Participants: DaveD, DavidC, Andrea, Petr, Jim, Linda, Jeffrey, Federica, Tom, Brian, Irwin, Julie, Brian, Maarten, Andrii, Enrico
Notes
- Capability sets
  - Generally remove the term Role
  - Discussion that roles could have been kept; unclear whether there is much value
  - Capability sets may eventually be used instead of groups, to be seen in the future
- Securing bearer tokens
  - Have already discussed that we need to think about permissions of bearer token storage
  - We can be generic in the wording and add OS-specific recommendations
  - In a container environment this is a little different
  - Can we borrow from "EUGridPMA Guidelines on Private Key Protection" (https://www.eugridpma.org/guidelines/pkp/)?
  - Maybe IETF has some guidelines
- ID token claim for Kerberos principal
- CMS Migration
  - Duplicates can be merged since there are no generic attributes and no possibility of conflict
  - Secondary accounts can be dropped
  - If needed we can ask for more memory in OpenShift
  - Take a backup first :)
  - Tests should be run by CMS members afterwards
  - Require LSC files; Maarten or Brian W to take care via help@opensciencegrid.org
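As an illustration of the "permissions of bearer token storage" point under Securing bearer tokens, here is an added POSIX shell check (not from the meeting and not Andrea's Linux example) that a client could run before reading a token file. It assumes GNU `stat` (with a BSD `stat` fallback) and takes the token path as its argument.

```shell
#!/bin/sh
# Added example: verify that a bearer token file is stored safely before use.
# Assumes GNU coreutils stat; falls back to BSD stat format if that fails.

# Return 0 if the token file is safe to read, 1 otherwise (with a reason on stdout).
check_token_file() {
    tokfile="$1"

    # A symlink could redirect the read (or a later overwrite) elsewhere.
    if [ -L "$tokfile" ]; then
        echo "refusing: $tokfile is a symlink"; return 1
    fi
    if [ ! -f "$tokfile" ]; then
        echo "refusing: $tokfile is not a regular file"; return 1
    fi

    # Octal mode and numeric owner of the file.
    set -- $(stat -c '%a %u' "$tokfile" 2>/dev/null || stat -f '%Lp %u' "$tokfile")
    mode="$1"; owner="$2"

    # The token must belong to the user who is about to present it.
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $tokfile is owned by uid $owner, not $(id -u)"; return 1
    fi

    # No group or other bits at all: the mode must end in 00 (e.g. 600, 400).
    case "$mode" in
        *00) ;;
        *) echo "refusing: $tokfile has mode $mode (group/other bits set)"; return 1 ;;
    esac

    # The containing directory must not be world-writable unless it is sticky (/tmp-style),
    # otherwise another local user could replace the file.
    dir=$(dirname "$tokfile")
    set -- $(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    dmode="$1"
    case "$dmode" in
        1*) ;;
        *[2367]) echo "refusing: directory $dir is world-writable (mode $dmode)"; return 1 ;;
    esac
    return 0
}
```

Usage: `check_token_file /path/to/token || exit 1` before handing the file contents to a client.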
Actions
- JWT Doc
- Bearer Token Doc
  - Hannah to check whether the EUGridPMA Guidelines on key protection can apply and add a reference if so
  - Hannah to check whether IETF has bearer token protection guidelines
  - Andrea to add a Linux example for token protection
- IAM
  - Andrea to enable propagation of the Kerberos principal to Vault
  - Andrea to plan the CMS migration; Hannah and Andrea to run it next week