WLCG AuthZ Call
PLEASE NOTE: New Meeting Time
Previous Actions:
- Fermilab Token Integration with Websites - Maarten to look up technical contact and follow up with Mine offline
- Anyone who else wants to offer help, please email Mine
- Tom to review meeting schedule - done.
Proposed agenda:
- WLCG Tokens extended by additional scopes - see mailing list for background conversations.
- AOB:
Zoom meeting:
Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Next Meeting:
- TBC
Apologies: Tom Dack
Present: Dave D, Dave K, Federica, Francesco, Hannah, Jeff, Jim, Julie, Linda, Maarten, Max, Roberta, Stefano
Notes: (please send corrections)
Hannah briefly summarized the main points of a meeting between CERN IT and the IAM devs that took place on Wed:
- the IAM instances for ALICE and LHCb will be redone starting from a shared configuration
- when it works for those VOs, ATLAS and CMS will follow eventually
- the IAM team at CERN will be more active again and is also expected to get more effort
- there were other actions agreed as well
Francesco added:
- we will deploy the new IAM release on the WLCG instance in the next days
- if it looks OK there, it will be used for ALICE and LHCb
- ATLAS and CMS will follow at some point
Maarten added:
- we also spent a lot of time discussing the VOMS importer
Francesco:
- we continue improving it
We then started discussing some aspects of extending compute tokens with additional scopes. First, Stefano summarized the WIP partly sketched here. The question is how to convey by means of a token that the user is entitled to run on a particular resource, use a particular HW accelerator, etc.
- An authZ token convention would be desirable.
- It should allow a convenient, corresponding configuration of the CE.
The hierarchical fair-share example documented on the aforementioned page shows how one could go about that today. The advantage of wlcg.groups is that its contents are ordered, whereas scopes are unordered and one would thus have to check all elements for the existence of a particular property, which is cumbersome. Maarten expressed concerns about putting too much knowledge into tokens, when rather JDL attributes should be used to indicate what resources the user expects for a given job. Stefano answered that the routing of jobs is based on authZ aspects as well as the JDL. Max agreed that decisions on what the user is allowed to do are already taken in the authZ layer and the JDL is applied later. Maarten concluded we need more AuthZ WG members to join this discussion, e.g. in the next meeting.
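To make the ordered-versus-unordered point concrete, here is an added example (not from the meeting or from any WLCG project code) of how a CE might read a decoded token payload: the first element of the ordered `wlcg.groups` claim is taken directly as the primary group, while the space-separated `scope` claim has to be scanned element by element. The claim names follow the WLCG Common JWT Profile; the payload contents, the group names and the choice of `compute.create` as the required capability are constructed for this illustration.

```python
"""Added example: reading wlcg.groups (ordered) and scope (unordered) from a
decoded WLCG token payload. Not part of the meeting notes or any project code.
The payload below is constructed; the CE is assumed to have already verified
the token signature, issuer, audience and expiry before looking at claims."""

from typing import List, Optional

# Constructed token payload (claim names per the WLCG Common JWT Profile).
SAMPLE_PAYLOAD = {
    "sub": "example-user",                       # constructed value
    "wlcg.ver": "1.0",
    "wlcg.groups": ["/cms", "/cms/production"],  # ordered: first entry is primary
    "scope": "compute.create compute.cancel storage.read:/cms",  # no ordering
}


def primary_group(payload: dict) -> Optional[str]:
    """wlcg.groups is an ordered list, so the first entry can be used as the
    group driving fair-share / account mapping without inspecting the rest."""
    groups = payload.get("wlcg.groups") or []
    return groups[0] if groups else None


def group_hierarchy(group: str) -> List[str]:
    """Expand a group path into its ancestors, root first, so a hierarchical
    fair-share tree can be walked: '/cms/production' -> ['/cms', '/cms/production']."""
    parts = [p for p in group.split("/") if p]
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def has_scope(payload: dict, required: str) -> bool:
    """scope is a space-separated string with no defined order, so every element
    must be examined. A path-qualified scope such as 'storage.read:/cms' is
    split on the first ':' so its name can be compared."""
    for elem in payload.get("scope", "").split():
        name = elem.split(":", 1)[0]
        if name == required:
            return True
    return False


def ce_decision(payload: dict, required_scope: str = "compute.create") -> dict:
    """Combine both checks the way a CE might: refuse when the capability scope
    is missing, otherwise report the primary group and its hierarchy."""
    if not has_scope(payload, required_scope):
        return {"allowed": False, "reason": f"missing scope {required_scope}"}
    group = primary_group(payload)
    if group is None:
        return {"allowed": False, "reason": "no wlcg.groups claim"}
    return {"allowed": True, "group": group, "hierarchy": group_hierarchy(group)}


if __name__ == "__main__":
    print(ce_decision(SAMPLE_PAYLOAD))
    print(ce_decision(dict(SAMPLE_PAYLOAD, scope="storage.read:/cms")))
```

The contrast is visible in the two helpers: `primary_group` is a single index into an ordered list, whereas `has_scope` has to walk and split every scope element because nothing in the `scope` string tells the CE where a given property would be, which is the cumbersome part noted above.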