WLCG AuthZ Call


Proposed agenda: 

  • Kick off plans for 2022
  • AOB: 

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!



Participants: Tom, Petr, Julie, Alison, Jim, Andrii, Roberta, John, Maarten, Ian, Jeny, Francesco, Irwin, Marcelo, Federica, Brian, Dave, Jeffrey, Douglas

Previous Actions (11th Nov):

  • Schedule next meeting (not Nov 25) for FTS & Rucio (include right people, Mihai, Petr) - done
  • Brian/Hannah to kick off activity for joint profile
  • Hannah update grid map activities in workplan to “Mapping”
  • Hannah clarify who will volunteer whilst on leave (until June 2022) - done, hi
  • DaveD to help Hannah/CERN deploy htgettoken instance for testing


  • Joint Profile - will likely need to wait for Hannah to return as it requires her
  • Workplan for Gridmap - Tom will check this
  • htgettoken/CERN testing
    • Will need to involve people for this - Hannah represented a team but only she attended
    • Cannot put activities on hold
    • If things need to happen will likely need to use tickets for now
    • Maarten will follow up and reach out to see if there are others who can attend
  • Other work at CERN
    • IAM instances - continue ops and move forward, upgrades etc
      • Will need a meeting between IAM developers and CERN team to introduce and share config details etc
      • Maarten will organise/email on this topic
    • CMS instance -
      • Running smoothly
      • Need to ensure relevant people know where monitoring happens and processes
      • No clear urgent response person
      • Not critical yet - could change rapidly, and would soon affect production jobs
      • Plans to turn off legacy? Still some transition steps to happen, need to start pushing for changes to SCIM
      • Token only independent of VOMS Admin Servers. Nothing in US utilises VOMS Admins API, but there are a number of other things dependent
      • Alison updates on echo & castor - using old VOMS Admin. Castor this won't change, Run 3 will use CTA. Echo will move this quarter, in flight but not complete - aiming for end of Feb
      • Brian - bigger concern is no statement on whether more time is needed or not from factories. OSG will request stakeholders to sign off beginning of Feb. Not sufficient progress on CMS side.
      • Most important thing is production IAM for CMS, can be more relaxed for phasing out old VOMS admin to ensure that use cases are covered.
      • No external deadline, but is there a support deadline - INFN would ideally deprecate VOMS Admin/Server in favour of IAM for maintenance reasons
      • Aim for end of year to show IAM as "fully grown up" - VOs switch successfully, then supposedly anyone else could too. This would enable a deadline for support
      • Doug - Matrix of use cases to understand dates for switches and dependencies?
      • Service will be in spotlight if in trouble. Do we need to plan tests, exercises to test this?
      • New setup more vulnerable as issues would be noticed more swiftly - do we need to revise token lifetimes?
      • Any IAM downtime would be very visible due to short token lifetimes - more vulnerable to incidents. Significant step from multi-day proxies.
      • Fermilab uses 3 hours for access tokens, note that token lifetime falls under "guidance" and not mandatory
  • Takeaway - next 6 weeks?
    • Pilots - decide maximum recommended lifetime. Start at the upper end and then work and talk with all and iterate from there. Perhaps even beyond a 6 hour token to understand stability. Issues with multi-day: revocation? If no revoke, want a less-than-day timeframe.
      Lifetime is one way to reduce a token's "power"; unlike X509, you can limit a token's scope and audience more to reduce the power.
    • Last week's issue took a few days - we need to avoid trouble on the grid
    • What level of support can CERN handle? 4/6/8/+ hour response time, weekend/holidays?
    • Is it possible to offer the same level of response as offered to SSO? Will need weekend checking.
    • High-reliability infrastructure for IAM - will be needed if in production. Andrea had said planned. Francesco - some High-reliability instances in pre-prod at the moment, will need to talk to cloud about moving services to HA cluster. Then similar processes for CERN cluster, work underway.
    • Storage timelines
  • Tracking progress
    • Lots of info in the Google doc - add a table to display pertinent information, and updates on their progress.
    • Can discuss as needed
    • One example - Operations Portal would like access with SCIM to IAM instances to count users.
      • EGI report those numbers to their funding agencies
    • Francesco can look at this on IAM side


  • Updates from last Rucio meeting:
    • https://indico.cern.ch/event/1105648/
    • Production of a document based on slides from today's meeting.
    • Andrea will have left by this point. Francesco and IAM team can help with this.
    • Zenodo White Paper on this topic



  • Maarten will follow up with various teams to understand handover and ongoing support.