WLCG AuthZ Call

Friday 2 Sept 2022, 15:00 → 16:00 Europe/Zurich

Previous Actions:

• Open tickets from VO Admin training from Andrea in Dec. Petr will try to ping the important ones of these for addressing

Proposed agenda:

• Token Transition Timeline cont - management board comments on v0.91
  Draft: https://docs.google.com/document/d/1djOpM2px_7xiqNX4_dMnhd4KQyF9Q0WNpIsKUXI29Oc/
• JDL/Scopes/Groups discussion & Subject for Token Issuer & list of issuers, as required/time

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

• 16th Sept

Apologies: Tom D

Present: Maarten, Hannah, Liz, Thomas H, Martin B, Dimitrios C, Mine A, Petr V, Julie, Roberta, Federica, David K, Francesco, Enrico, Douglas, Dave D, Max F

Notes: (please send corrections)

• Token Transition Timeline document has been published https://zenodo.org/record/7014668
  • A 2 year Graduate has been approved to work on WLCG IAM
  • A second Graduate has been approved for FTS and may work on integration
  • For Rucio, Dimitrios will take over as the contact (started in August) 
  • We can create a new version when there are sufficient changes
• JDL (Job Description)/Scopes/Groups discussion & Subject for Token Issuer & list of issuers
  • Not the right people in the room
  • Petr - not sure why we would need more granular functionality (this is about defining policies in IAM)
  • Compute scopes are too simplistic (comment from Brian a while ago), but unclear what they should become 
  • Thomas - how would access rights be kept in sync with local user accounts (posix)
    • Petr - it's not a problem. This will be defined by dcache devs. Normally use groups/roles rather than user mapping.
  • Discussion about how to allow legacy methods to continue to work 
• When will IAM 1.8 be available for ATLAS? CNAF is testing this week, if all ok can plan for coming weeks. Even if transparent we will publish a service intervention OTG. 
• Instances for ALICE and LHCb are in progress 
• Several development enhancements are deemed important for IAM (see https://indico.cern.ch/event/1191146/?note=207352), these weren't prioritised. Some we may be able to live with for some time, others are more urgent. Several have already been addressed.
  • Official issues should be added to IAM on Github 
  • Move to agile rollout mechanism, do releases often when a few issues are fixed
  • Q from Petr, can we skip registration and just create people when they appear in the HR DB? 
    • In some cases this is a necessary checkpoint for VO admins to perform other actions
• Did we ever try to change the IAM private key?
  • We should do this annually (?)
  • No experience so far from CNAF
  • Hannah will add to the Jira for service operations for WLCG IAM
• CHEP submission?
  • Maarten to start a thread
  • Possibly better not to be submitted from CERN
• Upcoming meetings
  • HEPiX? Still not sure but likely in Nov
  • September 15/16 Hackathon at Nikhef https://indico.nikhef.nl/event/3612/ 
    • Some online participation possible
  • October 4th to 6th EUGridPMA (at CERN) https://indico.cern.ch/event/1181342/ 
  • October 10th pre-GDB on IAM (at CERN) https://indico.cern.ch/event/1185598/ 

Actions: 

• Hannah create new Doc to understand what's missing with compute scopes
• Petr to send to the mailing list r.e. storage developers supporting https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/requirements/ 
• Petr to discuss automatic user registration with VO admins for ATLAS
• Francesco & CNAF to add issues to IAM on Github
• Maarten to start a thread on CHEP submission
• Hannah add key rotation testing to WLCG IAM Jira