WLCG AuthZ Call

Thursday 2 Apr 2020, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Schedules for CMS IAM instance
• Follow up Client Tools Technical Investigation
• Group membership in schema discussion (see emails)

Call details (assuming Vidyo does not work):

Topic: WLCG Call

Time: Apr 2, 2020 03:00 PM Zurich

Join Zoom Meeting
https://cern.zoom.us/j/209171638

Meeting ID: 209 171 638

One tap mobile
+41432107108,,209171638# Switzerland
+41315280988,,209171638# Switzerland

Dial by your location
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +41 43 210 70 42 Switzerland
        +33 7 5678 4048 France
        +33 1 7037 2246 France
        +33 1 7037 9729 France
Meeting ID: 209 171 638
Find your local number: https://cern.zoom.us/u/alblAtfty

Join by SIP
209171638@188.185.71.219

Join by H.323
188.185.71.219
Meeting ID: 209 171 638
 

Attendees: Hannah, Brian, IanC, Mischa, Andrea, DavidC, Tom, Nicolas, Julie, Linda, Mine, Irwin, DaveK, Burt, Will

Notes:

• CMS IAM
  • CMS IAM instance being set up at CERN
    • IAM on Openshift, with NGINX in front 
    • DB from CERN's DB on demand
    • HR DB API also running on Openshift 
  • Aim to complete by end of April
  • https://cms-auth.web.cern.ch
  • Openshift Project already set up 
  • Jira project https://its.cern.ch/jira/projects/WLCGTOKENS 
  • TO DO
    • Much later can decide on external DNS load balancers to rename endpoints
    • CERN SSO integration
    • Monitoring and logs to Elastic Search in progress
    • Need Grid host cert on VOMS endpoint but currently blocked by CA policy (and technical limitations) on Openshift
  • Currently IAM only integrates with VOMS 3 and not VOMS 2 due to bug
  • We are going to need to do training with VOMS maintainers (possibly in May)
    • Andrea has some documentation already
    • Need to understand what they are expected to do? Register? Migration? Large scale onboarding? 
  • AUP: WLCG already using the WISE AUP, we can just point people to this
  • Currently CMS users link their DN to their CERN account, can we get the DN directly into CMS IAM?
    • Unfortunately seems that people really still need a CERN account and cannot fully use Federated Identity
• Client Tools Technical Investigation
  • Ask all to read through and comment
  • Policy requirements should lead discussion
  • Ask DavidG if there are any (generic) guidelines for public vs private clients etc
    • https://www.eugridpma.org/guidelines/trustedstores/
    • https://www.eugridpma.org/guidelines/aaops/
  • This tool should be relevant for both WLCG and CERN, involve more CERN members
• Groups in WLCG Schema
  • Paul M raised Qs about group membership in profile, expression and request
  • Should clients enforce hierarchical structuring of groups? 
    • Andrea's opinion, should keep simple to allow use of generic libraries etc 
      • Prefers that groups are matched on string matching only
    • Brian prefers the logic in the clients (but it does get complicated outside a flat hierarchy scenario) 
  • Could implement group hierarchy knowledge in IAM 
  • Either way there is not much hierarchy going on in WLCG so this is low risk
  • Summary: suggest that token issuers do hierarchical group membership, relying parties must only use groups asserted in tokens (no calculations) and only use standard scope style string matching (plus remove VOMS-like text from schema)

Actions:

• Next time just publish one video conference details :) 
• Ask all to comment on Client Tools
• Ask DavidG for any guidelines on public vs private clients etc