Participants: Petr, Mischa, Raul, Hannah, Brian, DaveD, Andrii, Martin, Jim, Elvin, Jeffrey, Julie, Andrea, Tom, Andrei, Federica, Roberta, Maarten, Jeny, Enrico, Derek, DavidC, John, Marcelo
Notes:
- Map file questions from Elvin and Petr
  - Almost all EOS instances use grid mapfiles to map tokens to users
  - The files are believed to be populated by querying VOMS, but it is unclear that this information actually exists there
  - All ATLAS users are mapped to atlas001; VOMS is queried for membership
  - https://github.com/ESCAPE-WP2/Utilities-and-Operations-Scripts/tree/master/iam-gridmap-sync
  - Would like to have an LCMAPS equivalent for tokens: somewhere you can send a token and get back "local account" information
  - IAM can provide a list of VO members plus some additional information, e.g. CERN PersonID
  - EOS is already using a script to get an equivalent list of users
  - The IAM endpoint will not be world readable; API credentials will be needed to read it. Client registration may need to be improved (currently open to anyone to register a new client); it currently requires manual registration via the web portal.
  - Historically EOS did not use VOMS but just used the grid map file; this is not the ideal design.
  - Could use the SciTokens library, which can already extract group information (or any attribute)
  - Exactly the same use case at RAL; DavidC will follow up with Maarten
- Merging SciTokens and WLCG profiles
  - We are 24 months in from the WLCG profile; a new RFC is out that we should check against, using standardised elements where possible
  - Open question on compute scopes: we started very coarse-grained but can now be more specific. Right time for CE developers to be asked for input.
  - A handful of things need updating in the WLCG profile
  - Should consider merging the profiles and making it truly common
  - Perhaps the name needs to be more generic and inclusive; could link with the OIDF R&E group and AEGIS
  - Need to take care with the WLCG-specific attributes; must still ensure no collision
  - Negatives
    - Impact on services that support the WLCG profile
    - Some AEGIS recommendations don't work for us, e.g. group expression
- Subjects in tokens
  - CILogon issues a username. By default it issues a pseudo-anonymous URI, but many customers want direct traceability.
  - One of the first requirements for WLCG was that the subject could be opaque and pseudo-anonymous; the important part was that it was still possible to block a malicious user (even if the site cannot know who the user is)
  - We don't have sufficient tools to get from a subject to an identity; this could be included in Maarten's discussion on the SCIM API for IAM (actually already provided to authorised clients)
  - Suggestion: hackathon on improving these tools
  - Within Fermilab, email == eppn is used, since it is guaranteed to be unique
  - Concern about data protection in the US? There does seem to be some concern for the future
  - Per-issuer unique subject (subject + issuer is globally unique)
  - An API to resolve an identity from a subject must be authenticated (registered client credentials) and authorised for identity lookup
- Shared subjects
  - Surprising use of tokens with shared subjects
  - However, robot certs are very normal
  - Client credentials and client tokens are already well used (e.g. ATLAS and CERN)
  - In IAM one can choose the client ID; more useful if human readable
  - Maybe this should be included in the profile?
  - Petr would like to use client credentials for other use cases
  - Not useful if groups and authorization are needed, since only accounts can be in groups
  - However, capabilities would probably be fine
  - Brian would discourage user group authorization for CE submission (conclusion that pilots should not use group-based auth)
- Pre-GDB
  - Still some slots left for presentations/discussions
# puppet-controlled, from per-instance templates in the "eos" module
# in particular, VO info might be duplicated between various instances
# atlas
group vomss://voms2.cern.ch:8443/voms/atlas?/atlas atlas001
# ops
group vomss://voms2.cern.ch:8443/voms/ops?/ops ops001
# overrides - controlled separately
gmf_local /etc/localgridmap.conf
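As an added illustration (not from the meeting, EOS or IAM), the Python below sketches the "LCMAPS equivalent for tokens" discussed under the map file questions: the VOMS group-to-account lines of the mapfile above become (issuer, wlcg.groups) rules, and the opaque per-issuer subject is still blockable without knowing who the user is. The issuer URL, accounts, subjects and HS256 key are constructed; real WLCG issuers sign with RS256 and publish their keys via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed rules, (issuer, wlcg.groups entry) -> local account: the token
# equivalent of the VOMS mapfile lines above (/atlas -> atlas001, /ops -> ops001).
ISSUER = "https://iam.example.org/"   # assumed issuer URL, not a real IAM instance
GROUP_MAP = {(ISSUER, "/atlas"): "atlas001", (ISSUER, "/ops"): "ops001"}
# Blocked (issuer, subject) pairs: the subject stays opaque, but it is unique per
# issuer, so a misbehaving user can be refused without knowing who they are.
BANNED = {(ISSUER, "b3c2f9c1-blocked")}
KEY = b"demo-shared-secret"           # constructed; real issuers use RS256 + JWKS
WLCG_ANY = "https://wlcg.cern.ch/jwt/v1/any"   # the WLCG profile's "any" audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = KEY) -> str:
    """Mint an HS256 JWT for the demo (HS256 only keeps the example self-contained)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def map_token(token: str, audience: str, now: int, key: bytes = KEY) -> str:
    # Verify the token first, then map it; any failure raises ValueError.
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never trust 'none'
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    c = json.loads(_unb64url(body))
    if c.get("wlcg.ver") != "1.0" or c.get("exp", 0) <= now:
        raise ValueError("wrong profile version or expired")
    aud = c.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    who = (c.get("iss"), c.get("sub"))
    if who in BANNED:
        raise ValueError("subject is blocked")
    for group in c.get("wlcg.groups", []):   # first mapped group wins, like the mapfile
        if (who[0], group) in GROUP_MAP:
            return GROUP_MAP[(who[0], group)]
    raise ValueError("no mapping for any group")
```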
Actions:
- Maarten to look into a solution for an equivalent to the current grid map generation script
- Maarten to start a thread with Brian, Elvin, DavidC, Petr and other relevant people
- Brian to send a 1-page motivation on compute scope evolution
- Hannah to do a loose workplan -> updated https://twiki.cern.ch/twiki/bin/view/LCG/WLCGAuthorizationWG#Current_Work
- @All: email Tom if you have a topic for the pre-GDB