WLCG AuthZ Call


Proposed agenda: 

  • Merging SciTokens and WLCG profiles
  • Q from Mine: subject field and token lifetimes
  • Continue Rucio & FTS workflow discussions
  • AOB: 
    • Status of security analysis of OAuth on the grid
    • Continue IAM Token Exchange discussion from October 14th

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP

Join by H.323
Meeting ID: 947 1885 7994
Password: <see email>

Participants: Petr, Mischa, Raul, Hannah, Brian, DaveD, Andrii, Martin, Jim, Elvin, Jeffrey, Julie, Andrea, Tom, Andrei, Federica, Roberta, Maarten, Jeny, Enrico, Derek, DavidC, John, Marcelo


  • Map file Qs from Elvin and Petr
    • Almost all EOS instances use grid mapfiles to map tokens to users 
    • Believe files are populated by querying VOMS, but unclear that this information actually exists there
    • All ATLAS users mapped to atlas001, VOMS is queried for membership
    • https://github.com/ESCAPE-WP2/Utilities-and-Operations-Scripts/tree/master/iam-gridmap-sync
    • Would like to have an LCMAPS equivalent for tokens, somewhere you can send token and get back "local account" information
    • IAM can provide list of VO members plus some additional information e.g. CERN PersonID
    • EOS is already using script to get equivalent list of users
    • Endpoint for IAM will not be world readable, will need to get API credentials to read. Client registration may need to be improved (currently open to anyone to register new client), currently requires manual registration via web portal.
    • Historically EOS did not use VOMS but just used the grid map file, this is not the ideal design. 
    • Could use SciTokens library, can already extract group information (or any attribute)
    • Exactly same use case at RAL, DavidC will followup with Maarten
  • Merging SciTokens and WLCG profiles
    • We are 24 months in from WLCG profile, new RFC out that we should check against and use standardised elements where possible
    • Open q on compute scopes, we started very course grained but can now be more specific. Right time for CE developers to be asked for input. 
    • A handful of things need updating in the WLCG profile
    • Should consider merging the profiles and making it truly common
    • Perhaps name needs to be more generic and inclusive, could link with OIDF R&E group and AEGIS
    • Need to take care with the WLCG specific attributes, must still ensure no collision
    • Negatives
      • Impact on services that support WLCG profile
      • Some AEGIS recommendations don't work for us, e.g. group expression
  • Subjects in tokens
    • CiLogon issues a username. By default issues a pseudo anonymous URI but many customers want direct traceability. 
    • One of first requirements for WLCG was that subject could be opaque and pseudo-anonymous - the important part was that it was still able to block a malicious user (even if the site cannot know who the user is)
    • We don't have sufficient tools to get from subject to an identity, this could be included in Maarten's discussion on SCIM API for IAM (actually already provided to authorised clients)
    • Suggestion: Hackathon on improving these tools
    • Within Fermilab use email == eppn since guarantee it is unique
    • Concern on data protection in US? There does seem to be some concern for future
    • Per issuer unique subject (subject + issuer globally unique) 
    • API to resolve identity from subject must be authenticated (registered client credentials) and authorised for identity lookup 
  • Shared subjects
    • Surprising use of tokens with shared subjects
    • However, robot certs are very normal
    • Client credentials and client tokens are well used already (e.g. ATLAS and CERN)
    • In IAM can choose client ID, more useful if human readable 
    • Maybe this should be included in the profile?
    • Petr would like to use client credentials for other use cases
      • Not useful if need groups and authorization since only accounts can be in groups
      • However, capabilities would probably be fine
      • Brian, would discourage user group authorization for CE submission (conclusion that pilots should not use group based auth)
  • Pre-GDB
    • Still some slots left for presentations/discussions

# puppet-controlled, from per-instance templates in the "eos" module
# in particular, VO info might be duplicated between various instances
# atlas
group vomss://voms2.cern.ch:8443/voms/atlas?/atlas atlas001
# ops
group vomss://voms2.cern.ch:8443/voms/ops?/ops ops001
# overrides - controlled separately
gmf_local /etc/localgridmap.conf


  • Maarten to look into a solution for an equivalent to current grid map generation script
  • Maarten to start a thread with Brian, Elvin, DavidC, Petr and other relevant people
  • Brian send 1 page motivation on compute scope evolution
  • Hannah do a loose workplan -> updated https://twiki.cern.ch/twiki/bin/view/LCG/WLCGAuthorizationWG#Current_Work 
  • @All email Tom if have a topic for the pre-GDB


There are minutes attached to this event. Show them.
The agenda of this meeting is empty