WLCG AuthZ Call

Wednesday 24 Oct 2018, 15:00 → 16:30 Europe/Zurich

31/S-027 (CERN)

Proposed agenda:

1. Privacy policy update
2. VO Interviews Update
   1. LHCB
   2. ATLAS
   3. ALICE
   4. CMS
3. Pilot CERN deployment update
4. JWT Token Catalogue Document sign-off https://docs.google.com/document/d/1XQvh2dxDivUstjQaS3K6tkpLyvXlEOR4QU8YtTzDqg4/edit 
5. Schema document comments https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Outstanding Actions:

• Hannah - ping Mischa/Brian/Paul/Nicolas to clarify Qs on JWT Catalogue

• Hannah - ask Dave and Mischa how to handle this potential conflict between RCAuth providing certificate DNs vs RCAuth taking information from IdPs to generate DNs

• Romain - in Tuesday meeting ask management board on importance of keeping user records in WLCG AAI indefinitely (may also be possible to keep a subset of data that won't change?)

Attendees: Brian, Hannah, Romain, Andrea, Linda, Ioannis, David, Maarten, Mischa, Nicolas

Notes:

• Privacy Policy
  • Is stuck with HR
  • Add a comment to the privacy statement that the source of some information may vary
  • Add RCAuth as an external party with whom data is shared
• VO Interviews
  • LHCB is done - they have some specific requirements that maybe we haven't considered so far, e.g. adding authorisation within the Dirac infrastructure. Dirac is a shared tool with other users so have their own authZ. Federico Stagni is Dirac expert.
  • ATLAS - Alessandro di Salvo & Alessandro di Girolamo & Rucio folk (Mario Lassnic)
  • ALICE - Maarten & Miguel
  • CMS - Brian & he will include others (Stefano)
• Pilot deployment 
  • Ioannis for EGI-Checkin-in
    • Building some ansible scripts
    • Experimenting on the cloud
    • Will take a couple more days
    • 5 VMs, 2 for failover
    • Would like a schema for the DB since they are mocking this atm with COManage
      • Laurence Field can tell us more about the view, would need a green light from them (different credentials per experiment, different view)
      • We could test within the groups as a first step
      • Andrea could create a DB on demand instance that mocks the HR DB and could be shared by the two pilots
  • Andrea for INDIGO-IAM
    • Requested DB, in progress
    • Tried Openshift, registration in progress, some trouble to get the documentation
    • Requested openstack tenant in the meantime
• JWT Profiles 
  • We should have a more formal signoff
  • Do we *need* federation? Should clarify. Some confusion between resource servers and clients and how/whether they should be registered. It is possibly to do fully decentralised but would lose capability to do some revocation. 
  • The profiles have significant overlap, can we combine? 
  • Can we make the subject opaque (as per our requirements)? 
  • Later
    • Signoff table
    • Footnotes

Action:

• Hannah go to HR in person
• Hannah modify privacy statement for version 0.1
  • Add a comment to the privacy statement that the source of some information may vary
  • Add RCAuth as an external party with whom data is shared
• Maarten read through LHCb interview in detail
• Andrea to set up a mock HR db and share details
• Ask Paul to clarify on mailing list whether macaroons can be sent over unencrypted channels
• Andrea add text on workflows to JWT Profile
• Hannah schedule call specifically to talk about token formats (2 calls in November)