WLCG AuthZ Call


Proposed agenda: 

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP

Join by H.323
Meeting ID: 947 1885 7994
Password: <see email>

Participants: DaveD, DavidC, Andrea, Petr, Jim, Linda, Jeffrey, Federica, Tom, Brian, Irwin, Julie, Brian, Maarten, Andrii, Enrico


  • Capability sets
    • Generally remove the term Role
    • Discussion that roles could have been kept, unclear whether there is much value
    • Capability sets may eventually be used instead of groups, to be seen in the future
  • Securing bearer tokens
    • Have already discussed that we need to think about permissions of bearer token storage
    • We can be generic in the wording and add OS specific recommendations
    • In a container environment this is a little different
    • Can we borrow from "EUGridPMA Guidelines on Private Key Protection" (https://www.eugridpma.org/guidelines/pkp/)?
    • Maybe IETF has some guidelines
  • ID token claim for Kerberos principal
    • cern_kerberos_principal
  • CMS Migration
    • Duplicates can be merged since no generic attributes and no possibility of conflict
    • Secondary accounts can be dropped
    • If needed we can ask for more memory in OpenShift
    • Take a backup first :)
    • Tests should be run by CMS members afterwards
    • Require LSC files, Marten or Brian W take care help@opensciencegrid.org 


  • JWT Doc
  • Bearer Token Doc
    • Hannah check whether Guidelines on key protection (from EUGridPMA) can apply and add reference if so
    • Hannah check whether IETF has bearer token protection guidelines
    • Andrea add Linux example for token protection
  • IAM
    • Andrea to enable propagation of kerberos principal to Vault
    • Andrea to plan CMS migration and Hannah and Andrea to run next week
There are minutes attached to this event. Show them.
The agenda of this meeting is empty