Participants: Andrea, Andrii, Dave D, Dave K, Federica, Irwin, Jeff, Jeny, Jim, Julie, Linda, Maarten, Marcelo, Mischa, Petr, Tom
Notes:
- Subgroups within a VO
  - the "fermilab" VO comprises a number of independent projects
    - those projects need to be distinguished e.g. for accounting
    - and some sites only want to support a few, not all of them
  - IAM supports such use cases via optional groups
    - a single issuer can thus support multiple projects
    - a client just has to ask for the desired group(s)
    - they are returned in their own claim, irrespective of any capabilities
    - groups and capabilities have to be requested separately
  - on the roadmap for CILogon
  - there are such multi-tenant instances at STFC and for the INFN cloud
    - the STFC instance has multiple groups with different managers for different projects
      - 1 issuer handles them all
    - the INFN cloud instance has 2 hierarchies of groups
      - one for infrastructure management
      - one for collaborations
  - there may be some rough edges still
    - e.g. automatic, optional group membership expiration is on the to-do list
- VOMS-Admin API use cases
  - the SCIM API will need to be used at least for extended queries
    - e.g. groups, certificates, suspensions
  - clients must be registered because such information is sensitive
    - explicit registrations are good, provided their numbers are sustainable
      - OK for central VO services like Rucio
      - 1 per site (if needed for some use case) would also be tolerable
    - the client registration request workflow could be enhanced if needed
  - the ESCAPE project found their Rucio not being updated with new users
    - their IAM client was not prepared for pagination of the returned list of users
  - ATLAS AMI service experts ran into the CERN HR ID not being exposed yet
  - meetings will be organized with GGUS and Operations Portal devs at some point
  - so far there does not seem to be a clear requirement for a "mkgridmap" service
    - to be assessed further in the coming months
- Token renewal workflows
  - a requirements document would be desirable
    - we then can see which tools can cover which use cases
    - examples include SAM ETF and VOboxes
  - these matters are expected to be discussed during the hackathon next week
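The ESCAPE/Rucio item above (an IAM client that only ever saw the first page of the SCIM user list) as an added example, not code from IAM, Rucio or the meeting: a stand-in for the SCIM /Users endpoint serving a constructed directory of 250 users with an assumed page cap of 100, beside the naive one-request client and a client that follows startIndex/itemsPerPage/totalResults to the end. The endpoint shape, the cap and the user records are assumptions.

```python
# SCIM 2.0 ListResponse pagination (RFC 7644 section 3.4.2.4):
# a client that trusts one response silently misses users beyond the first page.
from typing import Iterator

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SERVER_MAX_COUNT = 100   # assumed server-side cap on the "count" parameter
# Constructed directory: 250 users, more than a single page can hold.
USERS = [{"id": f"uuid-{i:04d}", "userName": f"user{i:04d}"} for i in range(250)]


def scim_users_page(start_index: int = 1, count: int = SERVER_MAX_COUNT) -> dict:
    """Stand-in for GET /scim/Users?startIndex=..&count=.. (assumed endpoint).
    startIndex is 1-based; the server silently clamps count to its maximum."""
    count = max(0, min(count, SERVER_MAX_COUNT))
    start = max(start_index, 1) - 1
    page = USERS[start:start + count]
    return {"schemas": [SCIM_LIST], "totalResults": len(USERS),
            "startIndex": start + 1, "itemsPerPage": len(page), "Resources": page}


def naive_user_ids(page_size: int = 1000) -> list[str]:
    """The buggy pattern: one request, assume Resources holds everyone."""
    return [u["id"] for u in scim_users_page(1, page_size)["Resources"]]


def iter_all_users(page_size: int = SERVER_MAX_COUNT) -> Iterator[dict]:
    """Advance startIndex by itemsPerPage until totalResults is exhausted.
    Also stops on an empty page, so a misreported totalResults cannot loop forever."""
    start = 1
    while True:
        resp = scim_users_page(start, page_size)
        if resp.get("schemas") != [SCIM_LIST]:
            raise ValueError("not a SCIM ListResponse")
        resources = resp.get("Resources", [])
        if not resources:
            return
        yield from resources
        start = resp["startIndex"] + resp["itemsPerPage"]
        if start > resp["totalResults"]:
            return


def all_user_ids() -> list[str]:
    """Every user id in the directory, collected page by page."""
    return [u["id"] for u in iter_all_users()]


if __name__ == "__main__":
    print(len(naive_user_ids()), "users seen by the naive client")
    print(len(all_user_ids()), "users seen by the paginating client")
```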
Actions:
- Maarten to update the token transition document, resolving comments etc.