WLCG AuthZ WG

Attendees: Maarten, Petr, Hannah, Federica, DaveD, Berk, Patrick, Angela, Mia, Enrico, Roberta, Mischa, Matthew

Notes: 

• Accounting
• HTCondor-CE APEL accounting for jobs with tokens https://github.com/htcondor/htcondor-ce/pull/634
• Petr will submit PR and wait for HTCondor release
• This is only really for the EGI contribution part of HTCondor
• Suggestion from Maarten, we could get an rpm and ask sites to update
• Petr - it’s up to Maarten to ping the right people r.e. rpm and back porting 
• WLCG Workshop summary
• Maarten gave a (excellent) summary https://indico.cern.ch/event/1484669/timetable/#77-token-transition-overview 
• Task Force already in place to help converge on urgent decisions
• Working groups remain for “slower” topics 
• Within 1-2 years we need to be not fully dependent on certificates. Already dark clouds hanging over them. 3rd party decisions in this area is influencing us heavily (e.g. US saying no more user certificates)
• Some lively discussion. 
• FTS proposal on using tokens with Tape (already presented in Task Force) looks good to go ahead 
• Milestone on running a risk analysis of what would happen if issuer down needs to happen earlier (i.e. now). To be done in Task Force
• Hannah’s general impressions 
• long lived but tightly scoped tokens seem to be acceptable to all parties
• We should (quickly) run a simulation of what would happen if the OAuth provider went down. Based on that there may be a decision on whether to have subsidiary token issuers
• DaveD
• CILogon has shut down X.509 user certificates this month
• All Fermilab-hosted experiments are using tokens exclusively
• Also LIGO/IGWN
• Although some experiments are still using service certs from InCommon as client certs for some tasks
• Token Profile doc 2.0 for September 
• Limitations in storage claims doc raised by LHCb https://github.com/WLCG-AuthZ-WG/common-jwt-profile/issues/22. Brian, Mischa and Maarten have commented. May result in significant change, probably would not make 2.0
• Many non-trivial points raised by Paul
• Now that the US has removed user certs and using publicly trusted certs for most server/host scenarios, there is more of a push to stop using the IGTF CA bundle
• HTCondor CE are still using IGTF certs
• ARC CEs are not fully token enabled everywhere
• Let's Encrypt may be forced to remove client auth. Chrome is probably going to enforce that you cannot have both client auth and server auth in the same certificate. FYI, for the Chrome/Chromium suggested update concerning CAs, see latest EUGridPMA notes, in particular: https://sharemd.nikhef.nl/wvqt7KeiR3K5NYTPVScO-w#Fabric-updates---eKU-cleanup-initiated-by-Google-Chrome 

• and slide 8 of https://indico.nikhef.nl/event/6378/#10-igtf-fabric-updates-status

• Concern that WLCG will make decisions that will not be compatible with a joint infrastructure and make life harder for e.g. Nikhef that hosts multiple VOs
• Again clarification from Maarten that there is still a role for the Working Groups outside the Task Force (which is invite only and tasked with getting decisions made relatively quickly). 
• Request for public minutes from the Task Force meeting acknowledged for discussion in the TF
• The summary from the WLCG workshop was effectively a public report from the Task Force
• INDIGO IAM Code. When will we have the release that doesn’t store access tokens in the DB?
  • Not next release but it is ready to be tested
  • Table remains but we stop inserting access tokens. Rely on garbage collection to delete existing tokens post release 
  • General setting for INDIGO IAM (not per client)
  • Possibly production ready in the Autumn
  • Last step before moving off MitreID
• Petr flagged a security issue with scope paths and token refresh. CNAF and CERN teams both investigating. 
• Release candidate 1.12 almost ready but can do a hot fix for Petr’s issue 
• Berk is working on changing the time between the deployments (issue of multiple clusters coming up at exactly the same time). 
• CNAF held Italian wide course on OAuth, OIDC and INDIGO IAM etc. Enrico offers to create something similar for wider use
  • Maybe overlap with the Authentication lecture that Tom gives at the Security CERN School of Computing
  • Can be made available as a pdf 
• Comment from Petr. Dave, what are the plans with individual Fermilab experiments? Currently HTCondor-CE classad contains e.g. for NoVA
  • x509UserProxyFirstFQAN = "/fermilab/nova/Role=pilot/Capability=NULL"
  • but once you move completely to tokens, it'll not be possible to distinguish individual Fermilab experiments just with 
  • AuthTokenGroups = "/fermilab,/fermilab/pilot"
  • AuthTokenIssuer = "https://cilogon.org/fermilab"
  • AuthTokenScopes = "compute.create,compute.read,compute.cancel,compute.modify"
  • AuthTokenSubject = "fermilabpilot@fnal.gov" 
• Dave will investigate. These should include a group for the experiment. ACTUALLY the pilots are shared by multiple experiment so maybe this makes sense.
  • Some query about whether there are conflicts in experiment
  • Possible topic for profile enhancement

Addition from John: 

> Now that the US has removed user certs and using publicly trusted certs for most server/host scenarios, there is more of a push to stop using the IGTF CE bundle

There are still US (and other) groups who haven't yet been able to move to tokens, e.g., Belle II, whose US users had to move from discontinued CILogon user certificates, not to token auth, but to registering new user certificates from other CAs (primarily CERN and KEK). DUNE is in a similar situation, but in a better spot with CILogon working to help integrate tokens into their workflows. And most experiments are still using x.509 for storage auth while the software devs work toward full token integration.

While the general impression is that x.509 is nearly dead, it's not quite there yet, and the migration has in a sense left some behind.