GridPP Technical Meeting - IAM for GridPP
Virtual Only
Weekly meeting slot for technical topics. We will try and focus on one topic per meeting. We will announce at the Tuesday Ops meeting if this meeting is going ahead and if so the topic to be discussed.
IAM Update
Speaker: Tom Dack
[Thomas Dack - STFC UKRI] 11:03:36
Hello, sorry, I'm…
[Thomas Dack - STFC UKRI] 11:03:39
Just finishing and making a coffee. I believe Alistair is not able to make it today, so I will…
[Thomas Dack - STFC UKRI] 11:03:44
jump in and get started.
[Thomas Dack - STFC UKRI] 11:03:49
So, uh, basically the purpose of…
[Thomas Dack - STFC UKRI] 11:03:53
This technical meeting was to touch in, touch bases around the…
[Thomas Dack - STFC UKRI] 11:03:58
Need for an IAM instance of some degree.
[Thomas Dack - STFC UKRI] 11:04:01
for GridPP, given…
[Thomas Dack - STFC UKRI] 11:04:05
where VOMS is, and where we are at with that migration process.
[Thomas Dack - STFC UKRI] 11:04:09
I wanted to touch in a little bit about
[Thomas Dack - STFC UKRI] 11:04:13
current status of IAM, using some of the slides from…
[Thomas Dack - STFC UKRI] 11:04:18
Um… Jeff from the various speakers at CHEP.
[Thomas Dack - STFC UKRI] 11:04:20
Give an overview of where we are with the STFC instances, we wanted to give space for anyone else running an IAM instance to talk a little bit about what they're doing as well.
[Thomas Dack - STFC UKRI] 11:04:28
before we have any discussions around, sort of, next steps with BP, about
[Thomas Dack - STFC UKRI] 11:04:33
deploying an IAM instance, etc.
[Thomas Dack - STFC UKRI] 11:04:37
So what I'm going to do is I put a couple of slides together.
[Thomas Dack - STFC UKRI] 11:04:41
And then I've asked Donald to talk a little bit about the current technical status of what we're running at STFC.
[Thomas Dack - STFC UKRI] 11:04:48
So I'm just going to jump around and…
[Thomas Dack - STFC UKRI] 11:04:51
Get the slide stuff started.
[Thomas Dack - STFC UKRI] 11:04:57
working.
[Thomas Dack - STFC UKRI] 11:05:00
Share.
[Thomas Dack - STFC UKRI] 11:05:04
Cool. Hopefully that should all be visible. It looks like it should be on my side, unless anyone yells at me.
[Brij Kishor Jashal] 11:05:09
Yes, it is.
[Thomas Dack - STFC UKRI] 11:05:11
Perfect, thanks. Um, so yeah, just to start with, I was just going to give a bit of a…
[Thomas Dack - STFC UKRI] 11:05:16
High-level IAM update about the application and where things are at with the overall
[Thomas Dack - STFC UKRI] 11:05:21
whole transition process.
[Thomas Dack - STFC UKRI] 11:05:22
So, within WLCG, WLCG itself currently has several IAM instances representing the VOs within
[Thomas Dack - STFC UKRI] 11:05:31
the grid. Um, so you've got 5 for the LHC experiments, ALICE, ATLAS, CMS, LHCb, and MoEDAL.
[Thomas Dack - STFC UKRI] 11:05:37
uh, seven other rat experiments are represented by their own IAM instances as well. AMBER,
[Thomas Dack - STFC UKRI] 11:05:43
Calus, COMPASS, FCC, ILC, SHiP, DRD, Callo.
[Thomas Dack - STFC UKRI] 11:05:46
As well as operational instances as well. So WLCG at CERN runs
[Thomas Dack - STFC UKRI] 11:05:51
The WLCG Ops and dteam IAM instances as well.
[Thomas Dack - STFC UKRI] 11:05:56
This is slides… this and the next slide are taken from Burke, who is the…
[Thomas Dack - STFC UKRI] 11:06:02
operator of the IAM instances at CERN, his talk from CHEP recently.
[Thomas Dack - STFC UKRI] 11:06:08
Burke also presented a current overview of the token transition.
[Thomas Dack - STFC UKRI] 11:06:11
Where we are at at the moment, mid-2026,
[Thomas Dack - STFC UKRI] 11:06:15
Um, we have…
[Thomas Dack - STFC UKRI] 11:06:18
several amounts of tokens… a large amount of tokens being used across the grid for ATLAS file transfers.
[Thomas Dack - STFC UKRI] 11:06:24
And with the recent updates to the WLCG token profile at the end of 2025 as well, well, recent, but…
[Thomas Dack - STFC UKRI] 11:06:30
Um, meaning that the profile is more flexible around the use cases needed.
[Thomas Dack - STFC UKRI] 11:06:36
There is current development around INDIGO IAM happening.
[Thomas Dack - STFC UKRI] 11:06:40
There is a plan for a version 2.0.
[Thomas Dack - STFC UKRI] 11:06:43
Um, if you want more details around this, I would suggest having a look through Francesco Giacomini's talk.
[Thomas Dack - STFC UKRI] 11:06:50
at, uh, CHEP, where he goes into
[Thomas Dack - STFC UKRI] 11:06:52
what they're doing to remove MITREid out of the software package and have a much more…
[Thomas Dack - STFC UKRI] 11:06:57
flexible build for IAM going forward.
[Thomas Dack - STFC UKRI] 11:06:59
One of the notable things that has recently been implemented, however, is the IAM no longer keeps a copy of every single access token in the database.
[Thomas Dack - STFC UKRI] 11:07:09
This notably helps with performance of the service.
[Thomas Dack - STFC UKRI] 11:07:13
Um, within our STFC context, it is going to really help some of the operational concerns we had around
[Thomas Dack - STFC UKRI] 11:07:19
geographically deployed IAM, which Donald should hopefully be able to touch on a little bit in his slides.
[Thomas Dack - STFC UKRI] 11:07:24
But the plan later this year is for the first grid jobs using tokens.
[Thomas Dack - STFC UKRI] 11:07:30
leading towards Data Challenge 27 down the line.
[Thomas Dack - STFC UKRI] 11:07:34
Now, with this coming up, it puts us in the situation of making sure GridPP is aligned on how we're going to be using tokens and what we need to do in this space.
[Thomas Dack - STFC UKRI] 11:07:42
Particularly with the full expected X.509 phase out.
[Thomas Dack - STFC UKRI] 11:07:46
currently aiming for 2028.
[Thomas Dack - STFC UKRI] 11:07:49
Um, so IAM does have the provided VOMS attribute authority.
[Thomas Dack - STFC UKRI] 11:07:53
uh, tooling to basically provide backwards compatibility,
[Thomas Dack - STFC UKRI] 11:07:58
support for VOMS using IAM.
[Thomas Dack - STFC UKRI] 11:08:00
So IAM is able to
[Thomas Dack - STFC UKRI] 11:08:03
manage the VO, and then issue VOMS proxies using the information IAM stores.
[Thomas Dack - STFC UKRI] 11:08:10
The VOMS Attribute Authority isn't something that STFC, we've used.
[Thomas Dack - STFC UKRI] 11:08:15
For IRIS IAM or SKA IAM, just because of use cases so far, but it's been very well tested across the CERN instances.
[Thomas Dack - STFC UKRI] 11:08:20
Um, and it basically…
[Thomas Dack - STFC UKRI] 11:08:22
is able to provide a standard
[Thomas Dack - STFC UKRI] 11:08:25
VOMS attribute certificate for services that still need it in a backwards compatible manner.
[Thomas Dack - STFC UKRI] 11:08:31
What this means, ultimately, is IAM…
[Thomas Dack - STFC UKRI] 11:08:33
Provide you the OAuth and OpenID Connect authorization server.
[Thomas Dack - STFC UKRI] 11:08:36
But also, as a VOMS server for the given organization as needed.
[Thomas Dack - STFC UKRI] 11:08:41
The full documentation page for the VOMS Attribute Authority is linked there.
[Thomas Dack - STFC UKRI] 11:08:47
So, but IAM for GridPP.
[Thomas Dack - STFC UKRI] 11:08:49
Uh, in order for us to align, follow what's happening with the WLCG token transition,
[Thomas Dack - STFC UKRI] 11:08:55
My perception is that we'll need to operate our own IAM instance to represent the GridPP VO and make sure that we can
[Thomas Dack - STFC UKRI] 11:09:02
work with this. At least one IAM instance, the conversation around
[Thomas Dack - STFC UKRI] 11:09:05
Whether we need multiple VOMS endpoints, etc., I think is a conversation to be had.
[Thomas Dack - STFC UKRI] 11:09:10
Um, but the point is, is that an IAM instance to represent the VO for tokens at the GridPP level.
[Thomas Dack - STFC UKRI] 11:09:16
As well as VOMS proxies within the VO as well, can be done through the VOMS Attribute Authority.
[Thomas Dack - STFC UKRI] 11:09:23
You can use a single IAM instance to represent GridPP with…
[Thomas Dack - STFC UKRI] 11:09:27
IAM has a good standard of delegated group management at this point, so you can have GridPP and then have various subgroups underneath to represent the user communities.
[Thomas Dack - STFC UKRI] 11:09:37
But you also…
[Thomas Dack - STFC UKRI] 11:09:38
have the ability to use the scope-based permissions that are used throughout the WLCG token profile.
[Thomas Dack - STFC UKRI] 11:09:45
to ensure…
[Thomas Dack - STFC UKRI] 11:09:46
Things like FTS and Rucio can have the full permissions and operations they require.
[Thomas Dack - STFC UKRI] 11:09:52
This is something that we have done
[Thomas Dack - STFC UKRI] 11:09:55
and worked out the usage quite substantially, because SKA IAM…
[Thomas Dack - STFC UKRI] 11:10:00
interacts with FTS and Rucio in the same way.
[Thomas Dack - STFC UKRI] 11:10:02
James Walder and Rose Cooper have done quite a lot around token usage between the SKA IAM.
[Thomas Dack - STFC UKRI] 11:10:07
And the FTS Rucio instances that SKA is currently using.
[Thomas Dack - STFC UKRI] 11:10:11
So, the sort of the conversation, I was aware that at a recent GridPP Ops meeting, there's been talk around IAM deployments,
[Thomas Dack - STFC UKRI] 11:10:20
Um, and I missed some of these, but obviously with RAL,
[Thomas Dack - STFC UKRI] 11:10:24
We've been running the IRIS IAM for…
[Thomas Dack - STFC UKRI] 11:10:26
nearly 10 or so years now. We have what I believe is a fairly robust operational framework around it at this point.
[Thomas Dack - STFC UKRI] 11:10:35
Um, and so I sort of wanted to…
[Thomas Dack - STFC UKRI] 11:10:36
make sure we're having the conversation about how we're running IAM for GridPP going forward.
[Thomas Dack - STFC UKRI] 11:10:42
understanding what else is being run within the community, and how we bring this together to have a
[Thomas Dack - STFC UKRI] 11:10:48
overall platform.
[Thomas Dack - STFC UKRI] 11:10:49
that better represents the VO.
[Thomas Dack - STFC UKRI] 11:10:54
Migration to IAM.
[Thomas Dack - STFC UKRI] 11:10:56
from the existing infrastructure will require some degree of a campaign to make sure the users are onboarded into IAM.
[Thomas Dack - STFC UKRI] 11:11:03
Um, the groups and…
[Thomas Dack - STFC UKRI] 11:11:05
relevant populations of this information will need to be done
[Thomas Dack - STFC UKRI] 11:11:08
We'll need to make sure the reset of the VOMS attribute authorities, but also set up the token clients for anything that is jumping straight into tokens.
[Thomas Dack - STFC UKRI] 11:11:15
So that this works properly. It's not going to be just a…
[Thomas Dack - STFC UKRI] 11:11:19
Plug and play hot swap that I think there will need to be some work around making sure everything is in place properly to do so.
[Thomas Dack - STFC UKRI] 11:11:27
From my point of view,
[Thomas Dack - STFC UKRI] 11:11:29
there's a couple of options around…
[Thomas Dack - STFC UKRI] 11:11:32
this process, um…
[Thomas Dack - STFC UKRI] 11:11:34
whether we want a specific dedicated IAM instance as GridPP,
[Thomas Dack - STFC UKRI] 11:11:38
or whether we could use something like the existing IRIS IAM.
[Thomas Dack - STFC UKRI] 11:11:42
I think, from my point of view, a dedicated GridPP instance would better serve the community, it would allow for better delegation of group management, etc.
[Thomas Dack - STFC UKRI] 11:11:51
And so that's sort of the conversation I wanted to have following
[Thomas Dack - STFC UKRI] 11:11:55
The overview of what people are doing with IAM at the moment.
[Thomas Dack - STFC UKRI] 11:11:59
So I'm going to hand over to Donald to talk about
[Thomas Dack - STFC UKRI] 11:12:02
a little bit more technical detail. Those of you may know that I was the person who originally deployed the IRIS IAM and ran it.
[Thomas Dack - STFC UKRI] 11:12:08
for a long time.
[Thomas Dack - STFC UKRI] 11:12:10
Uh, before stepping into the group lead federating services role, keeping an eye on accounting, as well as identity management, DB, etc.
[Thomas Dack - STFC UKRI] 11:12:17
So Donald is now currently the technical lead of the IAM services, so he's going to give an
[Thomas Dack - STFC UKRI] 11:12:22
overview of where they are at before we then move into a bit more of a…
[Thomas Dack - STFC UKRI] 11:12:26
Open floor for anyone else running IAM, and then any discussions we need to have around.
[Thomas Dack - STFC UKRI] 11:12:31
how we can move forward with this.
[Thomas Dack - STFC UKRI] 11:12:34
So, Donald, do you want to go?
[Thomas Dack - STFC UKRI] 11:12:37
Does anyone have any questions for me before I hand over to Donald, I guess, as well?
[Peter Clarke] 11:12:41
So, a very quick one, Tom, from a lay point of view.
[Thomas Dack - STFC UKRI] 11:12:43
Hmm.
[Peter Clarke] 11:12:45
I had got the impression from conversations
[Peter Clarke] 11:12:49
That there isn't a multi-VO.
[Peter Clarke] 11:12:52
IAM. But you just said one possibility for GridPP is use the existing IAM instance.
[Peter Clarke] 11:12:58
So I'm probably asking the wrong question, but maybe you could question and…
[Thomas Dack - STFC UKRI] 11:13:01
So… so it would depend…
[Thomas Dack - STFC UKRI] 11:13:02
It depends on basically how you use your group structures and how you use them to represent the VOs within it.
[Thomas Dack - STFC UKRI] 11:13:08
Um, the way we use…
[Thomas Dack - STFC UKRI] 11:13:11
IRIS IAM to represent all the different communities is you have
[Thomas Dack - STFC UKRI] 11:13:15
sufficiently detailed root-level groups, and then you construct the group structure underneath it.
[Thomas Dack - STFC UKRI] 11:13:20
Um, and so you'd still end up with
[Thomas Dack - STFC UKRI] 11:13:23
some degree of shared baseline of users, etc.
[Thomas Dack - STFC UKRI] 11:13:27
Um, but it represents a…
[Thomas Dack - STFC UKRI] 11:13:31
community quite effectively in that way.
[Thomas Dack - STFC UKRI] 11:13:34
Now, because of the admin permissions, because GridPP needs slightly different
[Thomas Dack - STFC UKRI] 11:13:38
like, IAM doesn't really use the WLCG format as much.
[Thomas Dack - STFC UKRI] 11:13:42
Uh, of IRIS, I mean.
[Thomas Dack - STFC UKRI] 11:13:44
Um, and so I think GridPP would be better served having
[Thomas Dack - STFC UKRI] 11:13:48
its own IAM instance to represent it, and then potentially looking at whether there's other ones needed to represent different experiments within it.
[Thomas Dack - STFC UKRI] 11:13:54
That's the conversation, but my, my gut feeling is it would be better represented by its own one.
[Thomas Dack - STFC UKRI] 11:13:59
Does that sort of clarify your question?
[Peter Clarke] 11:13:59
Yeah, no, that actually that that gives him. Yeah, that's fair. Yeah.
[Daniela Bauer] 11:14:01
Um…
[Daniela Bauer] 11:14:03
Um, sorry, is my understanding that the next version of the whatever WLCG token something stuff…
[Daniela Bauer] 11:14:12
explicitly disallows.
[Daniela Bauer] 11:14:15
the multi-VOs, because we obviously currently run some kind of multi-VO for DIRAC.
[Daniela Bauer] 11:14:21
And, um…
[Daniela Bauer] 11:14:23
I understand this. I I don't know what is it called the standard is being updated, and um…
[Thomas Dack - STFC UKRI] 11:14:30
Let me double check the wording. I don't…
[Thomas Dack - STFC UKRI] 11:14:33
I thought that…
[Daniela Bauer] 11:14:38
Because I put a bit of a spanner in our grand plans.
[Thomas Dack - STFC UKRI] 11:14:39
Bye.
[Thomas Dack - STFC UKRI] 11:14:42
Yeah, yeah, I will… I'll let… just to make sure I'm double-checking the wording correctly, Daniela, I'll let Donald do
[Thomas Dack - STFC UKRI] 11:14:49
his and come back to your point, because I just need to double-check the wording in the profile to make sure that that's all
[Thomas Dack - STFC UKRI] 11:14:53
Fine, I, I thought that there was still going to be.
[Thomas Dack - STFC UKRI] 11:15:00
I, uh…
[Thomas Dack - STFC UKRI] 11:15:03
VA plane.
[Thomas Dack - STFC UKRI] 11:15:09
Okay, yeah, I'll get back to that one.
[Thomas Dack - STFC UKRI] 11:15:24
Donald, you're not currently unmuted.
[Donald Chung - STFC UKRI] 11:15:42
Okay, all right.
[Thomas Dack - STFC UKRI] 11:15:43
Are you having… yeah, that's working now.
[Donald Chung - STFC UKRI] 11:15:46
Let me just…
[Brij Kishor Jashal] 11:16:03
It was working for a…
[Brij Kishor Jashal] 11:16:05
In it, but now it's not working again. You are muted again.
[Thomas Dack - STFC UKRI] 11:16:07
Yeah, the…
[Thomas Dack - STFC UKRI] 11:16:12
You seem to be in the meeting twice, Donald, once in the room and once on your laptop, I guess. The laptop was unmuted just now, but is muted again.
[Thomas Dack - STFC UKRI] 11:16:37
We can't, we still can't hear you, Donald. They're good. Yeah, that's working.
[Donald Chung - STFC UKRI] 11:16:37
Yeah, so I'm just going to use my laptop, because I was trying to use the room.
[Donald Chung - STFC UKRI] 11:16:43
for things. So let me just…
[Donald Chung - STFC UKRI] 11:16:46
Let's start again. So can everyone hear me now?
[Thomas Dack - STFC UKRI] 11:16:49
Yes.
[Donald Chung - STFC UKRI] 11:16:54
Okay, so…
[Donald Chung - STFC UKRI] 11:16:59
Audio issues.
[Donald Chung - STFC UKRI] 11:17:02
Um, so…
[Donald Chung - STFC UKRI] 11:17:04
So I think I'm here to just give a update in terms of how STFC run the IAM.
[Donald Chung - STFC UKRI] 11:17:10
So, um, what I'm going to do is to do a…
[Donald Chung - STFC UKRI] 11:17:14
overview in terms of, like, how…
[Donald Chung - STFC UKRI] 11:17:16
We are going to run the… we are running the IAM at RAL,
[Donald Chung - STFC UKRI] 11:17:19
And also any development that I'm in particular aware of for the IAM, because I also work closely with the IAM and development team and stuff like that, and how we are going to develop the service at RAL.
[Donald Chung - STFC UKRI] 11:17:30
And so which might be useful in terms of, like, how GridPP envision the kind of like IAM to work in the future.
[Donald Chung - STFC UKRI] 11:17:38
Um, so…
[Donald Chung - STFC UKRI] 11:17:40
the current status, so we basically operates the IAM, IRIS IAM and SKA IAM that supports the both communities, so…
[Donald Chung - STFC UKRI] 11:17:48
The SKA one we are currently running as a global service, so we basically support everything
[Donald Chung - STFC UKRI] 11:17:53
every SRC in the globe right now,
[Donald Chung - STFC UKRI] 11:17:55
And the IRIS is mainly a UK federation focused one where we support various institutions within UK.
[Donald Chung - STFC UKRI] 11:18:02
In particular, this is a service that we kind of, like, um…
[Donald Chung - STFC UKRI] 11:18:07
surf right now. So so we mainly support the STFC cloud and also various experiments such as LSST, Dirac, and Durham Cloud, and
[Donald Chung - STFC UKRI] 11:18:16
Yeah, various facilities across a wide range of regions.
[Donald Chung - STFC UKRI] 11:18:21
So in terms of availability, so both of our IAM is operating at a very high level of availability.
[Donald Chung - STFC UKRI] 11:18:29
Most of the time, it will be accessible by the users.
[Donald Chung - STFC UKRI] 11:18:32
Um, and overall, as you can see from the statistics, so for the past two weeks, we have
[Donald Chung - STFC UKRI] 11:18:37
100% availability.
[Donald Chung - STFC UKRI] 11:18:39
Um, with, like, a…
[Donald Chung - STFC UKRI] 11:18:42
Slight dip with the 30-day availability for SKA IAM.
[Donald Chung - STFC UKRI] 11:18:46
Um, so there's…
[Donald Chung - STFC UKRI] 11:18:47
Basically, I think there's one or two seconds, one or two minutes unavailable over the…
[Donald Chung - STFC UKRI] 11:18:52
period of the past 30 days.
[Donald Chung - STFC UKRI] 11:18:55
Um, so usage data, so currently for IRIS IAM, we have, like, almost a thousand users, and then almost 300 for SKA IAM is because mainly SKA IAM is right now is for
[Donald Chung - STFC UKRI] 11:19:06
Development purpose, so is more restricted to a smaller
[Donald Chung - STFC UKRI] 11:19:10
community of developers and DevOps engineers within the SRCNet.
[Donald Chung - STFC UKRI] 11:19:15
Um, but hopefully we will start onboarding users soon.
[Donald Chung - STFC UKRI] 11:19:19
Um, for clients, um, yeah, as you can see, like, because SKA is a more development-heavy side, they have a much more… much higher amount of clients.
[Donald Chung - STFC UKRI] 11:19:27
Um, and combining both IAM in general, we generate issues around 2,000 tokens per hour.
[Donald Chung - STFC UKRI] 11:19:34
So is a significant usage, although not as much as WLCG.
[Donald Chung - STFC UKRI] 11:19:39
But we do have the capacity to support more in the future.
[Donald Chung - STFC UKRI] 11:19:44
development updates. So, as you know, at RAL, we work with the INDIGO IAM development team closely.
[Donald Chung - STFC UKRI] 11:19:52
Um, and to ensure the longevity of the service and compliance with the latest security practices and stuff like that.
[Donald Chung - STFC UKRI] 11:19:58
Um, so… so… so within the Federating Service Group, we have contributed significantly towards, like, various, um,
[Donald Chung - STFC UKRI] 11:20:06
important features for the past,
[Donald Chung - STFC UKRI] 11:20:08
year or so, past few years, so I think that, um…
[Donald Chung - STFC UKRI] 11:20:12
In terms of, like, we have the MFA stuff,
[Donald Chung - STFC UKRI] 11:20:14
And also, we support the security enhancements, um, bug fix,
[Donald Chung - STFC UKRI] 11:20:19
Um, to ensure that things work.
[Donald Chung - STFC UKRI] 11:20:22
Uh, for our customers,
[Donald Chung - STFC UKRI] 11:20:24
Um, and also supporting the OIDC federation.
[Donald Chung - STFC UKRI] 11:20:28
Um, and we also support the sort of, like, I think Tom mentioned the, uh,
[Donald Chung - STFC UKRI] 11:20:33
refactoring work in terms of, like, the MITREid and stuff like that, that is also being supported by the RAL team to, uh,
[Donald Chung - STFC UKRI] 11:20:41
Help with, um…
[Donald Chung - STFC UKRI] 11:20:42
uh, migrating off the MITREid stuff.
[Donald Chung - STFC UKRI] 11:20:44
Um, so, uh, and I think…
[Donald Chung - STFC UKRI] 11:20:49
So.
[Donald Chung - STFC UKRI] 11:20:50
In terms of highlights. So these are the various commits that we have pushed, um,
[Donald Chung - STFC UKRI] 11:20:55
pull request that we have pushed recently by the developers.
[Donald Chung - STFC UKRI] 11:20:59
Um, so we are… I think the… we're currently working on various quality of life improvements.
[Donald Chung - STFC UKRI] 11:21:05
Um, such as rotating, like, banning users and, um, and also having a timeout for registration, and
[Donald Chung - STFC UKRI] 11:21:13
various things that will improve the IAM services.
[Donald Chung - STFC UKRI] 11:21:18
Uh, looking forward, so in terms of development,
[Donald Chung - STFC UKRI] 11:21:21
I think that the thing that will most interest GridPP is the sort of, like, delegation.
[Donald Chung - STFC UKRI] 11:21:27
for community. So at the moment, the IAM is mainly a sort of like tattoo.
[Donald Chung - STFC UKRI] 11:21:34
So, like, Bing rose the admin role and the user role,
[Donald Chung - STFC UKRI] 11:21:37
Um, so, um, only admin can onboard users and, uh, create groups and stuff like that, and we hope that once we move off MITREid, we will be able to split off this function,
[Donald Chung - STFC UKRI] 11:21:49
And so that allows a little bit more delegation in terms of, like,
[Donald Chung - STFC UKRI] 11:21:53
various sub, uh…
[Donald Chung - STFC UKRI] 11:21:56
Some like some sector of the, um…
[Donald Chung - STFC UKRI] 11:22:00
of the community to be able to do some of the tasks.
[Donald Chung - STFC UKRI] 11:22:04
For example, like onboarding and offboarding users because
[Donald Chung - STFC UKRI] 11:22:10
Uh, because they will be more…
[Donald Chung - STFC UKRI] 11:22:12
They would know that a certain user has departed in a more timely manner compared to us, the admins.
[Donald Chung - STFC UKRI] 11:22:18
Um, so… and also the other thing that we are currently working on is to implement a more robust multi-factor authentication, such as the passkey.
[Donald Chung - STFC UKRI] 11:22:27
This will ensure… enable us to break into a more, like, support communities with more sensitive
[Donald Chung - STFC UKRI] 11:22:34
data requirements that requires a higher level of security.
[Donald Chung - STFC UKRI] 11:22:38
And finally, OpenID Federation is the thing that we are currently working on to support.
[Donald Chung - STFC UKRI] 11:22:42
Um, because it's a very fancy new standard, and we hope to be able to, uh, bring it to the community as soon as possible.
[Donald Chung - STFC UKRI] 11:22:51
Um, so in terms of the service operation side,
[Donald Chung - STFC UKRI] 11:22:55
It is… so the current focus is for the IAM to go
[Donald Chung - STFC UKRI] 11:23:00
Um, in, you know, way that is geographically distributed, so that we can remove a single point of failure at RAL.
[Donald Chung - STFC UKRI] 11:23:08
Um, so currently, we have a failover prototype, um, so we are…
[Donald Chung - STFC UKRI] 11:23:13
have a working configuration deployed on a public cloud instances.
[Donald Chung - STFC UKRI] 11:23:18
So in the event of an extended outage at RAL, we will be able to spin up a backup, um,
[Donald Chung - STFC UKRI] 11:23:25
like, uh, instances to continue to serve the community.
[Donald Chung - STFC UKRI] 11:23:30
during their outage. So when it's planned or, like, extended period of unplanned outage, we'll be able to failover to it.
[Donald Chung - STFC UKRI] 11:23:39
Um, but…
[Donald Chung - STFC UKRI] 11:23:41
Death comes through the problem is that, like, sometimes the database snapshot might be delayed, and is very fairly cumbersome.
[Donald Chung - STFC UKRI] 11:23:49
Way to move in terms of, like,
[Donald Chung - STFC UKRI] 11:23:51
That's why, um, it's not as flexible and agile as we hope for. So what we are working on is to
[Donald Chung - STFC UKRI] 11:24:00
is to have a more…
[Donald Chung - STFC UKRI] 11:24:03
more that is have a hot standby in terms of like.
[Donald Chung - STFC UKRI] 11:24:09
geographically distribution.
[Donald Chung - STFC UKRI] 11:24:12
way of doing it. Um, so the main blocker was the fact that we are unable to, um,
[Donald Chung - STFC UKRI] 11:24:19
not store the token in the database.
[Donald Chung - STFC UKRI] 11:24:22
But I think for 1.14.0. So the IRIS IAM is already operating at 1.14.0. We are able to do this geographically distributed setup.
[Donald Chung - STFC UKRI] 11:24:33
What we plan to do in the future is to have a Galera geographically distributed Galera database.
[Donald Chung - STFC UKRI] 11:24:40
Um, so that it will have a sort of like a synced copy across multiple sites.
[Donald Chung - STFC UKRI] 11:24:46
Um, and that in the event of a failure at STFC, we'll just ask the DI to migrate the DNS record.
[Donald Chung - STFC UKRI] 11:24:53
to point to another site that has a hot standby running and continue to serve the customer, and once the issue at
[Donald Chung - STFC UKRI] 11:25:01
STFC has been resolved.
[Donald Chung - STFC UKRI] 11:25:03
We can move back to being hosted by STFC.
[Donald Chung - STFC UKRI] 11:25:09
So…
[Donald Chung - STFC UKRI] 11:25:10
Yeah, so I mean, that's pretty much it for my presentation.
[Thomas Dack - STFC UKRI] 11:25:21
Thank you, Donald. Does anyone have questions for Donald?
[Peter Clarke] 11:25:26
Yeah, again, I have a quickie.
[Peter Clarke] 11:25:29
Again, from a lay point of view, it seems to me that
[Peter Clarke] 11:25:33
Um, being able to delegate admin rights
[Peter Clarke] 11:25:37
is a really, really high priority, because to not have that, it simply doesn't scale.
[Thomas Dack - STFC UKRI] 11:25:38
Mm-hmm.
[Peter Clarke] 11:25:41
And I can see it works fine for IRIS at the moment.
[Peter Clarke] 11:25:44
It'd be wrong to describe IRIS as nascent, it's much more than that, but…
[Peter Clarke] 11:25:48
The communities it supports are probably
[Peter Clarke] 11:25:51
Such that, indeed, with, you know, only one set of admins, it can be done. But envisaging the future,
[Peter Clarke] 11:25:57
It clearly wouldn't scale. So the question, you know, how… how guaranteed and what was the time scale that there would be?
[Thomas Dack - STFC UKRI] 11:25:57
Yeah.
[Peter Clarke] 11:26:03
Delegated admin.
[Thomas Dack - STFC UKRI] 11:26:06
So, so just to clarify, at the moment, the admin level
[Thomas Dack - STFC UKRI] 11:26:13
Tasks are user account creation approvals,
[Thomas Dack - STFC UKRI] 11:26:17
And the scope additions.
[Thomas Dack - STFC UKRI] 11:26:20
Um…
[Thomas Dack - STFC UKRI] 11:26:21
Group management, et cetera, is all fully delegatable at the moment.
[Thomas Dack - STFC UKRI] 11:26:25
Um, so once someone is into the IAM instance, that can then be split down to the relevant people to handle approvals and authorization approvals.
[Peter Clarke] 11:26:33
Oh.
[Peter Clarke] 11:26:34
Okay.
[Thomas Dack - STFC UKRI] 11:26:35
Donald, do you have…
[Thomas Dack - STFC UKRI] 11:26:38
anticipate notes around the timeframe.
[Donald Chung - STFC UKRI] 11:26:43
Um, so I… I think that, um, is probably by…
[Donald Chung - STFC UKRI] 11:26:50
at the very latest, um…
[Donald Chung - STFC UKRI] 11:26:53
next year at this time, at the very latest. But I think I do think it it kind if… because it's, like,
[Donald Chung - STFC UKRI] 11:26:59
It's difficult to give a time scale because it's dependent on…
[Donald Chung - STFC UKRI] 11:27:03
the MITREid migration work, and also the deployment of the new dashboard, which will supposedly makes this easier.
[Donald Chung - STFC UKRI] 11:27:11
So yeah, I think… I think it…
[Donald Chung - STFC UKRI] 11:27:14
Depends on how quickly the IAM can
[Donald Chung - STFC UKRI] 11:27:18
like, migrate off MITREid and also migrate off the current dashboard and to a new React dashboard. So, yeah.
[Peter Clarke] 11:27:27
Okay, I'll just say, thanks, Tom. That was an important clarification that it's partially delegated. I've understood that.
[Thomas Dack - STFC UKRI] 11:27:33
Yeah, it's… it's…
[Peter Clarke] 11:27:34
Which makes a difference, actually, okay, yeah.
[Thomas Dack - STFC UKRI] 11:27:36
Yeah.
[Peter Clarke] 11:27:37
Okay.
[Thomas Dack - STFC UKRI] 11:27:38
So, Daniela, I'm assuming this is carrying on with the previous points around VO usage.
[Daniela Bauer] 11:27:43
Yeah, so I I mean, I apologize. I don't have slides. I run out yesterday, but I think there is a slight misunderstanding
[Thomas Dack - STFC UKRI] 11:27:44
Mm-hmm.
[Thomas Dack - STFC UKRI] 11:27:47
No, no, no.
[Daniela Bauer] 11:27:51
What um.
[Daniela Bauer] 11:27:53
you know where the crunch points are.
[Thomas Dack - STFC UKRI] 11:27:54
Yeah, yeah.
[Daniela Bauer] 11:27:54
So so let me just go…
[Daniela Bauer] 11:27:57
Go back a little bit. So the GridPP VOMS server currently
[Daniela Bauer] 11:28:02
has about, you know, 10 or 12 active VOs.
[Daniela Bauer] 11:28:06
You know, um, things vary.
[Daniela Bauer] 11:28:09
Um, then we have, um…
[Daniela Bauer] 11:28:13
DIRAC has basically a so our IAM server has a client for each VO.
[Daniela Bauer] 11:28:19
And we used that sort of to fudge the, you know, multi-VO.
[Daniela Bauer] 11:28:23
So it's not just the GridPP IAM server. So, you know, it's a T2K IAM server, a Hyper-K IAM server, a LUX-ZEPLIN IAM server, and so on. Well, one server at this point. But you know.
[Thomas Dack - STFC UKRI] 11:28:30
Mm-hmm.
[Daniela Bauer] 11:28:36
So so that one thing that you know we need an IAM server and we need obviously to be, you know, the ZEPLIN.
[Daniela Bauer] 11:28:44
admin to be the admin, you know, not of the IAM server, but of the group.
[Thomas Dack - STFC UKRI] 11:28:45
Mm-hmm.
[Daniela Bauer] 11:28:50
And but…
[Daniela Bauer] 11:28:51
To be honest, the IAM service, the easy bit.
[Thomas Dack - STFC UKRI] 11:28:55
Yeah.
[Daniela Bauer] 11:28:56
Um…
[Daniela Bauer] 11:28:57
Once you have an IAM server. So, for example, what we had discussed at the GridPP meeting is that
[Daniela Bauer] 11:29:05
For the existing VOs,
[Daniela Bauer] 11:29:07
Most of them have a, you know, a group they're working with.
[Daniela Bauer] 11:29:12
And that sort of the groups they're working with would adopt these VOs because, you know, they know us, and they know who to talk to, and they know that we know them.
[Daniela Bauer] 11:29:21
And, um…
[Daniela Bauer] 11:29:23
So, you know, step one is get an IAM,
[Daniela Bauer] 11:29:25
Step 2 is explained to them approximately how it works, transfers to users over.
[Daniela Bauer] 11:29:30
Step 3 is if they're using DIRAC, make a client. This is, you know, it's a small step in also a 15-minute Zoom call with Simon and me, but it.
[Daniela Bauer] 11:29:39
It has to be done and it has to be made clear to these organizations that, you know,
[Daniela Bauer] 11:29:44
It's not just, oh, here's a new thing for you. You have to actively do something.
[Daniela Bauer] 11:29:48
So it requires a bit of liaison.
[Daniela Bauer] 11:29:50
Then we have to test it.[Daniela Bauer] 11:29:52
And then we have to go and walk them through how to get all these sites updated.[Daniela Bauer] 11:29:58
And when we first installed the GridPP.[Daniela Bauer] 11:30:01
And for all the Dirac ones, I don't know what everybody else did.[Daniela Bauer] 11:30:05
But we basically…[Daniela Bauer] 11:30:08
Walk them all through it.[Daniela Bauer] 11:30:11
So we were going to capitalize on these relations and say, like, okay.[Daniela Bauer] 11:30:16
There is a transition.[Daniela Bauer] 11:30:17
And especially for some of the[Daniela Bauer] 11:30:21
You know, there's some that are sort of a bit at the tail end,[Daniela Bauer] 11:30:25
uh, you know…[Daniela Bauer] 11:30:27
LUX-ZEPLIN, which is fragile as hell to start with.[Daniela Bauer] 11:30:29
I don't want to throw them in some kind of weird, you know, love triangle between Imperial and US.[Thomas Dack - STFC UKRI] 11:30:35
Mm-hmm.[Daniela Bauer] 11:30:37
collaborators, because…[Daniela Bauer] 11:30:39
It's bad enough as it is.[Daniela Bauer] 11:30:42
And so…[Daniela Bauer] 11:30:45
I, you know, I think…[Daniela Bauer] 11:30:50
So the other thing which I think is a bit helpful is that, you know, we have a slightly.[Daniela Bauer] 11:30:56
bigger basis of people actually working on these things.[Daniela Bauer] 11:31:00
And so my instinct would be is, like,[Daniela Bauer] 11:31:04
We distribute the work.[Thomas Dack - STFC UKRI] 11:31:07
Yeah.[Daniela Bauer] 11:31:07
Right? Everybody picks the ones we have most an affiliation with, I don't know.[Daniela Bauer] 11:31:14
Which one, you know,[Daniela Bauer] 11:31:18
RAL should, you know, pick which experiment they work closely with, and just…[Daniela Bauer] 11:31:23
you know, see how it goes, and see if the model actually works.[Daniela Bauer] 11:31:27
And then, if it works, and we get it[Daniela Bauer] 11:31:28
You know, all set up, and we have the experience, and then when there's new ones coming in,[Daniela Bauer] 11:31:32
You know, we can do it properly from the start.[Thomas Dack - STFC UKRI] 11:31:33
Mm-hmm.[Daniela Bauer] 11:31:35
But I'd be really, really reluctant…[Daniela Bauer] 11:31:39
You know, especially for stuff that relies on features yet to come.[Daniela Bauer] 11:31:43
Um, to use established or VOs that, you know, are at the tail end of their life.[Daniela Bauer] 11:31:49
Because, um…[Daniela Bauer] 11:31:52
Dissa, you know, you have virus, and I think you have SKA, but, you know, these are big communities.[Thomas Dack - STFC UKRI] 11:31:56
Yeah, yeah, yeah. Mm-hmm.[Daniela Bauer] 11:31:58
These aren't, you know…[Daniela Bauer] 11:32:00
one person who didn't duck fast enough running the production server.[Daniela Bauer] 11:32:08
and so on, and so forth. So, um…[Daniela Bauer] 11:32:11
Anyway, this is… this is what we discussed, and we were going to use the opportunity[Daniela Bauer] 11:32:17
to go through all the VOs that nominally are supported by GridPP.[Thomas Dack - STFC UKRI] 11:32:21
Yeah, yeah. And I guess part of the point, sorry, Pete, if I just finished my point around.[Daniela Bauer] 11:32:21
And, you know, and cross-check, do they still need support?[Daniela Bauer] 11:32:25
Or, you know, is this the opportunity where we, you know, we do a bit of housekeeping and so on?[Thomas Dack - STFC UKRI] 11:32:37
regarding this. Part of what[Peter Clarke] 11:32:37
No hurry, no hurry.[Thomas Dack - STFC UKRI] 11:32:40
And with what we've been doing is like we've worked out with our deployment, like, it's relatively easy for us to set up a new IAM instance that runs the same operational standard. And so if we wanted to onboard,[Thomas Dack - STFC UKRI] 11:32:51
various communities, we can…[Thomas Dack - STFC UKRI] 11:32:53
spin up IAM instances, connect them to eduGAIN,[Thomas Dack - STFC UKRI] 11:32:56
relatively easy and keep that network and operations all together. So if that's the approach that needs to be taken, that is something that[Thomas Dack - STFC UKRI] 11:33:02
We have the infrastructure, Donald's done a lot about simplifying that, but also[Thomas Dack - STFC UKRI] 11:33:07
there's conversations to be had around some of the, um…[Thomas Dack - STFC UKRI] 11:33:11
The, the multi-issuer IAM setup that was proposed for SKA around having a centralized attribute authority.[Thomas Dack - STFC UKRI] 11:33:17
And then multiple IAM issuers that can use the same…[Thomas Dack - STFC UKRI] 11:33:22
like, centralized attribute authority. So, you'd have a centralized, like, group management platform that you can delegate all the access control to.[Thomas Dack - STFC UKRI] 11:33:28
And then you have various IAMs that are the VOs that use that information. And so you can have a centralized, like,[Thomas Dack - STFC UKRI] 11:33:35
Grid PP group management platform, and then you hang a load of different IAM instances as the VOs underneath it, so that you would have consistent.[Thomas Dack - STFC UKRI] 11:33:43
user and group information across the whole[Thomas Dack - STFC UKRI] 11:33:47
of GridPP, and then you have various different issuers underneath it.[Thomas Dack - STFC UKRI] 11:33:50
Pete, you want to.[Peter Clarke] 11:33:51
Yeah, I was simply going to say, Daniela brought up, you know, one thing, just reminded that I think is quite important in this.[Peter Clarke] 11:33:58
I would use the word affinity. You use a different word, but[Thomas Dack - STFC UKRI] 11:34:05
So I think don't… don't… I think don't…[Peter Clarke] 11:34:05
Oh, sorry, for some reason I thought my Zoom…[Thomas Dack - STFC UKRI] 11:34:07
I think Donald was still sharing, and he's just ended the share, so…[Peter Clarke] 11:34:07
I thought my Zoom had crashed for a moment.[Peter Clarke] 11:34:10
Yeah, yeah, yeah, they do. Anyway, there is a great power in.[Peter Clarke] 11:34:16
groups that have an affinity, a strong affinity with a VO,[Thomas Dack - STFC UKRI] 11:34:17
Yeah, of course.[Peter Clarke] 11:34:20
Big ones running it. For just the obvious reasons, you know, if I use an example, Imperial and LZ,[Peter Clarke] 11:34:24
you know, there's such a close thing that Imperial can instantly reprioritize their people, depending how hard LZ.[Thomas Dack - STFC UKRI] 11:34:30
Mm-hmm.[Peter Clarke] 11:34:31
Screaming because the spokesperson of LZ is in Imperial. And actually, that's a good thing.[Peter Clarke] 11:34:36
that it leads to agile response and agile and so on, and that.[Thomas Dack - STFC UKRI] 11:34:37
Yeah. Yeah, of course.[Peter Clarke] 11:34:40
Yeah, and it stop, yeah, whereas the more central the thing is, the more likely people are to complain if.[Thomas Dack - STFC UKRI] 11:34:45
Mm-hmm. Brij?[Peter Clarke] 11:34:46
a thing doesn't get done in exactly the time you want it. It's just human nature. It's not.[Peter Clarke] 11:34:52
So that is useful.[Brij Kishor Jashal] 11:34:59
Madam. Uh, so, I mean, following the discussions, uh…[Brij Kishor Jashal] 11:35:03
about the IAM and the services at CHEP. I was wondering,[Brij Kishor Jashal] 11:35:06
So, when you say about having a GridPP IAM instance.[Brij Kishor Jashal] 11:35:11
What's the current status in terms of these different IAM instances being able to share[Brij Kishor Jashal] 11:35:18
And communicate with each other with regards to the common users. So, for example, the ATLAS IAM,[Brij Kishor Jashal] 11:35:24
If a user is registered in the ATLAS IAM and authorized, and so on.[Brij Kishor Jashal] 11:35:29
And also, for example, have a way of GridPP authentication.[Thomas Dack - STFC UKRI] 11:35:34
Mm-hmm.[Brij Kishor Jashal] 11:35:35
Then, is it like this information shared that, okay, this user…[Brij Kishor Jashal] 11:35:39
Or do you have to, like, explicitly, like, have entry for each user?[Brij Kishor Jashal] 11:35:45
Uh, and scopes and so on in each IAM instance.[Thomas Dack - STFC UKRI] 11:35:48
with the current implementation, it is a separate user in each one. They all link to…[Brij Kishor Jashal] 11:35:49
So…[Thomas Dack - STFC UKRI] 11:35:54
like the CERN SSO, or EduGain, or a technology like that, and so…[Thomas Dack - STFC UKRI] 11:35:59
There are mechanisms to verify they're the same user, but each user entry within[Thomas Dack - STFC UKRI] 11:36:04
ATLAS IAM, ALICE IAM, etc. will be a separate[Thomas Dack - STFC UKRI] 11:36:09
user entity.[Thomas Dack - STFC UKRI] 11:36:10
Um, I don't believe…[Thomas Dack - STFC UKRI] 11:36:13
There is token exchange to switch between the two of them. Um, I know James has done some prep work around this for the SKA context.[Thomas Dack - STFC UKRI] 11:36:20
And I don't know whether Sam is about to correct me on something, but…[Sam S] 11:36:24
No, no, I'm not. I was going to add that if you compare it to VOMS, right, that same is also true of VOMS. This is not like a[Sam S] 11:36:31
This is not a degradation of performance relative to how VOMS servers used to do things.[Sam S] 11:36:35
Where you also would have separate entries for every[Thomas Dack - STFC UKRI] 11:36:36
Hmm.[Sam S] 11:36:38
VO, right? In fact, in some ways,[Sam S] 11:36:42
Some of the IAMs are slightly better, which you might expect for something that's replacing it, but, um…[Sam S] 11:36:46
Yeah, I just don't want this to become a…[Sam S] 11:36:50
this is a… this is a duplication thing, or is this bad? Well, it's no worse than VOMS at the… at the very least.[Thomas Dack - STFC UKRI] 11:36:53
Hmm.[Brij Kishor Jashal] 11:36:58
No, but I mean, the thing, what I'm trying to wonder is, so, for example, in VOMS, any certificate of authority which is used a certificate, that particular identity remains common across any of the VOs that user is[Brij Kishor Jashal] 11:37:09
wants to use unless, you know…[Sam S] 11:37:11
Yes. Right.[Brij Kishor Jashal] 11:37:11
So there was this common infrastructure which was authenticated across all the things, irrespective of how many VOMS servers are there, and so on.[Thomas Dack - STFC UKRI] 11:37:19
So you're saying, like, the base identity, the certificate, is consistent across all of them, is that the point you're making?[Brij Kishor Jashal] 11:37:19
So in terms…[Brij Kishor Jashal] 11:37:27
Yeah.[Thomas Dack - STFC UKRI] 11:37:27
Yeah, and so the intention with the IAM instances is you connect them to[Thomas Dack - STFC UKRI] 11:37:32
Something like the CERN SSO, something like the National Federations, and so…[Thomas Dack - STFC UKRI] 11:37:38
For example, IRIS IAM, we use the base eduGAIN accounts, and so people sign in using their STFC email or their university email, their IDs.[Thomas Dack - STFC UKRI] 11:37:46
They're associated with their institution.[Thomas Dack - STFC UKRI] 11:37:48
And so rather than using…[Thomas Dack - STFC UKRI] 11:37:51
an issued certificate, we are currently using…[Thomas Dack - STFC UKRI] 11:37:54
the national identity, the identities that are associated with the affiliations.[Thomas Dack - STFC UKRI] 11:37:58
IAM does support linking certificates and certificates with registration,[Thomas Dack - STFC UKRI] 11:38:02
Uh, but hanging an infrastructure off X.509 certificates at this point feels like[Thomas Dack - STFC UKRI] 11:38:08
not the right direction. Um…[Brij Kishor Jashal] 11:38:10
Yeah, true, I agree.[Thomas Dack - STFC UKRI] 11:38:11
But, like, this was the point I was making, is that, say, say you have a researcher who's affiliated with a university, and they make an account at two different IAM instances. If they've affiliated it with their university ID,[Thomas Dack - STFC UKRI] 11:38:22
there will be the persistent identifier across the university level.[Brij Kishor Jashal] 11:38:25
Yeah, the problem is that they're having to register with two different IAM instances. That's the problem.[Thomas Dack - STFC UKRI] 11:38:26
Um, that…[Sam S] 11:38:30
What they have to do with VOMS as well, they have to deal with VOMS anyway, Brij. With VOMS, you still have to.[Sam S] 11:38:36
it's assigned to… to sign the AUPs, et cetera, for every given VOMS server that represents a VO that you're part of. That isn't… that isn't a different thing.[Thomas Dack - STFC UKRI] 11:38:46
One of the benefits God.[Daniela Bauer] 11:38:47
Yes. So, and also, you know, it's a permission issue, you know, if you joined one IAM, it,[Daniela Bauer] 11:38:53
It doesn't mean you can, you know,[Daniela Bauer] 11:38:56
suddenly access all VOs it possibly support. You only still[Daniela Bauer] 11:39:00
can access the one you're actually a member of.[Brij Kishor Jashal] 11:39:03
Yeah, that would be important.[Thomas Dack - STFC UKRI] 11:39:04
One of the benefits is that IAM is implementing the support for the OpenID federation schema.[Brij Kishor Jashal] 11:39:06
Sorry.[Thomas Dack - STFC UKRI] 11:39:10
Which will mean that there will be better mechanisms for[Thomas Dack - STFC UKRI] 11:39:14
If you get a token that isn't from an issuer, but it is an issuer within the OpenID Federation you are attached to,[Thomas Dack - STFC UKRI] 11:39:21
you, like, there better ways to verify this, and so there…[Thomas Dack - STFC UKRI] 11:39:24
is potential for…[Thomas Dack - STFC UKRI] 11:39:26
If you get a token that's not from your default issuer, that the trust chain is there to verify that identity.[Thomas Dack - STFC UKRI] 11:39:32
Uh, because OAuth is a more federation-leading technology than the significant identity mechanisms are. And so there will be better tooling.[Thomas Dack - STFC UKRI] 11:39:40
in place around this, but…[Thomas Dack - STFC UKRI] 11:39:42
I think, as Daniela and Sam have said, like[Thomas Dack - STFC UKRI] 11:39:46
Having it default transfer across different issuers.[Thomas Dack - STFC UKRI] 11:39:50
isn't actually really kind of what you want. This is the entire, I guess, the reason why.[Thomas Dack - STFC UKRI] 11:39:55
the LHC experiments are separated at the VO level because you don't want to have[Thomas Dack - STFC UKRI] 11:40:02
various admin rights, etc., jumping between different VOs.[Brij Kishor Jashal] 11:40:06
That's… that's clearly important. I mean, uh…[Brij Kishor Jashal] 11:40:09
Yeah.[Thomas Dack - STFC UKRI] 11:40:10
Now, obviously, I sort of mentioned this and SKA haven't really moved forward with it.[Thomas Dack - STFC UKRI] 11:40:18
in the direction because they're making some questionable decisions around their token infrastructure that we have been advising them not to.[Thomas Dack - STFC UKRI] 11:40:25
Um, but…[Thomas Dack - STFC UKRI] 11:40:26
The… one of the pieces of work that myself, Ian, and Jens put together was an overall design to have.[Thomas Dack - STFC UKRI] 11:40:34
a centralized attribute authority, which is where you'd get a centralized identities and centralized group management, and then IAM instances that can[Thomas Dack - STFC UKRI] 11:40:41
build their user bases off this. And so for core…[Thomas Dack - STFC UKRI] 11:40:45
group management activities, they can happen, and then the different VOs can just pull the user information from there. That could be a model that would work for GridPP, so you have a centralized[Thomas Dack - STFC UKRI] 11:40:54
user and group management portal that then feeds into different VOs that don't even have to be running at the same site, right? Like, the entire SKA model was to have[Thomas Dack - STFC UKRI] 11:41:03
a centralized SKA-run attribute authority, and then the different national SRCs running.[Thomas Dack - STFC UKRI] 11:41:09
Their own issuers.[Thomas Dack - STFC UKRI] 11:41:11
And so you can lean more into what[Thomas Dack - STFC UKRI] 11:41:13
He and Daniela have been saying about having a specific site running a VO because it's got a better connection to the users.[Thomas Dack - STFC UKRI] 11:41:19
while still doing a bit more of your centralized group management activities.[Thomas Dack - STFC UKRI] 11:41:23
Um, that could be a…[Thomas Dack - STFC UKRI] 11:41:25
An answer here. Now, I think what's clear from the conversation here is that there isn't just a[Thomas Dack - STFC UKRI] 11:41:30
We'll slap a GridPP VO IAM together, and we'll call it a day. There's further discussion needed around this, about what level we need to do, what we need to deploy,[Thomas Dack - STFC UKRI] 11:41:40
etc.[Thomas Dack - STFC UKRI] 11:41:42
there's… I don't know whether there would still be a use case for a…[Thomas Dack - STFC UKRI] 11:41:46
sort of centralized GridPP one, and then other ones representing different VOs underneath it.[Thomas Dack - STFC UKRI] 11:41:51
Um, what I can say is, obviously,[Thomas Dack - STFC UKRI] 11:41:53
If we want to start…[Thomas Dack - STFC UKRI] 11:41:56
testing and running things and getting a VOMS AA together.[Thomas Dack - STFC UKRI] 11:42:02
using IAM, uh, I can have my team set something up relatively quickly, and we can start doing the technical conversations and next steps around that, and we can[Thomas Dack - STFC UKRI] 11:42:11
work out steps from there, uh…[Thomas Dack - STFC UKRI] 11:42:14
I think…[Thomas Dack - STFC UKRI] 11:42:16
this isn't something that's going to be answered in this meeting, I think is quite clear the conversation here, because[Thomas Dack - STFC UKRI] 11:42:22
Understanding the granularity and the VOs that need to be served is important here.[Brij Kishor Jashal] 11:42:29
Just a follow-up question, perhaps it's quite, uh…[Brij Kishor Jashal] 11:42:32
Uh, basic income question. Apologies for my not full understanding, but…[Thomas Dack - STFC UKRI] 11:42:35
No, that's fine.[Brij Kishor Jashal] 11:42:38
So under the GridPP VO, we have multiple VOs, right? If a user connects[Thomas Dack - STFC UKRI] 11:42:41
Mm-hmm.[Brij Kishor Jashal] 11:42:43
Authenticates using the GridPP IAM.[Brij Kishor Jashal] 11:42:45
comes to it, uh, from the site point of view, or the accounting point of view, uh,[Brij Kishor Jashal] 11:42:52
will be able to distinguish between, okay, that particular[Brij Kishor Jashal] 11:42:55
user who got authenticated via the GridPP IAM,[Brij Kishor Jashal] 11:42:59
which particular VO he belonged to.[Brij Kishor Jashal] 11:43:02
And, like, the further classification, so that we are able to, for example, a user[Brij Kishor Jashal] 11:43:07
from some, you know, biocomputation versus chemistry versus anything you will be able to account separately.[Brij Kishor Jashal] 11:43:16
How will that work?[Brij Kishor Jashal] 11:43:19
From the… yeah, Matt…[Brij Kishor Jashal] 11:43:21
perhaps if you want to comment on this, or something else.[Brij Kishor Jashal] 11:43:24
We can't hear you. You are muted, I think.[Sam S] 11:43:30
It'll be clear, Matt, you look like you're unmuted, but we couldn't hear you on your mic, so it might be the wrong microphone.[Brij Kishor Jashal] 11:43:34
Yeah.[Matthew Steven Doidge] 11:43:36
That's, I think[Thomas Dack - STFC UKRI] 11:43:41
It's got a lot of background noise, but we can hear you.[Sam S] 11:43:42
Yeah, there's lots of background noise, yeah, but it's fine[Matthew Steven Doidge] 11:43:52
There's a big difference between VOMS server and VO, and we need to make sure you keep that because the statement that we have a lot of user groups underneath the GridPP VO is not necessarily true. We have a lot of user groups under the GridPP VOMS server[Matthew Steven Doidge] 11:44:11
And in the move to IAM, we have to stay here. And it's already been touched on everyone, but we need to[Matthew Steven Doidge] 11:44:20
Keep this clear and disentangle all of this. And you probably drop some… drops, you have a cleaner femuray, as Daniela said, there's a lot of things that we don't necessarily, you know, we don't want to[Matthew Steven Doidge] 11:44:33
People want to clean up[Matthew Steven Doidge] 11:44:37
We have 11 active, and we have a lot, and we haven't counted them, we have more that are inactive, and you should use that to clean up. But yeah, it's a big distinction between VO and VOMS server[Matthew Steven Doidge] 11:44:48
We need to make sure that we get that in the migration.[Thomas Dack - STFC UKRI] 11:44:55
Brij, you're now muted.[Brij Kishor Jashal] 11:44:57
My question particularly was that[Brij Kishor Jashal] 11:45:01
At the accounting party, once a user is getting authenticated by a GridPP IAM, at the accounting level, will we be able to distinguish between which[Brij Kishor Jashal] 11:45:10
particular sub-GridPP VO, or it is GridPP under[Sam S] 11:45:15
If the information is in… if the information is in the token they get, yes. I mean, we already do that for anything else that has an IAM[Brij Kishor Jashal] 11:45:17
Yeah.[Thomas Dack - STFC UKRI] 11:45:19
Yeah.[Brij Kishor Jashal] 11:45:21
Okay.[Sam S] 11:45:23
Issue thing.[Sam S] 11:45:25
Sometimes better than others based upon supporting ARC7, etc. But no, you can do that, right? Because[Sam S] 11:45:34
pragmatically, even in the case where… so, from an acrobatic perspective, Brij, right, the token has to give them access to the things they need to do to do whatever work they're doing for whatever experiment they're part of. So the token must[Sam S] 11:45:48
represent permissions for the kind of things they need for the experiment they're part of.[Brij Kishor Jashal] 11:45:54
And that we, like, configure somehow in the IAM, I mean, that delegation happens in the IAM, right?[Sam S] 11:45:57
Yes.[Sam S] 11:46:00
Yeah[Brij Kishor Jashal] 11:46:00
Okay.[Thomas Dack - STFC UKRI] 11:46:00
Yeah, IAM provides group management, and so…[Thomas Dack - STFC UKRI] 11:46:05
You would basically have group management associated with the activity in question and you'd use that information, the user identity, etc.[Brij Kishor Jashal] 11:46:11
Okay.[Matthew Steven Doidge] 11:46:17
One thing we could consider, hopefully my sounds better[Brij Kishor Jashal] 11:46:19
Thanks[Sam S] 11:46:21
You're much less, you know, yes, this is much better[Matthew Steven Doidge] 11:46:23
Yeah, I'm playing a Russian roulette with my input, my sound inputs apparently.[Matthew Steven Doidge] 11:46:31
It is[Matthew Steven Doidge] 11:46:34
Do we want to move just[Matthew Steven Doidge] 11:46:37
it's a case where we end up scrapping our entire way of doing things right now, and move to a purely group-subgroup infrastructure, and therefore get a workaround to the, as noted, one issuer per VO, so that every, every, you know, so, so some VOs are big enough that we spin off onto their own and they can have their own but a lot of the smaller[Matthew Steven Doidge] 11:47:01
VOMS servers, which maybe we want to keep, but only small, do we then merge them into a subgroup? And this is, again, one of many things that we, we don't want to sort out today, but this is one of the questions for the table, you know, for the table[Matthew Steven Doidge] 11:47:20
merge some VOs down, then spin off some other VOs into something else[Thomas Dack - STFC UKRI] 11:47:25
I think at that point, your question then becomes,[Thomas Dack - STFC UKRI] 11:47:29
Sort of what is a VO? Like is this previous.[Thomas Dack - STFC UKRI] 11:47:34
five-person VO, actually a VO, or is it a subgroup within GridPP? Because if it's a subgroup within GridPP, then yeah, you can go for that.[Thomas Dack - STFC UKRI] 11:47:41
And so I think one of the decisions we'd need to make is what is the…[Thomas Dack - STFC UKRI] 11:47:46
granularity of what we want to view[Thomas Dack - STFC UKRI] 11:47:48
as a VO, what can be accounted as part of GridPP, and what needs to be accounted as its own individual[Thomas Dack - STFC UKRI] 11:47:54
thing, and so I think it's quite clear from[Thomas Dack - STFC UKRI] 11:47:56
Some of the topics Daniela has been talking about, that they should be accounted as their own individual thing, and we set up an IAM to represent that community.[Thomas Dack - STFC UKRI] 11:48:02
But there's probably, possibly,[Thomas Dack - STFC UKRI] 11:48:06
things that could be represented as[Thomas Dack - STFC UKRI] 11:48:09
tasks and communities within GridPP that you could do with the group structure that Matt's talking about.[Thomas Dack - STFC UKRI] 11:48:14
Daniela.[Daniela Bauer] 11:48:16
Yeah, so obviously we do something a little bit like that when we onboard new VOs. We run them all under the GridPP VO. So if you see usage from the GridPP VO, it's not[Thomas Dack - STFC UKRI] 11:48:21
Hmm.[Daniela Bauer] 11:48:27
you know the GridPP VO, it's a new community, typically, and not always the same.[Daniela Bauer] 11:48:34
However, most of these communities have an international component. And that makes it tricky[Daniela Bauer] 11:48:42
To run it[Daniela Bauer] 11:48:45
You know, just from an admin point of view, as a GridPP VO, because, you know, you have them[Thomas Dack - STFC UKRI] 11:48:47
Yeah.[Daniela Bauer] 11:48:52
Even if they use 90% UK only, this tends to be one outlier and then it gets[Daniela Bauer] 11:49:00
You're on[Daniela Bauer] 11:49:02
on shaky ground. I mean, if we… obviously, if we have UK internal projects, yes[Daniela Bauer] 11:49:08
That we could happily just, you know, put them all under the same and especially if we have, you know[Thomas Dack - STFC UKRI] 11:49:08
Mm-hmm.[Daniela Bauer] 11:49:13
Let's say lone researchers[Daniela Bauer] 11:49:17
you know one-off[Daniela Bauer] 11:49:20
One of things, but[Daniela Bauer] 11:49:24
Ticket[Daniela Bauer] 11:49:26
International collaborators get kind of touchy if you tell them they're all British now[Thomas Dack - STFC UKRI] 11:49:32
Very fair. But then I think, yeah, there's a degree of conversation to be had here to understand.[Thomas Dack - STFC UKRI] 11:49:40
What do we need and where? And I think it's quite clear that some things will need their own one, like, um.[Thomas Dack - STFC UKRI] 11:49:46
And some things may not need their own one, so, like, something like[Thomas Dack - STFC UKRI] 11:49:51
If we're setting one up for, like, XLZD, for example, that should clearly have its own.[Thomas Dack - STFC UKRI] 11:49:56
IAM instance to represent it, and we go from there, but…[Thomas Dack - STFC UKRI] 11:50:01
there's understanding, I think, and I think, like, Matt's point around having some things represented by a group structure under GridPP.[Thomas Dack - STFC UKRI] 11:50:07
Is probably the correct way forward.[Thomas Dack - STFC UKRI] 11:50:09
Um, and there's some things where it's clearly not.[Thomas Dack - STFC UKRI] 11:50:13
And at that point then, it's back to the conversation of where is the correct place to run this so the admins have the correct[Thomas Dack - STFC UKRI] 11:50:20
Understanding of the user community, uh, to better simplify the operations and better serve the community as Pete was talking about earlier.[Matthew Steven Doidge] 11:50:35
I think it's one of the meetings in the near future would be us with a set of bowls and the ball representing each group of HBO bombserve, and we put them into each one, or have a vote on it. I think that might be the next step, is to basically take stock[Thomas Dack - STFC UKRI] 11:50:50
I was gonna say, like, it kind of sounds like what we need is some degree of…[Thomas Dack - STFC UKRI] 11:50:55
I don't want to say working group, but, like,[Thomas Dack - STFC UKRI] 11:50:58
group to set together and plan…[Thomas Dack - STFC UKRI] 11:51:01
how this should look, so that we can start putting things together.[Thomas Dack - STFC UKRI] 11:51:04
Um, and yes, it's likely to start with the ball-dropping, where do things belong, that Matt's talking about, but like.[Thomas Dack - STFC UKRI] 11:51:12
doing some of the tidying up that Daniela's talking about as well, like, working out what do we actually need, what do we put together? Like, I was…[Thomas Dack - STFC UKRI] 11:51:18
absolutely not expecting this meeting to be like, cool, we've got an answer, we're going to do this tomorrow, or Monday, I guess, at this point, but, like,[Thomas Dack - STFC UKRI] 11:51:25
I think it's a… let's take an assessment of where we're at, and…[Thomas Dack - STFC UKRI] 11:51:30
The thing that I sort of…[Thomas Dack - STFC UKRI] 11:51:32
jumped at me was the notes from a GridPP call that I missed because I was in a different meeting a few weeks ago, where it was like,[Thomas Dack - STFC UKRI] 11:51:39
Manchester is just going to deploy an IAM instance, and I think, like, what we want to avoid is…[Thomas Dack - STFC UKRI] 11:51:45
IAM instances just popping up without an overall plan to how we want the[Thomas Dack - STFC UKRI] 11:51:50
GridPP infrastructure look.[Sam S] 11:51:52
Yeah, I mean, so to unpack certainly the conversation I had with Alistair, I think that's what Alistair was worried about as well. Alistair felt a bit blindsided by people saying things like, I now X and Y are going to set up an IAM instance and wanted to be a conversation[Thomas Dack - STFC UKRI] 11:51:58
Mm-hmm.[Thomas Dack - STFC UKRI] 11:52:06
Yeah. Yeah, and that sounds good to me. Pete.[Sam S] 11:52:06
So, you know[Peter Clarke] 11:52:12
Tom, can I just reinforce that? I think you make a very good point. You've put it very well and succinctly that it's not about inhibiting anyone running an individual one or otherwise. We should have a conscious GridPP plan[Thomas Dack - STFC UKRI] 11:52:24
Mm-hmm.[Peter Clarke] 11:52:26
And I think we should pick that up and the PMB should agree to that. So quite how to form that plan. I mean, all the people around here are the people to talk, but you know[Peter Clarke] 11:52:36
I mean, I'd say since Sam will be and Daniela with everything, they're on the PMB, I think if perhaps if you guys are the natural people to make sure[Peter Clarke] 11:52:46
plan is exposed, let's say, and then one agrees to it and discusses it. But this is light touch, this is not to inhibit anyone from doing common sense at any[Sam S] 11:52:53
Yeah[Thomas Dack - STFC UKRI] 11:52:55
No, for sure, yeah. I think it's just what we want to avoid is having[Thomas Dack - STFC UKRI] 11:53:00
too many things claiming we are THE GridPP VO, etc. Like, have it.[Peter Clarke] 11:53:02
Yeah, yeah, yeah[Sam S] 11:53:04
Yeah, I don't think we were planning on that happening, but yes, there needs to be, yes.[Thomas Dack - STFC UKRI] 11:53:07
No, but…[Thomas Dack - STFC UKRI] 11:53:08
I think it's also quite easy for these sorts of things to fall into production and we end up with a disparate, like[Thomas Dack - STFC UKRI] 11:53:14
I think, as well, like,[Thomas Dack - STFC UKRI] 11:53:16
If we're talking about having subgroups, et cetera, like we want to have a consistency in the group structure, not just, like, around the WLCG token profile, but, like,[Thomas Dack - STFC UKRI] 11:53:25
What root groups are what, etc., to make sure.[Thomas Dack - STFC UKRI] 11:53:30
For the service endpoints point of view, like, if they have to interact with multiple of GridPP IAM instances from different communities.[Thomas Dack - STFC UKRI] 11:53:36
We want some degree of consistency across them, instead of having to have a[Thomas Dack - STFC UKRI] 11:53:40
VO-specific configuration for every single one as well.[Peter Clarke] 11:53:46
It also sounds like it might be a good idea to have it written down somewhere. So I smile as I say that because[Thomas Dack - STFC UKRI] 11:53:47
Right.[Peter Clarke] 11:53:53
It always sounds to me a bit like, yes, Minister, the answer to everything is, you know, have a review. Well, you know, meaning you do nothing, right? The answer to everything is, oh, write a document, but no, but seriously, the point is, if there's good practice, as in, you know, after discussion, this is a… this is a sensible way everyone agrees[Thomas Dack - STFC UKRI] 11:53:57
Mm-hmm.[Thomas Dack - STFC UKRI] 11:54:05
Yeah.[Peter Clarke] 11:54:10
To use IAM for multi-groups or do if there are some work lines of wisdom, it'd really be helpful to have them written down somewhere.[Thomas Dack - STFC UKRI] 11:54:19
Agreed.[Robert Wolfgang Frank] 11:54:21
Yeah, I agree. So Manchester hasn't been pushing this. So I've installed IAM instances for years now. There actually is an IAM.quid bpac[Robert Wolfgang Frank] 11:54:33
And we've also tested the VOMS-AA thing, so I also have a VOMS-AA service running in Manchester that I've been using for testing for some years, and… but we never pushed it, because there never really was a plan[Robert Wolfgang Frank] 11:54:47
On how to proceed this initially there will be questions about multi-VO IAM instances versus one instance per VO[Robert Wolfgang Frank] 11:54:59
Plus it would be easier to use a multi-VO IAM instance, because[Robert Wolfgang Frank] 11:55:04
you don't have that many different types of services, but[Robert Wolfgang Frank] 11:55:08
That's definitely not be possible if the[Robert Wolfgang Frank] 11:55:12
Actual restrictions come into place[Robert Wolfgang Frank] 11:55:14
On the WLCG token profile[Thomas Dack - STFC UKRI] 11:55:20
So, the double… when I… well, during Donald's talk, I was double-checking the profile, and it does assert.[Robert Wolfgang Frank] 11:55:21
So[Thomas Dack - STFC UKRI] 11:55:27
that the issuer URL is used to identify a specific VO.[Thomas Dack - STFC UKRI] 11:55:32
Um, and so…[Thomas Dack - STFC UKRI] 11:55:34
The token issuer should map to a single VO.[Thomas Dack - STFC UKRI] 11:55:38
But I guess this is the sort of conversation.[Thomas Dack - STFC UKRI] 11:55:40
prompted by Matt's point is, like,[Thomas Dack - STFC UKRI] 11:55:42
What is the… what needs to be its own…[Thomas Dack - STFC UKRI] 11:55:47
unique VO with an issuer.[Thomas Dack - STFC UKRI] 11:55:49
And what can exist within an overarching GridPP VO, for example, like…[Thomas Dack - STFC UKRI] 11:55:54
That's the… that's part of what we need to understand for the infrastructure.[Sam S] 11:55:57
There were also questions like can you hack this both DNS aliases, right?[Thomas Dack - STFC UKRI] 11:56:02
Mm-hmm.[Sam S] 11:56:03
Can you actually… would it be within the scope of the policy to have the same one bit of infrastructure providing multiple things, because it actually has multiple DNS aliases, so it has the names of multiple VMs[Sam S] 11:56:16
That is not a question I think you should answer right now, Tom, but it just, you know, it does… it does feel like there might also be ways to make it slightly more flexible[Thomas Dack - STFC UKRI] 11:56:16
All right, yeah.[Thomas Dack - STFC UKRI] 11:56:26
For sure, uh, my gut reaction is you have multiple IAMs hanging off the same database, for example, so that they all have… because the issue is, IAM… the IAM is what sets the issuer, and so you need to have a way for it to act as multiple.[Sam S] 11:56:34
Yeah, yeah, yeah.[Thomas Dack - STFC UKRI] 11:56:39
That's technical plans that I would ask Donald to investigate.[Sam S] 11:56:42
No, absolutely, yeah, but it's more that I think there are definitely ways of sharing infrastructure without[Thomas Dack - STFC UKRI] 11:56:42
But, um, there's definitely…[Thomas Dack - STFC UKRI] 11:56:46
Yeah, absolutely.[Thomas Dack - STFC UKRI] 11:56:53
So I think it's clear, like,[Thomas Dack - STFC UKRI] 11:56:58
The general consensus is we need to do more on this and have a full understanding.[Thomas Dack - STFC UKRI] 11:57:06
That Sam, Daniela and Pete, some function of them will take it to the PMB to make sure that this is all[Thomas Dack - STFC UKRI] 11:57:12
on board there and being moved forward.[Thomas Dack - STFC UKRI] 11:57:14
Uh, and then…[Thomas Dack - STFC UKRI] 11:57:16
is my correct understanding that one of Daniela or Sam will start to put together[Thomas Dack - STFC UKRI] 11:57:22
The next steps of a group process discussion, because that was what was suggested.[Sam S] 11:57:27
Yeah, I think we can sign up to that. He says, signing up, Daniela, to something without her being unmuted. Yes[Thomas Dack - STFC UKRI] 11:57:33
I'm obviously happy[Thomas Dack - STFC UKRI] 11:57:35
to help with this process, as someone who's done a lot with it, it's just, I'm… I'm not the person on the PMB to have that conversation at that level, but I'm happy to work with you and[Sam S] 11:57:42
No, no, no. And[Sam S] 11:57:45
And there have been some conversations already had, as Daniela alluded to about this. So we do have some agreement at some level, just need to formalize things[Thomas Dack - STFC UKRI] 11:57:48
Mm-hmm.[Peter Clarke] 11:57:53
I would say essential you'd be involved, Tom, obviously. I mean, you know.[Thomas Dack - STFC UKRI] 11:57:56
Yeah, yeah, yeah. I'd hope so.[Peter Clarke] 11:57:59
Yeah, yeah, yeah, I mean just but let's just say it clearly.[Peter Clarke] 11:58:04
And just to be clear, it's not the PMB is going to have any, you know, PMB is not technical, so I ain't going to say anything. No, of course not, but I just think some good things have been said, so it's useful to expose them at the PMB, that's all[Thomas Dack - STFC UKRI] 11:58:09
Yeah, yeah.[Peter Clarke] 11:58:21
Good.[Thomas Dack - STFC UKRI] 11:58:26
Is there anyone… anything, anyone else wanted to raise in the closing few minutes?[Thomas Dack - STFC UKRI] 11:58:39
I realize I've been too involved in discussion and I haven't done a good job of taking any notes, and so.[Thomas Dack - STFC UKRI] 11:58:45
I think also we didn't hit a record button, so…[Thomas Dack - STFC UKRI] 11:58:49
Uh, we probably just need to type up a little bit of the summary.[Thomas Dack - STFC UKRI] 11:58:53
between us, uh…[Matthew Steven Doidge] 11:58:54
I think it's been transcribed, I had a little[Thomas Dack - STFC UKRI] 11:58:55
Oh, it has got… actually, I did see the described.[Sam S] 11:58:57
Yeah, I could have pop up about transcription, so someone is something that's transcribing.[Thomas Dack - STFC UKRI] 11:58:59
Cool, so we've got that somewhere.[Thomas Dack - STFC UKRI] 11:59:01
We can dump the transcription somewhere, which is good.[Sam S] 11:59:04
I mean, I assume that Brij is going to get emailed it because he's the host, so[Thomas Dack - STFC UKRI] 11:59:05
Um… .[Thomas Dack - STFC UKRI] 11:59:08
Cool. If we can make sure that gets attached, I guess, to the Indico page.[Brij Kishor Jashal] 11:59:11
I mean.[Thomas Dack - STFC UKRI] 11:59:15
as minutes or so.[Brij Kishor Jashal] 11:59:17
Transcription is automatically stored[Brij Kishor Jashal] 11:59:20
I mean, is it saved?[Thomas Dack - STFC UKRI] 11:59:21
It should do. This is a Sanzu business, right?[Brij Kishor Jashal] 11:59:24
Okay.[Sam S] 11:59:26
Usually, usually what Zoom does, if you turn on transcription, is it emails you stuff, or tells you have a transcription somewhere[Thomas Dack - STFC UKRI] 11:59:33
checking the… checking the Indico, the actual host for the Zoom is Alistair with…[Brij Kishor Jashal] 11:59:33
Okay.[Sam S] 11:59:34
But I don't[Thomas Dack - STFC UKRI] 11:59:39
not bridging you, Sam, all being alternate hosts, and so some function of the four of you will get[Brij Kishor Jashal] 11:59:43
Yeah, with the[Brij Kishor Jashal] 11:59:45
But, yeah, but the Zoom is, like, I think I'm the host for the Zoom, so I… I'll get the transcription, and then I can upload that into the Indico.[Thomas Dack - STFC UKRI] 11:59:51
Yeah, it might be…[Thomas Dack - STFC UKRI] 11:59:53
It might exist within… you might have to log into your CERN Zoom profile to find it.[Thomas Dack - STFC UKRI] 11:59:58
Within there, but that's all good, so we have that.[Brij Kishor Jashal] 11:59:58
Yeah, yeah.[Matthew Steven Doidge] 12:00:00
What[Matthew Steven Doidge] 12:00:03
Or if someone hits the transcribe button[Matthew Steven Doidge] 12:00:08
whoever first hit it might have a false transcription, so they might just be able to save it[Matthew Steven Doidge] 12:00:14
And that's what I just hit this transcription button now, but I've only had it since I hit the transcription button.[Matthew Steven Doidge] 12:00:20
So I only have, like, 10 minutes of transcribing[Thomas Dack - STFC UKRI] 12:00:22
I've found it, I have the whole thing, so I'll make sure I save a copy at the end just as a backup.[Thomas Dack - STFC UKRI] 12:00:31
Um, cool. Any, any other closing points?[Thomas Dack - STFC UKRI] 12:00:35
Um…[Peter Clarke] 12:00:38
Well, no, I only say thanks, been a really useful meeting. Yeah, I'm unmuted. Yeah.[Peter Clarke] 12:00:43
Thanks for running this, Tom.[Thomas Dack - STFC UKRI] 12:00:47
No worries. Thanks all for attending. It's definitely been…[Thomas Dack - STFC UKRI] 12:00:51
useful from my point of view to gain a better understanding.[Thomas Dack - STFC UKRI] 12:00:55
of where we're at and where we need to look towards, so…[Thomas Dack - STFC UKRI] 12:01:00
I look forward to…[Thomas Dack - STFC UKRI] 12:01:02
working out the next steps with her people.[Peter Clarke] 12:01:04
Okay[Thomas Dack - STFC UKRI] 12:01:06
Cool. Cheers everyone.[Gerard Hand (Lancs)] 12:01:08
Right -
2
Other IAM instances / Authentication Requirements
-
3
Discussion