WLCG AuthZ Call
Notes:
Previous Actions:
- Action: Maarten to tidy up and review open issues and pull requests for the token profile, and then circulate a potential 2.0 draft
- Has made very good progress!
- Action: Maarten to look at reviving the RTE Task Force
Proposed agenda:
- Next Profile Version
- Token Accounting Cont - as needed
Next Meeting:
- Sept 11
Present: Angela, Dave D, Dimitrios, Enrico, Hannah, John, Linda, Maarten (notes), Mia, Mischa, Patrick, Roberta, Stephan
Apologies: Tom
Notes:
First, Enrico takes us through a summary of the INDIGO-IAM Community Workshop and Technical Hackathon on July 28-30. He expects v1.13 to become available in 1 or 2 weeks. In the hackathon it was decided not to stop storing access tokens for everyone, but to make it configurable instead, which implies more development and testing than initially foreseen. Maarten asks if CERN can get a pre-release to allow ATLAS to ramp up the use of tokens in FTS workflows much further still, without any concerns about loading the DB too much. Enrico replies that an ad-hoc release looks possible in about 2 months, given that it will need to be carefully tested, and because of other deliverables. He adds that the plan is to have a stable release based on the legacy MITREid framework for WLCG and other communities for ~1 year, while the modernized code based on the Spring Authorization Server framework gets developed further and tested extensively. The stable legacy versions can still be patched as needed.
Stephan asks what the plans are for the policy engine and regex support. Enrico replies that the porting to Open Policy Agent (OPA) is continuing, but not with high priority at this time. Client IDs will also be usable in policies at some point. For now, there must not be any breaking change in the JSON output. CTAO expressed particular interest in the policy engine and may be able to contribute in that area, which would help move it forward. The CNAF team's focus rather has to be on the new framework and other urgent matters like the decryption of SAML assertions, to unblock the use of certain identity providers. Stephan clarifies that CMS is looking into experiment-specific tokens and needs guidance on what will be supported in the future, adding that regex support will be needed for policies. Might the "legacy" IAM still be enhanced with bespoke patches? Enrico replies that regex support will have to wait for OPA to be available. Stephan suggests we may need a discussion in WLCG about additional effort for IAM development.
Next, Maarten recaps the e-mail he sent to the mailing list on Monday, adding that one other significant change is in the handling of WLCG profile versions by our MW, which needs to be made to comply, where needed, with the recipes provided by Dave Dykstra in PR #89.
Maarten describes how it turned out to be quite non-trivial to convert the profile from Markdown (MD) on GitHub to a good-looking PDF that we need as the official document, but that a sustainable method based on open-source SW was found:
- from MD to HTML via "pandoc";
- from HTML to PDF via "weasyprint", recently discovered by Mischa!
Both packages are available from EPEL. This way, we also get a convenient HTML version as a bonus. The PDF is paged and its layout can still be tuned further. Maarten will send a pre-draft to the list.
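As an added illustration of the two-step conversion described above (not a script from the profile repository), the following build script runs pandoc and weasyprint in sequence and writes a small stylesheet so that the paging and margins of the PDF can be tuned in CSS. The file names, the @page settings and the use of a single Markdown source are assumptions; both tools are taken from EPEL as noted above.

```shell
#!/bin/sh
# Added example: a build script for the profile document, not the WLCG
# repository's own tooling. It assumes pandoc and weasyprint are on PATH
# and that the profile is a single Markdown file (e.g. profile.md).
set -eu

# Write the stylesheet that weasyprint uses for paging: A4, margins and a
# running page number in the footer. Adjust here to tune the PDF layout.
write_css() {
    cat > "$1" <<'EOF'
@page {
    size: A4;
    margin: 2cm;
    @bottom-center { content: "Page " counter(page) " of " counter(pages); }
}
body { font-family: sans-serif; max-width: 17cm; margin: auto; }
pre, code { font-size: 0.9em; }
h1, h2 { page-break-after: avoid; }
EOF
}

# Convert MD -> HTML (pandoc) -> PDF (weasyprint). The HTML is kept as a
# by-product. $1 is the Markdown source; outputs land beside it.
build_profile() {
    src=$1
    base=${src%.md}
    css=${base}.css
    write_css "$css"
    # --standalone gives a complete HTML document; --css links the stylesheet
    # relative to the HTML file, which is where weasyprint resolves it from.
    pandoc --standalone --from gfm --to html5 \
        -M "pagetitle=$(basename "$base")" \
        --css "$(basename "$css")" \
        --output "${base}.html" "$src"
    weasyprint "${base}.html" "${base}.pdf"
}

# Run only when invoked with a source file, e.g. ./build.sh profile.md
if [ $# -gt 0 ]; then
    build_profile "$1"
fi
```

Running `./build.sh profile.md` leaves `profile.html`, `profile.css` and `profile.pdf` next to the source; the HTML is the "bonus" version mentioned above, and any further layout changes go into the @page block rather than into the Markdown.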
He then draws attention to the single open PR at this time: #99 about improvements in the "storage.create" scope description. It is the result of a significant discussion in issue #33 and does not look controversial. Still, it would be good for more data management experts to have a look.
Maarten outlines the plan for the next weeks:
- merge the open PR;
- apply any further minor changes as needed;
- present the v1.1 draft to the WLCG Management Board on Sep 16;
- allow 1 week for feedback and small changes;
- publish v1.1 on Zenodo ASAP!
Finally, the next meeting is planned for Sep 11, which is a CERN holiday, but it may still go ahead. We will also use the mailing list as needed.