Participants: Tom, Petr, Julie, Alison, Jim, Andrii, Roberta, John, Maarten, Ian, Jeny, Francesco, Irwin, Marcelo, Federica, Brian, Dave, Jeffrey, Douglas
Previous Actions (11th Nov):
- Schedule next meeting (not Nov 25) for FTS & Rucio (include right people, Mihai, Petr) - done
- Brian/Hannah to kick off activity for joint profile
- Hannah update grid map activities in workplan to “Mapping”
- Hannah clarify who will volunteer whilst on leave (until June 2022) - done, hi
- DaveD to help Hannah/CERN deploy htgettoken instance for testing
Notes:
- Joint Profile - will likely need to wait for Hannah to return as it requires her
- Workplan for Gridmap - Tom will check this
- htgettoken/CERN testing
- Will need to involve people for this - Hannah represented a team but only she attended
- Cannot put activities on hold
- If things need to happen will likely need to use tickets for now
- Maarten will follow up and reach out to see if there are others who can attend
- Other work at CERN
- IAM instances - continue ops and move forward, upgrades etc
- Will need a meeting between IAM developers and CERN team to introduce and share config details etc
- Maarten will organise/email on this topic
- CMS instance -
- Running smoothly
- Need to ensure relevant people know where monitoring happens and processes
- No clear urgent response person
- Not critical yet - could change rapidly, and would soon affect production jobs
- Plans to turn off legacy? Still some transition steps to happen, need to start pushing for changes to SCIM
- Token only independent of VOMS Admin Servers. Nothing in US utilises VOMS Admin API, but there are a number of other things dependent on it
- Alison updates on Echo & Castor - using old VOMS Admin. For Castor this won't change, Run 3 will use CTA. Echo will move this quarter, in flight but not complete - aiming for end of Feb
- Brian - bigger concern is no statement on whether more time is needed or not from factories. OSG will request stakeholders to sign off beginning of Feb. Not sufficient progress on CMS side.
- Most important thing is production IAM for CMS, can be more relaxed for phasing out old VOMS admin to ensure that use cases are covered.
- No external deadline, but is there a support deadline - INFN would ideally deprecate VOMS Admin/Server in favour of IAM for maintenance reasons
- Aim for end of year to show IAM as "fully grown up" - VOs switch successfully, then supposedly anyone else could too. This would enable a deadline for support
- Doug - Matrix of use cases to understand dates for switches and dependencies?
- Service will be in spotlight if in trouble. Do we need to plan tests, exercises to test this?
- New setup more vulnerable as issues would be noticed more swiftly - do we need to revise token lifetimes?
- Any IAM downtime would be very visible due to short token lifetimes - more vulnerable to incidents. Significant step from multi-day proxies.
- Fermilab uses 3 hours for access tokens, note that token lifetime falls under "guidance" and not mandatory
- Takeaway - next 6 weeks?
- Pilots - decide maximum recommended lifetime. Start at the upper end and then work and talk with all and iterate from there. Perhaps even beyond a 6 hour token to understand stability. Issues with multi-day: revocation? If no revoke, want a less-than-day timeframe.
- Lifetime is one way to reduce a token's "power"; unlike X509, you can also limit a token's scope and audience to reduce its power.
- Last week's issue took a few days - we need to avoid trouble on the grid
- What level of support can CERN handle? 4/6/8/+ hour response time, weekend/holidays?
- Is it possible to offer the same level of response as offered to SSO. Will need weekend checking.
- High-reliability infrastructure for IAM - will be needed if in production. Andrea had said planned. Francesco - some High-reliability instances in pre-prod at the moment, will need to talk to cloud about moving services to HA cluster. Then similar processes for CERN cluster, work underway.
- Storage timelines
- Tracking progress
- Lots of info in the google doc - add a table to display pertinent information, and updates on their progress.
- Can discuss as needed
- One example - Operations Portal would like access with SCIM to IAM instances to count users.
- EGI report those numbers to their funding agencies
- Francesco can look at this on IAM side
- Updates from last Rucio meeting:
- https://indico.cern.ch/event/1105648/
- Production of a document based on slides from today's meeting.
- Andrea will have left by this point. Francesco and IAM team can help with this.
- Zenodo White Paper on this topic
Actions:
- Maarten will follow up with various teams to understand handover and ongoing support.