WLCG AuthZ Call

Europe/Zurich
Description

Previous Actions:

  • Action, IAM Team: Consider the possibility for a release candidate to fix DTeam permissions issues before DC24. Discussion offline and to be reported back.


Proposed agenda:


Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • 08 Feb 2024
Zoom meeting ID: 61554826915 (Zoom room for WLCG AuthZ Call)
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Present: Angela, Berk, Dave D, Dimitrios, Federica, Francesco, Julie, Linda, Maarten (notes), Matt, Roberta, Stephan

Notes:

Maarten brings up the topic of the "WLCG" VO having been advertised as a good VO to enable on production services to allow testing, while there is no good VO membership vetting process for it and we must not allow strangers to have access to our resources. He proposes that the "WLCG" IAM instance be given some sort of banner on its login page pointing out that the "WLCG" VO is for developers only. To test and/or monitor production services one can use the "dteam" VO, which after the 4 LHC experiments was the 5th VO created exactly for such purposes and has a more careful registration process. Since December, it has its own IAM instance that continues to be populated from its VOMS-Admin instance as long as the latter is still kept running. That would presumably be until the CentOS 7 EOL at the latest, but could be a lot earlier: in September there was talk of it being stopped at the end of December! Francesco replies that the IAM team will look into doing something that will not require code changes at this time.

The "dteam" IAM instance already has an FTS client for token workflows in the FTS monitoring. In setting that up, Steve Murray discovered that anonymous users can not only define client-credentials clients, but also use those to get tokens with any scopes, including the compute, storage and "fts" scopes being used in production. The quick cure was to make all those scopes restricted, as they are in the IAM instances of the LHC experiments etc. The IAM team agreed, however, that there should be no way for anonymous users to define such clients in the first place, and they produced a patch that is lined up for the next IAM release. The question is when to upgrade our various instances. After some discussion, the conclusion is that we do not need to rush this, but would certainly like the new release to become available by the second half of February, to be used e.g. for setting up IAM instances for small VOs that CERN IT needs to support. Berk explains that by that time we expect to be able to profit from improvements on the Kubernetes side that will facilitate our deployments. Federica replies that the IAM team is flexible about the release timeline and that other bugfixes and enhancements can still be included.
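The failure mode above, modelled as an added example (not INDIGO IAM code): a toy token-endpoint policy in which a dynamically registered client obtains any scope it was granted until restricted scopes are enforced, and in which anonymous registration can be switched off, as the patch does. The scope names follow the WLCG JWT profile plus "fts", and all function names are assumptions made for this model.

```python
from dataclasses import dataclass

# Production scopes named in the notes (WLCG compute/storage scopes plus "fts");
# this particular list is an assumption for the model, only set membership matters.
RESTRICTED_SCOPES = {"compute.read", "compute.modify", "compute.create",
                     "compute.cancel", "storage.read:/", "storage.modify:/",
                     "storage.create:/", "fts"}


@dataclass
class Client:
    client_id: str
    scopes: set            # scopes granted at registration
    anonymous: bool        # registered through anonymous dynamic registration
    admin_approved: bool = False


def register_client(client_id, requested_scopes, anonymous, allow_anonymous):
    """Dynamic client registration. With allow_anonymous=False (the patched
    behaviour described in the notes) anonymous requests are refused outright."""
    if anonymous and not allow_anonymous:
        raise PermissionError("anonymous client registration is disabled")
    return Client(client_id, set(requested_scopes), anonymous)


def token_scopes(client, requested, restricted):
    """Scopes a client_credentials token may carry. A scope in `restricted` is
    issued only to admin-approved clients; an empty `restricted` set reproduces
    the original misconfiguration, where any granted scope was issued."""
    requested = set(requested)
    if not requested <= client.scopes:
        raise PermissionError(f"not granted to client: {sorted(requested - client.scopes)}")
    blocked = requested & restricted
    if blocked and not client.admin_approved:
        raise PermissionError(f"restricted scopes need admin approval: {sorted(blocked)}")
    return requested


def anonymous_client_gets_fts(restricted, allow_anonymous=True):
    """True if an anonymously registered client can obtain an 'fts' token."""
    try:
        c = register_client("anon-1", ["openid", "fts", "storage.read:/"], True, allow_anonymous)
        return "fts" in token_scopes(c, ["fts"], restricted)
    except PermissionError:
        return False


if __name__ == "__main__":
    print("before:", anonymous_client_gets_fts(set()))                    # True
    print("quick cure:", anonymous_client_gets_fts(RESTRICTED_SCOPES))    # False
    print("patched:", anonymous_client_gets_fts(RESTRICTED_SCOPES, False))  # False
```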

Maarten then reminds everyone of the review of the open issues and pull requests for our common JWT profile document, whose v1.0 was published in 2019 and has become out of date in various places as well as being incomplete in several respects. In the next weeks, he intends to merge the easy PRs and close the corresponding issues, with the aim of having an updated version published by spring, which could be 1.x or 2.0 depending on backward-(in)compatibility.

The next meeting is foreseen for Feb 8.
