WLCG AuthZ Call


Previous Actions:


Proposed agenda:

  • Review Previous Actions
  • Authorization Logic for Storage
    • Handling multiple groups
    • Recap of when groups and scopes are present
  • Future of Host Certificates
    • Potential need for a dedicated meeting
    • Is IGTF Certification still needed?
    • Fermilab issues with host cert provider
      • Can non-IGTF CAs be used for host/service Certs if CA goes down?
      • What is the status of host certs after the switch? Are there plans for this?

 

 

Next Meeting: 

  • 10 February
Present: Linda C, Tom D (Minutes), Angela C-B, Dimitrios C, Martin B, Mine AC, Maarten L, Christophe H, Petr V, David C, Stefano DP, Francesco G, Julie M, Roberta M, Dave K, Sven G, Max F, Dave D, Dmitry L
Apologies: John SDS

 

Previous Actions:


Proposed agenda:

  • Review Previous Actions
  • Authorization Logic for Storage
    • Handling multiple groups
      • Same behaviour as VOMS attributes
      • Top group takes priority for writing, but all groups need to be checked for reading
      • A feature will be required for re-ordering groups to select the priority
    • Recap of when groups and scopes are present
      • Implementation defined: if both are there, scopes take priority, otherwise groups will be used.
      • Capabilities are more precise, and help improve predictability
      • Flexibility required for transition. This was evident in dCache concerns around the use of a logical OR in the profile. In practice, the full power of an OR is not required: it is expected that VOs will be configured either one way or the other, rather than using both methods
      • Groups are the easier transition as they align with the existing VOMS authorisation, just using a different front-end authentication. Capabilities will require changes to the authorisation logic.
      • Whilst a hybrid setup is possible, it is not likely to be implemented in practice
      • Not understood to be urgent, but people should be aware that this is not reflected in the current profile: a PR is required, as the existing one does not reflect the final conclusions
      • This makes sense for the Fermilab setup
  • Future of Host Certificates
    • Potential need for a dedicated meeting
    • Is IGTF Certification still needed?
      • Useful for having a trustworthy manner to authenticate users; however, with users now being authenticated via IAM, is the IGTF CA needed for host certificates?
      • This work is being looked at by the Research Trust Evolution Taskforce, led by Maarten and David C, but has been somewhat put on hold by other priorities. Have been reminded by the management board on this too
      • RTE got to producing a suite of use cases which were being explored, particularly noting the cloud use cases
      • Discussions have been had at GridPMA meetings on what assurance is needed for host certificates: different levels are needed for different tasks
      • Splitting the trust stores needed for authentication from those needed for securing transport
      • Design towards a token-based solution, rather than what is required right now
      • Topic is of particular importance to Fermilab, and Mine expressed an interest in joining these discussions
      • The aim is to pull apart existing certificate rules, and separate host and user certificates
      • Aims to minimize the development effort needed in this work, to focus on the required aspects only
      • Potential for a targeted meeting focusing on a specific use case, before the next GDB, so that more progress can be made
      • Something made easier for the services today results in something easier for the users; need to work out what can be done at this stage
      • On the topic of dates: the next EUGridPMA meeting is in early February, and so a meeting prior to that would help keep things moving so ideas can be traded between the two; provisionally on the 1st February
      • A technical roadmap would help solidify the work, and push things forward
      • Doodle for next RTE TF meeting: https://doodle.com/meeting/participate/id/dNOL2Eze/vote
        Current top voted slot clashes with the DOMA meeting.
        Maarten will email the AuthZ WG list to invite more people to join this discussion
      • Further discussions to be had at the RTE TF include trust in other areas, including cloud, network, etc. Certificate usage is the first stepping stone here, which needs a more urgent solution
      • IGTF is not just tied to certificates, and so something to consider the trust of tokens could be implemented down the line
      • Whatever is done needs to be appropriate, and the community 
    • Fermilab issues with host cert provider
      • Concerns around the provider being down for 2 months already, and the need to understand a short-term answer if the service goes down completely
      • Can non-IGTF CAs be used for host/service certs if the CA goes down?
      • What is the status of host certs after the switch? Are there plans for this?
  • Some of the previous discussion points can look to move forward, due to a number of notable factors:
    • New CERN starter at the beginning of Feb
    • IAM hackathon 9/10 Feb
  • Fermilab kicking off token transition on 1st Feb
    • Some cases certificates will be sent with the tokens, and the endpoints can use either as required
    • Full transition due to be migrated by May
    • Data management is waiting on FTS, Rucio and XRootD - for these cases, Fermilab will wait and stick to the WLCG timeline to remain compatible
      • FTS team due to have an extra FTE in Feb
    • FTS had a successful token exchange with CILogon earlier this week
  • Stefano: Condor CE version working with version 10.2.1
    • Latest version installed, but has not yet found a Condor CE working with that version
    • Would like to experiment with EGI tokens, any news?
    • Maarten: nothing new on EGI tokens, but has seen some messages emailed through; this is an area to be worked on
    • Maarten suggested asking this to the Condor user list, but that has not resulted in answers thus far
    • Look to set up a test instance on the CERN openstack, so as to provide resources for the CheckIn developers to try things out
    • Stefano to write an email to look to identify parties interested in working on this
    • Maarten expresses concerns for this area, noting that this needs demonstration asap, and that it has not been seen so far
    • Petr asks if the status of this integration can be questioned, to find out when the release can be done
    • Seems unwise to have end of life without token features in place
  • Petr: the Atlas IAM instance didn't work properly and was rolled back to 1.7
    • General question about IAM release cycle: previously there was ~1 year between 1.7 and 1.8. This slow release schedule means that small issues may be discovered when transition happens, and will likely require a faster release schedule
    • For the upgrade - was due to a small mistake, and Hannah will likely be able to update. The change in the health endpoint means that the health check failed, and so to be on the safe side Hannah rolled back. 
    • For release cycle: not as fast as Francesco likes. Recent discussions about 1.8.1, but the plan would be to release things as soon as they are ready and working. Not to wait for big releases, and do more regular (~monthly) releases
    • Still understaffed, and negotiations underway to dedicate more effort towards IAM
    • Maarten: is a release an expensive procedure? No
    • Could a bug be fixed in a short term release on the matter of a few days? Francesco says yes, the release process is short and lightweight, it is just the work required to get things done
    • Any requests for features and work should be requested for focus at the Hackathon
    • Petr: we'll most probably also need scope policies to include "audience"; there is not yet an IAM issue for this
      • Francesco encouraged opening one
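The storage authorization rules recorded under "Authorization Logic for Storage" above (scopes take priority over groups when both are present; with groups only, the top group decides writes while any group may grant reads), as an added Python example that is not part of the minutes or of any storage implementation. The claim names `wlcg.groups` and `scope` and the `storage.read`/`storage.create`/`storage.modify` capabilities come from the WLCG Common JWT Profile; the group-to-path policy mapping and the sample tokens are constructed for illustration.

```python
"""Storage authorization decision: capability scopes first, otherwise VOMS-style groups."""

# Capability scopes of the WLCG Common JWT Profile relevant to storage.
WRITE_CAPS = {"storage.create", "storage.modify"}
READ_CAPS = {"storage.read"} | WRITE_CAPS  # a write capability implies read access

# Constructed site policy (assumption, not from the page): group -> path prefix it owns.
POLICY = {"/cms/production": "/cms/prod", "/cms": "/cms/scratch"}


def _under(path: str, prefix: str) -> bool:
    """True if `path` is `prefix` itself or lies beneath it (directory-aware)."""
    prefix = prefix.rstrip("/") + "/"
    return (path.rstrip("/") + "/").startswith(prefix)


def authorize(token: dict, op: str, path: str, policy: dict) -> bool:
    """Decide a 'read' or 'write' request for `path` from decoded token claims."""
    if op not in ("read", "write"):
        return False
    caps = [s for s in token.get("scope", "").split() if s.startswith("storage.")]
    if caps:
        # Scopes present: they take priority and the groups are ignored entirely.
        wanted = WRITE_CAPS if op == "write" else READ_CAPS
        for cap in caps:
            name, _, prefix = cap.partition(":")
            # A capability with no path is treated as the root "/" (an assumption).
            if name in wanted and _under(path, prefix or "/"):
                return True
        return False
    groups = token.get("wlcg.groups", [])
    # Writes: only the top (first) group decides, hence the need for re-ordering.
    # Reads: every group is checked, as with VOMS attributes.
    candidates = groups[:1] if op == "write" else groups
    return any(g in policy and _under(path, policy[g]) for g in candidates)


# Constructed sample tokens (decoded claim sets, not real tokens).
TOKEN_GROUPS = {"wlcg.groups": ["/cms/production", "/cms"]}
TOKEN_REORDERED = {"wlcg.groups": ["/cms", "/cms/production"]}
TOKEN_SCOPES = {
    "wlcg.groups": ["/cms/production"],
    "scope": "storage.read:/cms storage.create:/cms/user/alice",
}

if __name__ == "__main__":
    print(authorize(TOKEN_GROUPS, "write", "/cms/prod/run1", POLICY))      # True
    print(authorize(TOKEN_REORDERED, "write", "/cms/prod/run1", POLICY))   # False
    print(authorize(TOKEN_SCOPES, "write", "/cms/prod/run1", POLICY))      # False
```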
         