WLCG AuthZ Call
Previous Actions:
- All to send high priority issues to the mailing list -> Enrico to create board for 1.11 release including those issues (not experiment specific but specifying initial requestor)
- Next call to focus on JWT Common Profile improvements for v 2.0
- Maarten to send email to working groups to ask for consensus on v 2.0 profile (allows developers to progress)
Proposed agenda:
- Token profile PRs and open issues
- CHEP Talk: https://cernbox.cern.ch/s/pHZJQssclXZJ2PD
WLCG transition from X.509 to Tokens: Progress and Outlook
Since 2017, the Worldwide LHC Computing Grid (WLCG) has been working towards enabling token-based authentication and authorization throughout its entire middleware stack.
Taking guidance from the WLCG Token Transition Timeline, published in 2022, substantial progress has been achieved not only in making middleware compatible with the use of tokens, but also in understanding the limitations of the WLCG Common JWT Profiles, first published in 2019. Significant scalability experience has been gained from Data Challenge 2024, during which millions of files were transferred with only tokens used as credentials.
Besides describing the state of affairs in the transition to tokens, revisions to the WLCG token profile, and the evolving roadmaps, this contribution also covers the corresponding transition from VOMS-Admin to INDIGO-IAM services, with continuing improvements in terms of functionality as well as deployment.
Next Meeting:
- 26 Sept 2024
Present: John SDS, Tom Dack (minutes), Dave Dykstra, Hannah Short, Berk Balci, Dave Kelsey, Federica Agostini, Linda C, Enrico V, Roberta M, Mine AC
Apologies: Maarten L (first half), Hannah Short (second half)
Berk raises:
- 1.10.1 of IAM has been released.
- CERN instances have been updated - auto group enrollment has been added, and configured for LHC VOs
- HA-rollout
- Turning on HA mode in Kubernetes infrastructure
- This week was the second phase. Some VOs were already set up, and this week ALICE and other small VOs were rolled out
- Not a full test as Kubernetes is not in production, but testing is looking fine
- Promising results mean the rollout for LHCb, CMS and ATLAS has been moved to early October
- John thanks the work of Berk and the team for being fast on setting this up
Enrico raises:
- Current work area
- Facing issues on aligning the membership expiration time with the value held in the HR DB
- This will likely be part of a future update, and will be prioritised if necessary
- Ongoing discussion - should not provide more information than necessary
- Dedicated effort on this, aiming to not need any DB migrations or other changes
- Need to define the authoritative source, and whether grace periods are needed or not
- Enrico shares that he would prefer to avoid grace periods where possible
- Will provide fixes for this and aim to provide a friendly solution to those who are responsible for user management
Tom raises:
- APEL Token integration
- The APEL dev team at RAL has had a backlog of work to be worked through, but are aware of the need for token integration
- The team operates on bi-monthly development cycles, and will look to schedule initial work on token support for October, once the HEPScore rollout is complete - targeting end of September/early October
- Tom is now team lead for this activity, and will liaise between the AuthZ group and APEL and support the work
CHEP notes:
- Hannah and Berk have added slides for their areas
- Tom will look to pull things together over the next weeks
- Enrico mentions that there will be a development presentation, and so we should make sure that things link in there
- Any comments and suggestions are welcome.
Indigo IAM Hackathon Registration