WLCG AuthZ Call

Thursday 15 Apr 2021, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Announcements/Info
  • CMS user sync
• Discussions:
  • Groups semantic PR https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/2
  • WLCG Token Transition Timeline Comments https://docs.google.com/document/d/11fcZU8fEsfjDiSkjh95nVr4tNXLPCA_xwr2SwriBpiw/
     
• Parking lot
  • Standardisation of CE capability requirements https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/11
  • MyProxy Equivalent for tokens

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188

Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>

Participants: Hannah, David, Irwin, Jeny, Jim, Julie, Mine, Marcelo, Mischa, Petr, DaveK, Andrea, Maarten, James, Enrico, Brian, Federica, Joel, DaveD

Notes:

• IAM User sync
  • CMS
    • In place
    • Runs 2 times per day noon and midnight
    • New job in Openshift for CMS
    • Automatically linked to SSO account
  • Same script deployed for ATLAS but not active until duplicate account query is solved
    • Generic attributes are used and cannot be merged
    • Being looked at
    • Asked to continue with sync and skip duplicates
    • 7 duplicates, 20 service accounts
      • Service account email can replace owner's email to avoid collision
  • We need to provide client config files, i.e. rpms. Maarten normally provides rpms 
    • Can provide additional rpms for sites to install
    • Can also create new versions of standard rpms that include new VOMS servers (IAM VOMS endpoints must be reliable)
    • Safest solution, separate rpm for now during testing 
• Groups Semantics
  • Q on why wlcg.groups ? Talked about namespacing 
  • Broken link
• Token Transition Timeline Comments
  • in doc https://docs.google.com/document/d/11fcZU8fEsfjDiSkjh95nVr4tNXLPCA_xwr2SwriBpiw/edit#heading=h.lzdl5i6720lh
  • Brian to send details for hackathon 3/4 June
  • Discussion points emerging, should be discussed
    • Concern about power of tokens and impact if stolen 
    • "You could have the long-lived vault token owned only by root, and have a root process create a short lived one from that and store it as the unprivileged user" idea from DaveD
• David on central suspension

CMS LSC

cat /etc/grid-security/vomsdir/cms/voms-cms-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority

cat /etc/vomses/voms-cms-auth.app.cern.ch.vomses
"cms" "voms-cms-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch" "cms"

Actions: 

• Andrea to enable ATLAS user sync without duplicates
• Petr to fix duplicated accounts in ATLAS 
• Maarten to create new rpms for IAM VOMS endpoints (Andrea to provide endpoints, included in minutes)
• Brian to do some one-off VOMS tests with the new IAM VOMS endpoints
• Brian to remove the word VO and fix broken link
• Maarten to create a discussions doc for ongoing issues