Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Apologies: Tom Dack
Present: Dave D, Dave K, Federica, Francesco, Hannah, Jeff, Jim, Julie, Linda, Maarten, Max, Roberta, Stefano
Notes: (please send corrections)
Hannah briefly summarized the main points of a meeting between CERN IT and the IAM devs that took place on Wed:
We then started discussing some aspects of extending compute tokens with additional scopes. First, Stefano summarized the work in progress partly sketched here. The question is how to convey by means of a token that the user is entitled to run on a particular resource, use a particular HW accelerator, etc.
The hierarchical fair-share example documented on the aforementioned page shows how one could go about that today. The advantage of wlcg.groups is that its contents are ordered, whereas scopes are unordered, so one would have to check all elements for the existence of a particular property, which is cumbersome. Maarten expressed concerns about putting too much knowledge into tokens, when JDL attributes should rather be used to indicate what resources the user expects for a given job. Stefano answered that the routing of jobs is based on authZ aspects as well as the JDL. Max agreed that decisions on what the user is allowed to do are already taken in the authZ layer and that the JDL is applied later. Maarten concluded that we need more AuthZ WG members to join this discussion, e.g. in the next meeting.