WLCG DOMA BDT Meeting

Europe/Zurich
Brian Paul Bockelman (University of Wisconsin Madison (US)), Maria Arsuaga Rios (CERN), Petr Vokac (Czech Technical University in Prague (CZ))
Description

Topic: WLCG DOMA BDT Meeting (twiki)

Videoconference
WLCG DOMA BDT Meeting
Zoom Meeting ID
69074333781
Host
Petr Vokac
Useful links
Join via phone
Zoom URL
    • 4:30 PM 4:40 PM
      News 10m

      Happy new year 2023, the year of the tokens for storage

      • connected mostly people from US, because today is still CERN end-of-year closure
    • 4:40 PM 4:55 PM
      Transfers with tokens 15m
      Speaker: Francesco Giacomini (INFN CNAF)

      User / group managed storage areas

      • IAM admin have full access to all VO data on all storage sites that give access to the particular issuer
      • it may be tricky to configure and use tokens for non-grid storage areas, e.g. ATLAS CERN group disk (ServiceX#507)
        • access to whole namespace with storage.read:/ can't be revoked in the subdirectories
          • OK for CMS where all users have read-only access to the all CMS data
          • no private data for users / groups - everything readable by any VO user
            • not so clear for ATLAS
            • user can change permission on EOS mounted as posix filesystem
              • revoke access to subdirs
        • site specific namespace would result in complicated IAM scope policies
          • e.g. "atlascerngroupdisk"
          • can't be fully enforced (no aud in IAM scope policy definition)
        • it may be tricky for users to understand which scopes they are allowed to use
          • e.g. storage.read:/atlascerngroupdisk/phys-higgs/ for access to root://eosatlas.cern.ch//eos/atlas/atlascerngroupdisk/phys-higgs
      • it would be easier to use wlcg.groups for storage areas mounted also as a posix filesystem
        • e.g. /eos/atlas/atlascerngroupdisk is mounted as a posix filesystem (different permission model)
        • tricky / impossible to configure same access permissions with capability
        • groups doesn't provide storage.create functionality => we can't limit damage done by rogue jobs / tokens stolen from jobs

      ATLAS XCache & tokens

      • ATLAS just prepends XCache in the URL, e.g. root://xcache.example.com:1094//root://storage.example.com/path/to/file
      • it is not clear which tokens should be used for XCache and than for final storage
        • storage.read:/root://storage.exmple.com(?)
        • different scope necessary for final storage
      • used for job stage-in => not relevant for DC24, but we should try to identify all valid and problematic cases asap
        • some xroot:// (protocol) features may not work properly without updates / improvements / changes

      Fermilab and storage access with tokens

      • jobsub_lite uses SciTokens (https://scitokens.org) to authorize users to submit jobs, write to storage, etc.
    • 4:55 PM 5:05 PM
      Tape REST access 10m
      Speaker: Mihai PATRASCOIU (CERN)
    • 5:05 PM 5:15 PM
      Packet marking 10m
      Speakers: Marian Babik (CERN), Shawn Mc Kee (University of Michigan (US))
    • 5:15 PM 5:25 PM
      WebDAV Error Message Improvement Project 10m

      Discuss with experts improvements in the error messages produced by failed transfers.

      Speaker: Stephan Lammel (Fermi National Accelerator Lab. (US))
    • 5:25 PM 5:30 PM
      AOB 5m

      WLCG JWT profile - group OR scope authorization

      • brief discussion related to the long email thread "Tokens with groups and explicit AuthZ statements" in project-lcg-authz mailing list
      • the whole email thread covers an edge case that most VOs should never face - combining scopes with wlcg.groups in one token
        • people seems not to be very concerned that e.g. dCache doesn't implement what's required by WLCG JWT profile
        • LHC experiments plans to avoid tokens that combine scopes and wlcg.groups
      • we could easily survive even if current "OR" is replaced with "implementation specific behavior"