Participants:

Andrea, Petr, Dave K., Enrico, Irwin, Martin, Julie Marsh, Linda, Jim, Roberta Miccoli, Gabriel Zachmann, Jeny, Dave D., Mine, David Crooks, Andrii Lytovchenko, Maarten, Brian

Notes:

• Discussion: JWT usage and exchange in FTS workflows
  • We started from where we left off at the last call (presentation is linked in the agenda)
  • Discussion on Vault becoming a bottleneck/SPOF
    • Vault can be deployed in HA, and it seems very scalable from Dave's tests (250hz for a 2-core machine, but the token issuer was not touched in the testing)
    • Q(Maarten): how would we manage a multi-site deployment for Vault? Would it be possible? It wasn't possible for MyProxy. To be further discussed/ understood
  • Application and user-level traceability aspects would also need be discussed in a dedicated call. In the current model htgettoken/vault would use a single oauth client for different apps, need to be understood if a different approach is possible/needed depending on the use case
  • Brian raised a concern about depending on an open source product that's heavily based on a single company (Hashicorp)
• RUCIO client token workflows
  • Presentation by Martin (linked to the agenda)
  • Currently a very privileged token, obtained out-of-band (with oidc-agent or similar tools) is used to interact with the RUCIO server and with the storages, following closely the VOMS model
  • Discussion on how the token should be limited to talk to storage elements. Comment (Brian,Andrea): Token flows management is more safely implemented on the RUCIO backend than on the client
  • Probably the more scalable approach for token attenuation that would limit impact on the central token issuer, is to let  RUCIO  (actually a library that RUCIO could use (e.g., GFAL)) exchange the VO token with a storage-issued token (aka Macaroon) that would be used for the file transfers
  • Agreement that this token exchange should be discussed in a future call of this group, as it impacts development agendas on SEs, GFAL, FTS, RUCIO (Mihai and other relevant people should be invited to join)
• OAuth scope authorization management in IAM presentation
  • Presentation post-poned for a future call (no time left)

Next call:

Thursday, August 26th, 15.00 CEST