WLCG AuthZ Call

Europe/Zurich
513/R-068 (CERN)

19
Description

Proposed agenda:

  • TBC - in email

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • Mar 12
Zoom room for WLCG AuthZ Call: meeting ID 61554826915; host Tom Dack; alternative hosts Hannah Short, Maarten Litmaath.

Present: Adrian (APEL), Anders, Dave D, Donald, Enrico, Federica, Francesco, Maarten (notes), Matt, Mischa, Petr, Roberta, Stephan

Notes:

Mischa proposes a topic for discussion in the near future: issues surrounding the choice of CAs used for token issuers. We have never discussed what would be acceptable CAs or policies, nor done a corresponding risk assessment. The matter came up now because of a request from the DUNE VO to have the Amazon CA added to the directory in which the IGTF CAs are deployed, so that ARC CEs can request tokens from an issuer whose server certificate is signed by that CA.

Notes added after the meeting:

  • Those tokens presumably are for data management operations.
  • ARC CE data management using tokens needs further discussion, in particular w.r.t. security implications.

Mischa will provide Maarten with further details and a dedicated meeting may then be scheduled in the course of March.

Next, Enrico summarizes the outcomes of the INDIGO IAM Community Meeting and Technical Hackathon held last week, following the timetable and the community notes linked near the top of the agenda page.

He starts by thanking the Imperial College team for organizing yet another very successful meeting in the growing series of such events, and all participants for contributing to it in various ways!

Quoting from page 11 in the INDIGO IAM Development Updates, the main ongoing developments are these:

  • Optionally no longer store access tokens on database
  • Migrate to latest Spring Security framework
  • Hash client secrets on database
  • New dashboard production ready
  • Finalize MFA support
  • Support OpenID Federation
  • Conformance with AARC BluePrint Architecture and guidelines
  • Integration with Open Policy Agent
  • Enhance observability
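
The item on hashing client secrets deserves a note on what "hash" has to mean here: if clients can register their own (possibly weak) secrets, a plain fast digest over the raw secret gives little protection against offline guessing after a DB leak, so a salted, memory-hard hash and a constant-time comparison are the safe default. The block below is an added example written for these notes, not INDIGO IAM's code, and the page does not say which algorithm or parameters IAM will use. It assumes a hypothetical stored format `scrypt$N$r$p$salt$digest`, an in-memory `ClientStore` standing in for the client table, and a lazy upgrade of legacy plaintext rows on the client's next successful authentication.

```python
import hashlib
import hmac
import os
import secrets

# scrypt parameters chosen for this example (hypothetical; the page does not
# state which algorithm or parameters IAM will use).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DIGEST_LEN = 32
SALT_LEN = 16
PREFIX = "scrypt"


def generate_client_secret() -> str:
    """Create a high-entropy secret to show to the client exactly once."""
    return secrets.token_urlsafe(32)


def hash_client_secret(secret: str, salt: bytes = None) -> str:
    """Return the string stored in the DB: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        secret.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN,
    )
    return f"{PREFIX}${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_client_secret(presented: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != PREFIX:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(
            presented.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        # Malformed record or unsupported parameters: fail closed.
        return False
    return hmac.compare_digest(candidate, expected)


# Hash of a throwaway secret, used so that a lookup for an unknown client_id
# costs the same as a failed verification (no timing oracle on client_id).
_DUMMY_HASH = hash_client_secret(secrets.token_urlsafe(32))


class ClientStore:
    """In-memory stand-in for the client table (constructed for this example).

    Values are either a hashed record (prefixed with 'scrypt$') or, for rows
    that predate the migration, the legacy plaintext secret.
    """

    def __init__(self, records):
        self.records = dict(records)

    def register(self, client_id: str) -> str:
        """Store a new client and return its one-time secret."""
        secret = generate_client_secret()
        self.records[client_id] = hash_client_secret(secret)
        return secret

    def authenticate(self, client_id: str, presented: str) -> bool:
        stored = self.records.get(client_id)
        if stored is None:
            verify_client_secret(presented, _DUMMY_HASH)
            return False
        if stored.startswith(PREFIX + "$"):
            return verify_client_secret(presented, stored)
        # Legacy plaintext row: compare in constant time, then upgrade in place
        # so the plaintext disappears from the DB on the first successful use.
        if hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8")):
            self.records[client_id] = hash_client_secret(presented)
            return True
        return False


if __name__ == "__main__":
    store = ClientStore({"legacy-client": "correct horse battery staple"})
    new_secret = store.register("new-client")
    print(store.authenticate("new-client", new_secret))                        # True
    print(store.authenticate("legacy-client", "correct horse battery staple"))  # True
    print(store.records["legacy-client"].startswith("scrypt$"))                # True
    print(store.authenticate("legacy-client", "wrong"))                        # False
```

Storing the parameters alongside the digest is what makes a later cost increase or algorithm change a per-row rehash rather than a flag day, and the dummy verification for unknown clients keeps the response time from revealing which client IDs exist.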

Regarding the option to stop storing access tokens in the DB, Donald confirms that STFC is also looking forward to it, as described in his talk.

Further testing was done by Berk, who reports his latest findings: with an IAM test instance using 9 pods he has already observed an access token rate of 1.8 kHz and further improvements are still expected with IAM >= v2.0! In particular, important performance gains are expected from the caching of very frequent queries, while optimization of the remaining DB usage will also reduce response times.

The CERN deployment and the plans for the EOSC CERN Node were presented by Anders, and IJCLab also presented their deployments and issues.

The migration to the latest Spring Security framework will be done in steps, to allow production experience to be gained gradually instead of having all changes at the same time.

The open issues that were considered for the hackathon are labeled as such in the IAM issue tracker.

Donald points out such workshop + hackathon events also are useful for service managers, who can profit from the presence of experts to get to understand their services better!

Stephan asks what the plans are for introducing OPA support. Enrico replies that the highest priority is the migration to the new framework, into which OPA support will be integrated. He adds that OPA is also very important for CTAO, who may even be able to contribute to the effort, and that it is also needed by the RI SCALE EU project in which CNAF participates. The team already have operational experience with OPA thanks to its use in StoRM. Stephan concludes that there is no schedule yet, but that significant progress is hoped for by the end of the year; Francesco confirms that view.

Maarten adds that as far as WLCG is concerned, we would like to see v1.14 released ASAP, in particular to allow ATLAS to ramp up their use of tokens in FTS workflows to 100%, followed by v2.0 being released ASAP, in particular to allow OPA functionality to become available for user workflows next year. CMS currently look to be the most advanced with plans for user workflows, but there is a good chance other experiments and VOs will discover they need quite similar, and therefore generic, functionality. Berk adds that the CERN team should be able to make significant contributions to deployment and testing of OPA, the creation of associated dashboards, etc.

Finally, Maarten reports that the first version of the token usage risk assessment in the Token Trust & Traceability WG appears to be finished and that drafting of a formal report has started, ETA sometime in April. Furthermore, the WLCG Token TF has been asked to provide a chapter on the transition to tokens for the WLCG Technical Roadmap; an advanced draft will also be circulated in the Authorization WG for comments.

Bonus: Maarten has provided the only EGI site known to us that uses HTCondor CE + Slurm with a modified version of their bespoke accounting script, so that token-only jobs are handled the way Petr has implemented it for HTCondor CE + HTCondor. If other such sites were to appear, the script would have to be generalized at some point, but we should be fine for now.
