WLCG AuthZ Call
Next Meeting:
- Jan 22
Present: Anders, Dave D, Dave K, Donald, Federica, Francesco, Hannah, Linda, Maarten (notes), Patrick, Petr, Roberta, Stephan
Apologies: Adrian, John, Tom
Notes:
Dave D describes how the JWKS cache proposal has made very good progress since our previous meeting in December. A few things have been simplified. For example, the file names in the cache will be based on the full SHA256 hash of the issuer URL, instead of imitating what is done for CA hashes in our certificate directories. There is one unanswered question: why might an expiration time need to be expressed as a floating point number? Hopefully Brian can soon answer it. He already created a tool to manipulate such caches and adjusted the scitokens-cpp library to let it make use of them.
Next, Patrick and Anders report on the IAM service updates at CERN. The new feature allowing e-mails to be sent to VO admins whenever a certificate is added or removed led to crashes for which an urgent fix was developed and deployed. Also, the feature allowing an account to be marked as a service account had a problem that is fixed in the latest release v1.13.3. A fix is being tested for the issue that causes multiple AUP reminders to be sent, which has been particularly annoying for owners of service accounts, Petr points out, but since those can finally be marked as such, the fix can just be part of the next feature release. Roberta confirms the AUP handling code checks the account type now.
Maarten asks about the plans for getting v1.14 released, which in particular should allow access tokens no longer to be stored in the DB. Roberta answers that various patches are still being tested. Anders adds the idea was for the release details to be discussed at the hackathon on Feb 18-20. Francesco adds that basic maintenance of the code base is also needed. For example, the replacement of MITREid with Spring Authorization Server. Such things are tested on different branches that will first have to be reconciled with the master to allow them to be merged.
Francesco recalls a Docker image was made available for Berk e.g. to measure the performance when access tokens are no longer stored. Maarten replies the results were already reported: Berk found a 10% performance increase, while a much bigger difference was expected, but perhaps there still are some knobs to tune. The maximum rates seen so far were ~1 kHz, which may just be sufficient for ATLAS and LHCb (CMS are not concerned). Francesco replies that further improvements will be investigated once the move to Spring Authorization Server has been completed, to avoid having to spend such efforts twice. Patrick adds that the move itself may already help! Hannah asks whether ATLAS foresee stress tests in the near future. Petr answers there is no token stress test planned yet, but a "meta-data" stress test of the FTS-4 is foreseen for this year.
For the record: Anders has deployed a new IAM instance for a small VO, viz. the SHiP experiment at CERN.
Next, Maarten invites Stephan to present in one of our upcoming meetings the CMS vision for user workflows, to allow:
- others to take inspiration;
- potential issues and/or alternative approaches to be discussed;
- common aspects to be factored out, e.g. in profile updates.
Stephan refers to the CHEP 2024 paper on the CMS Token Transition. He points out that CMS is waiting for advances in the support of experiment-specific scopes that are needed for experiment-specific services, particularly in the IAM policy engine, which is tied to the planned move to Open Policy Agent (OPA).
Next, Francesco informs us of a new VOMS release in EPEL that in particular fixes IAM VOMS-AA error messages in the C++ client that were OK in the Java client. He adds that the VOMS server is maintained, while the VOMS-Admin server is frozen, but Mischa established that it actually works OK on EL8, giving a viable workaround to those communities that still need it.
Next, Petr reports he managed to get a VOMS proxy from IAM using a certificate from a CA not in IGTF. Such a proxy will be rejected by grid services configured to support only IGTF CAs, but should IAM have refused to deal with such a proxy in the first place? Francesco answers the NGinX service in front of VOMS-AA is configured to accept both IGTF and system CAs; he will check if that is on purpose.
Finally, Petr asks whether a GGUS ticket was opened for the CAnL and GridSite maintainers to provide releases for EL10. Maarten answers he contacted the maintainers via e-mail, but received no reply, adding they had already indicated a few years ago they want to stop supporting those products. As rpms do exist for recent Fedora releases, EL10 rpms may not require a lot of work. However, whether the code actually works on EL10 remains to be seen. Petr will follow up.
Our next meeting is currently foreseen for Jan 22.