WLCG AuthZ Call

Friday 19 Aug 2022, 15:00 → 16:00 Europe/Zurich

Previous Actions:

• Open tickets from VO Admin training from Andrea in Dec. Petr will try to ping the important ones of these for addressing

Proposed agenda:

• Token Transition Timeline cont - management board comments on v0.91
  Draft: https://docs.google.com/document/d/1djOpM2px_7xiqNX4_dMnhd4KQyF9Q0WNpIsKUXI29Oc/
• JDL/Scopes/Groups discussion & Subject for Token Issuer & list of issuers, as required/time

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

• 2nd Sept

Apologies: Tom, Hannah

Present: Dave D, David Crooks, Enrico, Francesco, Jim, John, Julie, Linda, Liz, Maarten (notes), Marcelo, Martin, Mine, Petr, Xin

Notes: (please send corrections)

Maarten shared the Google Doc timeline document sent to the WLCG Management Board and went through the few comments that were received and the small changes proposed to address them. As there were no further comments on the contents, he then proposed creating the v1.0 document starting from a copy in which all the discussed suggestions then are accepted and comments resolved. A PDF version will then be published in Zenodo and announced to our WG and the MB on Monday.

Next Petr proposed discussing a few items that are referred to in the timeline document. First he pointed out that the CERN IAM team not only needs to be sufficiently staffed, but also sufficiently experienced to be able to deal with most issues themselves, instead of having to rely a lot on the CNAF team. For example, while v1.8 will still be deployed through a combined effort, perhaps v1.9 could be deployed by the CERN team themselves? Maarten answered that the CERN and CNAF teams will continue collaborating closely, but indeed, the CERN team needs to be able to take care of business as usual and should only involve the CNAF team on occasions that are difficult to debug. The extra FTE we hope to get in the near future needs to become an expert in both IAM and the underlying Kubernetes technology. Francesco confirmed this picture.

Petr then drew our attention to the support of JWTs for authentication towards IAM itself, which may have desirable features for certain workflows, but the details were not clear from the presentation Andrea gave on Oct 14. Enrico pointed to the location where the details are documented for v1.8. Francesco added that Federica did some tests and would be able to provide further information when she is back from holidays.

Next we went through Petr's list of technical issues in IAM to be resolved before moving away from VOMS-Admin. Some of them do not appear to be showstoppers, while others are more serious and thus need to be prioritized. AUP expiration issues probably can be tolerated for a while and the proxycert API is not critical while we still have the MyProxy service. Users should be given the minimum amount of freedom in the registration process, to prevent mistakes that then have to be corrected later by experts. E-mails need to have a correct sender address, because more and more e-mail servers implement DMARC these days, as Liz pointed out. VO admins should not receive e-mails that can be handled by group managers in IAM. Suspended accounts probably should be cleaned up after ~1 year instead of 30 days, to allow for a much larger grace period when users change employers while staying in the same experiment. Yet longer retention times might run into GDPR / OC11 issues. VO admins probably should create separate accounts for VO admin activities, to avoid potentially getting very powerful tokens also for user activities. Those accounts could be linked to secondary or service accounts at CERN. The audit trail currently is insufficient. While IAM may already log all that is required, the log retention and query facilities need improvements that Hannah thinks can be accomplished soon.

Next meeting: Sep 2.