MWSG 8, March 7-8, 2006, CERN
Minutes Day 1 by Gerben Venekamp
Minutes Day 2 by Oscar Koeroo

Decisions and outstanding issues on day 1
-----------------------------------------

Dave Kelsey - GGF16 AuthZ workshop
- (Olle Mulmo) We need a minimal interoperability level in GIN, e.g. roles.
- (Olle Mulmo) How to define priority (boolean, true/false, integer)?
- (David Groep) All of the above.
- (Ian) Is it sensible to standardise on role names? VOs want to assign (five or so) meta names to put people in.
- (Akos Frohner) Can we not give recommendations for names to use?
- (Olle Mulmo) Problems with a truly fine-grained role name solution.
- (Akos Frohner) What do we want to achieve?
- (Olle Mulmo) Have different role names depending on the VO and then reason about the differences, but try to keep the meaning of the names as close as possible to one another.
- (David Groep) Putting glexec on the worker nodes shifts the problem, and the problem becomes easier to solve. The site is no longer directly in control, but can track what happens because users need to switch identities (on the worker node).

---------------- Coffee break ----------------

David Groep - glexec on worker nodes
- gLite wants to have a secure session from glexec on the worker node to the underlying LCAS/LCMAPS backend.
- Signing job requests to prevent replay attacks.
- (Oscar Koeroo) This means you'll have to sign your sandbox, which can be rather large. Does this scale?
- (David Groep) Signing is not a problem.
- (Ian) What motivates VOs to change their way of working, e.g. give TW full access as is done today?
- (David Groep) VOs might not be able to run on (particular) sites.
- (Ruth Pordes) I will not allow glexec on worker nodes. It is not worth the pain.
- (Oscar Koeroo) Should be ready by July '06.
- (David Groep) glexec does a real-time check and might be a better check.
----------------------------------------
Decisions and outstanding issues on day 2
----------------------------------------

Vincenzo - GPBox
- (Ian) Can the policy also go up, from a site to VO level? Answer (Vincenzo): yes it can, but not shown here in the test.
- (Christoph) GPBox needed on WN (after yesterday's discussion on glexec on WN)?
  (Claudio) It is at the discretion of the VO. If they wish to enforce the policy in that stage, then they could do that.
  (David) The GPBox CE PEP is an LCMAPS plugin.

Linda - GSVG
- (Ian) RAT should do risk assessments, nothing more, because they are not in the role of developers.
- (all) MW management needs to communicate the risk/bug level of a bug from management to developers, to make them aware of the fact that one bug is more important to fix than other (critical) bugs.
- Need to change: getting fixes through to deployment, perhaps a site functional test for vulnerable versions of S/W.
- Closed issues shouldn't get a low priority but no priority, since no work is expected to be done on closed issues.
- (Olle) "Question on TD": developers need to have free space in their timelines to solve vulnerabilities.
- Developers must be aware of the fact that one of their vulnerabilities could cause great problems at sites (e.g. financially).
- (DaveK) Who is allowed to be a member of the Vulnerability?
- (Bob C) Somebody reports a bug on LCG-Roll-Out...? It needs to be clear that there is a mechanism to report such a bug.
  The procedure is to submit a bug through Savannah. It needs a lower threshold perhaps (like an e-mail to myvul@linda.com).
  Critical bugs are reported in the EMT (weekly): which bugs are, and which bug might be marked critical in JRA1 Savannah.
  Marking bugs for their criticality needs to be coordinated with JRA1 (EMT), the Security Coordination Group and others now(!)

-- No record of talks

Akos - delegation
- Structured file storage
- Discussion on the use of the file 'voms.attributes' in the delegation cache.
  It is used to check if the new delegation used the same set of VOMS attributes; otherwise it is a compromise.

David - Name Space Constraint policy
- Status of the implementation: stated in MWSG7 as being deployed at the end of February? Why isn't it deployed?

Ake - Wrap-up
- "TONIC is a good idea"
- Silver Bullet: who will participate in it?
- DaveK: Grid Deployment: still a problem for VOs to have a clear notion of what is a Group and what is a Role.
- The focus for us (MWSG) should be on EGEE and OSG.

VO Naming:
- Olle: We should not enforce the VO to be an entry.
- DavidG: "The VO name SHOULD be formatted as a subdomain name as specified in RFC1034, and the VO administrators using a thus-formatted VO name MUST be entitled to the use of this name, either by a direct delegation of the corresponding DNS name from an accredited registrar, or by consent of the administrative or operational contact of the most specific sub-part of the equivalent DNS domain name that is thus registered with such a registrar."
- Oscar/Vincenzo/David: /group[/group2][/Role=role1], where the first 'group' is equal to the name of the VO.

glexec on WN:
- DaveK: Needs more discussion.
- DavidG: Needs to be deployable by the sites at their discretion. VOs should not assume deployment on the infrastructure.

Future MWSG:
- EGEE-OSG: Next meeting in June (Stanford).
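As an added illustration (example code written for these minutes, not code from MWSG, VOMS, gLite or any of the speakers), the following Python checks the two rules agreed under VO Naming (VO name formatted as an RFC 1034 subdomain name, first group of the FQAN equal to the VO name) and the delegation-cache comparison raised in Akos's delegation discussion (the cached 'voms.attributes' set must equal the new delegation's set, anything else being treated as a compromise). The function names, the sample FQANs and the assumption that voms.attributes holds one FQAN per line are the example's own.

```python
"""Checks for the VO-naming rules and the delegation-cache comparison
discussed at MWSG 8.  Example code added to the minutes; function names,
sample FQANs and the one-FQAN-per-line cache layout are assumptions."""
import re

# RFC 1034 label: starts with a letter, ends with a letter or digit,
# interior may contain letters, digits and hyphens; at most 63 octets.
_LABEL = re.compile(r"^[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_rfc1034_vo_name(vo_name: str) -> bool:
    """True if vo_name is formatted as a subdomain name per RFC 1034."""
    if not vo_name or len(vo_name) > 253:
        return False
    return all(_LABEL.match(label) for label in vo_name.split("."))


def parse_fqan(fqan: str):
    """Split '/group[/group2...][/Role=role1]' into (groups, role).

    Returns None when the string does not follow that shape.  Capability
    parts are not modelled here (assumption for this example).
    """
    if not fqan.startswith("/"):
        return None
    parts = fqan.split("/")[1:]
    role = None
    if parts and parts[-1].startswith("Role="):
        role = parts.pop()[len("Role="):] or None
        if role is None:          # '/Role=' with an empty role name
            return None
    if not parts or any(p == "" or "=" in p for p in parts):
        return None
    return parts, role


def check_fqan_for_vo(fqan: str, vo_name: str):
    """Apply the wrap-up rules.  Returns a list of problems; an empty
    list means the FQAN is acceptable for this VO."""
    problems = []
    if not is_rfc1034_vo_name(vo_name):
        problems.append("VO name is not an RFC 1034 subdomain name")
    parsed = parse_fqan(fqan)
    if parsed is None:
        problems.append("FQAN is not of the form /group[/group2][/Role=role]")
        return problems
    groups, _role = parsed
    if groups[0] != vo_name:
        problems.append("first group %r does not equal the VO name %r"
                        % (groups[0], vo_name))
    return problems


def delegation_attributes_match(cached_file_text: str, new_fqans) -> bool:
    """Delegation-cache check: the cached 'voms.attributes' content
    (assumed one FQAN per line) must carry exactly the same set of VOMS
    attributes as the new delegation; order does not matter, but any
    missing or extra attribute is treated as a compromise."""
    cached = {line.strip() for line in cached_file_text.splitlines()
              if line.strip()}
    return cached == set(new_fqans)


# Constructed sample data (not taken from the minutes).
SAMPLE_VO = "atlas.example.org"
SAMPLE_CACHE = ("/atlas.example.org\n"
                "/atlas.example.org/production/Role=lcgadmin\n")

if __name__ == "__main__":
    for fqan in ("/atlas.example.org/production/Role=lcgadmin",
                 "/cms.example.org/Role=admin", "atlas"):
        print(fqan, "->", check_fqan_for_vo(fqan, SAMPLE_VO) or "ok")
    print("cache matches:", delegation_attributes_match(
        SAMPLE_CACHE, ["/atlas.example.org/production/Role=lcgadmin",
                       "/atlas.example.org"]))
```

The VO-name check is stricter than what many sites accept (a label must start with a letter, as RFC 1034 requires), which is the point of the SHOULD in the wrap-up text; the cache comparison is deliberately set-based so that attribute order in the file does not produce false alarms.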
Attendees
---------

Day 1 - March 7
Ake Edlund (chair)     EGEE/KTH
Joni Hahkala           EGEE/UH-HIP
David Groep            EGEE/RAL
Olle Mulmo             EGEE/KTH
Gerben Venekamp        EGEE/NIKHEF
Oscar Koeroo           EGEE/NIKHEF
Stephen Hicks          EGEE/RAL
Linda Cornwall         EGEE/GRIDPP/RAL
Akos Frohner           EGEE/CERN
Thomas Leggenhager     EGEE/SWITCH
Bob Cowles             OSG/SLAC
Vincenzo Ciaschini     EGEE/INFN
Ricardo Rocha          EGEE/CERN
Valery Tshopp          EGEE/SWITCH
Remi Mollon            EGEE/CNRS/IBCP
John White             EGEE/CERN
Christoph Witzig       EGEE/SWITCH
Paolo Roccetti         DILIGENT/ENGINEERING
Dave Kelsey            EGEE/RAL
Daniel Kouril          EGEE/CESNET
Andrea Ceccanti        EGEE/INFN-CNAF
Gianluca Rubini        EGEE/INFN-CNAF
Ian Neilson            EGEE/CERN
Ruth Pordes            OSG Executive Director

Day 2 - March 8
Ake Edlund (chair)     EGEE/KTH
Joni Hahkala           EGEE/UH-HIP
David Groep            EGEE/RAL
Olle Mulmo             EGEE/KTH
Gerben Venekamp        EGEE/NIKHEF
Oscar Koeroo           EGEE/NIKHEF
Stephen Hicks          EGEE/RAL
Linda Cornwall         EGEE/GRIDPP/RAL
Akos Frohner           EGEE/CERN
Thomas Leggenhager     EGEE/SWITCH
Bob Cowles             OSG/SLAC
Vincenzo Ciaschini     EGEE/INFN
Ricardo Rocha          EGEE/CERN
Valery Tshopp          EGEE/SWITCH
Remi Mollon            EGEE/CNRS/IBCP
John White             EGEE/CERN
Christoph Witzig       EGEE/SWITCH
Paolo Roccetti         DILIGENT/ENGINEERING
Dave Kelsey            EGEE/RAL
Daniel Kouril          EGEE/CESNET
Andrea Ceccanti        EGEE/INFN-CNAF
Gianluca Rubini        EGEE/INFN-CNAF
Ian Neilson            EGEE/CERN
Claudio Grandi         EGEE/INFN
Christophe Blanchet    EGEE/CNRS/IBCP
Csaba Anderlik         EGEE/UiB