WLCG AuthZ Call

Thursday 3 Feb 2022, 15:00 → 16:00 Europe/Zurich

Previous Actions:

• Maarten will follow up with various teams to understand handover and ongoing support.

Proposed agenda: 

• Understand handover status and next steps for WLCG VOs
• AOB: 

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch or signed in here to see the meeting password!

Participants: Adeel, Alison, Andrei, Andrii, Balazs, Dave, Doug, Enrico, Francesco, Ian, Irwin, Jeny, Jim, Joao, John, Julie, Maarten (notes), Manuel, Marcelo, Matthias, Max, Mischa, Petr, Roberta, Stefano

Notes:  (please send corrections)

Maarten summarized the support that can be expected for the IAM services at CERN:

• Currently not much better than 8/5

• It should improve sometime this spring, e.g. when Hannah is back

• The group hosting the services will aim for 24/7 support this year

• The CNAF devs have admin access to the instances and are automatically informed of any tickets

• HA deployment of the services is foreseen

  • Functional tests at CNAF looked OK

  • Scalability tests to be done

For the next few months it would be somewhat risky to rely on the IAM instances at CERN for short-lived tokens. Incidents outside working hours might not be resolved until the next business day. Token lifetimes could in principle be increased to a few days. However, there are expectations in some libraries that lifetimes are a few hours at most. We would need to make those expectations more configurable (could still be a good idea).

Dave then pointed out that we only need pilot submission tokens at this time and that those tokens do not have to come from IAM. ATLAS and CMS can set up their own pilot token providers, imitating what is already in place for LIGO. Jim agreed scitokens.org would be a good place to host the required details, already being HA and well-supported:

• For publishing the well-known endpoint, see (for example) https://github.com/scitokens/cms which publishes to https://scitokens.org/cms/.well-known/openid-configuration and https://scitokens.org/cms/oauth2/certs

• The pilot factory can use the SciTokens Python CLI to generate tokens locally: https://github.com/scitokens/scitokens

• There are scitokens rpms in EPEL.

This approach now looks the way forward and possibly even part of the long-term solution. HTCondor CEs will just need to have more trusted issuers included in their configurations. Stefano asked for guidance beyond the ad-hoc recipes being used today. Maarten acknowledged we need to capture examples and best practices e.g. in our Twiki area.

Actions:

• We need to get the scitokens.org issuers working for ATLAS and CMS this month.

  • Doug will follow up in ATLAS.

  • Brian to be contacted for CMS.

• HTCondor CE configuration examples, links etc. to be collected on our Twiki page.

 

Next meeting:  Feb 17.