WLCG AuthZ Call

Name: WLCG AuthZ Call
Start: 2023-04-27T16:00:00+02:00
End: 2023-04-27T17:00:00+02:00
Location: No location set

Thursday 27 Apr 2023, 16:00 → 17:00 Europe/Zurich

Description

Previous Actions:

A pull request to be opened to implement prototype/experimental token renew descriptions, from 23/03: https://indico.cern.ch/event/1262265/

Proposed agenda:

Milestone Review and CHEP presentation
Automated token renewal for interactive users

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting:

61554826915

Zoom room for WLCG AuthZ Call

Tom Dack

Hannah Short, Maarten Litmaath

Join via phone

Hide

Present: Tom Dack (notes), Maarten L, Dave D, Dimitrios C, Alexandre FB, Petr V, Jim B, Francesco G, David K, Roberta M, Linda C, Mischa S, J G, Thomas H, Mine AC, Hannah S

Apologies: David C

Previous Actions:

A pull request to be opened to implement prototype/experimental token renew descriptions, from 23/03: https://indico.cern.ch/event/1262265/

Proposed agenda:

Milestone Review and CHEP presentation
Automated token renewal for interactive users

Notes:

Milestone Review and CHEP presentation

No notes as Tom was sharing. Comments and changes to presentation made, will be shared for final comments before CHEP
Viewer link: https://cernbox.cern.ch/s/Q8gNuBWZMr3c7uD
Please see mailing list for editor link
Technical comment from Petr:
In _my view_ IAM proxycert interface (https://indigo-iam.github.io/v/v1.8.1/docs/reference/api/proxycert-api/) developed for RCAuth could be still used to store long lived proxy and retrieve short proxies ... currently we use MyProxy (built on top of Globus libraries) for this functionality.

Previous Action & Token Renewal:

A pull request to be opened to implement prototype/experimental token renew descriptions, from 23/03: https://indico.cern.ch/event/1262265/
Previous two options:
- Tool has background refresh, the tool gets a token whenever a new one is needed
- Add to WLCG bearer token discovery, allowing it to get a token with a command when needed
- New third suggestion: Parent Shell.
  - This shell can get new tokens when needed, and perform processes as needed
  - OIDC auth done interactively when shell generated, and renews with existing vault token - works up to 7 days.
  - Combines the best of both previous ideas, whilst
  - Concept proven through other grid shell usage

AOB

Petr commenting on ticket handling, and ticket disappeared due to auto-cleanup.
- Slow ticket handling, though bug commented on by Hannah about duplicating tickets with Petr's messages
- https://ggus.eu/index.php?mode=ticket_info&ticket_id=161020
- To be followed up offline

There are minutes attached to this event. Show them.

The agenda of this meeting is empty