Apologies: Tom Dack

Present: Dave D, Dave K, Federica, Francesco, Hannah, Jeff, Jim, Julie, Linda, Maarten, Max, Roberta, Stefano

Notes:   (please send corrections)

Hannah briefly summarized the main points of a meeting between CERN IT and the IAM devs that took place on Wed:

• the IAM instances for ALICE and LHCb will be redone starting from a shared configuration
  • when it works for those VOs, ATLAS and CMS will follow eventually
• the IAM team at CERN will be more active again and is also expected to get more effort
• there were other actions agreed as well

Francesco added:

• we will deploy the new IAM release on the WLCG instance in the next days
• if it looks OK there, it will be used for ALICE and LHCb
  • ATLAS and CMS will follow at some point

Maarten added:

• we also spent a lot of time discussing the VOMS importer

Francesco:

• we continue improving it

We then started discussing some aspects of extending compute tokens with additional scopes. First, Stefano summarized the WIP partly sketched here. The question is how to convey by means of a token that the user is entitled to run on a particular resource, use a particular HW accelerator etc.

• An authZ token convention would be desirable.
• It should allow a convenient, corresponding configuration of the CE.

The hierarchical fair-share example documented on the aforementioned page shows how one could go about that today. The advantage of wlcg.groups is that its contents are ordered, whereas scopes are unordered and one would thus have to check all elements for the existence of a particular property, which is cumbersome. Maarten expressed concerns about putting too much knowledge into tokens, when rather JDL attributes should be used to indicate what resources the user expects for a given job. Stefano answered that the routing of jobs is based on authZ aspects as well as the JDL. Max agreed that decisions on what the user is allowed to do are already taken in the authZ layer and the JDL is applied later. Maarten concluded we need more AuthZ WG members to join this discussion, e.g. in the next meeting.