2020-08-21 - System Operations and Management SIG Agenda and Notes


Date

Attendees

Goals

Discussion items

Time | Item | Who | Notes
5 | Welcome | Ingolf
27 | SAML SSO authentication

 There is still the need for discussion.

Which strategy are we going to pursue / recommend?

https://discuss.folio.org/t/saml-sso-features-and-strategy/2891

Meeting Notes:

Goals: Participate in Campus SSO authentication; right now: authentication = authorization; maybe it is O.K. because we have permissions.

Goal: Be federation aware. If you are in OpenAthens.

Does the project want to have a model that maintains authentication and authorization? Or do we want to rely on a 3rd party feature? Everyone runs either nginx or Apache. Possibly use mod_apache. Shibboleth SAML integration with Apache is quite robust. There is an option for nginx; this is more convoluted and quite fragile.

In a perfect world we could use Apache mod_saml; but most people use nginx. Need a tradeoff between development and deployment practice.

Folio trusts the identity of the users that log in from the Discovery layer. The Discovery layer has already proven the user's access.

Most (or all) implementers use NGINX; none is known to use Apache.

What are the real deployment needs from this group's perspective? Let's not discuss the implementation details here.

Who uses CSO? Michelle at Lehigh has moved to use SAML.

There's a package called pac4j.

There is a Shibboleth plugin for nginx: https://github.com/nginx-shib/nginx-http-shibboleth. It is somewhat unstable. It looks like it is in fairly active development. It might not be a bad idea to see what happens.

  • Test of the nginx-http-shibboleth plugin (it has a reputation for being unstable); that might be old information; it is subject to re-evaluation.

There is another ticket for seeding identities from an IdM.

Stephen: Most people rely on an external identity provider.

"Staff" are all patrons, anyway, in Folio.

Tod is asking for feedback on the discuss post.

27 | Automatic migration tests for Goldenrod

FOLIO-2662

Can we draw conclusions?

I think we need to document this for a broader audience, if a viable procedure is being established.

E.g. "Load PostgreSQL extensions in the public schema of each RMB module's database"

or "deploy the 'create-upgrade-diku/tamu' K8s Job to the appropriate upgrade testing namespace"

Update/Notes: 

For the most part, most of the problems are closed. Anton, the Bug Fest team, POs and others helped a lot as we ran into problems. There are a few outstanding issues during upgrades, e.g. something in mod-pubsub and other places, but overall there was success in dealing with these issues.

We still need the documentation for migrations.

See also the Q2 2020 (Goldenrod) Release Notes: actions you need to take before upgrade are spelled out, and there's a table with functional areas and action required.

There is no guaranteed set of layers.

There are some baselines: things that you have to upgrade first.

Things are documented in the "Action required" column of the Release Notes.


Topics for next meetings | Ingolf

Action items
