WLCG AuthZ Call

Thursday 11 Nov 2021, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Pre-GDB summary
• Group Workplan
• Discussion updating the WLCG Profile, e.g.
  • Incorporating RFC 9068 (JWT Profile for OAuth 2.0 Access Tokens) in our schema: https://www.rfc-editor.org/rfc/rfc9068
  • Merging with SciTokens
  • Defining compute scopes
  • Producing a more inclusive profile/name
• AOB: 
  • Status of security analysis of OAuth on the grid
  • Continue IAM Token Exchange discussion from October 14th

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188

Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>

Gridmap doc

Workplan

Notes WLCG AuthZ

Participants: Andrea, Andrii, Dave, Enrico, Jim, Julie, Linda, Mischa, Elvin, DaveK, Mihai, Roberta, Maarten, Jeffrey, Francesco, Brian, Mine, Petr, DavidC, Raul

Notes:

• Pre-GDB summary
  • Policy
    • We seem to be missing docs on who makes authorization decisions etc. Maybe good to start with a risk assessment
    • Discussion needs to happen within IGTF as well (raised at TAGPMA)
    • IGTF has idea of self assessment, how would this process look for a token issuer? Who are the peers and what are the criteria?
    • US labs only allowed to do some things because DoE trusts IGTF processes
    • Note, we never accredited VOMS which is a bit more parallel to the token issuer
    • Possible actions
      • Add to workplan short document on how “it” all works, what is the token issuer and who authorizes what
      • Do a trial peer review of a self assessment of a token issuer (this would be a good test)
      • We should have a compliance test suite for the WLCG JWT profile (there is already something basic)
    • Which projects could we use to fund policy work?
      • Some existing projects e.g. EC ones
      • Should keep an eye out for good opportunities
  • ARC etc
    • Need to define the division of work
  • Dedicated meetings for token based workflows (or hackathon)
  • Rucio has a conflicting meeting on Thursday afternoons
• “Token based bulk data transfer”
• Also forward compatibility with mapping (not just backwards)
• Try and spin up broader discussion with FIM4R and OIDF group and AEGIS r.e. next WLCG profile
  • Need to decide whether want to align with recent RFC
  • Moving towards a more general profile (possibly longer term)
    • Could use RFC as an excuse to get things going
  • Brian suggests starting email sending now before real work begins
  • What are we asking for from FIM4R etc? Find a way to make more broadly adoptable. Will merge WLCG and Sci-Tokens
• FIM4R Signup https://fim4r.org/contact/
• Petr: Could we have similar workflows for job submission as we have for download/upload? Yes, that’s next
• CE scopes presentation from Brian

Actions:

• Schedule next meeting (not Nov 25) for FTS & Rucio (include right people, Mihai, Petr)
• Brian/Hannah to kick off activity for joint profile
• Hannah update grid map activities in workplan to “Mapping”
• Hannah clarify who will volunteer whilst on leave (until June 2022)
• DaveD to help Hannah/CERN deploy htgettoken instance for testing