WLCG AuthZ Call
Proposed agenda:
- Discussions:
  - Capability Sets
  - Bearer Token comment raised on Security of token provisioning
  - Standardisation of CE capability requirements
  - MyProxy Equivalent for tokens
  - ID token claim for use by Vault with Kerberos (Dave, Andrea, Hannah)
  - VOMS Migration Strategy
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
Participants: DaveD, DavidC, Andrea, Petr, Jim, Linda, Jeffrey, Federica, Tom, Brian, Irwin, Julie, Brian, Maarten, Andrii, Enrico
Notes
- Capability sets
  - Generally remove the term Role
  - Discussion that roles could have been kept; unclear whether there is much value
  - Capability sets may eventually be used instead of groups, to be seen in the future
- Securing bearer tokens
  - Have already discussed that we need to think about permissions of bearer token storage
  - We can be generic in the wording and add OS-specific recommendations
  - In a container environment this is a little different
  - Can we borrow from "EUGridPMA Guidelines on Private Key Protection" (https://www.eugridpma.org/guidelines/pkp/)?
  - Maybe IETF has some guidelines
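The Linux token-storage permission checks discussed above, as an added example that is not part of the meeting notes or of any WLCG document: it assumes Linux with GNU coreutils (stat -c), and the token value and paths are constructed for illustration.

```shell
# Constructed example: store a bearer token with owner-only permissions and
# verify a token file before trusting it. Assumes Linux with GNU coreutils
# (stat -c); the token value and paths are made up for illustration.

# store_token TOKEN PATH: write TOKEN to PATH so it is created 0600 from the
# start (umask in a subshell, so the caller's umask is untouched).
store_token() {
    (umask 077; printf '%s\n' "$1" > "$2")
}

# check_token_file PATH: return 0 only if PATH is a regular file (not a
# symlink) owned by the calling user, mode 0600 or 0400, in a directory that
# other users cannot write to (or a sticky directory such as /tmp).
# The first failed check is reported on stderr.
check_token_file() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # A symlink in a shared location could redirect reads to another file.
    [ ! -L "$f" ] || { echo "refusing symlink: $f" >&2; return 1; }
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    uid=$(id -u)
    owner=$(stat -c '%u' "$f")
    [ "$owner" = "$uid" ] || { echo "owner uid $owner, expected $uid: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode grants group/other access: $f" >&2; return 1 ;;
    esac
    dir=$(dirname "$f")
    dbits=$((0$(stat -c '%a' "$dir")))   # leading 0: parse the mode as octal
    # Group/other write bits (022) are only acceptable together with the
    # sticky bit (01000), which stops other users renaming or deleting the file.
    if [ $((dbits & 022)) -ne 0 ] && [ $((dbits & 01000)) -eq 0 ]; then
        echo "directory $dir is writable by other users" >&2
        return 1
    fi
    return 0
}
```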
- ID token claim for Kerberos principal
  - cern_kerberos_principal
- CMS Migration
  - Duplicates can be merged since there are no generic attributes and no possibility of conflict
  - Secondary accounts can be dropped
  - If needed we can ask for more memory in OpenShift
  - Take a backup first :)
  - Tests should be run by CMS members afterwards
  - Require LSC files; Maarten or Brian W to take care of this (help@opensciencegrid.org)
Actions
- JWT Doc
  - Hannah: clarify what a VOMS role is in a footnote
  - Andrea: provide an example of error handling based on a missing group
  - Brian to revisit https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/2/files
- Bearer Token Doc
  - Hannah to check whether the EUGridPMA Guidelines on Private Key Protection apply and add a reference if so
  - Hannah to check whether IETF has bearer token protection guidelines
  - Andrea to add a Linux example for token protection
- IAM
  - Andrea to enable propagation of the Kerberos principal to Vault
  - Andrea to plan the CMS migration; Hannah and Andrea to run it next week