Dave: CILogon will be used for many experiments instead of INDIGO-IAM
Support WLCG Common profile
Probably no additional plugins needed
Doug: Client workflows need to foresee that AT will timeout in long downloads
Yes, needs to be part of the workflow
Mario: Multiple Token Issuers possible? E.g. Cloud providers?
Probably difficult,
Petr: Cloud storage won't support the WLCG Token profile - It's a different thing
Mark: How much development work is it?
Extensive, will span the entire architecture, require changes in almost all components
Stefan: Possible to make token scope limitation decisions outside of Rucio and remove that burden from the DDM?
In terms of data embargos probably different, since the knowledge of the DDM system is needed to make the decision
For some communities this might be possible though
Dave: Every time you need to refresh a token it takes a user to do something in the web browser
Look at htgettoken (vault server) for integration
Makes it much easier for the user (Management of refresh tokens)
Maithili: What about macaroons?
and users without a Rucio account
Macaroons could be a good option to give non-users a quick and easy way to access data
We would need to look into it in detail and collect these use cases
Steve: Dual X509 and Token deployment will probably be needed for many communities
But also lots of ways to do this wrong
Brandon: Some communities do want to read data from each others infrastructure
Possible way to foresee this in the token workflows?
Paul: If things need clarification in the Token document, please let us know
e.g. can storage.create scoped tokens retrieve checksums?
Paul: Advantages of Macaroons
You can modify the tokens on the Rucio server side without having to do all the round-trips
Gareth: DIRAC token workflows
This would have to be checked together with DIRAC team
Dave: Figures in the slides suggest that the rucio client itself requests AT for the user
Martin: This is not the case, it's just simplified on the figure. User will request/provide AT to the clients, the clients will just use whatever is provided
Doug: Where will the common testing of the functionality be done?
Probably mostly in WLCG BDT
What about non-WLCG communities?
Needs to be discussed
16:40 → 16:55 Community News & DevOps roundtable (15m)
ATLAS
CMS
Fermilab/DUNE/Icarus/...
Transfers failing at DUNE
Belle II
DIRAC
PR merged - in which release?
ESCAPE
CoreDNS issues for both ATLAS and ESCAPE
Seems to be fixed
--> Update CoreDNS
Radu saw some emails for ATLAS, but not very recently
List of daemons only able to run 1 instance? Not available in doc
SKAO
Token flow integration -> Some issues with poller/finisher