WLCG AuthZ Call
Proposed agenda:
- Announcements/Info
- CMS / ATLAS user sync
- Discussions:
  - WLCG Token Transition Timeline Comments https://docs.google.com/document/d/11fcZU8fEsfjDiSkjh95nVr4tNXLPCA_xwr2SwriBpiw/
- Parking lot
  - Standardisation of CE capability requirements https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/11
  - MyProxy Equivalent for tokens
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
Participants: Andrea, Andrii, Dave D, Dave K, Federica, Irwin, Jeff, Jeny, Jim, Julie, Linda, Maarten, Marcelo, Mischa, Petr, Tom
Notes:
- Subgroups within a VO
  - the "fermilab" VO comprises a number of independent projects
    - those projects need to be distinguished e.g. for accounting
    - and some sites only want to support a few, not all of them
  - IAM supports such use cases via optional groups
    - a single issuer can thus support multiple projects
    - a client just has to ask for the desired group(s)
    - they are returned in their own claim, irrespective of any capabilities
    - groups and capabilities have to be requested separately
  - on the roadmap for CILogon
  - there are such multi-tenant instances at STFC and for the INFN cloud
    - the STFC instance has multiple groups with different managers for different projects
      - 1 issuer handles them all
    - the INFN cloud instance has 2 hierarchies of groups
      - one for infrastructure management
      - one for collaborations
    - there may be some rough edges still
      - e.g. automatic, optional group membership expiration is on the to-do list
- VOMS-Admin API use cases
  - the SCIM API will need to be used at least for extended queries
    - e.g. groups, certificates, suspensions
    - clients must be registered because such information is sensitive
      - explicit registrations are good, provided their numbers are sustainable
        - OK for central VO services like Rucio
        - 1 per site (if needed for some use case) would also be tolerable
      - the client registration request workflow could be enhanced if needed
  - the ESCAPE project found their Rucio not being updated with new users
    - their IAM client was not prepared for pagination of the returned list of users
  - ATLAS AMI service experts ran into the CERN HR ID not being exposed yet
    - will be added soon
  - meetings will be organized with GGUS and Operations Portal devs at some point
  - so far there does not seem to be a clear requirement for a "mkgridmap" service
    - to be assessed further in the coming months
- Token renewal workflows
  - a requirements document would be desirable
    - we then can see which tools can cover which use cases
  - examples include SAM ETF and VOboxes
  - these matters are expected to be discussed during the hackathon next week
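Added example (not from the meeting notes, nor from IAM or Rucio code) of the pagination pitfall recorded under VOMS-Admin API use cases: a SCIM 2.0 /Users listing client that follows startIndex/itemsPerPage as specified in RFC 7644, next to a first-page-only fetch that silently misses users. The server responses are constructed inline so it runs offline; the server-side page-size cap and the user names are assumed values.

```python
# Added example: SCIM 2.0 user listing with and without pagination handling.
# Pagination fields follow RFC 7644: startIndex is 1-based, count is the
# requested page size; the server reports totalResults and itemsPerPage.

def make_fake_scim_server(total_users, page_size_limit=3):
    """Emulate GET /scim/Users?startIndex=..&count=.. (constructed data).
    The server caps the page size at page_size_limit (assumed value), as a
    real IAM deployment may do regardless of the count the client asks for."""
    users = [{"id": f"u{i}", "userName": f"user{i}"}
             for i in range(1, total_users + 1)]

    def get_users(start_index=1, count=100):
        count = min(count, page_size_limit)
        page = users[start_index - 1:start_index - 1 + count]
        return {
            "totalResults": len(users),
            "itemsPerPage": len(page),
            "startIndex": start_index,
            "Resources": page,
        }
    return get_users


def naive_user_sync(get_users):
    """The failure mode from the notes: only the first page is ever read,
    so any user beyond the server's page size never reaches the consumer."""
    return [u["userName"] for u in get_users()["Resources"]]


def paginated_user_sync(get_users, count=100):
    """Advance startIndex by the itemsPerPage the server actually returned
    until totalResults is covered; an empty page also ends the loop so a
    misbehaving server cannot keep the sync running forever."""
    names, start = [], 1
    while True:
        resp = get_users(start_index=start, count=count)
        page = resp.get("Resources", [])
        if not page:
            break
        names.extend(u["userName"] for u in page)
        start += resp.get("itemsPerPage", len(page))
        if start > resp["totalResults"]:
            break
    return names


if __name__ == "__main__":
    server = make_fake_scim_server(total_users=7)
    print("naive    :", naive_user_sync(server))      # 3 of 7 users
    print("paginated:", paginated_user_sync(server))  # all 7 users
```

A sync job should also compare the number of users it collected against totalResults and alert on a mismatch, since a silently short list is exactly what went unnoticed in the case above.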
Actions:
- Maarten to update the token transition document, resolving comments etc.