like: MAINTENANCE_rules , OTHER_JOB_timeDaemon, etc...)

I suggest the two approaches be taken to improve the usefulness/accuracy of the report.

1) "error: null" should be reported as "unknown" instead of "NON-SUCCESS" ( or maybe reported as "in progress" instead of based on any "completion status".

And it would also be useful if...

2) The report job could "sleep ( a new config value?) and check those jobs again" to try to give the "in progress jobs" sometime to complete. Yet, they still could be "unknown" after the sleep too. And that might be a good error condition to report.






[GRP-3044] grouper ws replace should throw error if user cannot READ Created: 03/Dec/20  Updated: 03/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2485] diagnostics with automatic quartz cron parsing and better thresholds Created: 13/Dec/19  Updated: 02/Dec/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Shilen Patel (duke.edu)

 Description   

e.g. if not overriden

A job that runs every 0-5 min, needs to have a SUCCESS within X (30 minutes?)

A job that runs every 5-30, needs to have a SUCCESS within Y (60 minutes?)

Anyways go through some rules iike that and have rules...

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 02/Dec/20 ]

Carey Black 15 minutes ago
I am not sure how you could intelligently guess what the ‘correct gap’ might be.
I can guess that most jobs “should never fail”.
But some “will from time to time” ( due to things like failsafes, etc…) and you may or may not want monitoring to catch those “from time to time” cases if they auto correct on the next N runs….
Personally, I would prefer a change how it is configured instead of a new “guess” being done.
(AKA: Move the config into the UI/config settings with the “Job”/“loader”/etc… auto set the value with the global default)

Chris Hyzer 3 minutes ago
yes for UI configs. the existing configs that are there would still work with a refactor. There are a few types of jobs, and we can discuss the defaults, and they will be configurable in your Grouper
often. e.g. runs more frequently than every few minutes. e.g. change log jobs. I think those types by default should see a success in the last 30 minutes by default. That 30 minute value can be configurable.
hourly. these should be able to tolerate a failure by default. But no success in 2.5 hours for example, and diagnostics failure
several times a day. if the last job failed, and no success in 4 hours, then fail
daily. needs a success in 1.5 days, and last try cant fail
weekly or longer. need a success on the schedule (e.g. weekly schedules need a success in the last 8 days for example), and if the last run failed, thats a failure
In addition, we should have retries configured for various types of jobs...





[GRP-3042] Group Membership delta with or restore from Point in Time data..... Created: 02/Dec/20  Updated: 02/Dec/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.37
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be amazing to be able to:

A) find and report on deltas (adds and removes) for group memberships with a previous Point in time for the group.  ( What happened since....)

B) full reset the membership to match a previous Point in time set. ( time machine ) 

C) Add missing from a previous Point in time set to the current set. ( restore lost souls without removing adds since the Point in time )

D) remove added since a previous Point in time set from the current set. ( remove erroneous adds without undoing removes since the Point in time )

Maybe a delta UI ( table ) could be created ordered by time with columns/buttons to auto select all "adds" or "removes". With two buttons to "undo" (adds) and/or "restore" (removes) based on the selected rows from the table. 






[GRP-3011] The “Search results” panel seems to not keep the 'Filter for' value and produces confusing results for the user. Created: 06/Nov/20  Updated: 01/Dec/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Search for anything in the upper right hand corner. Say the string “foo”.
The “Search results” panel opens with “foo” and Filter for: “Everything”, and a non-zero list of results.
Switch the Filter for to any other value and click Search.
  Either “nothing happens” ( no page repaint, search set is the same..)
    OR
   Filter for is reset to “Everything” and you get a search set for the “previous” value of ‘Filter for’ ??!!?It is just not working right….

Actually I think the 'Filter for' value is being “reset” to “Everything” after every search.

  So set it to “Folders” click search.
     I am now getting the results of “folders”… but the 'Filter for' value is also being reset to “Everything” as well. No errors in the javascript “console” AFAIK. 
 
 
If you manage to “double click” the search button then you would not get the list you wanted. What appears to happen is the 'Filter for' value is reset to “Everything” and you get that list back.



 Comments   
Comment by Chad Redman (unc.edu) [ 01/Dec/20 ]

Never mind, I had a typo in my search which explains lack of results Sometimes it's more strange than that, although I bet it's hard to reproduce. Sometimes my searches won't find anything in either the search bar or the form. But if I go to another page and then back it will find it.

Is there caching on the search results page? Or is the search value saved in the session? That would complicate things.





[GRP-3035] add a monitor to detect churn in attributes or memberships Created: 23/Nov/20  Updated: 23/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File membershipChurn.jpg    

 Description   

e.g. if a loader is adding members and another is removing






[GRP-3029] escape single quotes in logout url Created: 23/Nov/20  Updated: 23/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.38

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3027] document how to add a cert to the trust store in the container Created: 19/Nov/20  Updated: 19/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Do we need to mount cacerts?

 

wget https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class
 
java SSLPoke jira.example.com 443
 
openssl s_client -connect jira.example.com:443
 
openssl x509 -in ad_cert.pem -out ad_cert.der -outform DER
 
chmod +w $JAVA_HOME/jre/lib/security/cacerts
 
$JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ad_cert.der -alias ad_cert
 
mkdir -p slashRoot/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security
 
docker cp grouper-ui:/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts slashRoot/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 19/Nov/20 ]

Note, this is for example useful when an LDAP doesnt have a cert that is chained from Java

Comment by Chris Hyzer (upenn.edu) [ 19/Nov/20 ]

# stash a pem file to add to the java cert store
echo QUIT | openssl s_client -showcerts -connect <hostname>:636 -servername <hostname> </dev/null | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > ./slashRoot/etc/opt/grouper/<stashed_cert>.pem 
 
/usr/lib/jvm/java-1.8.0-amazon-corretto/bin/keytool -import -trustcacerts -alias <alias_name> -file /etc/opt/grouper/<stashed_cert>.pem -keystore /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts -storepass <store_password> -noprompt \

Comment by Chris Hyzer (upenn.edu) [ 19/Nov/20 ]

Have a folder in container where "pem" files can be added to JVM

Comment by Chris Hyzer (upenn.edu) [ 19/Nov/20 ]

have an env var: GROUPER_QUICKSTART_ONLY_TRUST_SSL_ENDPOINTS=a.b.c:636,d.e.f:443

it can get the cert and put in trust store, a little easier, a little less secure?

 for quick start option, recommended is download file

Comment by Chris Hyzer (upenn.edu) [ 19/Nov/20 ]

-e GROUPER_EXTRA_CATALINA_OPTS='-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=password'

tho, if you put that in there, I get this if I connect to the daemon container…
bash: export: `-Djavax.net.ssl.trustStorePassword=password': not a valid identifier
GROUPER_EXTRA_CATALINA_OPTS=-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts
It updates the CA certs provided by the OS, and then I pointed grouper at the OS provided CA truststore





[GRP-3025] Visualization show recent memberships relations Created: 18/Nov/20  Updated: 18/Nov/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Show the relationship between a recent membership group and the group it pulls from. Maybe different arrows for whether it includes current members?






[GRP-3024] loader ldap groups from attributes needs like string required Created: 17/Nov/20  Updated: 17/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3023] gsh runoncebyjobname doesnt work for pspng full sync since its not an "otherjob" Created: 16/Nov/20  Updated: 16/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3017] add container version and maven version in diagnostics page Created: 10/Nov/20  Updated: 10/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford 3 hours ago
It looks like the ws diagnostic page just says grouperVersion: 2.5.37 (Without the .1 at the end) is that expected? (I usually use that to confirm the version)

 

Chris Hyzer 1 minute ago
yeah, this is a one-off. The grouper maven version is 2.5.37 (which is whats in the diagnostic page), but the container version is 2.5.38. Theres no really good solution with the quick turnaround security fixes...sorry about that. (edited)






[GRP-3014] upgrade tomee to 7.0.9 Created: 08/Nov/20  Updated: 08/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.38

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2549] Audit does not capture all direct Membership adds Created: 09/Jan/20  Updated: 05/Nov/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Steps to reproduce ( on v2.4 demo server)

userFolders:black.123@osu.edu:rules:StartGroup

ruleActAsSubjectId = GrouperSystem
ruleActAsSubjectSourceId = g:isa
ruleCheckOwnerName = userFolders:black.123@osu.edu:rules:StartGroup
ruleCheckType = membershipAdd
ruleThenEl = ${ruleElUtils.addMemberToGroupName("userFolders:black.123@osu.edu:rules:Second Group", memberId)}

userFolders:black.123@osu.edu:rules:Second GroupStartGroup "audit log" shows me adding you as a member. ( 2020/01/09 04:13 AM ... Uh... what TZ is that? should be 2020/01/08 23:13 EST. Hum...)
The rule fired and added a membership for you to "Second Group".
The audit log on "Second group" does not show any memberships being added. Yet you are a direct member of the group.

I really wanted to mark this as "blocking". ( It is preventing me from using rules to add memberships at this time. ) However, it is a feature that I am not yet dependent on, 



 Comments   
Comment by Carey Black (osu.edu) [ 05/Nov/20 ]

bump?





[GRP-3010] apache ssl stapling error Created: 05/Nov/20  Updated: 05/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2020-11-04 23:41:48
[ssl:error] [pid 131:tid AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 4C56 / notbefore: Apr 30 19:10:58 2020 GMT / notafter: Apr 30 19:10:58 2021 GMT]
[ssl:error] [pid 131:tid AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 4C56 / notbefore: Apr 30 19:10:58 2020 GMT / notafter: Apr 30 19:10:58 2021 GMT]2020-11-04 23:41:48
[ssl:error] [pid 131:tid AH02235: Unable to configure server certificate for stapling
[ssl:error] [pid 131:tid AH02235: Unable to configure server certificate for stapling2020-11-04 23:41:48
[ssl:error] [pid 131:tid AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 4C56 / notbefore: Apr 30 19:10:58 2020 GMT / notafter: Apr 30 19:10:58 2021 GMT]
[ssl:error] [pid 131:tid AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@ae6adddc724e,CN=ae6adddc724e,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 4C56 / notbefore: Apr 30 19:10:58 2020 GMT / notafter: Apr 30 19:10:58 2021 GMT]2020-11-04 23:41:48
[ssl:error] [pid 131:tid AH02235: Unable to configure server certificate for stapling
[ssl:error] [pid 131:tid AH02235: Unable to configure server certificate for stapling 

 

self signed cert?
 --> disable OCSP stappling with SSLUseStapling off in your VirtualHost section.

grouperScriptHooks.sh

grouperScriptHooks_setupFilesPost() {
  sed -i "s|# HSTS (mod_headers is required) (15768000 seconds = 6 months)|SSLUseStapling Off|g" /etc/httpd/conf.d/ssl-enabled.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i \"s|# HSTS (mod_headers is required) (15768000 seconds = 6 months)|SSLUseStapling Off|g\" /etc/httpd/conf.d/ssl-enabled.conf  , result=$?"
} 

 






[GRP-3009] upgrade apache, 2.4.6 is old Created: 05/Nov/20  Updated: 05/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-3008] apache timeout to ajp Created: 04/Nov/20  Updated: 05/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

This is an intermittent error.  I click around, and then I get a UI error, and apache turns off for 60 seconds, then its back in business.  2.5.37, AWS, ECS, fargate.

Error:

[2020-11-04 15:48:44
[Wed Nov 04 15:48:44.841136 2020] [proxy_ajp:error] [pid 3322] (70014)End of file found: AH01030: ajp_ilink_receive() can't receive header
[Wed Nov 04 15:48:44.841136 2020] [proxy_ajp:error] [pid 3322] (70014)End of file found: AH01030: ajp_ilink_receive() can't receive header
 
2020-11-04 15:48:44
[proxy_ajp:error] [pid 3322:tid [client 1.2.32.4:33418] AH00992: ajp_read_header: ajp_ilink_receive failed, referer https://server.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain
[proxy_ajp:error] [pid 3322:tid [client 1.2.3.4:33418] AH00992: ajp_read_header: ajp_ilink_receive failed, referer https://server.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain
2020-11-04 15:47:50 [proxy:error] [pid 755:tid AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
2020-11-04 15:48:44
[proxy_ajp:error] [pid 3322:tid (120006)APR does not understand this error code: [client 108.16.246.155:33418] AH00878: read response failed from 127.0.0.1:8009 (localhost), referer https://server.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain
[proxy_ajp:error] [pid 3322:tid (120006)APR does not understand this error code: [client 108.16.246.155:33418] AH00878: read response failed from 127.0.0.1:8009 (localhost), referer https://server.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain  

 

Link

https://github.com/PTAnywhere/ptAnywhere-api/issues/19



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/Nov/20 ]

this is something we tried at penn, but didnt work, in grouperScriptHooks.sh

grouperScriptHooks_setupFilesPost() {
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i \"s|protocol=\\\"AJP/1.3\\\"|protocol=\\\"AJP/1.3\\\" connectionTimeout=\\\"60000\\\" keepAliveTimeout=\\\"60000\\\" |g\" /opt/tomee/conf/server.xml  , result=$?"
  sed -i "s|protocol=\"AJP/1.3\"|protocol=\"AJP/1.3\" connectionTimeout=\"60000\" keepAliveTimeout=\"60000\" |g" /opt/tomee/conf/server.xml
} 

Comment by Chris Hyzer (upenn.edu) [ 05/Nov/20 ]

[root@3ef39ad23261474c92fda86496b666cc-3622380632 conf.d]# netstat -pan | grep 8009
tcp        1      0 127.0.0.1:34228         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        1      0 127.0.0.1:49274         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        1      0 127.0.0.1:49234         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        1      0 127.0.0.1:49216         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        0      0 127.0.0.1:49340         127.0.0.1:8009          ESTABLISHED -                   
tcp        1      0 127.0.0.1:49272         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        1      0 127.0.0.1:34252         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        1      0 127.0.0.1:49232         127.0.0.1:8009          CLOSE_WAIT  -                   
tcp        0      0 127.0.0.1:49338         127.0.0.1:8009          ESTABLISHED -                   
tcp        0      0 127.0.0.1:49296         127.0.0.1:8009          ESTABLISHED -                   
tcp        0      0 127.0.0.1:49298         127.0.0.1:8009          ESTABLISHED -                   
tcp6       0      0 :::8009                 :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49168         TIME_WAIT   -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49272         FIN_WAIT2   -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49338         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49232         FIN_WAIT2   -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49340         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49234         FIN_WAIT2   -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49298         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49296         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49274         FIN_WAIT2   -                   
tcp6       0      0 127.0.0.1:8009          127.0.0.1:49214         TIME_WAIT   -                   
[root@3ef39ad23261474c92fda86496b666cc-3622380632 conf.d]#  

Comment by Chris Hyzer (upenn.edu) [ 05/Nov/20 ]

Carey Black 10:01 PM
Would this be a change to your config? ap-proxy-connect-backend-disabling-worker-for-127-0-0-1
ProxyPass / http://backendserver:8080/ retry=0

https://stackoverflow.com/questions/23709832/ap-proxy-connect-backend-disabling-worker-for-127-0-0-1

Comment by Chris Hyzer (upenn.edu) [ 05/Nov/20 ]

  sed -i "s|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600 retry=0 |g" /etc/httpd/conf.d/grouper-www.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i \"s|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600 retry=0 |g\" /etc/httpd/conf.d/grouper-www.conf  , result=$?"
 

Comment by Chris Hyzer (upenn.edu) [ 05/Nov/20 ]

Now I get:

[proxy:error] [pid 166:tid AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 0s

Comment by Chris Hyzer (upenn.edu) [ 05/Nov/20 ]

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

Adding status=+I

  sed -i "s|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600 retry=0 status=+I |g" /etc/httpd/conf.d/grouper-www.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i \"s|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600|ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600 retry=0 status=+I |g\" /etc/httpd/conf.d/grouper-www.conf  , result=$?"
 





[GRP-3007] Fix source code links in Javadoc site Created: 04/Nov/20  Updated: 04/Nov/20

Status: Open
Project: Grouper
Component/s: wiki
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The Source Code Management links to github in the javadoc site (https://software.internet2.edu/grouper/doc/2.5.x/grouper-parent/index.html) are going to https://github.com/Internet2/grouper which is incorrect. It should be including .../tree/<branch>/...

 






[GRP-3006] import of csv should allow group names specified Created: 01/Nov/20  Updated: 01/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Carey Black (osu.edu) [ 01/Nov/20 ]

Source was a slack conversation about membership CSV import in the UI being expanded to support import of memberships into multiple groups from a single CSV.

However, another "CSV" file variation would be to support creation of multiple groups from a CSV file too. ( Again useful for initial population/conversion and/or periodic manual re-sync processes done by "non-grouper admin" )





[GRP-3005] import from csv should allow mappings of columns Created: 01/Nov/20  Updated: 01/Nov/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2998] Daemon job page get job links working in new tab Created: 22/Oct/20  Updated: 22/Oct/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.36
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The daemon jobs page has a list of jobs, but to see the logs for a job you need to click on the link. The links only work when you click them directly. If you right click and open in a new tab, it's just another copy of the daemon jobs page. Also applies to the job options in the pull down menus.






[GRP-2995] ui-ws does not turn shib on Created: 20/Oct/20  Updated: 20/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2960] add dynamic update of grouper_ddl to end of ddl scripts Created: 22/Sep/20  Updated: 20/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

HSQL:

 

update grouper_ddl set db_version = 30, last_updated = to_char(CURRENT_TIMESTAMP, 'YYYY/MM/DD HH24:mi:DD'), history = substring((to_char(CURRENT_TIMESTAMP, 'YYYY/MM/DD HH24:mi:DD') || ': upgrade Grouper from V' || db_version || ' to V30, ' || history) from 1 for 3500) where object_name = 'Grouper';

 

MYSQL:

 

update grouper_ddl set db_version = 30, last_updated = date_format(current_timestamp(), '%Y/%m/%d %H:%i:%s'), history = substring(concat(date_format(current_timestamp(), '%Y/%m/%d %H:%i:%s'), ': upgrade Grouper from V', db_version, ' to V30, ', history), 1, 3500) where object_name = 'Grouper';

 

ORACLE:

 

update grouper_ddl set db_version = 30, last_updated = to_char(systimestamp, 'YYYY/MM/DD HH12:MI:SS'), history = substr((to_char(systimestamp, 'YYYY/MM/DD HH12:MI:SS') || ': upgrade Grouper from V' || db_version || ' to V30, ' || history), 1, 3500) where object_name = 'Grouper';

 

POSTGRES:

 

update grouper_ddl set db_version = 30, last_updated = to_char(current_timestamp, 'YYYY/MM/DD HH12:MI:SS'), history = substring((to_char(current_timestamp, 'YYYY/MM/DD HH12:MI:SS') || ': upgrade Grouper from V' || db_version || ' to V30, ' || history) from 1 for 3500) where object_name = 'Grouper';






[GRP-2988] make custom ui for logged in user more obvious Created: 14/Oct/20  Updated: 14/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Yes I'm the logged in user (as Grouper Admin), so the "For logged in user" column makes sense to me. I assumed the "Result" column was for the student I selected to view. I have a variable cu_duo_AllowedToManage. I just assumed it would be false in this case for the student record. (edited)

 

 

10:55
To be clear, if I login as the student, they do not have any special privileges, it just seems to me the manager page is incorrectly showing the state of that variable for some reason.
10:55
Or I'm misinterpreting something in the config.

Chris Hyzer 10:59 AM
you need to look at result and "for logged in user". so the result in the first two are for the user you are looking it, and the last two are for you. you can make another var for the non logged in user for manager if you want... just want to show all variables there, and some of them are for who is logged in...
10:59
some are for who is being searched

Erik Coleman 11:21 AM
Gotcha, so it's not as simple as looking at that column for the searched user, probably not necessary to fuss with another variable in my case but I think I understand. Perhaps in future if you can notate somehow those special variables to say that it applies to logged-in user and not the searched user.

Chris Hyzer 11:26 AM
its in the right column, it says for logged in user Yes :slightly_smiling_face: or do you mean make it more obvious? :slightly_smiling_face:

Erik Coleman 11:28 AM
I mean make it more obvious that that last 2 apply to me, and the others apply to the searched user. I see someone like our help desk getting confused about that.
11:28
And yes perhaps just a wording difference will suffice






[GRP-2987] Visualization for Privileges Created: 14/Oct/20  Updated: 14/Oct/20

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful to be able to visualize and through the privileges that a Grouper access control policy has over other grouper objects.

Displaying:
   Starting group
   Other objects that have it as a permission (and what permission they have over that object)
       folders, groups, attributeDef, localEntities (any grouper object )
   Folder that have this group in Inherited Privileges for child objects.
   Maybe (optionally include members of the Access Control Group in the visual report)

It would be helpful if that "picture" could also be created as a "Report" as well.






[GRP-2984] Allow a configuration option on a Member to alter the subject that is given "Admin" privileges on objects they create. Created: 13/Oct/20  Updated: 13/Oct/20

Status: Open
Project: Grouper
Component/s: API, UI, WS
Affects Version/s: 2.5.35
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently:

                When a Subject creates an object in Grouper the system currently assigns "Admin" privileges to that subject if they do not already get "Admin" from inherited privileges to the new object.

 

Proposed:

                It would be helpful, for many use cases, if a Member ( Grouper local cache of the Subject ) could have a configuration that would request that a different Subject be used instead of themselves.

               

                This would be effective with or without Inherited Privileges and should be used drive towards a "group" instead of a "person" being privileged to all objects.

 

Example cases:

                Subject is an "Admin" of a single application in Grouper.

                A WebService account (acting on behalf of a connected application/service)

 

                All things they create should default to being owned by a group (Subject) that manages that application instead of the direct subject that created the object.

 

It would also be helpful if this could be a "list" of values for users who manage more than one application in Grouper. (A "default" could be identified for a Member too.)

                The UI could default to the default value and allow the user to select from the list of configured values before/during the create process.

                WS could allow the user to supply a value during create or use the configured default value.

 

It would also be helpful if the default value could be selected based on "location in Grouper" too. (An attribute on a parent stem could help with the selection of the correct value for a Subject. )






[GRP-582] sync set tables Created: 18/Mar/11  Updated: 12/Oct/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: HEAD

Type: New Feature Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Should there be a script or loader job to sync the set tables in case they get out of sync?



 Comments   
Comment by Shilen Patel (duke.edu) [ 16/Oct/19 ]

This has come up again.  Currently thinking that the bad membership finder should sync all set tables.

Comment by Chris Hyzer (upenn.edu) [ 12/Oct/20 ]

https://github.com/Internet2/grouper/blob/GROUPER_2_5_BRANCH/grouper/src/grouper/edu/internet2/middleware/grouper/misc/SyncStemSets.java





[GRP-2977] allow status diagnostic types to be specified by url and not param Created: 07/Oct/20  Updated: 07/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

some load balancers can do question marks






[GRP-2972] grouper loader tab when no admin group gives stack Created: 05/Oct/20  Updated: 05/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2971] daemons should have descriptive comments Created: 03/Oct/20  Updated: 03/Oct/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

the list is confusing.  comments should be searchable






[GRP-2970] Loader exemption to fail-safe Created: 02/Oct/20  Updated: 02/Oct/20

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Justin Robinson (iu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When a fail-safe is set, it applies generally to all groups meeting the min criteria. Some loaders have an expectation to completely replace members on a regular cycle. In these cases, the threshold is tripped and changes do not flow through. The threshold check has performed flawlessly, but the resulting membership will not get updated until an administrator lets it through.

For these cases it would be ideal to have a mechanism where a loader can be exempted from fail-safe checks.






[GRP-2967] When exporting config files, do export passwords that are expression language Created: 26/Sep/20  Updated: 26/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When exporting config files, do export passwords that are expression language






[GRP-2966] Change enable/disable groups to just act on memberships Created: 24/Sep/20  Updated: 24/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   
  • No longer send group delete/add events to change log
  • No longer run hooks for group delete/add
  • No longer disable attribute assignments
  • No longer make certain queries not return the group if disabled

The idea is that the only impact on a disabled group is that the memberships on the group are disabled.

This would still send a change log event for the group being disabled/enabled and consumers can do something with that if they choose.






[GRP-2965] Attestation should optionally disable Memberships that are not attested after a grace period Created: 24/Sep/20  Updated: 24/Sep/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Attestation should have a second "time frame" for "how long a membership should stay active after it requires attestation.

 

Example:

Group needs attestation on 2020/09/01.

Group is configured with a "attestation membership grace period" of "15"  "days". ( would like to have optional units of ( "hours", "Days", "Months", "Years" ). And value ranges that start at a value of "zero" (numeric value).

When the group is marked "needs attestation" then the Membership disable date should be set to "now"+ "attestation grace period". And ( special case ) if "attestation grace period" = "zero" then disable the Memberships now.

When a group is attested and ( there is a membership grace period value in the attestation and the disable Membership date matches the date set by that math ) then clear the disable date for those memberships.
    NOTE: I am trying to only clear the date when it was auto set by attestation. And avoid cleaning it if it was manually altered/set by other processes.

I also noted a comment in the 2020/02/19 Group Call minutes that said this:
"

  • Shilen, disable groups, there is a fix needed
  • If you disable a group it disables every membership including privileges
  • If not a Grouper admin and you disable group, you won’t be able to re-enable
  • Probably Admin Privileges should not be removed

"

Please make sure that those users that can "attest" the group can continue to "attest a disabled group too". ( So they can "get it to be re-enabled" the memberships that were disabled by the grace period expiration. ) [ Or maybe that should be an additional option in the attestation feature? to Allow/Deny that function on "attestation of a disabled group"? ]



 Comments   
Comment by Carey Black (osu.edu) [ 24/Sep/20 ]

Note: It might also be useful to have attestation work on an individual Membership level instead of at the group level. ( So each Membership might have its own attestation date for the group. )





[GRP-2964] UI Config not sorting all values properly... Created: 23/Sep/20  Updated: 23/Sep/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.35
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File 2020-09-23_leftOutSome_otherJob_keys.png    

 Description   

"Other jobs" section does not  list all keys starting with "otherJob.". Some are left for the "Remaining config" section.






[GRP-2962] remove tomee ROOT directory Created: 23/Sep/20  Updated: 23/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

/opt/tomee/webapps/ROOT






[GRP-2957] grouper running as tomcat user has apache error on startup Created: 21/Sep/20  Updated: 21/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Carey Black (osu.edu)

 Description   

Carey Black  10:01 AM
RE: 2.5.35
  I don't normally pay any attention to the docker startup logs... ( So @Chad Redman thanks for reminding me to go read those too...)I see some odd things too... ( 2.5.35 is only in my test ENV right now...)I have apache "turned off"...  "GROUPER_RUN_APACHE=false"
grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_storeEnvVars) End store env vars in /opt/grouper/grouperEnv.sh
cp: cannot create regular file '/etc/httpd/conf/httpd.conf.pre_noindexes': Permission denied
grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_indexes) cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.pre_noindexes , result=1






[GRP-2956] Add user audit when enabling/disabling daemon jobs Created: 16/Sep/20  Updated: 17/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Also document everything that's audited on the wiki?



 Comments   
Comment by Carey Black (osu.edu) [ 16/Sep/20 ]

Maybe you could move it to a Grouper Attribute on the group? ( That is already audited by default and would get PIT data in place too.... )





[GRP-1825] descriptions of folders/groups/attributes/etc should format somehow Created: 15/Jun/18  Updated: 16/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

maybe replace newlines with br's?  or if there are newlines then preformatted?  not sure



 Comments   
Comment by mchyzer [ 15/Jun/18 ]

maybe have a better way to document folders

Comment by Richard Frovarp (ndsu.edu) [ 16/Sep/20 ]

This would be nice to have. The top of the description can be less technical. The lines below that could be more technical for various audiences reviewing. As mentioned in Slack, some more powerful processing options would be nice. Instead of just saying: Grants access to Bedework, one could turn that into a link to Bedework.





[GRP-2853] groovy gsh NPE Created: 22/Jun/20  Updated: 15/Sep/20

Status: Open
Project: Grouper
Component/s: gsh
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Francesco Malvezzi (unimore.it) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Linux grouper22 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-1~deb9u1-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)



 Description   

After upgrading to grouper-2.4 from grouper-2.3 groovy gsh is stuck with:

 

$ sudo rlwrap ./bin/gsh.sh
Detected Grouper directory structure 'api' (valid is api or webapp)
Using GROUPER_HOME: /opt/grouper.apiBinary-2.2.2
Using GROUPER_CONF: /opt/grouper.apiBinary-2.2.2/conf
Using JAVA: java
Using CLASSPATH: /opt/grouper.apiBinary-2.2.2/conf:/opt/grouper.apiBinary-2.2.2/dist/lib/grouper.jar:/opt/grouper.apiBinary-2.2.2/lib/grouper/*:/opt/grouper.apiBinary-2.2.2/lib/custom/*:/opt/grouper.apiBinary-2.2.2/lib/jdbcSamples/*:/opt/grouper.apiBinary-2.2.2/lib/ant/*:/opt/grouper.apiBinary-2.2.2/lib/test/*:/opt/grouper.apiBinary-2.2.2/dist/lib/test/*:/opt/grouper.apiBinary-2.2.2/src/resources
using MEMORY: 64m-750m
Grouper starting up: version: 2.4.0, build date: 2018/08/23 07:48:38, env: <no label configured>
grouperPatchStatus read from: /opt/grouper.apiBinary-2.2.2/grouperPatchStatus.properties
api patches installed: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96
grouper.properties read from: /opt/grouper.apiBinary-2.2.2/conf/grouper.properties
Grouper current directory is: /opt/grouper.apiBinary-2.2.2
log4j.properties read from: /opt/grouper.apiBinary-2.2.2/conf/log4j.properties
Grouper logs are not using log4j: class org.apache.commons.logging.impl.SLF4JLocationAwareLog
grouper.hibernate.properties: /opt/grouper.apiBinary-2.2.2/conf/grouper.hibernate.properties
grouper.hibernate.properties: grouper22@jdbc:oracle:thin:@oracle10g.dmz-int.unimo.it:1521:orasia
subject.properties read from: /opt/grouper.apiBinary-2.2.2/conf/subject.properties
sources configured in: subject.properties
subject.properties groupersource id: g:gsa
subject.properties groupersource id: grouperEntities
subject.properties ldap source id: unimore: personLdap
Subject API error: error with subject source id: unimore, name: LdapSourceAdapter, problem with getSubject by identifier, in subject.properties: serachType searchSubjectByIdentifier: , edu.internet2.middleware.subject.SourceUnavailableException: Ldap Exception: Problem with ldap conection: personLdap,
Error querying ldap server id: personLdap, searchDn: ou=people,dc=unimore,dc=it, filter: '(&(uid=grouperTestSubjectByIdentifierOnStartupASDFGHJ)(objectclass=unimoreAccount))', returning attributes: [Ljava.lang.String;@6eed46e9
 at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(LdapSourceAdapter.java:541)
 at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResults(LdapSourceAdapter.java:433)
 at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapUnique(LdapSourceAdapter.java:562)
 at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getSubjectByIdentifier(LdapSourceAdapter.java:236)
 at edu.internet2.middleware.subject.SubjectCheckConfig.checkConfig(SubjectCheckConfig.java:125)
 at edu.internet2.middleware.grouper.misc.GrouperCheckConfig$1.callback(GrouperCheckConfig.java:510)
 at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:974)
 at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:506)
 at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:315)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:157)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)
Caused by: java.lang.RuntimeException: Problem with ldap conection: personLdap,
Error querying ldap server id: personLdap, searchDn: ou=people,dc=unimore,dc=it, filter: '(&(uid=grouperTestSubjectByIdentifierOnStartupASDFGHJ)(objectclass=unimoreAccount))', returning attributes: [Ljava.lang.String;@6eed46e9
 at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:381)
 at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.list(LdaptiveSessionImpl.java:601)
 at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(LdapSourceAdapter.java:538)
 ... 10 more
Caused by: [org.ldaptive.LdapException@469391891::resultCode=NO_SUCH_OBJECT, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=people,dc=unimore,dc=it', providerException=javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=people,dc=unimore,dc=it']
 at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
 at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
 at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741)
 at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463)
 at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103)
 at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85)
 at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15)
 at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126)
 at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl$3.callback(LdaptiveSessionImpl.java:648)
 at edu.internet2.middleware.grouper.ldap.ldaptive.LdaptiveSessionImpl.callbackLdapSession(LdaptiveSessionImpl.java:375)
 ... 12 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=people,dc=unimore,dc=it'
 at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3179)
 at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
 at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
 at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
 at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
 at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
 at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.search(JndiConnection.java:806)
 at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:735)
 ... 19 more
Type help() for instructions
Exception in thread "main" java.lang.NullPointerException
 at edu.internet2.middleware.grouper.app.gsh.GrouperShell.grouperShellHelper(GrouperShell.java:257)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:168)
 at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)

 

By adding "gsh.useLegacy = true" in grouper.properties it works.

1) how to specify subjectIdToFindOnCheckConfig to avoid the stacktrace on startup?

2) which configuration files would you need to figure out the NPE?

 

thank you,

 

Francesco Malvezzi

 

 



 Comments   
Comment by Francesco Malvezzi (unimore.it) [ 29/Jun/20 ]

the stacktrace at startup was a mistake in the searchbase.

The correct way to specify the findSubjectByIdentifierOnCheckConfig

param in subject.properties is:

subjectApi.source.example.param.findSubjectByIdentifierOnCheckConfig.value = false

(if your LDAP source is name example).

 

Unfortunately, after fixing the startup issues, the groovish gsh still exits with:

**

Type help() for instructions
Exception in thread "main" java.lang.NullPointerException
        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.grouperShellHelper(GrouperShell.java:257)
        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:168)
        at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)

 
the logs don't show up anything at all.
 

 

Comment by Francesco Malvezzi (unimore.it) [ 15/Sep/20 ]

Please feel free to close this issue. Just moving forward to grouper-2.5.33 solved my problems. Maybe an unclean environment was to be blamed.





[GRP-2953] UI for attribute assignments on attributes should "pad" in a column for "Group" to keep the values and columns alligned Created: 09/Sep/20  Updated: 09/Sep/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File 2020-09-09_2.5.29.attr_assignment_on_assignment_with_values.png    

 Description   

The "Attribute Assignments" table that is show when assigning attributes to a Membership needs a bit of padding/spacing to make it make sense.

 

The "Enabled?" column sometimes has the "Assignment values" because there is no "Group" value for some rows.






[GRP-2952] Improve performance of object types on new stem/group create Created: 09/Sep/20  Updated: 09/Sep/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.33
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When creating a new stem or group, the object type logic is a performance hit that is noticeable on slower networks. On object creation, the logic looks through the tree of parent stems to see if there are any object types to copy to the new object. However, it does this by looping through each of the object types, for each of the stems. Each time, it does a lookup on the object type attributeDefs, which is cached, but still called potentially hundreds of times. Even when it's cached, it still goes through privilege checking to make sure the user has access to it.

This could be improved by:

  • scanning all the parent stems for any object type assignment, rather than looping through all the object types and seeing if any parent has it
  • doing all the object types in one pass, rather than looping each one and performing the same logic
  • caching the object def and names in local variables so it doesn't need to repeatedly look them up
  • using secure versions of lookups, since privileges should not be checked when copying an object type from a parent stem ( ? )





[GRP-2950] ddl deep check does not add views Created: 04/Sep/20  Updated: 04/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey Crawford 1:39 PM
maybe table locking, so only one node wins? Like I said before only prod did this, our sandbox, (Well that one only runs two services) but test, and qa didn't have this.
However one thing I think may be a bug is that the views were not included in the ddl from the gsh --registry --deep --check:
RROR: View 'grouper_pit_memberships_lw_v': Missing view.
ERROR: View 'grouper_pit_mship_attr_lw_v': Missing view.
ERROR: View 'grouper_pit_mship_group_lw_v': Missing view.
ERROR: View 'grouper_pit_mship_stem_lw_v': Missing view.
ERROR: View 'grouper_recent_mships_conf_v': Missing view.
ERROR: View 'grouper_recent_mships_load_v': Missing view.
1:40
I had to copy the view decorations from the other environment ( I copied it from our test DB instance)

Jeffrey Crawford 2:04 PM
Hey Chris I have some time to talk if you want more information.

Chris Hyzer 2:10 PM
i think im ok if you are :slightly_smiling_face:

Jeffrey Crawford 2:12 PM
Yes I'm good, just see if you can check the view issue in the deep check.
2:12
please :stuck_out_tongue:

 

 

 

 






[GRP-2946] grouper installer installContainer should chmod o+w on logs dir so container can access in certain envs (e.g. windows wsl) Created: 03/Sep/20  Updated: 03/Sep/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2944] There is a group that is used as a Deny group for 3644 composite groups. I can navigate to the folder with the group. But when I try to "open the group".... the browser "times out" at exactly 60 seconds. Created: 02/Sep/20  Updated: 02/Sep/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I have stumbled into an odd thing in my prod instance.

There is a group that is used as a Deny group for 3644 composite groups. I can navigate to the folder with the group. But when I try to "open the group".... the browser "times out" at exactly 60 seconds.  NOTE:  I believe there are no members in the group.

Any ideas on how to "fix that"?
 
Yes this is MYSQL... but other such "deny groups" can be displayed... so.....)
 v 2.5.29
LOL.. uh.. yea....
select count from grouper_composites gc where right_factor ="ad5c55b21c184823bbefd140d99aa99e"
– 3644
 

So it tops this query.. 
select right_factor , count from grouper_composites gc group by right_factor ORDER by count DESC
Next one is 1,492
 
I can display the second one on the list.
 So the "fail point" is somewhere between 1492 and 3644 for my env. 
 
( Or there is something else wrong with that group. )
 
I really don't know what the UI is doing that would be "slower" because the group is used in composites during the display of the group.
 
The group does have some memberships.... 13
select * from grouper_memberships_v gmv where GROUP_ID ="ad5c55b21c184823bbefd140d99aa99e"
4 are "immediate" [other groups]  ( others are effective, all subjects from our "person" subject API )
 
Oh.. strike that... those are all Privileges.... ( LIST_TYPE= "access", LIST_NAME = [ "admins", "readers", "updaters" ] )No "members" list.






[GRP-2845] JDBCSourceAdapter2 and getSubjectIdentifierAttributesAll breaks subject cache Created: 11/Jun/20  Updated: 26/Aug/20

Status: Open
Project: Grouper
Component/s: subject API
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Zachary Hanson-hart Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

master branch on gitlab, 2.5.29 image, presumably previous versions as well.


Attachments: Text File [GRP-2845].patch    

 Description   

The JDBCSourceAdapter2 falls back to the JDBCSourceAdapter implementation of getSubjectIdentifierAttributesAll, which uses config parameters that aren't loaded by JDBCSourceAdapter2, resulting in getSubjectIdentifierAttributesAll to always only return the subject ID. This causes problems in the subject cache leading to errors like:

In subject source: personSource the identifier: 'xxxx' can find subject: 'yyyy', but the attribute for that identifier is not configured in the subject source. In order for caching to be effective, please list all identifier attributes in the subject source. You can configure to suppress this log message in subject config.

For the JDBCSourceAdapter2, there is no way for this to be accomplished with the current code. Implementing getSubjectIdentifierAttributesAll for the jdbc2 adapter is easy, so I'll implement and submit a PR on gitlab.



 Comments   
Comment by Jonathan Johnson (unicon.net) [ 26/Aug/20 ]

For some reason, my PR attempts are giving me line ending problems. I've attached the patch





[GRP-2939] PITAttributeDefFinder method symmetry broken compared to AttributeDefFinder Created: 20/Aug/20  Updated: 20/Aug/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

PITAttributeDefFinder

  has 6 methods

AttributeDefFinder
  has 23 methods

 

I was specifically working on a changeLogConsumer and wanted to use

PITAttributeDefFinder.findByNameAsRoot(...)   But it does not exist.

Maybe there was a shift in how these "Finders" were intended to be used but all the Finders did not get the same attention?






[GRP-2936] delete large group can cause errors Created: 17/Aug/20  Updated: 17/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 2020-08-17 15:18:26,234: [Thread-38] INFO  EventLog.info(156) -  - [bf382128e19c43d7b508fd25cafda6e5,'IDM800047602','person'] delete group: 'OSU:WebLoginService:d91d059d92c7ccfc3185420a5f8aceff0ed8d99c:ref:kmdcust:kmdata-1588-reporting-health-sciences-library' (1697ms)
2020-08-17 15:27:22,313: [Thread-39] ERROR UiV2Stem$4.run(2247) -  - Error obliterating folder: 'OSU:WebLoginService:d91d059d92c7ccfc3185420a5f8aceff0ed8d99c:ref:kmdcust'
edu.internet2.middleware.grouper.exception.GroupDeleteException: Problem in HibernateSession: HibernateSession (43c01472): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Exception in list: (class edu.internet2.middleware.grouper.Composite), ByHqlStatic, query: 'select c from Composite as c, GroupSet as gs, Field as f where gs.memberGroupId = :group and ( c.leftFactorUuid = gs.ownerGroupId or c.rightFactorUuid = gs.ownerGroupId ) and gs.fieldId = f.uuid and gs.fieldId = :field', cacheable: false, cacheRegion: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3CompositeDAO.findAsFactorOrHasMemberOfFactor, tx type: null, tx type: nullBind var[0]: 'Param (class java.lang.String): 'group'->'ed42feeffc7e46b6ae70ebc846ba2592'Bind var[1]: 'Param (class java.lang.String): 'field'->'6142a7efff744cfd8a9dae4058c5d64b', ,
Exception in delete: edu.internet2.middleware.grouper.Membership, edu.internet2.middleware.grouper.hibernate.ByObject@7270790a,
Problem in HibernateSession: HibernateSession (7c1bdf16): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Exception in delete: edu.internet2.middleware.grouper.Membership, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: ImmediateMembershipEntry, tx type: null,
Problem in HibernateSession: HibernateSession (4657063e): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Problem in HibernateSession: HibernateSession (4cf9cafe): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66), stem name: OSU:WebLoginService:d91d059d92c7ccfc3185420a5f8aceff0ed8d99c:ref:kmdcust:kmdata-1430-system-reporting-–-all-osu, group extension: kmdata-1430-system-reporting-–-all-osu, group dExtension: Reporting – All OSU, uuid: ed42feeffc7e46b6ae70ebc846ba2592, ,
Problem in HibernateSession: HibernateSession (63abdaa8): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (1b980f66)
        at edu.internet2.middleware.grouper.Group$6.callback(Group.java:2076)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.Group.delete(Group.java:1975)
        at edu.internet2.middleware.grouper.Stem.deleteGroups(Stem.java:5522)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem.stemDeleteSubmitHelper(UiV2Stem.java:2327)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Stem$4.run(UiV2Stem.java:2242)
        at java.lang.Thread.run(Thread.java:748)
Caused by: edu.internet2.middleware.grouper.internal.dao.GrouperDAOException: Problem in HibernateSession: HibernateSession (43c01472): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Exception in list: (class edu.internet2.middleware.grouper.Composite), ByHqlStatic, query: 'select c from Composite as c, GroupSet as gs, Field as f where gs.memberGroupId = :group and ( c.leftFactorUuid = gs.ownerGroupId or c.rightFactorUuid = gs.ownerGroupId ) and gs.fieldId = f.uuid and gs.fieldId = :field', cacheable: false, cacheRegion: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3CompositeDAO.findAsFactorOrHasMemberOfFactor, tx type: null, tx type: nullBind var[0]: 'Param (class java.lang.String): 'group'->'ed42feeffc7e46b6ae70ebc846ba2592'Bind var[1]: 'Param (class java.lang.String): 'field'->'6142a7efff744cfd8a9dae4058c5d64b', ,
Exception in delete: edu.internet2.middleware.grouper.Membership, edu.internet2.middleware.grouper.hibernate.ByObject@7270790a,
Problem in HibernateSession: HibernateSession (7c1bdf16): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Exception in delete: edu.internet2.middleware.grouper.Membership, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: ImmediateMembershipEntry, tx type: null,
Problem in HibernateSession: HibernateSession (4657063e): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66),
Problem in HibernateSession: HibernateSession (4cf9cafe): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (1b980f66)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession._internal_hibernateSessionCatch(HibernateSession.java:591)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:713)
        at edu.internet2.middleware.grouper.hibernate.ByHqlStatic.list(ByHqlStatic.java:407)
        at edu.internet2.middleware.grouper.hibernate.ByHqlStatic.listSet(ByHqlStatic.java:458)
        at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3CompositeDAO.findAsFactorOrHasMemberOfFactor(Hib3CompositeDAO.java:78)
        at edu.internet2.middleware.grouper.Membership.processPostMembershipDelete(Membership.java:2116)
        at edu.internet2.middleware.grouper.Membership.onPostDelete(Membership.java:2006)
        at edu.internet2.middleware.grouper.hibernate.ByObject.delete(ByObject.java:126)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic$10.callback(ByObjectStatic.java:675)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.hibernate.ByObjectStatic.delete(ByObjectStatic.java:662)
        at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO.delete(Hib3MembershipDAO.java:2247)
        at edu.internet2.middleware.grouper.Membership$2$1.callback(Membership.java:580)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1024)
        at edu.internet2.middleware.grouper.Membership$2.callback(Membership.java:570)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.Membership.delete(Membership.java:564)
        at edu.internet2.middleware.grouper.Membership$3.callback(Membership.java:1458)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        at edu.internet2.middleware.grouper.Membership.internal_deleteAllField(Membership.java:1437)
        at edu.internet2.middleware.grouper.Membership.internal_deleteAllFieldType(Membership.java:1544)
        at edu.internet2.middleware.grouper.Group$6$1.callback(Group.java:2015)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
        at edu.internet2.middleware.grouper.GrouperSession.internal_callbackRootGrouperSession(GrouperSession.java:1024)
        at edu.internet2.middleware.grouper.Group$6.callback(Group.java:2011)
        ... 6 more
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute batch
        at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:524)
        at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
        at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:119)
        at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.doExecuteBatch(BatchingBatch.java:97)
        at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.execute(AbstractBatchImpl.java:147)
        at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.executeBatch(JdbcCoordinatorImpl.java:214)
        at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:611)
        at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:456)
        at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
        at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
        at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
        at edu.internet2.middleware.grouper.hibernate.HibUtils.evict(HibUtils.java:536)
        at edu.internet2.middleware.grouper.hibernate.HibUtils.evict(HibUtils.java:471)
        at edu.internet2.middleware.grouper.hibernate.HibUtils.evict(HibUtils.java:450)
        at edu.internet2.middleware.grouper.hibernate.ByHql.list(ByHql.java:382)
        at edu.internet2.middleware.grouper.hibernate.ByHqlStatic$2.callback(ByHqlStatic.java:417)
        at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
        ... 30 more
Caused by: java.sql.BatchUpdateException: Lock wait timeout exceeded; try restarting transaction
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
        at com.mysql.jdbc.Util.getInstance(Util.java:408)
        at com.mysql.jdbc.SQLError.createBatchUpdateException(SQLError.java:1163)
        at com.mysql.jdbc.PreparedStatement.executeBatchSerially(PreparedStatement.java:1778)
        at com.mysql.jdbc.PreparedStatement.executeBatchInternal(PreparedStatement.java:1262)
        at com.mysql.jdbc.StatementImpl.executeBatch(StatementImpl.java:970)
        at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(NewProxyPreparedStatement.java:2544)
        at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:110)
        ... 44 more
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
        at com.mysql.jdbc.Util.getInstance(Util.java:408)
        at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:952)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3973)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3909)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2527)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2680)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484)
        at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1858)
        at com.mysql.jdbc.PreparedStatement.executeUpdateInternal(PreparedStatement.java:2079)
        at com.mysql.jdbc.PreparedStatement.executeBatchSerially(PreparedStatement.java:1756)
        ... 48 more 






[GRP-2931] add allowedRequestAttributesPattern to ajp connector Created: 10/Aug/20  Updated: 10/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 

allowedRequestAttributesPattern=".*"

{{}}

https://serverfault.com/questions/1005548/getting-error-403-with-tomcat-7-0-100-and-apache-server-2-4-when-using-secret{{}}






[GRP-2927] Nesting privilege sets of groups ( instead of members of a group ) Created: 08/Aug/20  Updated: 08/Aug/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

A new feature that would open up many more possibilities with Grouper:
   Allow a Privilege set of a group to be added as "members of another group".

Sometimes it is useful to be able to add "Admins of Group X" to another group. However, the only current way to achieve that is to only have "one group that is admin" on "Group X" and then to add that group. 

However, if a Group's membership in another group could be of a flavor like:
    Members
    or 
    A privilege value of the group ( AKA: Admin, Updater, Read, View, Opt-in, Opt-out, etc...)

Then as the "updaters" are added to via normal Grouper Privilege management on the group the right access controls would continue to flow for the "updaters".






[GRP-2925] recent memberships should not use a view which is built on top of another view Created: 07/Aug/20  Updated: 07/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

mysql doesnt like that






[GRP-2924] add tomee option in container for address to listen on Created: 07/Aug/20  Updated: 07/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

in server.xml address=""






[GRP-2923] deleting folder in ui can crash container Created: 05/Aug/20  Updated: 05/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Zachary Hanson-Hart
Running 2.5.29 when deleting a folder with dozens of groups with many users (up to 800k) through the UI, the UI pod stops working.  Sometimes there's a heap OOM error, sometimes no errors just the shib sp restarting over and over.  The service does not respond.  I've given the following environment variables.
env:

  • name: MEM_START
    value: 512m
  • name: MEM_MAX
    value: 3072m
  • name: GROUPER_MAX_MEMORY
    value: 3g
    Is anyone else running into a UI that stops working?  Why would this consume RAM on the UI container?





[GRP-2835] automate CSV group load Created: 02/Jun/20  Updated: 04/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Tommy Doan Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Can group load from CSV be automated? That could be helpful for us, and save having to setup an ETL job through a different team to load the data into a database first.



 Comments   
Comment by Chad Redman (unc.edu) [ 04/Aug/20 ]

Take a look at the Wiki page at https://spaces.at.internet2.edu/display/Grouper/Grouper+loader+with+CSV+data+sources. The csvjdbc driver in particular is easy to set up and works well with simple queries. This does work as a grouper-loader connection, so that loader jobs can be used against specific csv files within a single folder defined in the connection. All you need to do is add the csvjdbc jar to the libraries and set up the connection. You can try it with gsh first, to confirm whether it will work with the queries you want.





[GRP-2919] Support assigning Azure Administrative Unit in group creation Created: 04/Aug/20  Updated: 04/Aug/20

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently in public preview, Azure AD supports the concept of groups being assigned to administrative units, a means to assign administrative control. We would like to be able to delegate Grouper's control of groups using this method, rather than have full Group read/write role in the entire tenant (a security recommendation). We basically need another changelog consumer parameter to specify an administrative unit (perhaps by ID), which then could be used after creating the group to assign the administrative ID to a group.  In Microsoft Graph, the operation would be like this: 

{{Http request POST /administrativeUnits/{Admin Unit id}/members/$ref }}

{{Request body { "@odata.id":"https://graph.microsoft.com/beta/groups/

{id}

" }}}

 






[GRP-2917] add zoom user deprovisioning Created: 03/Aug/20  Updated: 03/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2916] add zoom loader for user types Created: 03/Aug/20  Updated: 03/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2915] add zoom loader for roles Created: 03/Aug/20  Updated: 03/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2914] add zoom loader for groups Created: 03/Aug/20  Updated: 03/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2913] jdbc source adapters cant have more than one subject identifier to cache Created: 03/Aug/20  Updated: 03/Aug/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2904] addSubjectAttributes not seen in attribute messages Created: 28/Jul/20  Updated: 28/Jul/20

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.5.32
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

containers



 Description   

i have a desire to show the subjectId of an attribute assignment in messages sent. I have set “changeLog.consumer.rabbit.publisher.addSubjectAttributes = netId” but I do not see the netId from my subject source in these messages. I have confirmed I see netId in membership messages.






[GRP-2902] add helper views for custom ui for membership analysis Created: 26/Jul/20  Updated: 26/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

create or replace view penn_membership_analysis1_v as
select gg.id as group_id, gg.name as group_name, gg.extension as group_extension, 
gg.display_extension as group_display_extension, gm.id as member_id, gm.subject_id, gm.subject_source as subject_source_id,
case when exists 
  (select 1 from grouper_memberships_lw_v gmlv where gmlv.group_id = gg.id and gmlv.member_id = gm.id and gmlv.list_name = 'members')
  then 'T'
  else 'F'
  end as is_user,
  (select min(ppmlv.the_start_time/1000000) from grouper_pit_groups gpg, penn_pit_memberships_lw_v ppmlv, grouper_pit_members gpm, grouper_pit_fields gpf
where gpg.id = ppmlv.owner_group_id and gpg.source_id = gg.id and ppmlv.member_id = gpm.id
and gpm.source_id = gm.id and gpf.name = 'members' and gpf.id = ppmlv.field_id and ppmlv.the_active = 'T')
  as user_start_secs_since_1970,
case when exists
  (select 1 from grouper_pit_groups gpg, penn_pit_memberships_lw_v ppmlv, grouper_pit_members gpm, grouper_pit_fields gpf
where gpg.id = ppmlv.owner_group_id and gpg.source_id = gg.id and ppmlv.member_id = gpm.id
and gpm.source_id = gm.id and gpf.name = 'members' and gpf.id = ppmlv.field_id)
  then 'T'
  else 'F'
  end as has_been_in_group,
    (select max(ppmlv.the_end_time/1000000) from grouper_pit_groups gpg, penn_pit_memberships_lw_v ppmlv, grouper_pit_members gpm, grouper_pit_fields gpf
where gpg.id = ppmlv.owner_group_id and gpg.source_id = gg.id and ppmlv.member_id = gpm.id
and gpm.source_id = gm.id and gpf.name = 'members' and gpf.id = ppmlv.field_id)
  as user_end_secs_since_1970
from grouper_members gm, grouper_groups gg 

 

Audit memberships

create or replace view penn_audit_add_membership_v as
select gm_user_using_grouper.name as user_using_grouper_name, to_timestamp(gaev.audit_entry_last_updated/1000) as the_timestamp,
gm_acted_on.subject_id as user_acted_on_subject_id, gaev.string07 as group_name, gaev.string06 as group_id,
gm_acted_on.name as user_acted_on_name, gm_acted_on.id as user_acted_on_member_id, gm_acted_on.subject_source as user_acted_on_subject_source_id,
gm_user_using_grouper.id as user_using_grouper_member_id, gm_user_using_grouper.subject_id as user_using_grouper_subject_id,
gm_user_using_grouper.subject_source as user_using_grouper_subject_source
from grouper_audit_entry_v gaev, grouper_members gm_acted_on, grouper_members gm_user_using_grouper
where gaev.audit_category = 'membership' and gaev.action_name = 'addGroupMembership'
and gaev.string03 = 'members' 
and gaev.string04 = gm_acted_on.id and gaev.logged_in_member_id = gm_user_using_grouper.id; 

 

mship help

create or replace view penn_custom_ui_mships_help_v as
select group_id, group_name, group_extension, group_display_extension,
member_id, subject_id, subject_source_id, is_user,
user_start_secs_since_1970, has_been_in_group, user_end_secs_since_1970,
case when user_start_secs_since_1970 is null then 'F'
when (extract(EPOCH from clock_timestamp()) - user_start_secs_since_1970/60)>30 then 'T'
else 'F'
end as is_user_for_30_min,
to_timestamp(user_start_secs_since_1970) user_start_timestamp,
to_timestamp(user_end_secs_since_1970) user_end_timestamp
from penn_membership_analysis1_v
order by lower(group_display_extension); 

 

mship

create or replace view penn_custom_ui_mships_v as
select group_id, group_name, group_extension, group_display_extension,
member_id, subject_id, subject_source_id, is_user,
user_start_secs_since_1970, has_been_in_group, user_end_secs_since_1970,
is_user_for_30_min, user_start_timestamp, user_end_timestamp,
case when is_user = 'T' then
  'User has been in group ' || group_extension || ' since ' || to_char(user_start_timestamp, 'YYYY/MM/DD HH24:MI')
when has_been_in_group = 'T' then
  'User was in group ' || group_extension || ' until ' || to_char(user_end_timestamp, 'YYYY/MM/DD HH24:MI')
else
  'User has never been in group ' || group_extension
end as mship_desc,
case when is_user = 'T' and is_user_for_30_min = 'T' then
  'User has been in group ' || group_extension || ' since ' || to_char(user_start_timestamp, 'YYYY/MM/DD HH24:MI') || ' and is provisioned to WebLogin.'
when is_user = 'T' and is_user_for_30_min != 'T' then
  'User has been in group ' || group_extension || ' since ' || to_char(user_start_timestamp, 'YYYY/MM/DD HH24:MI') || ' and pending provisioning to WebLogin.'
when has_been_in_group = 'T' then
  'User was in group ' || group_extension || ' until ' || to_char(user_end_timestamp, 'YYYY/MM/DD HH24:MI')
else
  'User has never been in group ' || group_extension
end as mship_shib_desc
from penn_custom_ui_mships_help_v;
 

 

imm disabled date

create view penn_imm_mship_disabled_date_v as
select to_char(to_timestamp(immediate_mship_disabled_time/1000),'YYYY/MM/DD HH24:MI') as disabled_time, gg.name as group_name,
gm.subject_source as subject_source_id, gm.subject_id as subject_id
from grouper_memberships_all_v gmav, grouper_groups gg, grouper_fields gf, grouper_members gm
where gmav.owner_group_id = gg.id and gmav.field_id = gf.id and gf.name = 'members'
and gmav.member_id = gm.id and mship_type = 'immediate' 






[GRP-2901] grouper loader in threads does not run as GrouperSysAdmin Created: 23/Jul/20  Updated: 23/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Beth Halsema Today at 10:17 AM
We are running Grouper 2.5.29. And the full stack trace is:
edu.internet2.middleware.subject.SubjectNotFoundException: Subject not
found: 'g:gsa': 'df251773bd594a7286e78f3df87a1337',
Problem in HibernateSession: HibernateSession (3d9cd943): notNew,
notReadonly, READ_WRITE_NEW, activeTransaction, session (563b0606),
Problem in HibernateSession: HibernateSession (6f399f5b): new, notReadonly,
READ_WRITE_NEW, notActiveTransaction, session (563b0606),
Problem saving group:
app:office365:groups:courses:service:ref:AAE_20300_0_1_systemOfRecord,
thread: 5e088747
at
edu.internet2.middleware.grouper.subj.cache.SubjectSourceCache.getSubjectFromCacheOrSource(SubjectSourceCache.java:1261)
at
edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXmlResolver.java:310)
at
edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResolver.java:143)
at
edu.internet2.middleware.grouper.subj.ValidatingResolver.find(ValidatingResolver.java:105)
at
edu.internet2.middleware.grouper.SubjectFinder.findByIdAndSource(SubjectFinder.java:548)
at
edu.internet2.middleware.grouper.SubjectFinder.findByOptionalArgs(SubjectFinder.java:381)
at
edu.internet2.middleware.grouper.SubjectFinder.findByPackedSubjectString(SubjectFinder.java:1369)
at
edu.internet2.middleware.grouper.rules.RuleThenEnum$10.fireRule(RuleThenEnum.java:769)
at
edu.internet2.middleware.grouper.rules.RuleThen.fireRule(RuleThen.java:241)
at
edu.internet2.middleware.grouper.rules.RuleEngine$2.callback(RuleEngine.java:463)
at
edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
at
edu.internet2.middleware.grouper.rules.RuleEngine.fireRule(RuleEngine.java:455)
at edu.internet2.middleware.grouper.Stem$5.callback(Stem.java:2454)
at
edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
at
edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2347)
at
edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2319)
at
edu.internet2.middleware.grouper.Stem.internal_addChildGroup(Stem.java:2301)
at
edu.internet2.middleware.grouper.GroupSave$1$1.callback(GroupSave.java:607)
at
edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
at edu.internet2.middleware.grouper.GroupSave$1.callback(GroupSave.java:498)
at
edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO$1.callback(Hib3TransactionDAO.java:66)
at
edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.java:703)
at
edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO.transactionCallback(Hib3TransactionDAO.java:56)
at
edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:87)
at
edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransaction.java:106)
at edu.internet2.middleware.grouper.GroupSave.save(GroupSave.java:489)
at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.syncOneGroupMembership(GrouperLoaderType.java:2770)
at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.syncGroupLogicForOneGroup(GrouperLoaderType.java:1994)
at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.access$200(GrouperLoaderType.java:119)
at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$13.callLogic(GrouperLoaderType.java:1873)
at
edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$13.callLogic(GrouperLoaderType.java:1863)
at
edu.internet2.middleware.grouper.util.GrouperCallable$1.callback(GrouperCallable.java:203)
at
edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
at
edu.internet2.middleware.grouper.util.GrouperCallable.callLogicWithSessionIfExists(GrouperCallable.java:200)
at
edu.internet2.middleware.grouper.util.GrouperCallable.call(GrouperCallable.java:166)
at java.util.concurrent.FutureTask.run(FutureTask.java:

 

3 replies

Chris Hyzer 5 minutes ago
when you select * from grouper_groups where id = 'df251773bd594a7286e78f3df87a1337' you get the group: security:coursesReaders, right?

Beth Halsema 2 minutes ago
This ID and error are following are addition of GrouperSysAdmin to the coursesAdmins group. This ID is associated with the coursesUpdaters group. Which is referenced in the rule in the service folder.

 

 

you dont have to add GrouperSysAdmin to any of those groups, this is a bug. We can fix this in the next release. As a workaround set grouper-loader.properties

loader.use.groupThreads = false

Beth Halsema 2 minutes ago
When we didn't add GrouperSysAdmin to the coursesAdmins group, the error was associated with the ID for the coursesReaders group.






[GRP-2900] ChangeLogEvent should be able to get to AuditEntry that created it. Created: 22/Jul/20  Updated: 22/Jul/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The edu.internet2.middleware.grouper.changeLog.ChangeLogEntry has the "contextId" value for the action that created the ChangeLogEntry. However, there appears to be no "obvious" way to get the corresponding  edu.internet2.middleware.grouper.audit.AuditEntry.

Maybe the ChangeLogEntry could have a new method ".getAuditEntry()" that would return the indicated AuditEntry object?

It also might be helpful if there were also a generic way to "find AuditEntry object(s)" by only the "contextId" value too.

Maybe the edu.internet2.middleware.grouper.audit.UserAuditQuery should support something like ".addAuditTypeFieldValue("contextid", "xxxxxxx")" or maybe  a list of "contextId" values to build a report specific to a set of contexts?






[GRP-2731] ddl history says 62 instead of 32 Created: 01/May/20  Updated: 22/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.34

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2020/04/30 13:55:49: upgrade Grouper from V31 to V62,



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 04/May/20 ]

not able to reproduce this... maybe it is already fixed?  need to know what version this was going from and to

Comment by Chris Hyzer (upenn.edu) [ 20/May/20 ]

upgrade from 2.4 to reproduce





[GRP-1807] grouper folder names limited to 255 but should be longer Created: 14/May/18  Updated: 22/Jul/20

Status: Reopened
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: 2.5.34

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

 

 

From: Rory Larson rlarson1@unl.edu
Sent: Friday, May 11, 2018 9:49 PM
To: Hyzer, Chris <mchyzer@isc.upenn.edu>; grouper-users@internet2.edu
Subject: RE: Grouper name length limits?

 

This is only a demo for now, and certainly I can abbreviate if necessary.  But having to do so seems to defeat the purpose of having a full name.  The project is to build an institutional hierarchy from the top university level down to the bottom-level department or reference group eight or ten levels deep, and some offices/departments/programs tend to have rather lengthy names, since there is no common English word by which to call them.  But I would imagine that political sensitivities might be ruffled if I start chopping the names of people’s favorite departments down to something reasonable.

 

It’s not a huge issue at the moment, but I did want to get a feel for where things stood on this.  Is that a varchar-256 limitation that can’t be made bigger because it would double the size of the database?

 

Thanks,

Rory

 

 

From: Hyzer, Chris <mchyzer@isc.upenn.edu>
Sent: Friday, May 11, 2018 7:29 PM
To: Rory Larson <rlarson1@unl.edu>; grouper-users@internet2.edu
Subject: RE: Grouper name length limits?

 

I Created a 2.2 extension longer than 50…  but yes looks like there is a full name constraint of 256... can you abbreviate somehow?

 

test:x123456789012345678901234567890123456789012345678901234567890:y123456789012345678901234567890123456789012345678901234567890:z123456789012345678901234567890123456789012345678901234567890:a123456789012345678901234567890123456789012345678901234567890

 

 

From: grouper-users-request@internet2.edu [grouper-users-request@internet2.edu] On Behalf Of Rory Larson
Sent: Friday, May 11, 2018 7:26 PM
To: grouper-users@internet2.edu
Subject: [grouper-users] Grouper name length limits?

 

Hello,

 

Using the UI for Grouper 2.2, I'm trying to mock up a fairly deep tree of administrative hierarchy, and it looks like I'm running into limits on name length.  For an immediate folder name, it seems that the entry box cuts you off at 50 characters.  For the fully scoped name, I seem to be hitting a limit of about 250 or 256 characters, beyond which it simply fails to create the folder and gives an error message.

 

I was wondering if anyone would care to comment on this.  Is this an intentional constraint to meet a resource trade-off?  Is it a limit that can be modified locally, or is it baked into Grouper?  Will these limits continue into future versions of Grouper?

 

Thanks,

Rory

 



 Comments   
Comment by mchyzer [ 14/May/18 ]

In order to make this work you need to change the three cols in the grouper_stems table to be 1024 (name, display_name, alternate_name), and if mysql you need to drop and recreate the indexes to be partial indexes since max index size in mysql.  Here is example mysql DDL, though, it might be different in your database.  I generated this with sqlyog.

 

DROP INDEX stem_alternate_name_idx ON grouper_stems;
DROP INDEX stem_displayname_idx ON grouper_stems;
DROP INDEX stem_name_idx ON grouper_stems;
 
ALTER TABLE grouper_stems
CHANGE `name` `name` VARCHAR(1024) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, 
CHANGE `alternate_name` `alternate_name` VARCHAR(1024) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, 
CHANGE `display_name` `display_name` VARCHAR(1024) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL;
 
CREATE INDEX stem_alternate_name_idx ON grouper_stems (alternate_name(255));
CREATE INDEX stem_displayname_idx ON grouper_stems (display_name(255));
CREATE INDEX stem_name_idx ON grouper_stems (NAME(255));

 

Comment by mchyzer [ 14/May/18 ]

you need to set this in the grouper.properties

 

# if you want to change the max size for groups/folders/attributeDefs/attributeDefNames. Note, cant be larger than the
# database column and unicode might take extra chars. i.e. if you want to make it smaller that is fine.
# this is for object name and display name
# the default is 1024 or 900 for SQL server
grouper.groupName.maxSize = 
grouper.nameOfAttributeDef.maxSize = 
grouper.nameOfAttributeDefName.maxSize = 
# default for stem name in 2.3 and before is 255: GRP-1807: grouper folder names limited to 255 but should be longer
grouper.stemName.maxSize =

Comment by mchyzer [ 14/May/18 ]

fixed in patch: grouper_v2_3_0_api_patch_105





[GRP-2329] UI loader job does not select all valid PSPNG ldap configurations Created: 18/Sep/19  Updated: 22/Jul/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: 2.5.34

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

REF:

https://spaces.at.internet2.edu/display/Grouper/Grouper+Provisioning%3A+PSPNG?focusedCommentId=159973496#comment-159973496

"

If you use .ldapUrl, for instance, you can't create an LDAP loader job from the UI. It's looking for ".url" not ".ldapUrl" so the paragraph won't be visible.  Note the pattern on 286 in GrouperLoaderContainer.java. 

"



 Comments   
Comment by Carey Black (osu.edu) [ 22/May/20 ]

I suggest a single consistent set of properties be chosen by the project and that the consistencies include all "target systems". 
   AKA:  "username" , "password" etc... should be used if the target is "LDAP", "SQL", "Messaging", or the next greatest target "frabnuts".





[GRP-2896] driver is not required in database config, or needs more documentation Created: 21/Jul/20  Updated: 21/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2889] grouper installer does not install the container Created: 20/Jul/20  Updated: 20/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

~ $ docker logs gsh

/usr/local/bin/entrypoint.sh: line 14: [: too many arguments

/usr/local/bin/entrypoint.sh: line 22: exec: gsh -registry -check -runscript -noprompt: not found

executing gsh -registry -check -runscript -noprompt






[GRP-2779] review unit tests, can we integrate in test-compose? Created: 10/May/20  Updated: 20/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.31

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hubing (internet2.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Grouper+v2.5+container+unit+tests






[GRP-2885] Configuration UI sorting, grouping and filtering Created: 16/Jul/20  Updated: 16/Jul/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Erik Coleman (illinois.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be more helpful if there was a way to do any of the following in the configuration UI:

(A) Filter only on certain filled-in attributes, such as only those in database, or in .properties file and/or the ability to suppress anything with <NotSet>.

(B) Sort parameters alphabetically. There seems to be randomness in how they are sorted.

(C) Group together all parameters by subclass. ie., changelog.consumer.<consumerID> or subjectAPI.source.<sourceid> params are sometimes together, but some others are way at the bottom of the list, in no particular order. Would be nice to be able to see (or even visually collapse) the list of params specified for a particular subject source. 






[GRP-2883] Subject API backed by local RDMBS cached data Created: 15/Jul/20  Updated: 15/Jul/20

Status: Open
Project: Grouper
Component/s: subject API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jeffrey F Williams: (paraphrase)
I want to  display a user's manager as an attribute when you look them up in Grouper.  I resolve the manager attribute ( from the Subject filter) which is a DN of the manager user object (person), but I'd rather have their displayName from the Manager user object.

Carey Black: 
I have been tempted ( but have not yet enough to actually do it ) to cache the LDAP data into a DB table structure and just refresh the DB tables a few times a day. And flip the LDAP Subject API into a JDBC Subject API.

I would loose the "instant discovery" of hitting the LDAP source directly, but I would gain the ability to stash more attributes too. And in Jeffrey's case, he could create a view that would auto include the Manager details with the "employee" data too. ( Views are really good at join conditions. Ldap filter, not so much. )

@mchyzer  If you want to make an enhancement....  Ready to bump the Subject api from v1 ? 
How about a Subject API that allows you to cache data into Grouper RDBMS tables.
         Such that the subject resolution would check the tables, If the date on the cached data is "to old" (config value for the Subject source) would then fall through and do a "refresh LDAP search" (and update the RDBMS cache) then return results from a configuration driven RDBMS view?  Meaning, update the cache for the subject then go look in a view for the "final answer".  ( I can have all of what I want that way. And so can Jeffrey too!  )






[GRP-2881] simple new LDAP provisioner Created: 10/Jul/20  Updated: 10/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Shilen Patel (duke.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2871] Grouper provisioner configuration UI tasks Created: 03/Jul/20  Updated: 03/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Implement https://spaces.at.internet2.edu/display/Grouper/Grouper+generic+provisioner+UI+tasks






[GRP-2868] add obliterate to stem delete WS Created: 01/Jul/20  Updated: 01/Jul/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Jonathan Stout Today at 2:20 PM
i’m trying to delete a stem and all it’s groups using DELETE - /stems/stem:name, but i’m getting back
deleting stems.edu.internet2.middleware.grouper.exception.StemDeleteException: cannot delete stem with child groups
I see it can be done via the frontend. is there some params i need to pass along?

 

2 replies

Erik Coleman 4 minutes ago
It's been a while, but I used to use the obliterateStem call: obliterateStem(stem name, testOnlyBoolean, deleteFromPointInTimeBoolean) (Grouper v2.0.2+)

Jonathan Stout 3 minutes ago
is there a rest endpoint for that?



 Comments   
Comment by Carey Black (osu.edu) [ 01/Jul/20 ]

Shudder...  The idea of a program going wild and obliterating the wrong thing... Ugh. ( Can that WS be the first one that can be disabled too?  )





[GRP-2867] Show membership create date and who created the membership on the "Edit membership and privileges" sub page Created: 01/Jul/20  Updated: 01/Jul/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It is really hard to find who created a membership and when the membership was created in the UI.

One place it could be surfaced would be the "Edit membership and privileges" sub page.
 ( aka... ?operation=UiV2Membership.editMembership&groupId= ..... )

That page already gets data about the subject ( Unique ID, Email, Name, Description ) and shows any 'Start date' or 'End date' for the membership.

I would like to see the create date and who created the membership as well.

Or it could be added to the group member List in "advanced" mode?






[GRP-2866] show group loader info with different access level Created: 30/Jun/20  Updated: 30/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

(matt) While you are doing docs.... can you answer this question?When I ( wheel ) look at a group populated by a loader job I see:"This group is managed by loader group... It was last fully loaded on Tue Jun 30 15:53:31 EDT 2020. Summary is: total: 95 inserted: 0 deleted: 0 updated: 0"But "normal users" don't see that info?!!     Can that be extended to normal users too?    It appears that you need to be "admin" on the group to see the line of info.
    But it would be useful information to know when a group was last loaded for anyone who has a dependency on the group.
    Maybe that could be changed to ... View?






[GRP-2865] subjectId (not identifier) required in hasMember Created: 30/Jun/20  Updated: 30/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://grouperWs.apps.upenn.edu/grouperWs/servicesRest/v2_4_000/groups/penn%3aisc%3aait%3aapps%3adreamFactory%3aservice%3apolicy%3adreamFactoryActive/members

 

{
"WsRestHasMemberLiteRequest":

{ "subjectIdentifier":"mchyzer" }

}

 

content type: application/json; charset=UTF-8

 

{"WsRestResultProblem":{"resultMetadata":

{"success":"F","resultCode":"EXCEPTION","resultMessage":"Problem with request: uri: /grouper-ws/servicesRest/v2_4_000/groups/penn:isc:ait:apps:dreamFactory:service:policy:dreamFactoryActive/members, method: POST, decoded url strings: 0: 'v2_4_000', 1: 'groups', 2: 'penn:isc:ait:apps:dreamFactory:service:policy:dreamFactoryActive', 3: 'members',\nedu.internet2.middleware.grouper.ws.exceptions.WsInvalidQueryException: The field 'subjectId' is required\n\tat edu.internet2.middleware.grouper.ws.util.GrouperServiceUtils.pickOne(GrouperServiceUtils.java:305)\n\tat edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.hasMemberLite(GrouperServiceRest.java:600)\n\tat edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGetGroup$1.service(GrouperWsRestGetGroup.java:95)\n\tat edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGet$1.service(GrouperWsRestGet.java:125)\n\tat edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$1.service(GrouperRestHttpMethod.java:57)\n\tat edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:202)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:741)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:969)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat edu.upenn.isc.proxyWrapper.ProxyWrapperFilter.doFilter(ProxyWrapperFilter.java:50)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\tat org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.lang.Thread.run(Thread.java:748)"}

,"responseMetadata":{"serverVersion":"2.4.0","millis":"5"}}}






[GRP-2860] group filter should allow ad hoc group that the use can READ Created: 25/Jun/20  Updated: 25/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2859] group filter should have option to not return group objects Created: 25/Jun/20  Updated: 25/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2020-06-25-14-11-42-382.png    

 Description   

the "group filter" in the group membership list to not return group subjects, only non group subjects?  i.e. if someone is deprovisioning, and looks for people not active, and it returns policy groups, then they could accidentally remove the group, know what i mean?  maybe its a training issue and just a point of confusion... but just thinking out loud about a request from a user at penn.  i.e. the three groups in the list below wouldnt show up

can this be an option in config?

 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Jun/20 ]

Comment by Chris Hyzer (upenn.edu) [ 25/Jun/20 ]

i would think option would default to true





[GRP-2858] add rule if enum for if group has membership (immediate or effective) Created: 25/Jun/20  Updated: 25/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

thisGroupHasEnabledMembership

also, what is difference between "thisGroup" or "group"






[GRP-2857] Users with "Create" privileges in a folder can see "Reports" on the "More Actions" button.. .only leads to an error message. "Error: not allowed to administer folder:" Created: 25/Jun/20  Updated: 25/Jun/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When a user with only "Create" privileges on a folder try to use the "Reports" function on the "More Actions" ( menu/button ) the user is given an error of:
         "Error: not allowed to administer folder: ..."

If the user can not use the option, then it should be suppressed from the UI for the user.






[GRP-2854] too many queries when creating group Created: 23/Jun/20  Updated: 23/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File first-jstack.rtf     File second-jstack.rtf    

 Description   

Hi Chris,

I hope you're doing well. We are planning to put Grouper in prod this week, but suddenly started noticing major performance issues in our test env primarily when creating new groups (either individually or as part of a template). For example it takes about 20 sec to create a new empty group (no members) and several minutes to create a new app template structure. Our DBA enabled profiling and says the query (below) is run 3000 times when a new group is created in the UI. I did recently change the subject db connection settings from to the loader.properties file settings you mentioned in the forums and a lot of new groups were created to handle grouper->google provisioning, but those provisioner Google settings are not currently in this env. I have also noticed the following null attribute entries in the INFO logs: Hib3AttributeDefNameDAO.findByIdSecure(160) - - AttributeDefName not found: null.

I tried enabling debug but it was so chatty and I'm really not seeing any errors on the Grouper side at all. Do you have any ideas what might be causing this or tips to point me in the right direction? Thanks for your help!

---- Query running 3,000 times —
select distinct membership0_.membership_id as membersh1_28_0_, membership0_.immediate_membership_id as immediat2_28_0_, membership0_.group_set_id as group_se3_28_0_, member1_.id as id1_26_1_, membership0_.hibernate_version_number as hibernat4_28_0_, membership0_.owner_id as owner_id5_28_0_, membership0_.owner_attr_def_id as owner_at6_28_0_, membership0_.owner_group_id as owner_gr7_28_0_, membership0_.owner_stem_id as owner_st8_28_0_, membership0_.member_id as member_i9_28_0_, membership0_.field_id as field_i10_28_0_, membership0_.immediate_field_id as immedia11_28_0_, membership0_.via_composite_id as via_com12_28_0_, membership0_.membership_creator_id as members13_28_0_, membership0_.membership_create_time as members14_28_0_, membership0_.group_set_creator_id as group_s15_28_0_, membership0_.group_set_create_time as group_s16_28_0_, membership0_.context_id as context17_28_0_, membership0_.group_set_parent_id as group_s18_28_0_, membership0_.via_group_id as via_gro19_28_0_, membership0_.depth as depth20_28_0_, membership0_.mship_type as mship_t21_28_0_, membership0_.immediate_mship_enabled as immedia22_28_0_, membership0_.immediate_mship_enabled_time as immedia23_28_0_, membership0_.immediate_mship_disabled_time as immedia24_28_0_, member1_.hibernate_version_number as hibernat2_26_1_, member1_.subject_id as subject_3_26_1_, member1_.subject_source as subject_4_26_1_, member1_.subject_type as subject_5_26_1_, member1_.context_id as context_6_26_1_, member1_.subject_identifier0 as subject_7_26_1_, member1_.sort_string0 as sort_str8_26_1_, member1_.sort_string1 as sort_str9_26_1_, member1_.sort_string2 as sort_st10_26_1_, member1_.sort_string3 as sort_st11_26_1_, member1_.sort_string4 as sort_st12_26_1_, member1_.search_string0 as search_13_26_1_, member1_.search_string1 as search_14_26_1_, member1_.search_string2 as search_15_26_1_, member1_.search_string3 as search_16_26_1_, member1_.search_string4 as search_17_26_1_, member1_.name as name18_26_1_, member1_.description as descrip19_26_1_ from grouper_memberships_all_v membership0_ cross join grouper_members member1_ cross join grouper_fields field2_ where membership0_.owner_group_id=$1 and membership0_.member_id=$2 and membership0_.field_id=$3 and membership0_.member_id=member1_.id and membership0_.immediate_mship_enabled='T'


Lacey Vickery | Identity & Access Management
UNC Charlotte | Information Technology Services
9201 University City Blvd. | Charlotte, NC 28223
Phone: 704-687-7064 | Office: Kennedy 301-C38
Lacey.Vickery@uncc.edu | https://itservices.uncc.edu






[GRP-2850] grouper ddl when "etc" folder is moved need to be adjusted Created: 16/Jun/20  Updated: 16/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2320] ability to limit daemon jobs by host/process Created: 11/Sep/19  Updated: 15/Jun/20

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.3.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Because some jobs ( CLC, OtherJob, PSPNG, etc...) need more RAM/CPU it would be helpful to be able to partition jobs into "sets" and have some daemon instance only process jobs from some of those sets.

Being able to control this can be a cost savings to deployments. ( Especially if they are a cloud based deployment where RAM and CPU equates directly to money. Spent.)

 

Example. If there  are one (or more) large loader job that takes 3 GB of ram to cache/load data into memory then those jobs require the "high water mark" of Ram and could be identified as a set. (let's call that set "large") However, it is also possible that there are lots of other tasks/jobs that only require "1 GB" of ram.  (let's call that set "normal") The "normal" jobs could be run on on more daemon's with smaller hardware size/scale OR on the "large" daemon loaders too. However, if the "Large" job is run on a "small" daemon then it would fail with not enough RAM, or end up swapping to disk and performing very badly at best.






[GRP-2847] Grouper provisioner configuration in UI Created: 15/Jun/20  Updated: 15/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Implement https://spaces.at.internet2.edu/pages/viewpage.action?pageId=168693840

and https://spaces.at.internet2.edu/display/Grouper/Grouper+LDAP+provisioner+in+v2.5






[GRP-2725] update pit memberships view to show valid rows Created: 28/Apr/20  Updated: 11/Jun/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g.

 SELECT concat(concat(ms.id, ':' ),  gs.id) AS membership_id,
          ms.id AS immediate_membership_id,  ms.source_id AS membership_source_id, gs.id AS group_set_id, ms.member_id,
          gs.field_id, ms.field_id, gs.owner_id, gs.owner_attr_def_id, gs.owner_group_id, gs.owner_stem_id,
          gs.active, gs.start_time, gs.end_time, ms.active, ms.start_time, ms.end_time, gs.DEPTH, gs.parent_id AS group_set_parent_id,
          case when gs.start_time > ms.start_time then gs.start_time else ms.start_time end as the_start_time,
          case when gs.end_time is null then ms.end_time when ms.end_time is null then gs.end_time when gs.end_time < ms.end_time then gs.end_time else ms.end_time end as the_end_time,
      case when gs.end_time is null and ms.end_time is null then 'T' else 'F'  end as the_active
     FROM grouper_pit_memberships ms, grouper_pit_group_set gs
    WHERE ms.owner_id = gs.member_id AND ms.field_id = gs.member_field_id
          and (
          -- membership start overlaps the gs
          (ms.start_time >= gs.start_time and (gs.end_time >= ms.start_time or gs.end_time is null))
          -- membership end overlaps the gs
          or (gs.start_time <= ms.end_time and (ms.end_time >= gs.start_time or ms.end_time is null))
          -- membership inside the gs
          or (ms.start_time >= gs.start_time and (ms.end_time <= gs.end_time or gs.end_time is null))
          -- gs inside membership
          or (gs.start_time >= ms.start_time and (gs.end_time <= ms.end_time or ms.end_time is null)))






[GRP-2842] Move check config items to upgrade tasks so check config isn’t run on every startup Created: 10/Jun/20  Updated: 10/Jun/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2834] support "dark mode" in chrome Created: 31/May/20  Updated: 31/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Michael Gettes 10:11 AM
FWIW - Chrome has a dark mode you can “force” on in chrome://flags - if you turn it on some aspects of the color scheme are problematic - like the text at the bottom of a group view and the text used in visualization to name two. I know, this can all be customized - but dark mode is still the rage and I think getting this to work better in the popular browsers with features coming would be “smart” for grouper. Keep in mind that MS Edge and Opera also use the Chrome engine and have the same problem.

 

 

Carey Black 10:19 AM
:slightly_smiling_face: good find. I need to go look at that. :slightly_smiling_face:

Michael Gettes 10:22 AM
there are different dark modes - it doesn’t appear any of those different modes make much of a difference with the problem. I suspect this is easily solvable for someone who understands how the color inversions are handled and what we need to use for fonts/backgrounds. (on a different note - still hoping for getting back lost screen real estate - i have an open ticket on this to allow for moving the left nav out of the way and to enable the full screen width).



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 31/May/20 ]

I think something like this needs to happen though it didnt work

@media (prefers-color-scheme: dark) {
  .gradient-background {
    background-color: black;
    color: #ccc;
  }
} 





[GRP-2622] more tab with loader option should only show for grouper admins Created: 25/Mar/20  Updated: 29/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When I attempt to view the loader of a group, I get Error: Problem calling method loader on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader



 Comments   
Comment by Olivier Salaün [ 29/May/20 ]

We have the same issue with Grouper 2.4.0 (grouper_v2_4_0_api_patch_89.state grouper_v2_4_0_ui_patch_55.state).
According to https://lists.internet2.edu/sympa/arc/grouper-users/2017-03/msg00055.html group admins should be able to have access to the synchronization page since:

  • we did not override the default uiV2.loader.* properties from grouper-ui-ng.base.properties
  • user has admin privileges on the group

User has a Synchronization submenu in "more info" tab, but when he follows the link to operation=UiV2GrouperLoader.loader he gets an error "Erreur: Problem calling method loader on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader".

Extract from the grouper logs:

==> grouper_error.log <==
2020-05-29 13:44:01,453: [ajp-nio-9520-exec-6] ERROR GrouperUiRestServlet.doGet(359) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.loader
 
java.lang.NullPointerException: Problem calling method loader on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader
	at edu.internet2.middleware.grouper.grouperUi.beans.ui.GroupContainer$4.callback(GroupContainer.java:658)
	at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:976)
	at edu.internet2.middleware.grouper.grouperUi.beans.ui.GroupContainer.isCanAdmin(GroupContainer.java:653)
	at edu.internet2.middleware.grouper.grouperUi.beans.ui.GrouperLoaderContainer.isCanSeeLoader(GrouperLoaderContainer.java:2359)
	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.loader(UiV2GrouperLoader.java:687)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4196)
	at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4147)
	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:326)
	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:197)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1139)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.jasig.cas.client.util.HttpServletRequestWrapperFilter.doFilter(HttpServletRequestWrapperFilter.java:71)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:236)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)





[GRP-2832] workflow , approval ... membership audit row does not show who approved the membership. ( It is blank. ) Created: 28/May/20  Updated: 28/May/20

Status: Open
Project: Grouper
Component/s: API, workflow
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Audit log information for a membership created as the result of an approval flow does not document who created the membership.

Audit issues like this are "blockers" for my use of any feature.






[GRP-2831] Instrumentation throws an error Created: 27/May/20  Updated: 27/May/20

Status: Open
Project: Grouper
Component/s: daemon
Affects Version/s: 2.5.29
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2020-05-27T12:26:23+00:00 WS:test java.lang.RuntimeException: Multiple assignments exist: AttributeDefName[name=etc:attribute:instrumentationData:instrumentationDataInstanceLastUpdate,uuid=1060747341184983b8e41163da900eec], assign, AttributeAssign[id=739ebf3c09a54eb2a2e5183207cc2895,action=assign,attributeDefName=etc:attribute:instrumentationData:instrumentationDataInstances:e1bb4d6518bb4ad7822b642e78db0a79,
2020-05-27T12:26:23+00:00 WS:test group=Group[name=etc:attribute:instrumentationData:instrumentationDataInstancesGroup,uuid=e4ba1834a3774017baef0139e36fcfdd]]
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.retrieveAssignmentHelper(AttributeAssignBaseDelegate.java:280)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.retrieveAssignment(AttributeAssignBaseDelegate.java:260)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.internal_assignAttributeHelper(AttributeAssignBaseDelegate.java:504)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.assignAttribute(AttributeAssignBaseDelegate.java:472)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.assignAttribute(AttributeAssignBaseDelegate.java:461)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.assignAttributeByName(AttributeAssignBaseDelegate.java:564)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.assign.AttributeAssignBaseDelegate.assignAttributeByName(AttributeAssignBaseDelegate.java:184)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate.assignValue(AttributeValueDelegate.java:77)
2020-05-27T12:26:23+00:00 WS:test at edu.internet2.middleware.grouper.instrumentation.InstrumentationThread$1.run(InstrumentationThread.java:177)
2020-05-27T12:26:23+00:00 WS:test at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
2020-05-27T12:26:23+00:00 WS:test at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
2020-05-27T12:26:23+00:00 WS:test at java.lang.Thread.run(Thread.java:748)
2020-05-27T12:26:23+00:00 WS:test grouper-api;grouper_event.log;;;2020-05-27 08:26:23,208: [pool-11-thread-1] ERROR InstrumentationThread$1.run(185) - - error in thread






[GRP-2828] auto stop or restart daemon when not doing work after X days Created: 26/May/20  Updated: 26/May/20

Status: Open
Project: Grouper
Component/s: API, daemon
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The “finding a window to restart” is the fundamental issue - we shouldn’t have to find a window - but have a capability where grouper daemons would restart when not in the middle of doing work.  it could be they just "restart" or “end” and it is the responsibility of the container orchestration to start another.

Could be possible to stop or restart to be triggered based on "signal" from user somehow

 

Note, this could be for UI/WS/Scim also






[GRP-2826] make gsh addGroup idempotent (and other operations?) using GroupSave Created: 24/May/20  Updated: 24/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2822] in installer for installing container ignore sources.xml line Created: 23/May/20  Updated: 23/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Note: you need to change the search sql in the jdbc source in the grouperApi/conf/sources.xml... the change is in the comments in that file






[GRP-2821] grouper database migration should drop foreign keys and indexes first Created: 22/May/20  Updated: 22/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Granted it does not delete data though...  assumes empty tables

 

Alex Poulos  1 hour agoAlex Poulos  1 hour agolooks like it got blocked by mail filter: can you send it to me on slack (or box/dropbox, etc.)?

 

Alex Poulos  3 minutes agok, got a full stack here for you.
Alex Poulos  3 minutes agojava.lang.RuntimeException: error at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.saveBatchHelper(GrouperDdlDataMigration.java:660) at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.saveBatch(GrouperDdlDataMigration.java:627) at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.syncTable(GrouperDdlDataMigration.java:418) at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.migrateDatabase(GrouperDdlDataMigration.java:258) at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration$migrateDatabase$1.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117) at groovysh_evaluate.run(groovysh_evaluate:3) at groovysh_evaluate$run.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at groovysh_evaluate$run.call(Unknown Source) at org.codehaus.groovy.tools.shell.Interpreter.evaluate(Interpreter.groovy:78) at org.codehaus.groovy.tools.shell.Evaluator$evaluate.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) at org.codehaus.groovy.tools.shell.Groovysh.evaluateWithStoredBoundVars(Groovysh.groovy:258) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210) at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.callCurrent(PogoMetaMethodSite.java:59) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:174) at org.codehaus.groovy.tools.shell.Groovysh.execute(Groovysh.groovy:199) at org.codehaus.groovy.tools.shell.Shell.leftShift(Shell.groovy:122) at org.codehaus.groovy.tools.shell.Shell$leftShift$0.call(Unknown Source) at org.codehaus.groovy.tools.shell.ShellRunner.work(ShellRunner.groovy:95) at org.codehaus.groovy.tools.shell.InteractiveShellRunner.super$2$work(InteractiveShellRunner.groovy) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1224) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:132) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuper0(ScriptBytecodeAdapter.java:152) at org.codehaus.groovy.tools.shell.InteractiveShellRunner.work(InteractiveShellRunner.groovy:134) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210) at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.callCurrent(PogoMetaMethodSite.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:158) at org.codehaus.groovy.tools.shell.ShellRunner.run(ShellRunner.groovy:59) at org.codehaus.groovy.tools.shell.InteractiveShellRunner.super$2$run(InteractiveShellRunner.groovy) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1224) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:132) at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuper0(ScriptBytecodeAdapter.java:152) at org.codehaus.groovy.tools.shell.InteractiveShellRunner.run(InteractiveShellRunner.groovy:93) at java_lang_Runnable$run.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117) at org.codehaus.groovy.tools.shell.Groovysh.run(Groovysh.groovy:607) at edu.internet2.middleware.grouper.app.gsh.GrouperShell.grouperShellHelper(GrouperShell.java:341) at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:178) at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:31)Caused by: org.hibernate.exception.ConstraintViolationException: could not execute batch at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:119) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.doExecuteBatch(BatchingBatch.java:97) at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.execute(AbstractBatchImpl.java:147) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.executeBatch(JdbcCoordinatorImpl.java:214) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:611) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:456) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282) at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.saveBatchHelper(GrouperDdlDataMigration.java:655) ... 68 moreCaused by: java.sql.BatchUpdateException: Batch entry 0 insert into grouper_attr_assign_action (hibernate_version_number, attribute_def_id, context_id, created_on, last_updated, name, id) values (1, '22097cfc7cba47bd853d3fef3d8f52c4', 'af4f960cb46e47a0ab2435558475c61b', 1586867863941, 1586867863941, 'assign', '00bfccfa127d430a994bb153ed5837b2') was aborted: ERROR: insert or update on table "grouper_attr_assign_action" violates foreign key constraint "fk_attr_assn_attr_def_id"  Detail: Key (attribute_def_id)=(22097cfc7cba47bd853d3fef3d8f52c4) is not present in table "grouper_attribute_def".  Call getNextException to see other errors in the batch. at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java:148) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2191) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:472) at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:791) at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java:1563) at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(NewProxyPreparedStatement.java:2544) at org.hibernate.engine.jdbc.batch.internal.BatchingBatch.performExecution(BatchingBatch.java:110) ... 77 moreCaused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "grouper_attr_assign_action" violates foreign key constraint "fk_attr_assn_attr_def_id"  Detail: Key (attribute_def_id)=(22097cfc7cba47bd853d3fef3d8f52c4) is not present in table "grouper_attribute_def". at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2477) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2190) ... 82 moreelapsed: 00:01:30.012, state: error, table: grouper_attr_assign_action, rowsTo: 0, rowsFrom: 63, insertingBatch: 0ERROR java.lang.RuntimeException:error        at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.saveBatchHelper (GrouperDdlDataMigration.java:660)        at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.saveBatch (GrouperDdlDataMigration.java:627)        at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.syncTable (GrouperDdlDataMigration.java:418)        at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration.migrateDatabase (GrouperDdlDataMigration.java:258)        at edu.internet2.middleware.grouper.ddl.GrouperDdlDataMigration$migrateDatabase$1.call (Unknown Source)
Alex Poulos  2 minutes agoguess I should clear things out and retry, may not have cleared
Chris Hyzer  < 1 minute agoyeah there are foreign keys there...
Chris Hyzer  < 1 minute agomaybe the script should disable those, but right now it expects to start clean






[GRP-2819] allow consistent formats of image and css overrides Created: 22/May/20  Updated: 22/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I just re-checked... I have the property css.additional=grouperExternal/public/assets/css/umt_grouper_overrides.css so that's good... the html source that comes up has this ref:
<link href="grouperExternal/public/assets/css/umt_grouper_overrides.css" rel="stylesheet" type="text/css" />
... shouldn't that look like "../../grouperExternal/public/assets/css/umt...css"?

Chris Hyzer 5:01 PM
see my comment above at 3:49
New

Josh O'Dowd 5:08 PM
sorry, I didn't put that together, because grouper had auto-prefixed the "../.." on my previous URI values.
5:10
so for instance, on the image file property I did not include the "../.." but grouper prefixes it and voila! my image shows and the page source is:
src="../../grouperExternal/public/assets/images/um-logo.png"

Josh O'Dowd 5:20 PM
There we go:
image.png
image.png

5:23
so for the image file, I put the file in grouperExternal/public/assets/images and set the image.organisation-logo=grouperExternal/public/assets/images/um-logo.png
... but for the css file, in grouperExternal/public/assets/css, I had to prefix the css.addtional with '../../'
ultimately both URI refs in the page source were prefixed with '../../'

Josh O'Dowd 5:35 PM
Last part on this look-n-feel part is that in v2.4 we were overriding the property "grouperAppName" in the grouper.text.en.us.properties file. That one doesn't seem to be part of database config yet... unless I'm mistaken?






[GRP-2818] messaging to ws bridge not work for multiple configs Created: 21/May/20  Updated: 21/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

this looks like it would only process the last one

public class MessageConsumerDaemon implements Job {
  
  /**
   * logger 
   */
  private static final Log LOG = GrouperUtil.getLog(MessageConsumerDaemon.class);
 
 
  /**
   * @see Job#execute(JobExecutionContext)
   */
  @Override
  public void execute(JobExecutionContext jobExecutionContext) throws JobExecutionException {
    
    Pattern pattern = Pattern.compile("^grouper\\.messaging\\.([^.]+)\\.messagingSystemName$");
    GrouperLoaderConfig grouperLoaderConfig = GrouperLoaderConfig.retrieveConfig();
    
    String configName = null;
    
    String actAsSubjectId = null;
    String actAsSubjectSourceId = null;
    String messagingSystemName = null;
    String queueOrTopicName = null;
    String routingKey = null;
    String exchangeType = null;
    String messageQueueType = null;
    Integer longPollingSeconds = null;
    
    for (String propertyName : grouperLoaderConfig.propertyNames()) {
      Matcher matcher = pattern.matcher(propertyName);
      if (matcher.matches()) {
 
 
        configName = matcher.group(1);
        
        messagingSystemName = grouperLoaderConfig.propertyValueString(propertyName);
        if (StringUtils.isBlank(messagingSystemName)) {
          LOG.info("No messaging system name found so not going to connect to any queue or topic.");
          return;
        }
        
        queueOrTopicName = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".queueOrTopicName");
        routingKey = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".routingKey");
        exchangeType = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".exchangeType");
        messageQueueType = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".messageQueueType");
        actAsSubjectSourceId = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".actAsSubjectSourceId");
        actAsSubjectId = grouperLoaderConfig.propertyValueString("grouper.messaging."+configName+".actAsSubjectId");
        longPollingSeconds = grouperLoaderConfig.propertyValueInt("grouper.messaging."+configName+".longPollingSeconds", 1);
      }
    } 






[GRP-2816] address tomee errors on startup Created: 21/May/20  Updated: 21/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There are some ERROR level logs during TomEE startup, all related to TagLib, like this:
ERROR OpenEJB.startup- Unable to load tag library tag class: org.apache.taglibs.request.LogTag



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 21/May/20 ]

Andy Morgan 9 hours ago
I've been digging on this. These "Unable to load tag library tag class" errors are caused by files in WEB-INF/tld. For example, taglibs-datetime.tld triggers all the errors beginning with org.apache.taglibs.datetime. Grouper 2.4 and 2.5 don't have datetime.jar, but I found this in Grouper 2.3:

  1. find . | grep datetime
    ./WEB-INF/lib/taglibs-datetime.jar
    ./WEB-INF/tld/taglibs-datetime.tld
    When hunting for more information, I found out that datatime and request are both on a list of taglibs that have been retired: http://attic.apache.org/projects/jakarta-taglibs.html
    Perhaps the jars were removed sometime between Grouper 2.3 and 2.4, but the tld files were mistakenly left behind. I'm not sure where the taglibs-datetime.tld and taglib-requests.tld files are added to the Grouper container.

 

Andy Morgan 8 hours ago
The final error is for edu.internet2.middleware.grouper.ui.ELTileRecorderTag. When I search Grouper's github, I find 3 hits for ELTileRecorderTag. It seems to be coming from a class in grouper-legacy-ui.

Andy Morgan 8 hours ago
I don't find ElTileRecorderTag.class in 2.5.29's grouper-ui.jar, though.

Andy Morgan 8 hours ago
Somewhat related, TomEE ships with taglibs-standard 1.2.5 jars. Grouper 2.5 has WEB-INF/lib/standard-1.1.2.jar.

Chris Hyzer < 1 minute ago
ok i will capture this in the jira and track these down at some point. thanks!





[GRP-2815] add ability to set log level in container, adjust defaults Created: 21/May/20  Updated: 21/May/20

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Andy Morgan 14 minutes ago
I wonder how many people look very closely at the logs during startup... I'm mildly annoyed by how verbose they are because it makes it harder to identify any problems when they occur.

Andy Morgan 14 minutes ago
There are a lot of INFO level hibernate logs during startup, plus various INFO and WARN logs related to ehcache, for example.

Andy Morgan 13 minutes ago
it's not high priority, but maybe logging can be tweaked to hide more things or resolve WARN issues

Chris Hyzer < 1 minute ago
i think grouper should log warn and above and other things should log error and above... :slightly_smiling_face: maybe we can make that an option...






[GRP-2814] config custom tag should have nowrap on the required indicator Created: 20/May/20  Updated: 20/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2020-05-20-18-43-28-241.png    

 Comments   
Comment by Chris Hyzer (upenn.edu) [ 20/May/20 ]

 





[GRP-2812] tomcat can wait until other services are up before starting Created: 20/May/20  Updated: 20/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Chris Hyzer(opens in new tab) May 14th at 4:57 PM
right now grouper can sleep for seconds before starting, but we could also wait for a port to be up or something?
Also sent to the channel

Chris Hubing(opens in new tab) 10 hours ago
koranda asked for something like this, which i put into a branch for him to test… but he never seemed to

Chris Hubing(opens in new tab) 10 hours ago
while ! ./bin/gsh.sh -runarg getSources() >/dev/null ; do echo waiting for grouper subject sources to start; sleep 1; done;

Chris Hyzer(opens in new tab) < 1 minute ago
oh yeah i remember that :slightly_smiling_face: i can try to add something like that to the container..






[GRP-2810] allow overlays of script hooks Created: 20/May/20  Updated: 20/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

first step is copy script hooks file in workflow

Lacey Vickery(opens in new tab) Yesterday at 1:47 PM
Trying to use the custom shell hooks in 2.5.28, I should just need to mount a file to the container under /usr/local/bin/grouperScriptHooks.sh, right? I’m trying to override the grouperScriptHooks_finishPrepPost() function, but it doesn’t seem to execute. Am I missing a step?
#!/bin/sh
# called after the Grouper container config files are generated and massaged
# before the processes are started
grouperScriptHooks_finishPrepPost() {
 sed -i “s|https://sp.example.org|test|g” /etc/shibboleth/shibboleth2.xml
 echo “ran custom script hook”
}Chris Hyzer(opens in new tab)  11 hours ago
there is a slight issue that we need to work out.  Are you not making a subimage?Chris Hyzer(opens in new tab)  11 hours ago
you are mounting to slashRoot right?Chris Hyzer(opens in new tab)  11 hours ago
until #30, maybe mount that exact file to the exact file, not using slashroot, since the slashroot happens after the sciprts are loaded from that file (currently).  know what i mean?Chris Hyzer(opens in new tab)  11 hours ago
or if you do a subimage, should work fine (if copying in image to the location and not to slashroot).  again, this is temporaryLacey Vickery(opens in new tab)  11 hours ago
Gotcha, I’ll try that and yes I’m not making a subimage, just mounting off slashRoot.Lacey Vickery(opens in new tab)  11 hours ago
Mounting the exact file to /usr/local/bin instead of slashRoot works, thanks!Chris Hyzer(opens in new tab)  10 hours ago
again, we will fix this soon so you dont have to do that, but its a workaround...  






[GRP-2808] add container option to change users when running tomcat as user e.g. in demo server Created: 19/May/20  Updated: 19/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2801] provide ability to turn off full-sync of groups during pspng incremental Created: 15/May/20  Updated: 15/May/20

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

provide a switch to turn off fullsync within the PSPNG incremental consumer.   i have several groups of roughly the same size (460k sourced from elsewhere) and when pspng thinks something is wrong (which is almost always) a fullsync takes about 45m so the incremental comes to a screeching halt.  I run full-syncs every night - they take about 50m.  The idea is to let every other aspect of pspng continue but when a fullsync is sparked within the incremental (i am hoping we can discern this) (gettes)






[GRP-2791] starting from gsh does not initialize database connections correctly Created: 13/May/20  Updated: 15/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

WARNING: named-config with name 'dbConn1' does not exist. Using default-config.
May 13, 2020 9:11:52 AM com.mchange.v2.log.slf4j.Slf4jMLog$Slf4jMLogger$WarnLogger log
WARNING: named-config with name 'dbConn1' does not exist. Using default-config extensions.
 



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 15/May/20 ]

Shilen Patel(opens in new tab)  1 day agoShilen Patel(opens in new tab)  1 day agoThis is a bit strange on an instance that's using Oracle as its db and working otherwise.  (I'll look more later but just fyi)

 

 

Shilen Patel(opens in new tab)  1 day ago2020-05-13 16:03:50,704: [DefaultQuartzScheduler_Worker-9] ERROR ConfigPropertiesCascadeBase.logError(1022) - - Error checking for changes in configs (will use previous version): grouper.propertiesjava.lang.RuntimeException: Problem reading config: 'database:grouper' at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase$ConfigFile.retrieveContents(ConfigPropertiesCascadeBase.java:755) at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase.filesNeedReloadingBasedOnContents(ConfigPropertiesCascadeBase.java:1147) at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase.retrieveFromConfigFileOrCache(ConfigPropertiesCascadeBase.java:1089) at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase.retrieveConfig(ConfigPropertiesCascadeBase.java:105) at edu.internet2.middleware.grouper.cfg.GrouperConfig.retrieveConfig(GrouperConfig.java:357) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.membersFlashCacheableBySubjectId(Hib3MemberDAO.java:1223) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.membersFlashCacheRetrieveBySubjectId(Hib3MemberDAO.java:1349) at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MemberDAO.findBySubject(Hib3MemberDAO.java:300) at edu.internet2.middleware.grouper.MemberFinder.internal_findOrCreateBySubject(MemberFinder.java:710) at edu.internet2.middleware.grouper.MemberFinder.internal_findBySubject(MemberFinder.java:626) at edu.internet2.middleware.grouper.MemberFinder.internal_findBySubject(MemberFinder.java:611) at edu.internet2.middleware.grouper.GrouperSession.start(GrouperSession.java:486) at edu.internet2.middleware.grouper.GrouperSession.startRootSession(GrouperSession.java:426) at edu.internet2.middleware.grouper.GrouperSession.startRootSession(GrouperSession.java:444) at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:89) at org.quartz.core.JobRunShell.run(JobRunShell.java:202) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)Caused by: java.lang.RuntimeException: error at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigMap(ConfigDatabaseLogic.java:341) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigInputStream(ConfigDatabaseLogic.java:157) at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase$ConfigFileType$1.inputStream(ConfigPropertiesCascadeBase.java:588) at edu.internet2.middleware.grouperClient.config.ConfigPropertiesCascadeBase$ConfigFile.retrieveContents(ConfigPropertiesCascadeBase.java:748) ... 16 moreCaused by: java.lang.RuntimeException: No suitable driver found for jdbc:oracle:thin:@host:port:IMSPRD at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigLastUpdatedFromDatabaseHelper(ConfigDatabaseLogic.java:1253) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigLastUpdatedFromDatabase(ConfigDatabaseLogic.java:1201) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveOrCreateLastUpdatedRecord(ConfigDatabaseLogic.java:369) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigMap(ConfigDatabaseLogic.java:288) ... 19 moreCaused by: java.sql.SQLException: No suitable driver found for jdbc:oracle:thin:@host:port:IMSPRD at java.sql.DriverManager.getConnection(DriverManager.java:689) at java.sql.DriverManager.getConnection(DriverManager.java:247) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.connection(ConfigDatabaseLogic.java:638) at edu.internet2.middleware.grouperClient.config.db.ConfigDatabaseLogic.retrieveConfigLastUpdatedFromDatabaseHelper(ConfigDatabaseLogic.java:1227)

 

Chris Hyzer(opens in new tab)  1 day agosee your connect string is messed up... why?

 

Shilen Patel(opens in new tab)  1 day agoi removed the host/port.  other than that, i think the connect string is good?

 

Chris Hyzer(opens in new tab)  1 day agothis might be the same problem as the GSH database one: https://todos.internet2.edu/browse/GRP-2791   IF you can reproduce this that would be good.  I think it has to do with the client and the API getting database configs a little differently and we need to harden that so it gets connections from the API each time and the client doesnt ever try to do its thing when running with the API...

 

Shilen Patel(opens in new tab)  17 hours agook (and i haven't seen that error again even after restarts)





[GRP-2796] provide an option such that when i select a folder/group from the graph ui that it opens it in a new window? Created: 14/May/20  Updated: 14/May/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.28
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Please, provide an option such that when i select a folder/group from the graph ui that it opens the folder/group in a new window?
Discussed with Chad on slack - hence this ticket.






[GRP-2794] grouper_loader_log start/stop/other operations Created: 13/May/20  Updated: 13/May/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.5.27
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From Slack: a capability to allow creating/updating entries in the grouper loader log

Michael Gettes Today at 17:13
could we get a “startup” and “shutdown” entry written to the loader log for loader/ws/ui/scim? happy to submit a jira.
11 replies
Chris Hyzer 1 hour ago
you want the container event to write to the loader log? (edited)
Michael Gettes 1 hour ago
Hmm. Good question. Hadn't thought about it more generically.
Chris Hyzer 1 hour ago
what were you talking about?
Michael Gettes 1 hour ago
Just have the "app" do it on start/stop. The app itself really only knows if it cleanly stopped.
Michael Gettes 1 hour ago
But I can appreciate what you suggested.
Chris Hyzer 1 hour ago
i think we need a new component in grouper that can log things to the database but im not sure cramming in the loader (aka daemon) logs is the way to go
Chris Hyzer 1 hour ago
but yes, file a jira, and we can capture that for however we implement it
Michael Gettes 1 hour ago
I think I will yield to your good judgement.
Michael Gettes 1 hour ago
Will file the jira
Chris Hyzer 1 hour ago
i think we need to capture various optional things, startup and shutdown are some of those. i think it should log errors. maybe some things about the ui or ws. and mechanisms that limit the logging so it doesnt overlog, auto clean up, UI screens, notifications on errors, and doing this in another thread and batched so it doesnt slow anything down. what do you think?
Michael Gettes 1 hour ago






[GRP-2792] add ability to decrypt file in container e.g. for ssl keys Created: 13/May/20  Updated: 13/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2605] Selecting a group from the graph UI fails to display the group Created: 27/Feb/20  Updated: 12/May/20

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0
Fix Version/s: 2.5.28

Type: Bug Priority: Major
Reporter: Michael Gettes (ufl.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

latest image: a93u56w11p12


Issue Links:
Duplicate
is duplicated by GRP-2753 Visualization can't open object throu... Resolved

 Description   

viewing the graphUI (visualization) and i select a group from the UI and I get a blank-ish page (header only) and the following in the log:

2020-02-27T18:18:08+00:00 UI:dev httpd;access_log;grouper_dev;ui;10.247.10.209 - gettes@ufl.edu [27/Feb/2020:13:18:08 -0500] "POST /grouper/grouperExternal/public/OwaspJavaScriptServlet HTTP/1.1" 200 55 "https://groups-dev.it.ufl.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=ajaxError" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36 OPR/67.0.3575.31"
2020-02-27T18:18:08+00:00 UI:dev grouper-api;grouper_event.log;;;2020-02-27 13:18:08,778: [ajp-nio-8009-exec-7] ERROR GrouperUiFilter.doFilter(1146) - - UI error
2020-02-27T18:18:08+00:00 UI:dev net.sf.json.JSONException: java.lang.reflect.InvocationTargetException
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:818)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:274)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray._processValue(JSONArray.java:2513)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.processValue(JSONArray.java:2538)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.addValue(JSONArray.java:2525)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray._fromCollection(JSONArray.java:1056)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONArray.fromObject(JSONArray.java:123)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.AbstractJSON._processValue(AbstractJSON.java:240)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._processValue(JSONObject.java:2655)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.processValue(JSONObject.java:2721)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setInternal(JSONObject.java:2736)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.setValue(JSONObject.java:1424)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:765)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject._fromBean(JSONObject.java:699)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.fromObject(JSONObject.java:172)
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.util.GrouperUtil.jsonConvertToNoWrap(GrouperUtil.java:1703)
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.grouperUi.beans.json.GuiResponseJs.printToScreen(GuiResponseJs.java:80)
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:388)
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:197)
2020-02-27T18:18:08+00:00 UI:dev at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
2020-02-27T18:18:08+00:00 UI:dev at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-02-27T18:18:08+00:00 UI:dev at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1139)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2020-02-27T18:18:08+00:00 UI:dev at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
2020-02-27T18:18:08+00:00 UI:dev at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2020-02-27T18:18:08+00:00 UI:dev at java.lang.Thread.run(Thread.java:748)
2020-02-27T18:18:08+00:00 UI:dev Caused by: java.lang.reflect.InvocationTargetException
2020-02-27T18:18:08+00:00 UI:dev at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2020-02-27T18:18:08+00:00 UI:dev at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
2020-02-27T18:18:08+00:00 UI:dev at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2020-02-27T18:18:08+00:00 UI:dev at java.lang.reflect.Method.invoke(Method.java:498)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2127)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(PropertyUtilsBean.java:1278)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(PropertyUtilsBean.java:808)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.commons.beanutils.PropertyUtilsBean.getProperty(PropertyUtilsBean.java:884)
2020-02-27T18:18:08+00:00 UI:dev at org.apache.commons.beanutils.PropertyUtils.getProperty(PropertyUtils.java:464)
2020-02-27T18:18:08+00:00 UI:dev at net.sf.json.JSONObject.defaultBeanProcessing(JSONObject.java:749)
2020-02-27T18:18:08+00:00 UI:dev ... 87 more
2020-02-27T18:18:08+00:00 UI:dev Caused by: edu.internet2.middleware.grouper.exception.StemNotFoundException: membership stem not found
2020-02-27T18:18:08+00:00 UI:dev at edu.internet2.middleware.grouper.Membership.getOwnerStem(Membership.java:3341)
2020-02-27T18:18:08+00:00 UI:dev ... 97 more



 Comments   
Comment by Chad Redman (unc.edu) [ 12/May/20 ]

Duplicated by GRP-2753. The underlying issue was creating a grouper session outside of a try/finally block.





[GRP-2616] Add optional Content-Security-Policy header to UI Created: 17/Mar/20  Updated: 12/May/20

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.0
Fix Version/s: 2.5.28

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The Content-Security-Policy header tells the browser which external sites a page is allowed to access for css, javascript, images, etc. It can get flagged by security scans as missing. Tomcat by default sets some reasonable security headers, but the CSP isn't one of them, or even supported at all at the server level. Everyone needing this in Tomcat is expected to write their own servlet filter to add it.

 



 Comments   
Comment by Chad Redman (unc.edu) [ 17/Mar/20 ]

This is the csp header that is working for us at UNC. Grouper needs inline javascript including evals.

frame-ancestors 'none'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';

 

Comment by Chad Redman (unc.edu) [ 07/May/20 ]

This could have been done with a grouper property, and then adding some code in GrouperUiFilter to add the header. But creating a separate Filter class is more effective, because it can be configured to apply to all pages, not just the ones covered by the GrouperUiFilter.

To enable, add this to web.xml:

    <filter>
        <filter-name>ContentSecurityPolicyFilter</filter-name>
        <filter-class>edu.internet2.middleware.grouper.ui.ContentSecurityPolicyFilter</filter-class>
        <!-- default value is already suitable for Grouper
        <init-param>
            <param-name>value</param-name>
            <param-value>frame-ancestors 'none'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';</param-value>
        </init-param>
        -->
    </filter>
    <filter-mapping>
        <filter-name>ContentSecurityPolicyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping> 





[GRP-2753] Visualization can't open object through links Created: 05/May/20  Updated: 12/May/20

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0.patch, 2.5.0
Fix Version/s: 2.5.28

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates GRP-2605 Selecting a group from the graph UI f... Resolved

 Description   

I thought I had added the visualization links to the CSRF whitelist, but I don't see it. This needs /grouperUi/app/UiV2Visualization.groupView?* added to the whitelist, and then the errors should stop.



 Comments   
Comment by Chad Redman (unc.edu) [ 06/May/20 ]

The real issue was that it was starting a new Grouper static session. Through a lot of dependent code, this caused the json builder for ajax to convert the user to a member, which had memberships, which threw errors when calling EVERY get method on a membership. Solution seems to be to put the session in a try/finally block.





[GRP-2700] get memberships member paging first page is size 1 Created: 20/Apr/20  Updated: 12/May/20

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

[mchyzer@flash pennGroupsClient-2.4.0]$ java -jar grouperClient.jar --operation=getMembershipsWs --groupNames=test:testGroup --subjectAttributeNames=PENNNAME --debug=true --sourceIds=pennperson --pageSizeForMember=2 --pageNumberForMember=1 --sortStringForMember=m.id 
Reading resource: grouper.client.properties, from: /home/mchyzer/grouper/pennGroupsClient-2.4.0/grouper.client.properties
WebService: connecting as user: 'xxxxx'
WebService: connecting to URL: 'https://endpoint.school.edu/grouperWs/servicesRest/v2_4_000/memberships'################ REQUEST START (indented) ###############POST /grouperWs/servicesRest/v2_4_000/memberships HTTP/1.1
Connection: close
Authorization: Basic xxxxxxxxxxxxxxxx
User-Agent: Jakarta Commons-HttpClient/3.1
Host: grouperWs.apps.upenn.edu:-1
Content-Length: 413
Content-Type: text/xml; charset=UTF-8<WsRestGetMembershipsRequest>
  <wsGroupLookups>
    <WsGroupLookup>
      <groupName>test:testGroup</groupName>
    </WsGroupLookup>
  </wsGroupLookups>
  <subjectAttributeNames>
    <string>PENNNAME</string>
  </subjectAttributeNames>
  <sourceIds>
    <string>pennperson</string>
  </sourceIds>
  <pageSizeForMember>2</pageSizeForMember>
  <pageNumberForMember>1</pageNumberForMember>
  <sortStringForMember>m.id</sortStringForMember>
</WsRestGetMembershipsRequest>################ REQUEST END ############################### RESPONSE START (indented) ###############HTTP/1.1 200 OK
Date: Mon, 20 Apr 2020 20:40:52 GMT
Content-Type: application/xml;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Strict-Transport-Security: max-age=15768000
X-Grouper-resultCode: SUCCESS
X-Grouper-success: T
X-Grouper-resultCode2: NONE<WsGetMembershipsResults>
  <wsMemberships>
    <WsMembership>
      <membershipId>3a078951145840049ae65d3d3a57e2af:44cb710cfe1c44bfb6241733c3dd4ef2</membershipId>
      <immediateMembershipId>3a078951145840049ae65d3d3a57e2af</immediateMembershipId>
      <listName>members</listName>
      <listType>list</listType>
      <membershipType>immediate</membershipType>
      <enabled>T</enabled>
      <memberId>3fd098df-f4b6-4f0b-ab8c-2b6c81cd1972</memberId>
      <groupId>dbfa18c3-a025-47b6-a9a0-be5ac02e8270</groupId>
      <subjectId>10031144</subjectId>
      <subjectSourceId>pennperson</subjectSourceId>
      <groupName>test:testGroup</groupName>
      <createTime>2020/04/20 16:01:21.611</createTime>
    </WsMembership>
  </wsMemberships>
  <subjectAttributeNames>
    <string>PENNNAME</string>
  </subjectAttributeNames>
  <wsGroups>
    <WsGroup>
      <extension>testGroup</extension>
      <typeOfGroup>group</typeOfGroup>
      <displayExtension>testGroup</displayExtension>
      <description>testGroup</description>
      <displayName>test:testGroup</displayName>
      <name>test:testGroup</name>
      <uuid>dbfa18c3-a025-47b6-a9a0-be5ac02e8270</uuid>
      <alternateName>testdd:testGroupdd</alternateName>
      <idIndex>197979</idIndex>
    </WsGroup>
  </wsGroups>
  <wsSubjects>
    <WsSubject>
      <resultCode>SUCCESS</resultCode>
      <success>T</success>
      <id>1234</id>
      <name>XX</name>
      <sourceId>pennperson</sourceId>
      <attributeValues>
        <string>xx</string>
      </attributeValues>
    </WsSubject>
  </wsSubjects>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <resultMessage>Found 1 results involving 1 groups and 1 subjects</resultMessage>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings></resultWarnings>
    <millis>43</millis>
    <serverVersion>2.4.0</serverVersion>
  </responseMetadata>
</WsGetMembershipsResults>################ RESPONSE END ###############
Output template: Index: ${index}: ${type}: ${ownerName}, subject: ${wsSubject.id}, list: ${wsMembership.listName}, type: ${wsMembership.membershipType}, enabled: ${wsMembership.enabled}, available variables: wsGetMembershipsResults, grouperClientUtils, index, wsMembership, type, ownerName
Index: 0: group: test:testGroup, subject: 10031144, list: members, type: immediate, enabled: T
Elapsed time: 905ms
[mchyzer@flash pennGroupsClient-2.4.0]$  



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 12/May/20 ]

hmmm, i wrote this test in 2.5.27 which does not fail:

 

GrouperServiceLogicTest.testGetMembershipsPagingForMember





[GRP-1285] move javadoc links from the wiki to grouper.io Created: 21/Apr/16  Updated: 12/May/20

Status: Open
Project: Grouper
Component/s: wiki
Affects Version/s: None
Fix Version/s: None

Type: Documentation Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Dependency
has dependent GRP-2009 Update published javadoc Resolved

 Description   

look on Grouper wiki for Java doc links and change them to https://internet2.github.io/grouper/
Note, needs to be done after migration to new i2 github



 Comments   
Comment by Chad Redman (unc.edu) [ 25/Aug/19 ]

May need an admin to do a global find and replace. I don't think I have this feature. For WS the changes to make are:

 

From: https://cdn.rawgit.com/Internet2/grouper/master/grouper-ws/grouper-ws/doc/api/XXXX.html?view=co
To: https://internet2.github.io/grouper/master/grouper-ws-parent/grouper-ws/apidocs/XXXX.html

From: http://anonsvn.internet2.edu/cgi-bin/viewvc.cgi/i2mi/trunk/grouper-ws/grouper-ws/doc/api/XXXX.html
To: https://internet2.github.io/grouper/master/grouper-ws-parent/grouper-ws/apidocs/XXXX.html

 

But should also look for any other references to http://anonsvn.internet2.edu which are broken links. Links to cdn.rawgit.com may not need changing, since no other javadoc besides WS is in the main branch (that I know of)

Comment by Chad Redman (unc.edu) [ 12/May/20 ]

New permanent link is homepage: http://software.internet2.edu/grouper/doc/master/grouper-parent/index.html . The github.io links should be replaced with a redirect





[GRP-2778] review re-org container commit Created: 10/May/20  Updated: 10/May/20

Status: Open
Project: Grouper
Component/s: container
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hubing (internet2.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

please review last commit to v2.5.28 container which re-orgnizes files and completes a lot of recent requests






[GRP-2775] group restore and graph counts over time. Created: 08/May/20  Updated: 09/May/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.27
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

from slack:
recently i got bit by a source system providing bad data (10k deletes from a loader job). the team responsible for the data is challenged to get the data back. I did get the data (most of it) restored from PIT queries. But, this got me thinking about an effective UI and capabilities for handling “restore” of group data. Does a document exist that contains such ideas? does anyone want have such a conversation? From playing with some queries and thinking through what i needed to solve my problem (operationally focused) I am thinking an Apple TimeMachine restore approach would probably be best and think we have all the data needed to make it happen. I think we would need 3 capabilities with the appropriate UI on top.
1) a “point in time” restore. restore the membership of a group to what it was at a selected viable time.
2) “play forward” all changes forward from a viable time for the group.
3) “play backward” from now to a viable time for a group.
The play options are needed so downstream changelog consumers reprocess in order. as we know, order matters in identity operations.
oh - one other thing - a useful side effect would be to see a graph of membership counts on a group over time.
example of idea (not to be implemented this way cuz i know this isn't right):
This is done against mysql:
select gpg.name,
FROM_UNIXTIME (round(gpmav.membership_start_time/1000/1000),'%Y/%m/%d') start,
CASE WHEN gpmav.MEMBERSHIP_END_TIME is null THEN ' ACTIVE' ELSE FROM_UNIXTIME (round(gpmav.membership_end_time/1000/1000) ,'%Y/%m/%d') END end,
COUNT(gpg.name) count
from
grouper_pit_memberships_all_v gpmav,
grouper_pit_members gpm,
grouper_pit_fields gpf,
grouper_pit_groups gpg
where
gpmav.member_id = gpm.id
and gpm.subject_source = 'UFperson'
– and gpg.name = 'basis:Identity:Student:Graduating:2020'
and gpg.name = 'App:MFA:service:ref:Student_Emailings:Sent'
and gpmav.owner_group_id = gpg.id
and gpmav.field_id = gpf.id
group by start,end
order by start, end



 Comments   
Comment by Carey Black (osu.edu) [ 09/May/20 ]

I generally like this whole idea. What I am concerned about is the complexity of "time travel".
   If you "rewind", move forward and "rewind even farther than the first time" would that all work?  That makes my head hurt a bit.... 

RE: 1) a “point in time” restore.
Maybe "a “point in time” restore. " could actually
    undo/reverse all the events that happened from "now" in a revers order as "new changes"?
Example of  5 events in the CLC  Time order:
   T1   = grouper create
   T2    = Add member A
   T3   = Add Member B
   T4  = remove Member A
   T5 =  Add Member C
 ( Where T1<T2...< T5 )

If the "restore to T3" was selected then the process would create new events ( changes to the group ) of
  remove Member C
  Add Member A

Basically "automatically pressing the "undo" button on events from the PIT log of group. And the new events would be sent to CLC as "normal".

Then you end up with a branch in the timeline at T2 where a new "T6" starts. 
More stuff happens....

If you then "rewiind" to T1 at some later date I would think that T3,T4 and T5 should NOT be in the "undo button of events" list. ( But they would be in the linear timeline from T100 back to T1. )  So maybe it could be done.. if a PIT is marked as "already undone" then it could be skipped later......

I guess I think this really should be the same as "3) “play backward”" IMO.

If the point of "restore to a point in time" is to just "get the old list of members" an "replace the group with that set" Then lots of "add/removes" might be skipped which could break CLC's until a "full sync" process squares things up again.

And if that is the desire... then how about a way to "export members to file from a Point in time"? Then the user could "throw file at server" or figure out the delta and do something else on the remote side too.

If there was also a "delta between point in time X and point in time Y" that could be helpful to see the "adds/removes" across time. ( And might be helpful to correct errant systems due to other kind of "external to Grouper" issues. ( System restore due to external systemDB failure, etc...)

RE: 2) “play forward”
    This sounds like a "Say it again Sam." to me. 
   Which seems like it could be useful if a specific CLC needed to be caught up again ( correct errant systems due to other kind of "external to Grouper" issues. ) But if all CLC saw the events again that might not always work out well.  Hum...





[GRP-2777] Rules that set disabled/enabled dates need to support partial "days" Created: 08/May/20  Updated: 08/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

[https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Disabled-date+activation+when+added+to+same+group
]

 

You should be able to disable/enable a membership in less than a "full day".






[GRP-1465] Folder/Group Structure template Created: 18/Jan/17  Updated: 08/May/20

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

All (Feature request)



 Description   

It would be very helpful if a Grouper install could be configured to have a set of "predefined structures" that could be used to quickly create a new variant of that predefined structure.

I am trying to use "folder1:XXX" to show relitive group/folder names" and "REF:...: " to show absolute references to things outside the scope of "folder1:..."

A very simple example of a template:

This is a single folder template. ( but it could be a structure of folders)
It has two groups in the folder. ( each folder could have N groups/members predefined or have empty memberships)

The "folder1:Users" group is a subtraction of "folder1:Allowed" - ( folder1:App Exclude Group + REF:REF2:REF4:REFN...:"master Exclude group")

Folder1

-->Users ( A Group in "Folder1", that is "Allowed" - "Excluded" groups)
^(Exclude member of) --Excluded (Group, "Master Exclude Group" + "App Exclude Group")
^Member is "master Exclude group"
(hard ref to existing group outside of "Folder1")
^Member is "App Exclude Group"
^( Include members of) -Allowed (Group)
-->Admins (A group in Folder1)
--> Admins are granted permissions ("X") at the Folder1 level, "Y" for the "Allowed", and "Z" for the "Excluded"

The string for "Folder1" would be definable as the "New template" is created in the UI. [ It would be great if the strings could have a "variable replacement model"
The template could define a "variable marker" Maybe something like "$$$" or "###" that wraps the string to replace. That way the folder could be named "APP-$$$New App Name$$$" and the user could be prompted for the new string for "New App Name" during the "template create" process. (And the resulting folder would be named "APP-BOBsApp".)

It would also be greate if ANY name in the template should support this kind of "place holder"/"Prompt string" concept. And the value should only be prompted for once. AKA: only one "New App Name" value will be collected, but it will be substituted into as many folder/groups/attribute values where the $$$New App Name$$$ exists in the template.

However, the sub groups/folders and their predefined permissions (relative to "Folder1") would not be editable during the creation of the "APP-BOBsApp" folder. And the predefined members of other groups outside of "Folder1" would be auto added to the new folder/groups being built.
This can allow for external hard references to be pre-granted privs/access that could be designed to be used in the new structure.

This would allow a "Grouper Admin" to "template" a structure (of folders/groups) that would be created (new) or referenced existing (hard coded from outside of "folder1"). This "Template" could be identified as a "folder" (or Group) template. Then Users who are allowed to "Add" (group or folders) could select a template in the "Add a new Folder/Group/Template" process.

If the logic is done generically enough, an "Extract Template" could also be added to use existing folder/group structures to create a new Template too. ( Basically clone what exists, make relative reference where possible and leave all other "external refs" in tact as "hard coded" pointers in the template. A Grouper Admin could then refine/correct the template as needed to make it more generally useful.)

I am picturing a "template" folder/branch similar to the Grouper Administration -->attribute folder to store the template definitions and allow the Grouper Admins to edit/maintain them there.






[GRP-2766] provide for deleting empty groups in UI Created: 07/May/20  Updated: 07/May/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.27
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

From Slack:
much like there is the option to delete: “Delete 1 folders if they are empty” in the UI - could we get the same option for empty groups?



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 07/May/20 ]

can you please give a specific flow of what screen and button and text and options the user should see?    Thanks!





[GRP-2770] review recent commits to grouper container Created: 07/May/20  Updated: 07/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hubing (internet2.edu) [ 07/May/20 ]

They seem ok to me. Commit to a non-prod looking branch and let Jenkins do its build, test and push. And, I can test it.





[GRP-2761] add the ability to stash all custom files/configs into the DB. Created: 07/May/20  Updated: 07/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If
the grouper DB could hold all customization's to a grouper instance in it's DB.
  AND 
Just before INITIAL startup of the JVM is spun up could connect to the DB. Extract the customization and "refresh" the local filesystem with the contents from the DB.

then

the setup/customization's/maintenance of the image would become be greatly reduced for deployers. ( since all the data/files are in the DB instead of the image. )

Off the top of my head I can think of these items as examples:

  • CSS file(s)
  • custom image(s)
  • custom JS file(s)
  • custom jar file(s) (for hooks/CLC/etc...)
  • log4j.properties
  • configs to enable/disable hooks

Also ( maybe ) the ability to reset a local auth password ( from the DB config data) on startup could be useful too. ( Thinking about that one special "when everything else can't login" account....)

There likely need to be a way to "skip this step" on INITIAL container startup too.
   To avoid a "death spiral" due to some DB content that breaks the startup process entirely.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 07/May/20 ]

Chris Hubing (internet2.edu)   please give feedback and assign back to me

Comment by Chris Hubing (internet2.edu) [ 07/May/20 ]

It's an interesting idea and seems like it would take more work in the upstream Grouper code than the container (e.g.  interface to upload the logo). 

Some initials thoughts:

If this could make a breaking change, someone would to know how to revert the db instead of just a config file in version control (maybe it's not that big of a deal if you're doing decent DB snapshots).

SQL injection could cause an attacker to be able to insert something that could be copied out to somewhere on the filesystem. Could this be for any arbitrary file or just limited to the path in the Grouper app area?.. and, ya know... don't let SQL injection happen.

Both of those don't seem that big of a deal. Some code would have to be written to connect to the DB in the grouper.hibernate.properties and do the appropriate call, yank out the artifact and create in the specified location. Would that be best for java to do, since you already have that initial thing written, or could it just be a gsh argument (e.g. gsh copycustomizations). 

Those are my thoughts, now assigning back to Hyzer.

 





[GRP-2746] never do the same push to dockerhub twice Created: 04/May/20  Updated: 07/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hubing (internet2.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

To make the builds immutable, is there a way to change jenkins to not push to dockerhub if there is already a build with that tag there?



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 07/May/20 ]

or only build if tag applied, not by any commit





[GRP-2704] Providing alternate ways of providing Azure userPrincipalName instead of auto generating Created: 22/Apr/20  Updated: 06/May/20

Status: Resolved
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.27

Type: New Feature Priority: Minor
Reporter: Amit Poddar Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Chris Hyzer (upenn.edu)

 Description   

Hi,

It was great news when azure provisioner was announced today with support for Unified groups. I was waiting to use it, but one small restriction does not make it usable for us. It looks like userPrincipalName is generated from <uid>@<tenant.id>. There is an option to configure the first part, but looks like the second part is not configurable. 

We use AzureADSync to sync our users and the userPrincipalName in our case is yale.edu but the tenant id is yaleedu.onmicrosoft.com. The cloud users will have the later as a suffix to there userPrincipalName, but user synchronized from on-premise AD using Azure AD sync will have yale.edu as the suffix. 

Would it be possible to provide a possible list of domain values for the UPN suffix, and maybe a priority order to try to find a user or at least provide a way to specify the Azure UPN as a attribute on the subject directly so that the code does not have to generate the UPN

Thanks,

Amit 

(Yale University)

 



 Comments   
Comment by Amit Poddar [ 22/Apr/20 ]

Hi,

It looks like there is a parameter called domain, which by default is set to tenantId, that I can set which is used for adding users to a group. But in remove member method, the code seems to be directly using tenantId instead of domain. I would have assumed that domain would be used in both places, and then my requirement will be met. Would it be considered a bug, or am I missing something?

Thanks,

Amit

Comment by Chad Redman (unc.edu) [ 23/Apr/20 ]

The removeMembership () method using tenantId instead of domain is a bug. I'll work on this. I think longer term there may be use for a jexl. For example different principals depending on the subject, fallback to alternate attributes, or string manipulation of the attribute value.

Comment by Amit Poddar [ 23/Apr/20 ]

Hi,

In my opinion, longer term adding the feature that one of the subject attribute provides a complete userPrincipalName could be much simpler, where the the userPrincipalName logic could be hosted inside the subject source.

What's your opinion?

Thanks,

Amit

Comment by Chad Redman (unc.edu) [ 24/Apr/20 ]

Something like this?

subject.getAttributeValue('azurePrincipal') ?: subjectIdValue + '@' + domain 

So it will just use azurePrincipal if it's defined, otherwise it will construct based on the existing method. Could something like that be used with your subject source?

There is a lot of flexibility in the expression. Just one example, look it up from a hash map keyed on an attribute.

subjectIdValue + '@' + ({'WGA': 'wga.school.edu', 'WGR': 'west-gr.edu'}.get(subject.getAttributeValue('school')) ?: 'default-domain.edu')

Comment by Amit Poddar [ 24/Apr/20 ]

Hi,

In our case as of now, the first option makes sense since we have the UPN in our subject source already. But I can see the value of the expression you are suggesting for other cases and maybe in our case also in future.

Maybe a combination of both could be a long term solution, why choose if we can have both?

Thanks,

Amit

Comment by Chad Redman (unc.edu) [ 01/May/20 ]

Added both `upnAttribute` and `subjectJexl`. If the first property is defined as a subject's attribute, it will use it directly and skip any calculations. The subjectJexl will work as noted above. If the result of either of these is blank, it will fall back to another method, in the order of upnAttribute -> subjectJexl -> idAttribute + domain.

Comment by Amit Poddar [ 06/May/20 ]

Chad,

Does the version 2.5.27  have all the changes mentioned?

https://repo1.maven.org/maven2/edu/internet2/middleware/grouper/grouper-azure-provisioner/2.5.27/grouper-azure-provisioner-2.5.27.jar

Comment by Amit Poddar [ 06/May/20 ]

Ignore my comment, I just realized the version is in the header. Stupid me.

 

Thanks

Comment by Amit Poddar [ 06/May/20 ]

Chris,

I had created this Jira, but we are running 2.4 so I cannot use the container. Is there a way to get a new version of provisioner jar, or should I have to build from source?

Thanks,
Amit





[GRP-2735] Ui loader diagnostics for SUBJECT_ID_OR_IDENTIFIER reports error Created: 02/May/20  Updated: 05/May/20

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.4.0, 2.5.0
Fix Version/s: 2.5.27

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Wiki states that a group loader can have a column for SUBJECT_ID_OR_IDENTIFIER. However, when running diagnostics in the UI, there is an error.

SQL:

SELECT user_id AS SUBJECT_ID_OR_IDENTIFIER  FROM training_management WHERE user_id IS NOT NULL UNION ALL SELECT internet_id AS SUBJECT_ID_OR_IDENTIFIER FROM training_management WHERE user_id IS NULL AND internet_id IS NOT NULL; 

 

Error

java.lang.RuntimeException: Column not found: SUBJECT_IDENTIFIER,Problem calling method loaderDiagnosticsRun on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader    at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset$Row.getCell(GrouperLoaderResultset.java:1514)    at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.getCell(GrouperLoaderResultset.java:1587)    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperLoader.loaderDiagnosticsRun(UiV2GrouperLoader.java:2570)    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)    at java.lang.reflect.Method.invoke(Method.java:498)    at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4238)    at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4189)    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:327)    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:198)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
... 

 

 






[GRP-2747] grouper startup should use DB locking (like DDL) when creating objects Created: 04/May/20  Updated: 04/May/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2736] Membership tab ( on Members, Groups, etc...) should have more "sort/filter" options Created: 02/May/20  Updated: 02/May/20

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I find myself often wanting to answer questions like:
   What changed for this Stem/Group/Member recently?
   What portion of this Stem/Group/Member is from "Stem 'X' " ?
   What portion of this Stem/Group/Member recently?
   Who changed this Stem/Group/Member recently?
   Limit by Subject Source would also be very helpful. ( To find nested groups, or only members from a given source. )

If the default filter options could allow / help a user know the above it would be much more helpful than the existing UI list filtering. 

Specifically, the following would be helpful:
  Order by:   [ default Sort, Create date [DESC/ASC], Stem [DESC/ASC], Create User [DESC/ASC], Modified by User [DESC/ASC] ]

  Limit to:  ( prefer drop-down lists based on values from the data set,
                  But could be free form too, just not as user helpful that way. )
      Create date: (All, on, before, between, since ) (like on the audit info sub panel )
      Modified data (All, on, before, between, since) (like on the audit info sub panel )

      Created by user : Null allowed for "all" or a drop-down lists of all users who created the object(s) being filtered. Examples: Creators of all members in a group, Creators of all objects in a Stem, 
       Modified by user : Null allowed for "all" or a drop-down lists of all users who last modified the object(s) being filtered. Examples: Modifiers of all members in a group, Modifiers of all objects in a Stem, 






[GRP-2727] don't display the "+ Add members" button on a composite group Created: 28/Apr/20  Updated: 28/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If the user does not have "update" to the composite then the "+ Add members" button is not displayed.

However if they do have "update"  ( on the group ) then the user can push the button and it displays a message "Note: you cannot add members to a composite group. You can add members to one of the factors. Click more to see composite information."

This is not really helpful to a user. ( It is producing confusion. )

It seems more helpful to either:
       Have the button auto redirect the UI to the other page.  ( Not really suggested. )
     OR 

     Hide the button for composite groups regardless of Update privileges to the group. ( Please, do this. )



 Comments   
Comment by Carey Black (osu.edu) [ 28/Apr/20 ]

Carey Black
Hey.. if you want to get real fancy...For a composite ... bring up a visualization of the composite that indicates the groups that the user can update. Then they could "navigate to the right spot" as part of clicking the button.What to do that?
 
Chris Hyzer
are they editing a policy group?
 
Carey Black
Maybe. Or not..
A composite can be any level of group math. ( Same "problem" exists as long as the group in question is a composite. ) 

Chris Hyzer
  of course.  anyways, i dont think the answer is "you cant add members here due to technology reasons, here are some groups that the technology allows you to add members to, but since you dont know what you are doing, you will probably be guessing there as well.  good luck"
i think maybe an attribute that identifies the additions group and subtractions group, and the add member will just add there or remove from there...   weve talked about that sort of thing before...

Carey Black

I am very ok with attribute driven flows in the UI. ( A bit harder to maintain than a visualization..... but it is better than the current message box too. )
Chris Hyzer
the visualization will show what is possible and they can hunt around.  the attributes will lock in the access ad hoc changes...

Carey Black
And since the Grouper gods are so benevolent and generous... both options?   ( configured by attributes on the composite )





[GRP-2726] add parameters to pit attribute value view so it shows value rows Created: 28/Apr/20  Updated: 28/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g. 

SELECT gpaav.id AS attribute_assign_value_id,
          gpaa.id AS attribute_assign_id,
          gpaa.attribute_def_name_id,
          gpaa.attribute_assign_action_id,
          gpaa.attribute_assign_type,
          gpaa.owner_attribute_assign_id,
          gpaa.owner_attribute_def_id,
          gpaa.owner_group_id,
          gpaa.owner_member_id,
          gpaa.owner_membership_id,
          gpaa.owner_stem_id,
          gpaav.value_integer,
          gpaav.value_floating,
          gpaav.value_string,
          gpaav.value_member_id,
          case when gpaav.end_time is null and gpaa.end_time is null then 'T' else 'F'  end as active,
          case when gpaav.start_time > gpaa.start_time then gpaav.start_time else gpaa.start_time end as start_time,
          case when gpaav.end_time is null then gpaa.end_time when gpaa.end_time is null then gpaav.end_time when gpaav.end_time < gpaa.end_time then gpaav.end_time else gpaa.end_time end as end_time
     FROM grouper_pit_attribute_assign gpaa,
          grouper_pit_attr_assn_value gpaav
    WHERE gpaa.id = gpaav.attribute_assign_id
     and (
          -- membership start overlaps the gpaav
          (gpaa.start_time > gpaav.start_time and (gpaav.end_time > gpaa.start_time or gpaav.end_time is null))
          -- membership end overlaps the gpaav
          or (gpaav.start_time < gpaa.end_time and (gpaa.end_time > gpaav.start_time or gpaa.end_time is null))
          -- membership inside the gpaav
          or (gpaa.start_time > gpaav.start_time and (gpaa.end_time < gpaav.end_time or gpaav.end_time is null))
          -- gpaav inside membership
          or (gpaav.start_time > gpaa.start_time and (gpaav.end_time < gpaa.end_time or gpaa.end_time is null)))
 






[GRP-2721] add daemon configuration UI screen Created: 26/Apr/20  Updated: 26/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

https://spaces.at.internet2.edu/display/Grouper/Daemon+configuration






[GRP-2720] By default, the status page shouldn't show information like group names Created: 26/Apr/20  Updated: 26/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Shilen Patel (duke.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

One concern is that groups that can be displayed on the status page may not have public view access so everybody should not be privileged to know that those groups even exist.

By default, the status page is publicly available right now.

Note that some enhancements have already been done in GRP-2719.






[GRP-2715] fix registry deep check, it tries to add foreign keys twice Created: 24/Apr/20  Updated: 24/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2706] allow loader diagnostics to run from command line Created: 23/Apr/20  Updated: 23/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2683] Package base properties into their respective jars Created: 15/Apr/20  Updated: 22/Apr/20

Status: Resolved
Project: Grouper
Component/s: API, provisioning, UI, WS
Affects Version/s: None
Fix Version/s: 2.5.23

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If you use grouper jars outside of the container, you no longer need to have the base properties file in the classpath.  Just use the jar and you can have the non base properties file in the classpath.  In fact, if you use a base properties file in your classpath, you might want to remove it, so when you upgrade the jar you automatically get the new base properties (in the jar).  If you need to refer to the base properties file, you can unzip the jar and grab it, or you can git it from git.



 Comments   
Comment by Chad Redman (unc.edu) [ 15/Apr/20 ]

The only one missing properties was the grouper jar. These are now added to the jar:

  • grouper-loader.base.properties
  • grouper-ui-ng.base.properties
  • grouper-ws-ng.base.properties
  • grouper.base.properties
  • grouper.cache.base.properties
  • grouper.hibernate.base.properties
  • grouperText/grouper.textNg.en.us.base.properties
  • grouperText/grouper.textNg.fr.fr.base.properties
  • morphString.base.properties
  • subject.base.properties

GrouperClient and activeMq already had their base properties packaged.

Comment by Chris Hyzer (upenn.edu) [ 16/Apr/20 ]

i assume this will be fixed in 2.5.23.  





[GRP-2416] folder menu tree add options to limit attributeDef and attributeDefNames Created: 09/Nov/19  Updated: 17/Apr/20

Status: Resolved
Project: Grouper
Component/s: UI
Affects Version/s: 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0
Fix Version/s: 2.4.0.patch, 2.5.0

Type: New Feature Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There are existing grouper-ui properties to limit the number of stems (uiV2.treeStemsOnIndexPage:30) and groups (uiV2.treeGroupsOnIndexPage:30) that are displayed in the folder menu tree. The tree also displays attributeDef and attributeDefName items. But there is a hard limit of 10 items, and this is in Java code and not configurable.



 Comments   
Comment by Chad Redman (unc.edu) [ 09/Nov/19 ]

master branch 24e90474. Should this be a 2.4 patch?

Comment by Chad Redman (unc.edu) [ 17/Apr/20 ]

2.4 patch grouper_2_4_0-a84-u52-w10-p12





[GRP-2668] Azure provisioner can't remove members if idAttribute != "uid" Created: 12/Apr/20  Updated: 17/Apr/20

Status: Resolved
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.5.20
Fix Version/s: 2.5.23

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Regression happened during refactoring. When setting idAttribute to a fields other than the default "uid", the Azure provisioner can add members, but can't remove them.






[GRP-2669] Azure provisioner add optional proxy setting Created: 12/Apr/20  Updated: 17/Apr/20

Status: Resolved
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.5.20
Fix Version/s: 2.5.23

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Proposed:

changeLog.consumer.o365.networkProxyType = http
changeLog.consumer.o365.networkProxyHost = 127.0.0.1
changeLog.consumer.o365.networkProxyPort = 8888



 Comments   
Comment by Chad Redman (unc.edu) [ 17/Apr/20 ]

+ #changeLog.consumer.o365.proxyType = [http | socks]
+ #changeLog.consumer.o365.proxyHost =
+ #changeLog.consumer.o365.proxyPort =

 

Does not support authenticated SOCKS5 at this point.





[GRP-2670] Azure provisioner add optional property for group visibility Created: 12/Apr/20  Updated: 17/Apr/20

Status: Resolved
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.5.20
Fix Version/s: 2.5.23

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Groups in azure have a visibility of Private, Public, or Hiddenmembership. The default is Public, which is not always desired.

Note, this only matters for Unified groups, so is dependent on GRP-2671






[GRP-2691] Azure provisioner add configurable mail nickname and description Created: 17/Apr/20  Updated: 17/Apr/20

Status: Resolved
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.5.22
Fix Version/s: 2.5.23

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The Azure changelog provisioner, as developed by Unicon, defaults the mail nickname to the group uuid with no way to change it. This should be easily configurable with Jexl expressions.

It also defaults the group description to the Grouper group uuid. For normal membership add/deletes, it can get the Azure id from the o365GroupId attribute. But for group deletions, the PITGroup description was a quick way to retrieve the Azure groupId from the deleted Grouper group without navigating associated PITAttribute queries. This can be refactored to use the PITAttributeAssignValue of the o365GroupId, thus removing the dependence on group description, and freeing it up for arbitrary values.






[GRP-2690] Group configuration to limit total number of memberships Created: 16/Apr/20  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

There are times that limiting the number of members in a group has value.

It would be helpful to have data driven (attribute based) limits that could control the
       subject source(es)
       and number ( MAX and MIN)  of subjects from those sources for a given group.

      and a "only subject sources" list too.

Suggested: Throw a veto of the membership add when a violation happens.
     Advanced option: Make the veto configurable to a "warning" and send email instead of a veto.

Example uses:
     MIN = 2    --> prevent having a group with only one member. Useful for "admin" groups.
     MAX = 50  --> useful for limiting due to licensing or other external limits on a provisioned service

     source "g:isa" could be excluded ( by setting MAX =0 ) if nesting groups are disallowed.
     source "g:gsa", could be excluded ( by setting MAX =0 ) if nesting groups are disallowed.
     source "grouperEntities", could be excluded ( by setting MAX =0 ) if grouper Entities are disallowed.

etc....

I picture a set of attributes like:
   groupLimits
           sourcesAllowed =  "gisa,g:gsa,jdbc"    // only allow these three sources as members
           sourceMaxLimit  =  "g:isa=0"              // limit direct and indirect membership adds
           sourceMaxLimit  =  "g:gsa=0"
           sourceMaxLimit  =  "jdbc=50"

NOTE: if multiple subject sources need to be limited, then having "ref groups" ( that are each limited to a smaller number)  that are embedded in other ref groups with the total max enforced there.






[GRP-2489] add optional entity (subject) input to group or folder visualization Created: 18/Dec/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File GRP-2489Idea0.png     PNG File GRP-2489Idea.png     PNG File image-2019-12-19-10-03-09-646.png    

 Description   

 

you take a policy, you input a person, and it lights up red and green with where the user is in or not in groups. you can more easily see why the user is in or is not in the policy...

 

  1. In folder and group visualization, add an optional input field (not in settings, not persisted) combobox for an entity
  2. Use the same style as other forms.
    1. Label is: "Visualize for entity"
    2. Hint under combobox is: "Show if the entity is a member of each other group.  Use this to troubleshoot or analyze membership."
    3. The combobox should be like the entity combobox in adding members.  Should also allow "search for an entity" just like the add members combobox.
  3. If there is an entity inputted, then after finding which groups will be on the visualization, do as few calls as possible (in batches of 900, that might already be in the MemberFinder API), and see if the entity is in each group or not (direct or indirect)
  4. The visualization should indicate this by having something like a green checkmark or a red X on each group, and in the Legend
    1. The Legend should mention the entity (when explaining what the green checkmark and red X are) in question by listing the description only (if the name is in the description), or the name and description (if the name is not in the description)
  5. Have a link named "Visualization" in the "Choose action" drop down next to memberships of groups
  6. Have a similar link in the "Choose action" drop down next to memberships in the folder level tab "Group memberships for groups in this folder"
  7. Have a link in an actions menu (new) in the "Trace membership" screen


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 19/Dec/19 ]

Jeffrey Williams (uncg.edu)  Yes, there are multiple ways to analyze a membership.  Maybe there should be a link there too.  But dont you think the entity combobox should be at the top of the visualization screen instead?  Thanks

Comment by Jeffrey Williams (uncg.edu) [ 19/Dec/19 ]

Some thoughts:

I like the idea of this functionality and think it is great for illustrating to others how an entity's membership flows through a policy.  Do we think there is a desire to have a traceMembership style of presentation as well?  It's possible the two can be combined on one page, but a separate presentation would certainly work.

 

Next thing I thought of was where more casual users would have occasion to ask this question.  First that came to mind was while using the the membership filter. During filtering events where a filter for an entity returns 0 results, but a user would like to know why a user isn't there(screengrab illustrates a population group, which may also be applicable), a link could be presented to kick off the analysis for that particular entity.

 

Also, if a user knows an entity is not in a policy up front and wants to know why, perhaps we can re-use the filter menu and add an additional drop-down to switch between filtering actions and policy membership analysis? 

  • Switching to analysis updates the memberShip type drop-down to contain a list of analysis options(currently a list of one for this functionality, but leaves room for future expansion
  • (not pictured)Submit button value updates to "Search"
  • User enters entity value(potentially validated in a manner similar to the add members combobox?) and clicks Search
  • Same analysis as in Jira description above
  • One of two results can be returned
    • user is taken to the results visualization page as is in the description.
    • User is taken to a result page similar to UiV2Membership.traceMembership where:
      • if an entity is a member of the policy, it's a standard traceMembership, nothing exciting there.
      • If an entity is not a member:
        • ...and was not a member of any population groups that contribute to the policy, a simple note along the lines of "entity not found in policy population groups" is probably sufficient.
        • ...and was excluded at some point, loop through the policy population groups that the entity is a member of and describe at what point their membership was excluded e.g. entity X was a (membership type) member of group (group name) which is a (membership type) of group (group name).... that was a factor of composite group (group name) that excluded entity (entity name)  because:
          • complement: entity was a member of deny group (deny Group Name)
          • intersect: entity was not a member of group (group Name

 

Comment by Chris Hyzer (upenn.edu) [ 19/Dec/19 ]

yes, the more the better as far as where to look for features

Chad, lets discuss this before starting

Comment by Jon Miner [ 26/Dec/19 ]

I love this idea, both ways.  The visualization would be great (and drilling down ad infinitum), but our support (service owners and HD) often just want to look at a group and see which of the groups (presumably ref groups, but maybe just other groups they've created) someone is in or isn't in, not recursing.

I'm comfortable (especially in v1) making them click in to the next group (assuming they have READ, if not, they can't) to continue looking, as it'll help reduce confusion and assumptions (especially from HD who can see a bunch of things that they don't necessarily understand).





[GRP-2490] permission names not in left tree menu Created: 18/Dec/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

I sent an email that I didnt want to be in Jira with an example screenshot...



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 18/Dec/19 ]

 

From: Hyzer, Chris
Sent: Wednesday, December 18, 2019 3:29 PM
To: Redman, Chad <chad_redman@unc.edu>; grouper-core@internet2.edu
Subject: RE: chad, why permissions not in left menu?

 

Well the jira is there we can troubleshoot at some bug roundup, no biggie.  Maybe the AttributeDefNameFinder defaults to “attribute” type…

 

From: Redman, Chad <chad_redman@unc.edu>
Sent: Wednesday, December 18, 2019 3:28 PM
To: Hyzer, Chris <mchyzer@isc.upenn.edu>; grouper-core@internet2.edu
Subject: RE: chad, why permissions not in left menu?

 

They should show up if they are returned by AttributeDefNameFinder() and have ATTR_VIEW_PRIVILEGES for the subject (unless there is a bug). Are permission names different enough that they wouldn't be returned by that? I'm not familiar with them. They just happen to have the same icon?

 

From: grouper-core-request@internet2.edu [grouper-core-request@internet2.edu] On Behalf Of Hyzer, Chris
Sent: Wednesday, December 18, 2019 2:46 PM
To: grouper-core@internet2.edu
Subject: [grouper-core] chad, why permissions not in left menu?

 

Does left menu show attribute names but not permission names (which are a type of attribute name)?  See its not in left folder?





[GRP-2491] add "implies action" visualization Created: 18/Dec/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

For an attribute definition, if it is of type "permission", then add a "More actions" menu item that is "Visualization"

That subpage should allow two possibilities

  1. Visualize action directed graph
  2. Visualize permission name directed graph (another jira)

Here is example from legacy applet just for reference, doesnt need to be anything like this

https://www.youtube.com/watch?v=DzBvOteaXJM

Actions should point from the action that implies the other action to the action it implies (container to containee)

The permission actions UI tab should have a simple link to Visualize all actions

These visualizations should have similar controls as the other visualizations where it has max elements (e.g. 1000), and can share or have other configs as needed.  Simpler the better though

 






[GRP-2492] add "implies resource" visualization Created: 18/Dec/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

For an attribute definition, if it is of type "permission", then add a "More actions" menu item that is "Visualization"

That subpage should allow two possibilities

  1. Visualize action directed graph (another jira)
  2. Visualize permission name directed graph

Here is example from legacy applet just for reference, doesnt need to be anything like this

https://www.youtube.com/watch?v=DzBvOteaXJM

Attribute names that are from a permission def which is of type "permission" should have a Visualize button in the "More actions" that visualizes that one permission name in both directions (implies and implied by)

These visualizations should have similar controls as the other visualizations where it has max elements (e.g. 1000), and can share or have other configs as needed.  Simpler the better though

Link the visualization from the resource hierarchy screen

 






[GRP-2493] add Grouper permission role hierarchy visualization Created: 18/Dec/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chad Redman (unc.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

For groups that are roles, in the existing visualization screen, there should be a submenu to be able to visualize role hierarchies.  arrows from roles to the roles whose permissions they absorb

e.g. from Superadmin -> Admin

For folders, in visualization, have a visualization option in the visualization screen that allows visualization for all roles in that folder (and subfolder).  find groups which are also roles in one query.

link from role hierarchy screen

UiV2Main.index?operation=UiV2Role.roleEditInheritance&groupId=8496






[GRP-2663] minor updates to DDL Created: 09/Apr/20  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: 2.5.22
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Update the tests and remove from print statements

                            1. Running static SQL
                          1. Running DDL utils





[GRP-2413] Allow loader jobs to be triggered by another job completion, not time-based Created: 07/Nov/19  Updated: 16/Apr/20

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: 2.4.0
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Currently, loader jobs are all time-based. So if it depends on the results of another loader job, and the job takes longer than expected, the second job could be acting prematurely on old data. So the only option is to schedule them far apart, and hope the first job doesn't run too long.

This issue can be solved by having a job that is triggered by the success of another job. Since the job is dependent on the data created by another job, it should be triggered any time the first job runs, even if it is kicked off at an arbitrary time.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 16/Apr/20 ]

note you can easily do this with an other job gsh script

https://spaces.at.internet2.edu/pages/viewpage.action?pageId=166661325





[GRP-2673] have table in db that keeps track of when caches should be refreshed Created: 13/Apr/20  Updated: 13/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Right now in the DB config we use a config entry that indicates if any config has changed.  this should be in a separate table so we arent having point in time churn when we keep track of dbConfig point in time

This is in config item:

grouper.config.millisSinceLastDbConfigChanged 

 

This would be a two col table with a label and an integer (millis since 1970).  The label can be used for things to know when something is updated.  The grouper JVM can centrally poll this whole table every so often (min 10 seconds configurable, and as needed) to see when things have changed.

grouper_cache_notification

Col: label varchar(30) PK and index

Col: millis_since_1970_when_changed index

 






[GRP-2674] grouper config in database should be able to store more than 4k Created: 13/Apr/20  Updated: 13/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

hits limit when storing large keys in config






[GRP-2667] external systems in ui Created: 11/Apr/20  Updated: 11/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified





[GRP-2664] all daemon jobs screen add filter by number of changes Created: 10/Apr/20  Updated: 10/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In a loader job that runs frequently, there are a lot of log rows that don't show anything interesting. If it had the ability to filter out logs where there were no changes, it would make it quicker to locate the runs where the job made some change.

Maybe separate filters for add/update/delete, for minimum count to include in the results?






[GRP-2662] installer says registry init was not successful but it was Created: 09/Apr/20  Updated: 09/Apr/20

Status: Open
Project: Grouper
Component/s: grouperInstaller
Affects Version/s: 2.5.22
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File gshOutput.txt    

 Description   

Note: chris made some ddl changes, maybe that was it.  Are we waiting 20 seconds after thinking a container is done?  I think there is a delay there

 

Waiting for docker command to finish.
Waiting for docker command to finish.
Waiting for docker command to finish.
docker database initialization logs are at: /opt/grouperInstaller/docker_logs_init_db_2020_04_09_06_01_54_421.log
Could not find success in docker logs. Look in the logs at the location above and make sure there are no exceptions.  

 

Here is the full log

[root@ip-172-30-3-152 logs]# more /opt/grouperInstaller/docker_logs_init_db_2020_04_09_06_01_54_421.log
sending incremental file list
opt/grouper/grouperWebapp/WEB-INF/classes/grouper.client.properties
opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
opt/grouper/grouperWebapp/WEB-INF/classes/morphString.properties
opt/grouper/grouperWebapp/WEB-INF/classes/subject.propertiessent 3,749 bytes  received 116 bytes  7,730.00 bytes/sec
total size is 3,190  speedup is 0.83
executing /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt
Detected Grouper directory structure 'webapp' (valid is api, apiMvn, webapp)
Using GROUPER_HOME:           /opt/grouper/grouperWebapp/WEB-INF
Using GROUPER_CONF:           /opt/grouper/grouperWebapp/WEB-INF/classes
Using JAVA:                   /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/java
Using CLASSPATH:              /opt/grouper/grouperWebapp/WEB-INF/classes:/opt/grouper/grouperWebapp/WEB-INF/lib/*
using MEMORY:                 64m-750m
Grouper starting up: version: 2.5.22, build date: 2020/04/09 02:45:22 +0000, env: <no label configured>
grouperPatchStatus read from: /opt/grouper/grouperWebapp/WEB-INF/grouperPatchStatus.properties
No patches detected to be installed
grouper.properties read from: /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
Grouper current directory is: /opt/grouper/grouperWebapp/WEB-INF
log4j.properties read from:   /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
Grouper warning, it is detected that you are logging edu.internet2.middleware.grouper as ERROR and not WARN level.  It is recommended to log at at least WARN level in log4j.properties
Grouper is logging to file:   console, /opt/grouper/logs/grouper.log, at min level ERROR for package: edu.internet2.middleware.grouper, based on log4j.properties
grouper.hibernate.properties: /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
grouper.hibernate.properties: grouper_v2_5b@jdbc:mysql://database-1.cstlzkqw179p.us-east-1.rds.amazonaws.com:3306/grouper_v2_5b?useSSL=false############## Running static SQL
subject.properties read from: /opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
sources configured in:        subject.properties
subject.properties internalsource id:g:isa
subject.properties groupersource id: g:gsa
subject.properties groupersource id: grouperEntities
[root@ip-172-30-3-152 logs]#  

 

 

docker logs gsh attached






[GRP-2652] add changelogconsumer queue count to diagnostics output Created: 08/Apr/20  Updated: 08/Apr/20

Status: Open
Project: Grouper
Component/s: WS
Affects Version/s: 2.5.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Michael Gettes (ufl.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

2.5 latest - please consider adding the queue/backlog count to the WS status diagnostics.
the realtime SQL viewer I have shows something like:
--------------------------------------------------------+

Consumer Age To_Go Last Updated

--------------------------------------------------------+

psp_UFADdev_ePEnt 8:32:58 7,829 2020-04-07 13:33:03
psp_UFADdev 8:32:59 7,829 2020-04-07 13:33:01
psp_Dept 8:33:09 7,829 2020-04-07 13:32:52
syncGroups 02:55 0 2020-04-07 22:03:06
grouperRules 03:01 0 2020-04-07 22:03:00
rabbit 03:09 0 2020-04-07 22:02:52

--------------------------------------------------------+

the 7829 is the number of entries to be processed by the changelog consumer. Would like to enable nagios monitors to look for threshold in the queue count to notify of problems.

An entry such as
SUCCESS loader_CHANGE_LOG_consumer_psp_UFADdev: Not checking, there was a success from before: 2020/04/07 21:43:32.000, expecting one in the last 30 minutes (154ms elapsed)
in the diag output could include something like backlog(7829) in the output.



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 08/Apr/20 ]

number of records might not be ideal.  it might be 100k but will be processed in a minute.  maybe the amount of time it has been processing?  its going to change before too long since we hopefully will be processing records out of order...

 





[GRP-2556] invitation: option to not try and add user to external subjects source if they exist Created: 16/Jan/20  Updated: 06/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.20

Type: Improvement Priority: Minor
Reporter: Paul Caskey (internet2.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CC:
Chris Hubing (internet2.edu), Erin Murtha (internet2.edu)

 Description   

We would like to use Grouper's invitations, but, in our case, our system will force all users to register before getting to any of the apps.  So, when a user arrives at the Grouper UI to accept an invitation, they will always exist in the main/ldap subject source.  We'd like Grouper to check to see if the user exists in other subject sources before adding them to the external subjects source (which triggers an error when they already exist in a different source).



 Comments   
Comment by Chris Hyzer (upenn.edu) [ 06/Apr/20 ]

you need to add this to grouper-ui.properties (or config in database) with source(s) which could contain users you are looking for:

inviteExternalMembers.searchSourcesForMatchesBeforeAdding = a,b,c 





[GRP-2643] add option in install container to use Dockerfile Created: 05/Apr/20  Updated: 05/Apr/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Ask if the user wants to use a dockerfile, 

If it doesnt exists in the root install direcotry whatever they identified (parent dir of slashRoot?), if there is no Dockerfile, create one, and start it out with:

this matches the version you decided on from release notes
FROM i2incommon/grouper:2.5.19 
 
# set how much memory you want.  3g is good for WS and UI, 12g for a large ldap provisioning daemon env
ENV CATALINA_OPTS="-XX:+UseG1GC -Xmx3000m -XX:+UseStringDeduplication"  

Maybe tell them to hit <Enter> when they are done customizing...  then build the container (ask them for name), and go from there?

 

This is not urgent, so when you are bored






[GRP-2633] Status url ( maybe something in the UI for "admin/Wheel only users") to verify the current group version with the "latest info" about that version. Created: 01/Apr/20  Updated: 01/Apr/20

Status: Open
Project: Grouper
Component/s: UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Since the current plan is for people to manually check a wiki page it would be helpful if that was baked into the "Grouper monitoring" process too.

This would allow deployed versions to:

  • become aware of "issues" that surface (ERROR MSG?)
    and 
  • become aware of "new versions" that are stable and they might want to upgrade to ( thinking a INFO type message)
  • maybe include the info in the daily email report too? 





[GRP-2632] java.lang.RuntimeException in a LDAP_GROUP_LIST loader that worked correctly in grouper 2.3 Created: 01/Apr/20  Updated: 01/Apr/20

Status: Open
Project: Grouper
Component/s: grouperLoader
Affects Version/s: 2.4.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Nicolas Marcotte (usherbrooke.ca) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We are currently migrating/upgrading our grouper 2.3 to the containerized 2.4 and we have run into a major difference of behavior between the LDAP implementations of Grouper 2.3 and the two from 2.4^1^ that cause a loader that used to run correctly on 2.3 to produce the following stack trace:

java.lang.RuntimeException: java.util.NoSuchElementException: Error querying ldap server id: ldapr, searchDn: ou=groupes,dc=something,dc=ca, filter: '(cn=filter*)', returning subject attribute: member
	at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.initForLdapListOfGroups(GrouperLoaderResultset.java:752)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderType$10.runJob(GrouperLoaderType.java:1011)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.runJobLdap(GrouperLoaderJob.java:642)
	at edu.internet2.middleware.grouper.app.loader.GrouperLoaderJob.execute(GrouperLoaderJob.java:337)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: java.util.NoSuchElementException: Error querying ldap server id: ldapr, searchDn: ou=groupes,dc=something,dc=ca, filter: '(cn=filter*)', returning subject attribute: member
	at java.util.ArrayList$Itr.next(ArrayList.java:862)
	at edu.internet2.middleware.grouper.app.loader.db.GrouperLoaderResultset.initForLdapListOfGroups(GrouperLoaderResultset.java:689)
	... 5 more

This exception occurs when an attribute declared in "Extra LDAP attributes"2 ** is absent in some results rows (it is normal for optional attributes to be absent). I initially traced the bug to that faulty construct in GrouperLoaderResultset :

String attributeValue = groupAttribute.getStringValues().iterator().next();

And I feel that the correct patch would be to add the following condition :

if(!attribute.getValues().isEmpty())

before https://github.com/Internet2/grouper/blob/5e07ec70005ef066acf9505bcb7329a5a6c9a991/grouper/src/grouper/edu/internet2/middleware/grouper/ldap/ldaptive/LdaptiveSessionImpl.java#L759 and https://github.com/Internet2/grouper/blob/5e07ec70005ef066acf9505bcb7329a5a6c9a991/grouper/src/grouper/edu/internet2/middleware/grouper/ldap/vtldap/VTLdapSessionImpl.java#L541

 

 

  1. using VTLdapSessionImpl or LdaptiveSessionImpl does not changes the outcome
  2. etc:attribute:loaderLdap:grouperLoaderLdapExtraAttributes





[GRP-2547] Remove full-sync at startup option Created: 09/Jan/20  Updated: 01/Apr/20

Status: Resolved
Project: Grouper
Component/s: daemon
Affects Version/s: 2.4.0
Fix Version/s: None

Type: Bug Priority: Trivial
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Grouper 2.4 container image



 Description   

An old holdover from PSP that gives the user the option of doing a full-sync at startup is logging at each startup.  Not many(or any) have used its functionality and since it's from the old incarnation, should most likely be removed.



 Comments   
Comment by Jeffrey Williams (uncg.edu) [ 01/Apr/20 ]

Resolved via commit 0585b65 on 2/06/2020.  Tagged for Grouper 2.5.5 release.





[GRP-2631] gsh command that will replace a left or right group in a composite without having to rebuild it Created: 01/Apr/20  Updated: 01/Apr/20

Status: Open
Project: Grouper
Component/s: gsh
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jeffrey Williams (uncg.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

N/A



 Description   

 Note: assignCompositeMember(CompositeType, leftGroup, rightGroup), rebuilds it for the user in the function.  The question becomes: how well does that scale and if it causes significant population churn with large factor groups as the composite is replaced?






[GRP-2624] grouper client should be able to refer to subject attributes by name Created: 25/Mar/20  Updated: 25/Mar/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

e.g.

 ${wsSubject.getAttribute("EMAIL")}

 






[GRP-2623] copying a group with attributes doesnt copy attributes Created: 25/Mar/20  Updated: 25/Mar/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

only copies legacy attributes?  maybe more options there?






[GRP-2621] installer upgrade from 2.3 to 2.4 will create a ui/ws WEB-INF/lib/grouper folder and put some jars there Created: 25/Mar/20  Updated: 25/Mar/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

move those jars to the parent folder and its fixed

this log message shows that this is the problem:

 Grouper ddl object type 'Grouper' has dbVersion: 0 and java version: 31
Grouper ddl object type 'Subject' has dbVersion: 0 and java version: 1
Grouper database schema DDL requires updates
(should run script manually and carefully, in sections, verify data before drop statements, backup/export important data before starting, follow change log on confluence, dont run exact same script in multiple envs - generate a new one for each env),
script file is:
/opt/grouper/apache-tomcat-8.5.12/logs/ddlScripts/grouperDdl_20200325_15_15_03_630.sql
Grouper warning: cannot find class com.amazonaws.ResponseMetadata, perhaps you are missing jar: aws-java-sdk-core-1.11.529.jar
Grouper warning: cannot find class com.amazonaws.services.kms.AbstractAWSKMSAsync, perhaps you are missing jar: aws-java-sdk-kms-1.11.533.jar
Grouper warning: cannot find class com.amazonaws.services.s3.AbstractAmazonS3, perhaps you are missing jar: aws-java-sdk-s3-1.11.529.jar
Grouper warning: cannot find class com.amazonaws.services.sns.util.SignatureChecker, perhaps you are missing jar: aws-java-sdk-sns-1.11.567.jar
Grouper warning: cannot find class com.amazonaws.services.sqs.AmazonSQSAsyncClientBuilder, perhaps you are missing jar: aws-java-sdk-sqs-1.11.567.jar
Grouper warning: cannot find class org.apache.commons.csv.QuoteMode, perhaps you are missing jar: commons-csv-1.6.jar
Grouper warning: cannot find class org.apache.commons.vfs2.cache.NullFilesCache, perhaps you are missing jar: commons-vfs2-2.4.1.jar
Grouper warning: cannot find class org.dom4j.Attribute, perhaps you are missing jar: dom4j-2.1.1.jar
Grouper warning: cannot find class org.apache.http.client.utils.URIBuilder, perhaps you are missing jar: httpclient-4.5.8.jar
Grouper warning: cannot find class org.apache.http.Consts, perhaps you are missing jar: httpcore-4.4.11.jar
Grouper warning: cannot find class com.fasterxml.jackson.annotation.JacksonAnnotation, perhaps you are missing jar: jackson-annotations-2.9.8.jar
Grouper warning: cannot find class com.fasterxml.jackson.core.Base64Variant, perhaps you are missing jar: jackson-core-2.9.8.jar
Grouper warning: cannot find class com.fasterxml.jackson.databind.AbstractTypeResolver, perhaps you are missing jar: jackson-databind-2.9.8.jar
Grouper warning: cannot find class com.jcraft.jsch.Identity, perhaps you are missing jar: jsch-0.1.55.jar
Grouper warning: cannot find class org.jsoup.SerializationException, perhaps you are missing jar: jsoup-1.12.1.jar
Grouper warning: cannot find class org.ldaptive.AbstractConfig, perhaps you are missing jar: ldaptive-1.1.2.jar






[GRP-2620] sql sync must have columns in same order (if *) Created: 25/Mar/20  Updated: 25/Mar/20

Status: Open
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Chris Hyzer (upenn.edu) [ 25/Mar/20 ]

workaround is just specify the columns

Comment by Chris Hyzer (upenn.edu) [ 25/Mar/20 ]

rowsWithEqualData=0 (even if there are rows with similar data)

Comment by Chris Hyzer (upenn.edu) [ 25/Mar/20 ]

you might need to edit the grouper_sync entry to set the last incremental index processed to get the incremental working





[GRP-2614] ChangeLogConsumerBaseImpl group_updateGroup does not handle description changes et. al. Created: 14/Mar/20  Updated: 14/Mar/20

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.3.0, 2.4.0, 2.5.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Chad Redman (unc.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The ChangeLogConsumerBaseImpl listener for group_updateGroup handles cases of a group rename. However, if some group property such as the display name or description changes, it's logged as "invalidPropertyChanged" and ignored. But it should be up to a subclass to decide whether it should handle change in these properties.

There is a stub method in the class for updateGroup(). But it is moot for subclasses to implement this, since no changelog events call it.






[GRP-2506] Add group name to membership attribute assignments screen Created: 25/Dec/19  Updated: 14/Mar/20

Status: Reopened
Project: Grouper
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Vivek Sachdeva (google.com) Assignee: Vivek Sachdeva (google.com)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

on this screen you should have a column for group
https://grouper.apps.upenn.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2MembershipAttributeAssignment.viewAttributeAssignments&groupId=dbfa18c3-a025-47b6-a9a0-be5ac02e8270&subjectId=10021368&sourceId=pennperson

 
if you are on the group / members tab, the "Actions" drop down shouldfor each membership should have "attribute assignments" and it should link to the same screen as the member screen membership attribute assignments: https://grouper.apps.upenn.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2MembershipAttributeAssignment.viewAttributeAssignments&groupId=dbfa18c3-a025-47b6-a9a0-be5ac02e8270&subjectId=10021368&sourceId=pennperson
 
for that drop down you need read_attr or admin or update_attr
 
 
on the group screen, under "more actions" add a "Membership attribute assignments" button which looks like the "Attribute assignments" screen but with group column, and entity column, and a column that says "assignment type" which is "direct" or "any membership". new screen.
 
when assigning a membership attribute from the subject add a group combobox (which defaults to current group)
 



 Comments   
Comment by Vivek Sachdeva (google.com) [ 14/Mar/20 ]

-Duplicate of https://todos.internet2.edu/browse/GRP-2143-

Ignore the comment above. It's not a duplicate of GRP-2143

 

 





[GRP-2612] Can not create ldap group when target system users are not required Created: 10/Mar/20  Updated: 11/Mar/20

Status: Open
Project: Grouper
Component/s: provisioning
Affects Version/s: 2.4.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Zachary Hanson-hart Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

TIER container 2.4.0-80-u51-w10-p11-20191118



 Description   

In LdapGroupProvisioner.java, in function createGroup, when it finds the values for the membership attribute, it does not honor needsTargetSystemUsers = FALSE, and categorically sets LdapUser ldapUser = getTargetSystemUser(subject). This call to getTargetSystemUser fails, and the group never ends up being created. 

Perhaps add a branch in the loop over initialMembers around line 348, like:

if (!config.needsTargetSystemUsers()) {
String membershipAttributeValue = evaluateJexlExpression("MemberAttributeValue", config.getMemberAttributeValueFormat(), subject, null, grouperGroup, null);
if ( membershipAttributeValue != null )

{ membershipValues.add(membershipAttributeValue); }

}
else

{ ... code using getTargetSystemUser() }

(I don't know if config.needsTargetSystemUsers() is the right thing to check; I'm not very familiar with the code base).



 Comments   
Comment by Zachary Hanson-hart [ 11/Mar/20 ]

I submitted PR #109 on gitlab to merge iisimaginary:GRP-2612





[GRP-2611] Loader jobs should be able to add attributes and values to Groups or memberships that are loaded Created: 06/Mar/20  Updated: 06/Mar/20

Status: Open
Project: Grouper
Component/s: API, UI
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Carey Black (osu.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It would be helpful to be able to load "meta data" onto groups and/or memberships via loader jobs.

 

use cases could include data (for groups or memberships) like:

  "Last refreshed/updated"
  "expire after date"
  "Don't use before"
  "also related to"






Generated at Thu Mar 28 16:31:36 UTC 2024 using Jira 9.4.15#940015-sha1:bdaa9cbecfb6791ea579749728cab771f0dfe90b.