WLCG AuthZ Call


Previous Actions:

Proposed agenda: 

  • AOB: 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • June 2nd
WLCG AuthZ Call
Zoom Meeting ID
Zoom room for WLCG AuthZ Call
Tom Dack
Useful links
Join via phone
Zoom URL

Present: Andrei T, Maarten L, Max F, Irwin G, Petr V, Adeel A, Thomas H, Jim B, John SdS, Marcelo S, Dave D, Enrico V, Federica A, Francesco G, Julie M, Roberta M, Mihai P, Lix S-K,

Apologies: Linda C, Dave K

DIRAC Update - Andrei
Been working on the topic for AAI for a while, initially in the scope of EGI Check-in
Since then has been working to work with other providers, such as WLCG IAM
Current focus is to make internal machinery able to talk with tokens alongside Certs
DIRAC clients and services soon to be talking using tokens after certification of framework changes
Next step -
Connect to external services
Token management service for longer lifetime tokens - coded, but not for immient release and needs more testing.
Tokens to be in use for user payloads, will also need to look at implementation for accessing data
Users will not see major changes.

Timeframes for Token based Job submission - should ATLAS wait and synchronise the movement to token support, or start immediately
Campaign to point to sites that some VOs are using token based submission
Need to manage deadline so that places do not put aside and forget about it. Check what CMS did and look for applications to other sites.
CMS progress: https://docs.google.com/spreadsheets/d/1P5Tvv5RorEDsUtKbsN-UuW_GanSos9Yz5dPJwD5_hJk/edit?pli=1#gid=0
ATLAS ARC-CE REST Test Results: http://novastore.farm.particle.cz/ce/arc-rest/
Ensure to coordinate proper help and resources

Maarten and Petr to follow up after meeting to look at ATLAS migration

IAM Next Version Release
This next version includes many components developed by Andrea before leaving
Plan now is to not immediately deploy at WLCG, but will be tested and deployed at CNAF
Primarily refactoring and integrating, however some changes to client side including the new client side dashboard - improved user experience.
Believed to be backwards compatible, but to be tested at CNAF to ensure this first
After this release:
Clean up issues and understand what is not closed on GitHub
Go through AARC guidelines and consider those

Petr - admin access for WLCG instance to work with/test that. Configured with WLCG schema and so more suitable for testing.

VOMS Importer
Francesco has reviewed what Petr has submitted, and hopes to finalise soon.
Independent component of the next IAM release, and can be put into production as soon as it is felt the code does the right thing.

Accounts missing within IAM, though no deletion within synchronisation. Changed UID.
To be followed up offline.

FTS & Token concerns - perhaps to present at a later time to cover questions.
Need to look with RUCIO how token exchange should go.
Last FTS/RUCIO work was about a quarter ago - time for a new one?
Doodle for timeslots - Mihai to start and send round

How to propagate tokens to jobs? GlideIn solved for CMS, built in DIRAC - is there a plan for a general purpose solution or is one needed to be invented for ATLAS. Delivery of tokens to the payload.
Could start tackling the issue at the condor workshop.
Need to understand what IAM provides.
Idea previously was Vault servers at CERN - will need to see how that changes with CERN workload once Hannah returns (next month)


There are minutes attached to this event. Show them.
The agenda of this meeting is empty