Previous Actions:
Proposed agenda:
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch or signed in here to see the meeting password!
Participants: Adeel, Alison, Andrei, Andrii, Balazs, Dave, Doug, Enrico, Francesco, Ian, Irwin, Jeny, Jim, Joao, John, Julie, Maarten (notes), Manuel, Marcelo, Matthias, Max, Mischa, Petr, Roberta, Stefano
Notes: (please send corrections)
Maarten summarized the support that can be expected for the IAM services at CERN:
- Currently not much better than 8/5
- It should improve sometime this spring, e.g. when Hannah is back
- The group hosting the services will aim for 24/7 support this year
- The CNAF devs have admin access to the instances and are automatically informed of any tickets
- HA deployment of the services is foreseen
- Functional tests at CNAF looked OK
- Scalability tests to be done
For the next few months it would be somewhat risky to rely on the IAM instances at CERN for short-lived tokens. Incidents outside working hours might not be resolved until the next business day. Token lifetimes could in principle be increased to a few days. However, there are expectations in some libraries that lifetimes are a few hours at most. We would need to make those expectations more configurable (could still be a good idea).
Dave then pointed out that we only need pilot submission tokens at this time and that those tokens do not have to come from IAM. ATLAS and CMS can set up their own pilot token providers, imitating what is already in place for LIGO. Jim agreed scitokens.org would be a good place to host the required details, already being HA and well-supported:
- For publishing the well-known endpoint, see (for example) https://github.com/scitokens/cms which publishes to https://scitokens.org/cms/.well-known/openid-configuration and https://scitokens.org/cms/oauth2/certs
- The pilot factory can use the SciTokens Python CLI to generate tokens locally: https://github.com/scitokens/scitokens
- There are scitokens rpms in EPEL.
This approach now looks like the way forward and possibly even part of the long-term solution. HTCondor CEs will just need to have more trusted issuers included in their configurations. Stefano asked for guidance beyond the ad-hoc recipes being used today. Maarten acknowledged we need to capture examples and best practices, e.g. in our Twiki area.
Actions:
- We need to get the scitokens.org issuers working for ATLAS and CMS this month.
  - Doug will follow up in ATLAS.
  - Brian to be contacted for CMS.
- HTCondor CE configuration examples, links etc. to be collected on our Twiki page.
Next meeting: Feb 17.