Login

Token Trust & Tracebility WG July 2024 Call

Europe/Zurich
Token Tracebility and Traceability WG
Zoom Meeting ID
64974356171
Host
Matthew Steven Doidge
Useful links
Join via phone
Zoom URL
Hide

TTT meeting July 23rd 2024
===

Attending: Matt, Marcus, Liz-SK, Maarten, TomB, DavidC, Hannah
Apologies: DaveK, Linda, TomD

Notes taken by Matt, sometimes paraphrasing for brevity.

Actions, Previous Meeting
---
-Populate github issues.
--made a start, https://github.com/TTT-WG/TTT-WG/issues
(review later in meeting)

-CHEP
--created an issue
(again review later in meeting).


Git Issues
---
https://github.com/TTT-WG/TTT-WG/issues

Review and add to.

As an aside added a folder with the collection of meeting minutes (although the markdown formating is off)


Topics of Recent Interest
---
Risking the squeaky wheel getting the oil, but you need to start lubricating somewhere.

-Token Lifetime
Liz would like to discuss this. Some discussion that there is a difference between CMS and ATLAS.
ML - operations should rarely in hampered by events around tokens. Dependency on workflow. Follow up meetings on this after the DC, had a first meeting late June with promising developements. Alluded to in GDB presentation (link), should be news about that soon. Need to prove things are workable - mini-challenges, working at scale. What we had wasn't "up to it", no one size fits all. Profile v1 was naive, v2.0 soon.
Practical compromise between operations and security.
Aim to have the matter concluded for large scale data ops in the second half of this year. Exact handling of user workflows kicked a bit down the road (a year+). Different experiments might go at different pace.
Liz - discussion of token refersh workflow in a previous meeting. CMS went ahead and implimented one. DUNE is doing the same thing. What is atlas going for?
ML- focal point still AuthZ group for much of these discussions, but spun off other WGs.
This is a practical WG to inform policy. Provide "how-tos" that can be fed into policies. Still somewhat early days, but have some experience with tokens. Understand many of the workflows and concerns now.
We shouldn't ebe worried about differences between experiments. For example Rucio used in very different ways. Rucio of course has to be able to support all users. Atlas have (roughly) stronger requirements then CMS due to more complex workflows.
During the DC Atlas and CMS were very similar. In recent discussions rucio and dirac are on the same page. Can do this by ignoring token refresh workflows.
Liz - this wasn't a problem in the DC for CMS, if the world is moving beyond this then this could pose issues.  CMS simpler usage meant it could live with a larger scope of tokens.
ML - "showed hand too soon". (paraphrasing)
For certain user groups FTS has to have full ownership of transfer. But can have a different model with a few days long lifetime, and if in that time the FTS hasn't succeeded the FTS returns failure. The limits within the token reduce the damage that could be done  (for example removing the modify scope). FTS modified to test this model, although Summer causing some delays. Aim for functional tests early August.
Liz - now sees how meeting with FTS jives with this. Longer lifetime means no need for refresh workflow.
CMS implimented shorter lifetime with a refresh. Notes that days long transfers aren't overly rare. 
ML - we are in this together. Exact configuration will differ. But would be nice to have common ground. Need to examine the risk.
The tests in the coming month might not have postive findings.
No need to rush! VOMS is fine for a few more years.
MD - make sure we all make decisions from the same logical framework.
ML- ideally we'd be able to see the future, but as we can't we have to work things out "informing policies"


DavidC - this group well placed to speak to intersection of operations and security. Focussing on what we need to be doing on security side, impact, lifetimes etc.

Discussion of Marcus' AARC document. Talk of the existing guidence, Maarten will add link to original recommendation, but we know a lot of these figures are not implimentable, or could lead to issues. These will be adjusted for v2.0
Marcus notes the final table. Very useful.
Load on issuer as an extra "column".


-"Token Age" trust anchors
Non-IGTF CAs used by token workflows a lot more. Librariries that use tokens happy to connect to such. Oxana points out that this is technicaly an issue, which will face us more whilst we have lots of our security backed by IGTF, particularly whilst we have to live with user certificates too. Things to "sort of" work now, but hacky.
DC - useful decoupling user and host certificates, and looking at IGTF in the light of how we want our trust fabric to look and the role played by IGTF, so we have the right trust in the right places.

Updated from MS: Note that the next EUGridPMA meeting at the HTCondor Workshop in Amsterdam: https://www.eugridpma.org/meetings/2024-09/

ML - We note that this isn't likely "news" to IGTF, so there's going to planning on what IGTF looks like in the order of 5 years.
DC- Yes.
ML- restates that user certs are outgoing, but will take a while. Need to make sure tokens work for user workflows.
Liz - User token use aimed for the end of the year -(using the fermilab model, which doens't use certs anymore for DUNE et al).  CMS have a vault instance at CERN, in the process of rolling out with CRAB for users. Using CRIC as authoritative source for this, will update IAM from CRIC.
Needs to take care when users stage out job output. This makes it not so simple. Pure job submission side is simpler.
Packaging the token into the job is being worked out.

Marcus - do you have different tokens at the end of the job then the beginning?
Liz - only guessing, principal was that a token can only get "simpler", not sure if keeping to that.
ML - WLCG tokens are "you get what you got". 
Now we have tokens we can split from a single VOMS proxies mashed together to do everything. But needs to be rolled out carefully as we can't upset production.


CHEP contribution
---
Suggested format of talk will be a series of "Questions/Issues" followed by the corresponding "Answers/Recommendation" (for certain values of those terms), or our plans in this area if we have nothing.

Aim to have the "question half" of the presentation in reasonable shape for the August meeting.

-Maarten notes the short time of the talks, so not many slides.

AOB, next meeting
---
Scheduled 27th August. I'll be here, not sure if anyone else will be (RAL closed).
--a few people will be around, so seems good.

The September meeting slot is in the middle of my vacation, and the October meeting is in the middle of CHEP, so we will need to be "flexible" with meetings over the coming months (dreaded doodle polls)

But in general the 4th Tuesday is a good time.

There are minutes attached to this event. Show them.
    • 15:00 15:05
      Actions, Since Last Meeting 5m

      Last meeting:
      https://indico.cern.ch/event/1421910/

      Minutes:
      https://codimd.web.cern.ch/2ObwhJwhSiuE5JcH0aEdbw?view

    • 15:05 15:25
      Populate our git with issues 20m

      https://github.com/TTT-WG/TTT-WG

    • 15:25 15:45
      Topics from the Previous Month 20m

      Token Lifetimes.

      Trust Anchors in the token age.

    • 15:45 15:55
      CHEP submission planning 10m
    • 15:55 16:00
      AOB, next meeting 5m

      This time on the 27th of August

Powered by Indico v3.3.7-pre