Join InCommon

08
Nov.
2022

Grouper Software

Getting Off Script with Grouper

Share

Array

By Jason Rappaport, DevOps Engineer, Princeton University

Estimated reading time: 5 minutes

Note: Grouper is one of the software solutions that makes up InCommon’s Trusted Access Platform, the research and education solution for identity and access management (IAM). The InCommon Team appreciates community members’ willingness to share their deployment stories to benefit others as they undertake their own software implementations. Princeton University deployed Grouper in July 2022.

The Decision to Deploy Grouper into Azure 

Microsoft Azure was selected as the cloud provider for Grouper to align with organizational objectives. Our IAM team evaluated running Grouper within Azure Kubernetes Service (AKS) versus Azure App Services. Ultimately, we decided to go with Azure App Services as we didn’t need the orchestration provided within AKS. Azure App Services gave us sufficient capabilities to customize the container environment, capture the appropriate logs, and run application performance monitoring for container tuning. 

The Main Use Case: Eliminating Technical Debt 

One of the main use cases we were trying to address with Grouper was the elimination of technical debt. Specifically, we were trying to replace several dozen custom scripts that maintain dynamic active directory (AD) groups. These scripts are written in many different programming languages, running on different hosts, with different levels of logging and reporting (if any). When hosts are upgraded or business processes are changed, we find ourselves in a position of relearning what these scripts did, how they did it, and where they were located. Grouper has been eliminating this technical debt, centralizing our dynamic group management, while providing key operational data; e.g. logging, reporting, attestation, and understanding of why someone is or is not a member of a given group. 

For example, our LastPass provisioning process included a multi-term LDAP filter with 35 “or” statements for includes and one exclude, which took several breaths of fresh air to read out loud. It also wasn’t reusable. The script executing the LDAP filter was purpose built just for LastPass and had none of the capabilities that Grouper has natively (logging/reporting, attestation, etc). Early in our production rollout, we converted the LDAP filter over to Grouper using the standard application and policy templates. As a result of moving this use case to Grouper, it is now easy to understand the access control policy for LastPass by running the visualizer, and we have native attestation, logging, and reporting.     

Help from the Community 

The members of the Grouper community were key to our success, and we could not have deployed Grouper without them. The InCommon Grouper Slack channel provided us with a means to post implementation issues and get answers quickly.

Several members of the channel (inclusive of peer institutions and software developers) were even willing to jump on a Zoom call with us to help us figure out problems we encountered along the way. Without this support, our Grouper implementation would not have been as successful as it is. 

Get Access to the Grouper Slack channel and other resources. Join us for InCommon Grouper School. (2023 Schedule Coming Soon!)

Lessons Learned

First, I would recommend anyone deploying Grouper figure out a base infrastructure for running containers within a cloud provider. This base infrastructure should include application performance monitoring, cost monitoring, security monitoring, and the DevOps process to update your Infrastructure as Code (IaC) and container. From there, one can add Grouper specific requirements, such as a database and environmental variables passed into Grouper during runtime. 

Post implementation, we made several cost saving measures. Specifically, we decreased the performance characteristics of our Azure hosted Postgresql database and capped data logs going into Azure Log Analytics in our pre-production environments. We also moved our entire Grouper deployment from publicly accessible IPs to private IPs to improve our security posture. 

Finally, I would recommend developing a trust but verify methodology for updating your container images, particularly for production deployments. I put together an extensive process and shared it with the Grouper community on our wiki page. This process ensures that pre-update we are in a known working state, verifies the update actually worked, and post-update confirms that critical components are still operational. 

For more information about Grouper and InCommon’s Trusted Access platform, visit incommon.org/trusted-access

A Short Bio

Jason Rappaport
Jason Rappaport

Jason Rappaport is a DevOps engineer within the Enterprise Infrastructure Services department of the Office of Information Technology (OIT) at Princeton University. Although an OIT rookie (only four years of service thus far), Jason has an extensive IT background primarily in higher education (~18 years), but also experience working for corporations and government agencies. His education includes a master’s degree in information systems and an MBA from Drexel University as well as a bunch of certifications along the way. Personally, he enjoys long walks with his dog and taking stuff apart with no intention of putting it back together.

Fun Facts about Jason
His Favorite Superhero: Star-Lord from Guardians of the Galaxy 
How He Takes His Coffee: In the summer, iced. In the winter, tea with a huge amount of honey. 
Best IAM Advice He Ever Received (& from whom): When working on an issue, my IAM colleague Alex Willman often asks, “What if we flip this on its head?” His advice is typically given when at an impasse or when multiple options exist. That is, perhaps, we can address our issue if we look at our problem differently.