WLCG AuthZ Call
Proposed agenda:
- Discussion: JWT usage and exchange in FTS workflows
- Workflow is described in our vCHEP paper (attached)
- Questions around...
- lifetime of refresh tokens
- whether Vault should be used instead of refresh tokens managed by the client
- Idea is to start from where we left off at the last call
- RUCIO client token workflows
- Presentation by Martin
- OAuth scope authorization management in IAM
- Andrea's presentation and demo on how access to scopes is authorized in IAM
- Andrea's presentation and demo on how access to scopes is authorized in IAM
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland
Dial by your location
+41 43 210 70 42 Switzerland
+41 43 210 71 08 Switzerland
+41 31 528 09 88 Switzerland
+33 1 7037 9729 France
+33 7 5678 4048 France
+33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4
Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188
Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>
Participants:
Andrea, Petr, Dave K., Enrico, Irwin, Martin, Julie Marsh, Linda, Jim, Roberta Miccoli, Gabriel Zachmann, Jeny, Dave D., Mine, David Crooks, Andrii Lytovchenko, Maarten, Brian
Notes:
- Discussion: JWT usage and exchange in FTS workflows
- We started from where we left off at the last call (presentation is linked in the agenda)
- Discussion on Vault becoming a bottleneck/SPOF
- Vault can be deployed in HA, and it seems very scalable from Dave's tests (250hz for a 2-core machine, but the token issuer was not touched in the testing)
- Q(Maarten): how would we manage a multi-site deployment for Vault? Would it be possible? It wasn't possible for MyProxy. To be further discussed/ understood
- Application and user-level traceability aspects would also need be discussed in a dedicated call. In the current model htgettoken/vault would use a single oauth client for different apps, need to be understood if a different approach is possible/needed depending on the use case
- Brian raised a concern about depending on an open source product that's heavily based on a single company (Hashicorp)
- RUCIO client token workflows
- Presentation by Martin (linked to the agenda)
- Currently a very privileged token, obtained out-of-band (with oidc-agent or similar tools) is used to interact with the RUCIO server and with the storages, following closely the VOMS model
- Discussion on how the token should be limited to talk to storage elements. Comment (Brian,Andrea): Token flows management is more safely implemented on the RUCIO backend than on the client
- Probably the more scalable approach for token attenuation that would limit impact on the central token issuer, is to let RUCIO (actually a library that RUCIO could use (e.g., GFAL)) exchange the VO token with a storage-issued token (aka Macaroon) that would be used for the file transfers
- Agreement that this token exchange should be discussed in a future call of this group, as it impacts development agendas on SEs, GFAL, FTS, RUCIO (Mihai and other relevant people should be invited to join)
- OAuth scope authorization management in IAM presentation
- Presentation post-poned for a future call (no time left)
Next call:
Thursday, August 26th, 15.00 CEST