Also, configs can be centrally stored on a server across multiple web apps or standalone Grouper applications. There can be a default configuration file, and an override file so that only the changes from the default can be tracked in the overlay.

Using this approach to configuration files can make Grouper more easily deployable across environments, and more easily upgradable. In the future we can add this feature to other config files as well.

Both files (the base file and grouper.properties) are located on the class path in the default package. Generally all the default settings will be located in the base file, and only the things that are overridden are in grouper.properties.

If you do not want to use the base and the overlay in the class path, you can specify which files are used for the properties. This must be specified in the base or config file.

Note, it is recommended to include the class path base properties, though it is up to you. You can specify the number of seconds between checks of the config file for differences.

This is not a trivial check, so it is recommended not to run it more often than every 60 seconds. If it is 0 then the file will be checked each time a config param is referenced.

Note, this is another property that must be specified in the base or config file; it cannot be put in other places specified in the hierarchy. You can specify the property key in such a way that the value can include expression language scriptlets.

If you want a config to be pulled from an environment variable, do this: That will cause the property “somethingWhatever” to have the value “c:\dev_inst\java” or whatever it is set to.

$ echo $GROUPER_ENV

Configuration in the database makes the configuration consistent in an environment (otherwise the config files need to be kept in sync for the UI servers, WS servers, daemons, and GSH).

The source IP address will need to be configured or disabled in grouper-ui.properties. You cannot import a “base” config file.

This will only be a config file in the class path or on the file system. There can be JSON configuration metadata in the config files to help the UI correctly display and validate the configs.

Each config item's metadata carries these fields (among others):

- type: from enum ConfigItemMetadataType; the type of the value
- formElement (new in 2.5 build): String, from enum ConfigItemFormElement; text for most things and password for sensitive items (text, textarea, password, dropdown)
- optionValues: String; if this is a dropdown then this is the option values available

Config file conventions: a blank line separates items and sections, and a config file comment preceding an item carries its documentation.

Item keys and values are separated by an equals sign and optional whitespace. The logic to retrieve the configuration from the database lives in the grouper client (since that is where the hierarchical config code is).

It should NOT use anything from the Grouper API or anything that uses the grouper client config (basically don't use anything except maybe Morph encryption in the grouperClient, and external libraries, e.g. c3p0 pooling). So the configuration cannot use the API, or there is a circular logic problem in looping and bootstrapping.

If it has been less than grouper.config.secondsBetweenUpdateChecks seconds since the last check, then just return the cached (in memory) config. If it has been longer, then see if the last full refresh was before grouper.config.millisSinceLastDbConfigChanged. If the last refresh is before that value, then do a full refresh. Note, Grouper can clear the cache when any property (besides grouper.config.millisSinceLastDbConfigChanged) is changed.

These topics are discussed in the “Grouper API” training series.
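The layered lookup described above (base file, overlay on top, then database overrides gated by the secondsBetweenUpdateChecks / millisSinceLastDbConfigChanged refresh rule), as an added illustrative model written in Python for this page; it is not Grouper's own Java code. The `${env:NAME}` placeholder syntax, the sample property files and the class and function names are assumptions made for this example.

```python
import re

# Constructed sample layers (not Grouper's shipped files); later layers override earlier ones.
BASE_PROPERTIES = """
# every default lives in the base file
grouper.config.secondsBetweenUpdateChecks = 60
somethingWhatever = /opt/java
"""
OVERLAY_PROPERTIES = """
# the overlay carries only the keys that differ from the base
somethingWhatever = ${env:JAVA_HOME}
"""
# Assumed placeholder syntax for this model; Grouper's real EL scriptlet syntax is not shown here.
ENV_PLACEHOLDER = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")

def parse_properties(text):
    """Parse 'key = value' items: '=' with optional whitespace; '#' lines and blanks are skipped."""
    items = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("property line without '=': %r" % line)
        items[key.strip()] = value.strip()
    return items

def resolve(layers, env):
    """Merge layers lowest precedence first, then expand ${env:NAME} from the given environment."""
    merged = {}
    for text in layers:
        merged.update(parse_properties(text))

    def expand(match):
        name = match.group(1)
        if name not in env:
            raise KeyError("environment variable %s referenced but not set" % name)
        return env[name]

    return {key: ENV_PLACEHOLDER.sub(expand, value) for key, value in merged.items()}

class DbConfigCache:
    """Refresh rule for database-held overrides (times in seconds): inside the check interval serve the
    in-memory copy; after it, reload only if the DB changed after our last full refresh (0 = check always)."""

    def __init__(self, seconds_between_update_checks):
        self.interval = seconds_between_update_checks
        self.last_check = None
        self.last_full_refresh = None

    def needs_full_refresh(self, now, db_last_changed):
        if self.interval > 0 and self.last_check is not None and now - self.last_check < self.interval:
            return False  # still inside the interval: the cached config wins, no DB round trip
        self.last_check = now
        if self.last_full_refresh is not None and db_last_changed <= self.last_full_refresh:
            return False  # checked the DB stamp, nothing changed since the last full load
        self.last_full_refresh = now
        return True
```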

The Grouper API is provided both as a binary and source distribution. This section describes all the Grouper API configuration files and important settings.

Auto-load memberships from external SQL sources, register notification consumers, validate Grouper Rules, update enabled/disabled flags, etc. The Grouper v1.5.0 package includes the JDBC driver for HSQLDB v1.8.0.10.

Sample JDBC drivers are located in lib/jdbcSample (e.g. for Oracle, MySQL, and PostgreSQL).

General Property Settings

Grouper uses Hibernate to persist objects in the Groups Registry.

Database-specific settings are configured in conf/grouper.hibernate.properties, which has pre-populated examples for HSQLDB, MySQL, Oracle, and PostgreSQL. The dialect setting is the classname of a Hibernate dialect, for setting platform specific features.

Utf8mb4 is not recommended because the database engines in MySQL/MariaDB that support transactions have limitations on the length of prefixes for indices. The default setting of 1 is required for full ACID compliance and logs are written and flushed to disk at each transaction commit.

With a setting of 2, logs are written after each transaction commit and flushed to disk once per second.

Database Allow and Deny Changes

Some database operations (such as dropping tables or recreating data during tests) require confirmation of a prompt asking whether to continue.

It is possible to automatically allow or deny these database operations in conf/grouper.properties.

Database Tuning

Analyzing Tables to Improve Query Performance

Whenever a lot of changes are made to the data in the Groups Registry database (including upgrades of Grouper), you should analyze your database tables to improve query performance.

So the query plan may be built on the assumption that it can safely do a Nested Loop iteration through the few rows returned. But it is a plausible example that the Grouper subject is granted read access to many of these groups.

With database histograms, values are put into a fixed number of bins. If the column data is heavily skewed toward one value, that value will occupy one or more bins by itself, and the query analysis can use that information to get a rough estimate on the cardinality of a filter on that column.

Grouper uses Subject API compliant “source adapters” to integrate with external identity stores. These may represent people, other groups, computers, applications, services, most anything for which you manage identity.

Each source adapter connects with a single back-end store using JDBC or JNDI. Grouper makes no specific assumptions about the schema of any subject types.

Three types of source adapters are included in the Grouper API v1.5.0 package. JDBCSourceAdapter and JNDISourceAdapter classes are included in subject.jar, and GrouperSourceAdapter is built along with the Grouper API.

For JDBC, if you can make a table/view where each subject is represented as one row of the view, then you can use the more powerful GrouperJdbcSourceAdapter2. For JNDI, Up contributed a source adapter which should give better performance.

How would I identify myself to Grouper if I wished to opt-in to a list or manage a group? Grouper accommodates subject identifier issues in two ways.

These are never exposed by the API, but are associated with externally supplied subject identifiers within the Groups Registry. Similarly, when a membership in the Groups Registry is to be expressed elsewhere, the identifier used for group members can be translated by a provisioning connector by use of the Subject API into one that is suitable in the provisioned context.

It would be nice if subject ids and identifiers were unique across sources, though this is not required. Subjects should be resolvable for as long as you want users to be able to search for them or view them on the UI.

Whether Grouper should try to detect and log configuration errors on startup: in general this should be true, unless the output is too annoying or it is causing a problem.

Auto-create groups (incrementing the integer index), and auto-populate them with users (comma separated subject ids) to bootstrap the registry on startup (note: the config check needs to be on).

Mail settings (optional, e.g. for daily report from the loader) When a new group or naming stem is created, any of its associated privileges can be granted by default to the subject.

If a property has the value “true” then ALL is granted that privilege by default when a group or naming stem is created. If you have a deployment where privacy among Grouper users is important, you should consider changing those to false so that access to see or view memberships of groups must be explicitly assigned.

Super-user Privileges

Grouper has another special “subject” called GrouperSysAdmin that acts as a super-user. As of version 1.3.1 the name attribute of Grouper and GrouperSystem can be set through the properties below.

Also, performance of the system will be drastically reduced if external privileges are used, since internal privilege management can join tables in one query to securely select from the registry. If you want to store privileges externally, another option is provisioning the internal access adapter settings and table data from an outside system.

Notifications / change log: whether records should be inserted into grouper_change_log_temp when events happen. If not (and you are not using this column for other custom reasons), you will reduce the number of queries by setting this to false.

If you want Grouper to make sure the loader type and attributes exist if not there, set this. If you have other databases to query (e.g. an external data warehouse, etc), you can configure the db credentials here.

This is a daily email that gets sent to you about your grouper health, including status about all the loader jobs in the last day. If there is something you would like to change in a config file, and it is common, and there is no env var, please notify the Grouper team, and we can discuss adding a variable for it.

Grouper could provide an empty shell script with some pre-defined functions. Functions in here will be called at various points in the Grouper container startup workflow.

The main function is grouperScriptHooks_finishPrepPost which can adjust config files after Grouper is done with them but before processes start. Note you still need to pay attention on upgrades but in general this should be a pretty stable way to adjust config files or run commands...

It is risky to replace existing config files, since if Grouper changes the file in a subsequent container and you do not incorporate those changes in your overlay, the configs will diverge and bad things can happen. This is a good approach but still needs to be checked on upgrades, and cannot be used on files that are generated or massaged by the Grouper startup.

This repo can also be cloned and the container built locally. In particular, in subject.properties, *.param.base.value should be adjusted to only contain the RDN (Relative Distinguished Name), not the full DN.

Latest patch specific tags with date timestamp (i.e. 2.4.0-80-u51-w10-p11-20191118).

Grouper is an enterprise access management system designed for the highly distributed management environment and heterogeneous information technology environment common to universities.

It should be noted that these examples will not run independently, but require additional configuration to be provided before each container will start as expected. If the daemon/loader container dies unexpectedly, it may be due to memory constraints.

Refer to the “Grouper Shell/Loader” section below for information on how to tweak memory settings. Runs the Grouper Web Services in a standalone container.

Runs the Grouper UI and Web Services in a combined container. Docker Secrets starting with the name grouper_ take precedence over these files.

Note that the default property name has been changed by appending .config. The expression allows deployers to use a file containing only the database password as a Docker Secret and reference the file name via the GROUPER_DATABASE_PASSWORD_FILE environment property.

Of course, using Grouper's Morph functionality is supported and is likely the best option, but it does require more effort to set up. Bind mounts can be used to connect files/folders on the Docker host into the container's file system.

Unless running in swarm mode, Docker Secrets are not supported, so we can use a bind mount to provide the container with the configuration files. Deployers should NOT use this method to store sensitive configuration files.

/etc/httpd/conf.d/ssl-enabled.conf : Can be overlaid to change the TLS settings when running Grouper UI or Web Service. /etc/shibboleth/ : location to overlay the Shibboleth SP configuration files used by the image.

Secrets starting with grouper_, shib_, and httpd_ have special meaning. ..., which will copy the grouper.properties to the Docker client's present working directory.

Here is a list of significant web endpoints that deployers should be aware of: Using standard methods, create a MariaDB Server and an empty Grouper database.

Note: a less privileged database user may be used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.

Also, it is possible to just connect directly to the container, create the DDL, and copy it out.

This is necessary if your DBAs would prefer to manually execute the DDL to create the schema objects. Note: A less privileged database user may be used when running the typical Grouper roles.

The Shibboleth SP needs to be configured to integrate with one or more SAML IdPs. Refer to the Shibboleth SP documentation for specific instructions, but here is information on generating an encryption key/cert pair and mounting them (all of which are environment specific) and the shibboleth2.xml into the container.

Add the following to the UI service creation command to mount the environment specific settings: Content found after the preface will be specific to the application and its logging configuration.

For the “user defined token” string, use the environment variable of Undertaken. It is recommended that the various Morph files be associated with the containers as Docker Secrets.

Grouper UI has been pre-configured to authenticate users via Shibboleth SP. As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Configure a report on a group or folder. This report will have a cron schedule and will run the way loader jobs run. Reports consist of an SQL query to run in a database, generating a CSV file. Note: it is a best practice to put the SQL in a view and call the view from Grouper. You need to use a file system (if you have a shared file system among all Grouper component JVMs), or Amazon AWS S3.

Report config attributes (reportConfigDef, values in reportConfigValueDef):

- reportConfigType: required (SQL and blank available). Currently only SQL is available.
- reportConfigFormat: required (CSV and blank available). Currently only CSV is available.
- Name of report: required. No two reports in the same owner should have the same name.
- reportConfigFilename: required and shown for CSV type, e.g.

Report instance attributes (reportInstanceDef, values in reportInstanceValueDef):

- reportInstanceStatus: SUCCESS means link to the report from the screen, ERROR means it didn't execute successfully
- reportElapsedMillis: number of millis it took to generate this report
- reportInstanceConfigMarkerAssignmentId: attribute assign ID of the marker attribute of the config (same owner as this attribute, but there could be many reports configured on one owner)
- reportInstanceMillisSince1970: millis since 1970 that this report was run

Note we need to harmonize this with While's group and folder reports. Only for the wheel group: can pick a report to edit or can add a new one.

Clickable from the Report screen or from some report screens. Can see the screen if a wheel user or in the reportViewers group for the report. Shows a list of the most recent 100 report logs from the grouper loader log table; it should be a table that looks like the grouper loader log screen, and should have the exception stack if there was an error. The report will take the SQL and columns and make a CSV with all the results.

Note, the actual report will not be attached in the email for security reasons. In 2.4 we don't want to add a new table to store files, so for people who want to use this feature the only option will be AWS S3 buckets or file system with the report encrypted.

Escape things in groovysh with a single backslash. GSH is now a core part of the Grouper API and so is always compatible with the current release.

In GSH for Grouper 2.4 and above, to not print the value of every line, use this: If the temporary directory used by your JVM doesn't allow execution of executables (e.g. the directory has the no exec option set), then you may run into an error starting GSH.

Otherwise, it will determine it based on GROUPER_HOME. The gsh script honors these environment variables:

- MEM_START: Override the default -Xms Java parameter (initial Java heap size)
- MEM_MAX: Override the default -Xmx Java parameter (maximum Java heap size)
- CLASSPATH: Will prepend to the constructed class path
- GSH_JVMARGS: Additional arguments to pass to Java
- GSH_CYGWIN: (since 2.4.0 API patch 3) if set and not blank, the script will convert paths and the class path to Windows-style, for use with Windows Java under Cygwin
- GSH_QUIET: (since 2.4.0 API patch 3) if set and not blank, will not output preliminary diagnostic information before starting Java, other than errors

Grouper API methods: Any Grouper API method can be directly invoked just by referencing it, inclusive of the class in which it is defined.

Groups: group(parent stem name, extension, displayExtension). This can be handy to print the group.getName() values for all groups that are found.

Member change subject:

grouperSession = GrouperSession.startRootSession();
subject = findSubject("10021368");
member = MemberFinder.findBySubject(grouperSession, subject);
subject = findSubject("10021366");
member.changeSubject(subject);

Change the subject, but don't delete the old member.

Do this if the way which deletes the old member doesn't work due to foreign keys. Don't do any of the work, just print a report to the screen of what will be done.

So when you call obliterateStem(name, false, true), it will first obliterate the actual stem, then sleep and keep checking whether the changeLogTempToChangeLog job has completed. When it completes, it will obliterate the stem from the point in time data.

In 2.4.0 API patch 41+, this will also create the id, name, description, and loginid attributes (unless grouper.properties create.attributes.when.creating.registry.subjects is false). RegistrySubject.addOrUpdate(grouperSession, id, type, name, nameAttributeValue, loginid, description, email): in 2.4.0 API patch 41+, adds a registry subject like the above, but lets you specify the attribute values of name, loginid, etc.

Transactions facilitate all commands succeeding or failing together, and perhaps some level of repeatable reads of the DB (depending on the DB). If there is an open transaction and an exception is thrown in a command, GSH will shut down so that subsequent commands will not execute outside a transaction.

Run an attribute definition loader job.

It took a couple of hours to catch up on a few days of changes, but it seems to be back to normal.

Look at it and remove lines that don't apply... then run in GSH.

I want all groups in a certain folder which do not have an ADMIN privilege assigned to my application service principal, to assign that privilege.

Retrieve assignments for the attribute “school:attar:students:artsAndSciences”.

Note: The disableLoaders.gsh script does not change the state of the loader jobs.

Rather it only prints (outputs) GSH scripts that you can later execute to do disable/enable for the jobs on the system at the time. Note: After running either of the scripts that are output, you need to restart all grouper daemon instances to make the changes effective.

(So you might choose to stop them before running the “DISABLE” or “RESTORE” script. That order is not strictly required.) Note well: The method used to “disable” the jobs is to alter the quartz schedule for the job to be a fixed time in the distant future.

In Grouper 2.3 the UI can delete inherited privilege rules. To delete a rule, find it in the database in grouper_rules_v.

NOTE: You can also use AttributeAssignFinder.findById(String id, boolean exceptionIfNull) to find attribute assignments from the logs too. The returned AttributeAssign object will show you the stem/group that the attribute is attached to.

