Documentation

API documentation

Supported services

Perun components

Release Notes

  • Perun can now automatically store/update additional attributes along with the user's identity from IdPs and certificates. The list of attributes is configurable.
  • Attributes from IdPs are now passed to Perun as AJP attributes rather than HTTP headers.
  • Updated Spring 4 platform to latest version including all library dependencies, updated Oracle DB driver.
  • Logging framework changed from Log4j to Logback.
  • Removed dependency on specific Tomcat container version to ease future infrastructure updates.
  • When a registration form is set to auto-approval mode, a check against the module is performed to determine whether the application can be approved. Previously this check was used only in manual-approval mode.
  • Registrations to a group can be approved only when the member is not SUSPENDED, DISABLED or EXPIRED in the VO. In such a case, the member must submit a membership extension request first.
  • Greatly sped up loading of groups and subgroups by optimizing attribute authz resolving.
  • Disabled selection of indirect group members in the GUI when only the remove action is available, since they can't be removed from the group.
  • Show VO name and id on Resource detail page.
  • Use sorting when publishing users' cert DNs.
  • Group manager can now see hidden form items on applications when approving/rejecting them.
  • Notifications about upcoming membership expiration are now sent a month before expiration rather than 30 days before. This better matches most VO settings. Also, the notification is not sent if the user is already expired/disabled or is still outside the grace period (can't submit a request for membership extension).
  • Added support for large attributes: LargeString and LargeArrayList data type (Oracle DB is still limited to 4000 bytes for normal String and ArrayList types).
  • Added generic support for BLOB data when synchronizing members from an SQL DB. The BLOB is converted to a base64-encoded string and must be stored in a LargeString attribute type.
  • Optimized service provisioning scheduling, increased concurrent jobs.
  • Extended default timeout for response in CLI (still might be limited by server settings).
  • Improved parsing of name from plain input.
  • Updated project language level to Java 8. Removed all MyBatis and Groovy; the necessary logic is implemented in plain Java.
  • Added support for boolean attribute values in CLI, unified way of table printing (cli output).
  • Great speed improvement when synchronizing thousands of users from XML external source.
  • Allow updating core attributes (e.g. users name) when synchronizing from external source.
  • Check on existence of similar users before registration submission (used on anonymous access to the reg. form).
  • Initial support for UserExtSource attributes, which means we can store additional data about a user identity (not just the identifier).
  • Sped up service propagation in Dispatcher/Engine, default planning delays were halved.
  • Added new group attribute 'groupMembersFilter' which can be used, if group is synchronized with LDAP/AD and common ext source filter for all groups is not desired.
  • When creating a service account (member) in the GUI, account owners can be set only from the same VO. For now, external users can still be added/removed manually later.
  • Protection against null/zero UTF8 responses from service provisioning scripts (couldn't store result data).
  • Added GUI for managing group relations (hierarchy). It's on Group detail, sub-tab Relations.
  • Synchronization of large groups with thousands of users is now much quicker.
  • VO and Group setting "From email" used in registration notifications was changed to "Reply-to email". Each Perun instance sends mails using own address as a sender to prevent mail rejection on destination servers.
  • A group can now have its own mail footer for registration notifications. If not set, but used, the VO's footer is used instead.
  • Support for per-VO RT queues when a user requests a quota change.
  • When required, you can now view raw error data in Error report widget in GUI.
  • Further support for OIDC and ProxyIdp.
  • API fixes to prevent wrong group creation.
  • Perun can now handle the eduroam login-namespace: creating accounts and managing passwords.
  • Updated transaction management to better support PostgreSQL DBs.
  • Fixed missing "Invite" button on group members tab in GUI.
  • Groups can be now dynamically included into others. Meaning all members of 'included' group will become members of 'parent' groups. Groups outside of direct hierarchy can be included too and Perun prevents creation of a cycle. There is no need to use perun synchronizer component for this purpose anymore. For now CLI tools are provided for setting inclusion relation, GUI will come soon.
  • Support MitreID for OAuth2 (drop OIDC).
  • CLI tools were updated to support printing of wide characters (UTF-8) on newer systems (backward compatible).
  • Added CLI tools for setting and inspecting bans on Resources.
  • Resources now must have unique names for same VO and Facility.
  • Fix to perun synchronizer to prevent concurrent run for the same group.
  • Mail addresses in notifications can now have labels like: "CESNET support" <perun@cesnet.cz>
  • GUI will handle groups with 1000+ members better. It doesn't load them all, allows search, and filtering was removed.
  • Support for "radio buttons" on VO/Group registration forms.
  • On the registration form, when a select/combo box has more than 10 items to choose from, a popup search box is shown to find the proper value when typing.
  • On Groups-SubGroups detail page in GUI show whole sub-groups hierarchy, not just one level as it was until now. Synchronization state is also shown.
  • Improved handling of login-namespaces when setting passwords. They can be more customized in the future.
  • Support for handling VOOT as source of user identities.
  • Improved dispatcher and engine components to survive various exception cases, which might cause them to stop without notice.
  • New GUI applications in Bootstrap3 design for registration, password reset and identity consolidation were deployed.
  • Deployed Admin GUI simplification for VO managers.
  • All Perun audit messages are processed in a batch which speeds up all state changing operations.
  • Added basic support for new user type - Sponsored/Guest users.
  • When creating new service member, VO manager is automatically assigned as an owner and can't be removed before all configuration is done. Also warnings are shown, when user is removing himself from service identity.
  • Perun supports OAuth2 authentication provided by an Apache module.
  • Optimized generating of data for services for 10000+ users.
  • {mail} can be used as a placeholder for the user's mail in registration notifications.
  • Added CLI tools to export VO/Group members with default or specified list of their attributes in a nice table.
  • LoA (level of assurance) provided by a user's external identity (typically IdPs) will now expire over time. Since we can't technically tell whether a user's identity is still valid until it is used by the user to access Perun, identities unused for more than a year will not be used when calculating the user's LoA.
  • Basic support for banning users on specified resources and facilities (not by security teams, but by managers). Bans can expire after some time.
  • Group synchronizer was optimized to better handle big number of user entries.
  • Fixed concurrent operations in GUI so resizing shouldn't freeze it anymore.
  • Engine service propagation was thoroughly measured in order to find places for future optimization.
  • We are currently testing UI changes which should help new admins to manage vo / group membership better.
  • Group managers can add new people directly to their groups from external sources (when such source is assigned to group by VO manager).
  • Added support for ContactGroups on Facilities (for now CLI only). A ContactGroup gathers references to other Users, Groups and Owners with a comment on their relation to the Facility (e.g. roots, maintenance, security). This will replace the simple Facility-Owners connection in the future.
  • Added support for Security Teams (for now CLI only). Security team members can add other users to a blacklist. Each Facility manager can specify which Security Teams he trusts. When Perun pushes an ACL to a facility, blacklisted users are omitted / disabled on the target facility.
  • Perun now stores also STDOUT (not just STDERR) when pushing data to facilities so you can see, what happened on tasks results tab in GUI.
  • Users are now allowed to remove their own external identity (Shibboleth IdP, old certificate etc.) on user profile. It can be later added using identity consolidator app.
  • Perun can now run also in a system-wide Tomcat container.
  • Added initial support for Google groups service. Perun can synchronize existing group members or push new ones from itself in order to manage access to shared documents. You need to have own GoogleApps account for this to work.
  • VO manager can add new VO members directly to selected groups (on Group detail page - members - add - switch to 'add to VO and group').
  • Perun can create and manage user accounts in ActiveDirectory which adds wide support for many Microsoft services.
  • Dispatcher component now has a configurable scheduler, so we can speed up service propagation on instances with fewer services/users.
  • Services status displayed on facility detail in GUI is now more clear, using only states: NONE -> PLANNED -> PROCESSING -> DONE or ERROR.
  • We can automatically generate user login in a form firstName.lastName[opt-number] so user is not forced to choose one on registration form. Collisions are avoided using optional numbering (feature is optional per login-namespace).
  • Facility now has description field.
  • Service user accounts can be created without any credentials or with custom certificate identity.
  • Better support for UTF-8 encoding in our CLI tools.
  • Better filtering in GUI. Partial match is now offered, e.g. facilities, where you can filter by part of the hostname.
  • When adding new member to VO manually, internal and external sources are searched together and results are displayed in one table.
  • Fixed GUI bug on user profile when setting preferred shell.
  • Support for new service Sympa and more clean deb/rpm packaging of slave scripts.
  • Dispatcher component is now included to RPC (server part of Perun) which makes Perun easier to deploy.
  • Support for member-group attributes which can store service related data about member in a group.
  • Perun can now manage user accounts in Active Directory using its LDAP interface.
  • Added service for managing Drupal web site accounts for Elixir project and variations of LDAP service.
  • Improved user recognition in Registrar. We now don't offer users with similar, yet different name.
  • Improved service propagation and unified configuration of Engine and Dispatcher components.
  • All Perun components can be now automatically started when machine is restarted (using init.d scripts).
  • Unified display of service state on facility. Now we can see state of service propagation on facility on same tab where we can perform force propagation or block/unblock specific service. Also service now has only single-line entry.
  • Fixed display of attribute value in GUI. Previously following characters were not visible/editable: " ' < >.
  • We sped up attribute authorization, which helps greatly when large numbers of VO/group members are listed by users who are not Perun admins.
  • Added proper API documentation for Perun RPC as part of our web. Now all methods are covered including param/response examples. We will keep improving this documentation.
  • Updated documentation and examples for Perun's PHP binding.
  • Our administrative GUI dropped support for Opera browser < 15 (before transition to WebKit).
  • Recognition of user credentials was fixed, it previously caused problems with identity consolidation.
  • We unified param reading from URL/JSON, you can now specify list properties without need to append "[]" after property name.
  • Deployed new version of Perun mini applications under new url /apps/app_name/authz/.
  • Notifications can now dynamically select template based on user preferred language setting.
  • Notification about account expiration can be sent also 1 day before the expiration date.
  • Speed of group synchronization was improved for LDAP and XML.
  • On Group sync detail display also timestamp of last successful sync., not just last try. Also more informative errors are displayed in GUI.
  • Perun can now manage access to Hadoop server using new services hadoop_base and hadoop_hsfd.
  • Identity info on applications management is now displayed in a more human-readable way (display CN of certificates, translate IdP name from URL). Original values, which can be used for debugging, are still visible on the application detail page.
  • Perun registration GUI, notifications and application forms can now be translated into other languages. One core language (English) and one native language (e.g. Czech) are supported.
  • Added support for new idp attributes in registrar: IDP Category and Affiliation.
  • When pushing new service configuration to the client, use waitmax, which can kill blocked processes.
  • Added support for long operations in GUI. If you don't close opened tab in GUI or browser window, application checks for your operation results even after 5 minute timeout caused by web server.
  • Added button to force group synchronization from sync detail window in GUI, also improved display of information about group synchronization (better time format, proper last sync. state recognition).
  • Implemented more robust name parsing when processing data from IDP or certificate.
  • Updated SSH keys service to set correct permission on files and folders.
  • Registration notifications now use new format of tags: {tagName} or {tagName-authz}. This allows us to choose authentication method dynamically by specifying part after the dash or use default by leaving it out.
  • Added support for copying registration forms and notifications to administrative GUI.
  • Synchronization of group members with external source now skips invalid users with wrong data in ext. source.
  • Creating a new member now correctly checks VO membership rules, with added support for "doNotAllowLoa", where you can prevent untrusted users from applying for your VO.
  • Fixed resizing of inner tabs in the GUI, which prevented the whole table from being seen, e.g. when adding a member to a group.
  • Fixed user recognition on registration forms and changed the places where consolidation is offered. Fixed return link on consolidation page.
  • Added support for a new user role, which allows us to handle eduGAIN needs in group and resources management.
  • We also created simple one-purpose demo app for group / user management.
  • Administrative GUI is no longer limited by the 30s timeout, server error codes are properly handled and a message is shown to users.
  • Users can now set their list of preferred unix group names. When user account is propagated to facility, default group is determined based on available groups where user is member and his preferences.
  • We have added support for manual re-sending of registration notifications to project / group managers.
  • Information about group synchronization and its last state is now present in group tables in the administrative GUI.
  • Fixed workflow of registration with redirects. We also support auto-submit forms, where data are gathered from IdP/Certificate and submitted without user intervention (just visiting registration page).
  • Optimized registration form management, support for custom URL for mail validation links.
  • Added warning for older browsers, that they are not supported by administrative GUI.
  • Added support for mail invitations to VOs and groups.
  • You can send an invitation mail with a link to the application form to users of Perun who are not yet members of your VO or group.
  • You can also send invitation to anonymous users (set custom email address).
  • Check for duplicate users was updated when approving new applications. It's more precise and displays useful information like name, organization and email to help with person recognition.
  • Added new service k5login_generic. By this service you can grant access to specific user account by Kerberos authentication to multiple users.
  • Documentation of Perun APIs and core was greatly updated and is available at the top of this page.
  • Synchronization of group members between Perun and external source can be now authoritative.
  • If member is removed by synchronization from the last authoritative group in VO, then his membership in VO is disabled (group membership for other groups is kept).
  • If member is synchronized only in non-authoritative groups (by VO/group setting), then membership is not changed even when removed from all groups (stay as active member of VO).
  • Quotas for storage space are now supported by fs_project service.
  • Users can now reset their forgotten password even when they don't have any other identity registered in Perun.
  • Workflow with applications to a group was optimized to save your time. When a group's application form is set to auto-approve but a submitted application was not approved (e.g. user was not yet a member of the VO), then all such applications are approved after the application to the VO is approved.
  • You can now synchronize users and groups with Sqlite external source (file).
  • Many updates to user experience in Perun's administrative GUI.
  • Your VO's short name can now be 32 chars long and can contain dots.
  • New service ldap can be used to propagate user data to LDAP for purpose of end-services like Eduroam.
  • LDAP can be used as backend storage for user passwords when required on application forms.
  • Added new component auditer-exporter. It can be used to get audit messages for further processing by tools like ElasticSearch.
  • Perun was optimized to transfer less data between server and GUI to speed up your work on slow connection.
  • Added new service fs_project.
  • The service creates a special directory for projects on selected resources.
  • Projects are realized by groups; for each project group the service creates a sub-directory.
  • Names, permissions and owners of these sub-directories are implemented by attributes.
  • Added new role VoObserver.
  • A user authorized by this role is able to see all data accessible to the VO Manager, but is not permitted to change it.
  • Applications:
    • users can now log out from the registration form; in case of an error (application is not saved), the user can use the displayed button to return to the filled-in registration form (without having to fill everything in again).
    • better check for duplicate user identities (the e-mail address is now checked too); the error message for the administrator is more understandable, so he knows how to resolve the duplicate. If the user fills in academic degrees, these are saved after the application is approved.
  • GUI
    • redesign of the user's detail: the user can change degrees and titles himself, and can set his preferred mail, shell and timezone himself. He can remove himself from a mailing list; if he has service identities, he can switch his identity; for his service identity he can add a login from a different namespace (if it is not occupied).
    • a publication can now be removed even if the user entered it under a different identity (but HIS identity); unfortunately this is not possible for recently entered publications (we would have to fill user_id into the DB tables by hand for each publication). Slightly updated wizard for entering publications (input checks, better duplicate check).
    • more secure check, with a tuned design, of login availability when creating or adding a service identity.
  • Also groups can be assigned as the administrators of the VO.