WLCG AuthZ Call

Thursday 1 Apr 2021, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Discussions:
  • Capability Sets
    •  https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/10
  • Bearer Token comment raised on Security of token provisioning
    • https://github.com/WLCG-AuthZ-WG/bearer-token-discovery/issues/5 
  • Standardisation of CE capability requirements
    • https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/11
  • MyProxy Equivalent for tokens
  • id token claim for use by vault with kerberos (Dave, Andrea, Hannah)
  • VOMS Migration Strategy

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188

Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>

Participants: DaveD, DavidC, Andrea, Petr, Jim, Linda, Jeffrey, Federica, Tom, Brian, Irwin, Julie, Brian, Maarten, Andrii, Enrico

Notes

• Capability sets
  • Generally remove the term Role
  • Discussion that roles could have been kept, unclear whether there is much value
  • Capability sets may eventually be used instead of groups, to be seen in the future
• Securing bearer tokens
  • Have already discussed that we need to think about permissions of bearer token storage
  • We can be generic in the wording and add OS specific recommendations
  • In a container environment this is a little different
  • Can we borrow from "EUGridPMA Guidelines on Private Key Protection" (https://www.eugridpma.org/guidelines/pkp/)?
  • Maybe IETF has some guidelines
• ID token claim for Kerberos principal
  • cern_kerberos_principal
• CMS Migration
  • Duplicates can be merged since no generic attributes and no possibility of conflict
  • Secondary accounts can be dropped
  • If needed we can ask for more memory in OpenShift
  • Take a backup first :)
  • Tests should be run by CMS members afterwards
  • Require LSC files, Marten or Brian W take care help@opensciencegrid.org 

Actions

• JWT Doc
  • Hannah: clarify what a VOMS role is as a footnote
  • Andrea: Provide example of error handling based on missing group
  • Brian to revisit https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/2/files
• Bearer Token Doc
  • Hannah check whether Guidelines on key protection (from EUGridPMA) can apply and add reference if so
  • Hannah check whether IETF has bearer token protection guidelines
  • Andrea add Linux example for token protection
• IAM
  • Andrea to enable propagation of kerberos principal to Vault
  • Andrea to plan CMS migration and Hannah and Andrea to run next week