WLCG AuthZ Call
Previous Actions:
- Open tickets from VO Admin training from Andrea in Dec. Petr will try to ping the important ones of these for addressing
Proposed agenda:
- Token Transition Timeline cont.
Draft: https://docs.google.com/document/d/1Fv9LPZTKgg1Tn4pv06fvpj8EbakBEGw8Gu4VReq8OZ4/ - JDL/Scopes/Groups discussion & Subject for Token Issuer & list of issuers, as required/time
Zoom meeting:
Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Next Meeting:
- 19th Aug
WLCG AuthZ Call
- Zoom Meeting ID
- 61554826915
- Description
- Zoom room for WLCG AuthZ Call
- Host
- Tom Dack
- Alternative hosts
- Maarten Litmaath, Hannah Short
- Useful links
- Join via phone
- Zoom URL
-
Apologies: Tom, Linda, Dave D, Brian B
Present: David Crooks, Enrico, Jeny, Jim, Julie, Liz, Maarten (notes), Marcelo, Martin, Mine, Thomas
Notes: (please send corrections)
Mine asked for clarification of the proposed new timeline, in particular w.r.t. the support of the VOMS service beyond the EL7 EOL (June 2024), as there may well be some experiments at FNAL whose users will still need to use VOMS proxies by that time to access services e.g. in Europe.
Maarten first sketched what the new timeline is about and why we need to do this at an awkward time when many people are on holidays. We need v1.0 of the timeline document to be:
- sufficiently readable for people outside our WG,
- technically possible, and
- optimistic about what is feasible by when.
The document then will serve as a reference for requesting more effort in areas where that is needed or desirable. Examples are the IAM and FTS teams at CERN. We have until the end of next week to polish it further, after which a clean copy will be made available for the WLCG Management Board to comment on during the week that follows.
We will update the document when a milestone has been achieved or needs to be adjusted, or a new one has to be added. That implies that v1.1 could already replace v1.0 this autumn.
W.r.t. the support of VOMS, Enrico then replied that Francesco had already started looking into an EL9 port, but that the matter needs to be clarified when he is back.
Maarten then asked if only VOMS or also VOMS-Admin would be needed and Mine replied that VOMS-Admin is not needed, which is a big relief.
Liz then asked how long users may need to keep depending on X509 certificates still, as this has consequences for the amount of support that should be foreseen for debugging certificate problems.
Maarten replied that users typically are the last ones to be able to switch to tokens, because all the grid services they depend on must first be made to support those tokens. That said, when for a given VO those services are in good shape, it would seem best for that VO to start profiting from tokens as early as possible, even when neighbor VOs cannot do so yet. Note that we do not just want to switch to tokens, we also want to make the user experience better: users should be bothered less often with grid authentication dialogs and the latter should also be more convenient than today. To that end, we will need to make more use of auxiliary services like Vault + htgettoken, which will also require development efforts. There we will learn from the experience at FNAL.
We postponed the topics proposed on our mailing list to the next meeting, planned for Aug 19, when we might have a quorum for them.