Participants: Hannah, David, Irwin, Jeny, Jim, Julie, Mine, Marcelo, Mischa, Petr, DaveK, Andrea, Maarten, James, Enrico, Brian, Federica, Joel, DaveD
Notes:
- IAM User sync
- CMS
- In place
- Runs 2 times per day, at noon and midnight
- New job in OpenShift for CMS
- Automatically linked to SSO account
- Same script deployed for ATLAS but not active until duplicate account query is solved
- Generic attributes are used and cannot be merged
- Being looked at
- Asked to continue with sync and skip duplicates
- 7 duplicates, 20 service accounts
- Service account email can replace owner's email to avoid collision
- We need to provide client config files, i.e. rpms. Maarten normally provides rpms
- Can provide additional rpms for sites to install
- Can also create new versions of standard rpms that include new VOMS servers (IAM VOMS endpoints must be reliable)
- Safest solution, separate rpm for now during testing
- Groups Semantics
- Q on why wlcg.groups? Talked about namespacing
- Broken link
- Token Transition Timeline Comments
- In doc https://docs.google.com/document/d/11fcZU8fEsfjDiSkjh95nVr4tNXLPCA_xwr2SwriBpiw/edit#heading=h.lzdl5i6720lh
- Brian to send details for hackathon 3/4 June
- Discussion points emerging, should be discussed
- Concern about power of tokens and impact if stolen
- "You could have the long-lived vault token owned only by root, and have a root process create a short-lived one from that and store it as the unprivileged user" idea from DaveD
- David on central suspension
CMS LSC:
cat /etc/grid-security/vomsdir/cms/voms-cms-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
cat /etc/vomses/voms-cms-auth.app.cern.ch.vomses
"cms" "voms-cms-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch" "cms"
Actions:
- Andrea to enable ATLAS user sync without duplicates
- Petr to fix duplicated accounts in ATLAS
- Maarten to create new rpms for IAM VOMS endpoints (Andrea to provide endpoints, included in minutes)
- Brian to do some one-off VOMS tests with the new IAM VOMS endpoints
- Brian to remove the word VO and fix broken link
- Maarten to create a discussions doc for ongoing issues