WLCG AuthZ Call

Europe/Zurich
Description

Previous Actions:

  • A pull request to be opened to implement prototype/experimental token renew descriptions, from 23/03: https://indico.cern.ch/event/1262265/
  • Ticket handling, and ticket disappeared due to auto-cleanup - to be followed up offline


Proposed agenda:

  • CHEP Recap and Paper
  • Issuer information in tokens

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • TBC

Zoom Meeting ID: 61554826915
Description: Zoom room for WLCG AuthZ Call
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Present: Tom D (notes), Linda C, Dave D, Maarten L, Julie M, Martin B, Petr V, Enrico V, Roberta M, Andrei T, Mischa S, Alexandre FB, Francesco G

Apologies: 

 

Previous Actions:

  • A pull request to be opened to implement prototype/experimental token renew descriptions, from 23/03: https://indico.cern.ch/event/1262265/
    • Dropped, as it has been decided to move away from this
    • Making a shell for renewal
    • Potential for a user-level SystemD service to get a token for a user
      • Doesn't need to do anything special/things in parallel
      • A simple user-level solution may be simpler
  • Ticket handling, and ticket disappeared due to auto-cleanup - to be followed up offline


Proposed agenda:

  • CHEP Recap and Paper
  • Issuer/VO information in tokens

Discussions:

  • IAM 1.8.2 release for CERN?
    • IAM 1.8.2 was released last week
    • To follow up with upgrade - allow the IAM dev team access to support upgrades, to be discussed with Berk
    • This will allow the IAM team to help sort operational issues
    • To follow up with Hannah after her leave
    • Petr to email/open ticket to look at in the future
  • Token Rates
    • Seeing a lot of improvements through improved configurations
      • Token rates up from 100 Hz to 600 Hz
      • CNAF team looking at DB improvements and methods to avoid the DB (i.e. not storing access tokens)
    • High rates are possible - and directly connected to the lifetime of a token
      • However, services should consider the effects of downtimes - can your service survive an hour's outage if it happens?
      • Lifetimes can help reduce rates for some scenarios
    • Understanding how rates and lifetimes link through testing to Rucio and FTS
      • A note from Martin - not always connected to lifetimes. If your tokens are fine-grained, then you will have much higher token rates
      • Could have more generic create/read tokens, but modify/delete will need to be more specific and fine grained
    • Big step away from X.509 VOMS proxies - directly confronted by the type of credential needed for a specific option, no longer "the" credential
    • Can reduce the power by splitting on tasks
    • Focus is tuning, and understanding tolerance on service side should there be a glitch
    • Want to avoid causing more operational issues through use of tokens - the intention is that operations must profit from tokens
    • Aim to converge soon on something feasible for DC24