WLCG AuthZ Call
Notes:
Previous Actions:
- Action: Maarten to look at reviving the RTE Task Force
Proposed agenda:
- TBC - in email
Zoom meeting:
Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Next Meeting:
- Jan 8
Present: Adrian (APEL), Berk, Dimitrios, Enrico, Federica, Hannah, Maarten (notes), Patrick, Petr, Roberta, Stephan, Tom
Apologies: John & others (Thanksgiving), Dave K, Anders
Notes:
Maarten will communicate directly with Adrian regarding APEL client changes for HTCondor CEs with Slurm as their batch system, hopefully in the coming weeks. The matter does not look very urgent: there do not seem to have been any real complaints yet about the lack of functionality for token-only jobs.
Berk describes how all IAM instances at CERN were upgraded to the latest release (1.13.2) in the morning and that the only issue observed was a bug in a new feature that was only requested to be enabled for ALICE: the sending of an e-mail to the VO admins whenever a user certificate is added. As the feature is not urgent, it was simply disabled again. The 1.13.0 major release brings many improvements that had accumulated in the course of this year, including a set of PRs provided by Mia and Patrick, regarding features of interest to WLCG, but not specific to WLCG. The 1.13.1 and 1.13.2 updates are subsequent bugfix releases. See the release notes for further details. Hannah notes it was great to have WLCG funding for development and also thanks CNAF for the code reviews!
Enrico describes that the next major release, 1.14.0, will mainly be about allowing access tokens to no longer be stored in the DB, while the access token table remains available in the DB. The new behavior needs to be carefully tested, which was already done to a significant extent. He thinks the next test image could be available in a matter of days, while the official release may need to happen early next year, given that several colleagues still need to take their remaining leave for this year! Berk and Anders could also do further tests at some point, when that becomes desirable. Enrico adds that 1.14.0 will also include OpenID Federation support for the EOSC-Beyond project, and possibly the hashing of client secrets in the DB, which also requires careful testing. At least the API is planned to be cleaned up, to get rid of legacy methods to obtain such secrets. Support for the AARC guidelines is also on the cards, as is MFA for other communities. The disabling or enabling of upscoping per client could be another feature; it was started by Mia and is now in the hands of Patrick. That would be of interest for the FTS, which triggered the feature request and might eventually also profit from another enhancement: the connection of tokens to a specific certificate owned by the client that requested the tokens, to help prevent compromised tokens from being used by third parties. Petr points out that the use of such a feature would also require the targeted services to support it, which would require development not only in the FTS, but also in storage MW products. He asks if the feature is needed for an internal use case at CNAF, perhaps in StoRM? Enrico replies there is no immediate use case. The team will present the main IAM enhancements and plans at CHEP.
Next, Tom announces the preparations for the IAM Community Workshop and Technical Hackathon on Feb 18-20 at Imperial College have advanced sufficiently to allow people to register and look into travel arrangements. He will inform the list after the meeting (done).
Next, Maarten summarizes where we are with v1.2 of the token profiles: finalizing the discussions in the 2 PRs, 107 and 108, which will hopefully have converged sometime next week and then allow us to publish v1.2 in December.
Next, Petr reports the new ROLE_READER functionality looks OK, but it seems the role can be enabled only through the CLI / API? Roberta replies there is a new button on the user account pages that is labeled "Assign monitoring privileges", but that the browser may still have the previous layout cached... Enrico confirms this is a problem in Chrome in particular (confirmed by Maarten after the meeting). Maarten sees the new button OK in Firefox without having to clear its cache and Petr manages to get the new button shown as well.
Next, Tom points out that December looks tricky for our next meeting and proposes we aim for January instead, which is agreed.
Maarten concludes we have had quite a good ride this year and that we won't be bored next year either! 🙂
Have a good end-of-year break!