WLCG AuthZ Call

Thursday 10 Apr 2025, 16:00 → 17:00 Europe/Zurich

Previous Actions:

• Action: Tom to send an email to request topics and issues for discussion, and then we can plan a schedule of meetings upcoming
  • Done - initial plan to focus on Accounting & Tokens
  • Will ping for further requests
• Action: Maarten to tidy up and review open issues and pull requests for the token profile, and then circulate a potential 2.0 draft
• Action: Maarten to look at reviving the RTE Task Force

Proposed agenda:

• Token Accounting Cont.

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

• 24th April

Present: Adrian (APEL), Dave D, Dennis (NIKHEF), Enrico, Federica, Maarten (notes), Patrick (CERN IAM), Roberta, Stephan

Apologies: Berk, Dave K, David C, Hannah, Linda, Mischa, Tom

Notes:

Maarten observes we do not really have a quorum today, but we can still bring up matters for the minutes. Adrian reports that Daniela (Imperial College) expects to be able to help determine stop-gap adjustments of the APEL log parser for HTCondor CEs to deal with jobs that do not come with VOMS proxies. He also draws attention to the message Mischa sent today about the potential risk of using the wlcg.groups claim for accounting when it may be ignored in the authorization decision. Maarten replies that the ARC v7 CE also supports driving the accounting from the configuration for a given VO and that he still needs to contact the HTCondor CE developers to see what could be done to simplify the accounting for those services. Stephan points out that the ARC v7 release notes are a good reference in that matter.

Next, Enrico reports he will soon release voms-api-java v3.3.5 that allows underlying building blocks like BouncyCastle to be upgraded to versions that have certain vulnerabilities fixed. That library is used not only by VOMS, but also by dCache and StoRM. It will be announced on the UMD Release Team list etc.

Maarten then asks when the next IAM release (v1.12) can be expected? Enrico replies it currently is waiting for an important feature to be finalized and carefully tested, viz. the encryption of secrets, requiring a corresponding DB migration. He thinks the end of April could be possible. Maarten suggests the next release be done without that feature if the work needs a lot more time still, because there are some other improvements being looked forward to, e.g. the service account flag. Enrico agrees. Maarten then asks if Berk found any blocking issues with v1.11? Enrico answers that things look OK. Maarten recalls that in our previous meeting, Berk had in fact already indicated his plans for upgrading the IAM services: that looks to be the week after Easter.