pre-GDB - Authorisation Working Group

Europe/Zurich
31-S-028 (CERN)

31-S-028

CERN

30
Show room on map
Hannah Short (CERN)
Description
Monthly meeting of the WLCG Grid Deployment Board See also Twiki GDB area for actions and summaries
Videoconference Rooms
pre-GDB
Name
pre-GDB
Description
Pre-GDB vidyo
Extension
10394825
Owner
Gavin McCance
Auto-join URL
Useful links
Phone numbers
Registration
Participants

Attendees:

(Vidyo) Adrian Coveney, Brian Bockelman, David Groep, Linda Cornwell, Mischa Sallé, Paul Millar, Riku Silvola, Susan Sons, Tommaso Boccali, Greg Corbett, Antonio Falabella, Maria Arsuaga-Rios, Peter Gronbech

(In the room) Romain, Simone, Andrea, Marcus, Michel, Miguel, Joel, Liviu, David, Vincent, Stefano, Julia, Paul, Ulf, Ian C, Claudio, Nicolas, Dave, Maarten, Catherine, Hannah

Previous meetings: 

Summary:

  • World is moving to OAuth2 and JWT, we should go with them - let's not invent our own solution
  • Although Certificates have been a simple and functional solution, there are now more user friendly alternatives that we can employ to the benefit of our researchers 
  • Topics can be split into requirements for VO Membership Management and for Services
  • Draft Requirements Document available for comment

Main points from morning discussions: 

  • Authentication and Authorisation can be decoupled to a certain extent
    • VOs require different attributes on a user than downstream services
  • Best approach is to focus on a solution for the 95% of our users and assume that some power users will still manage certificates in the years to come
    • Certificates have been a very elegant solution and, if any community can manage them it's ours (!)
    • However, generally accepted that certificates are unworkable for early career researchers and, now that we have other options, they should be explored
  • Some services, e.g. CRIC, have had to define their own solutions to share authorisation attributes between web and non-web services
  • Services should receive ID & groups/roles/capabilities from VOs and be able to get additional information on users simply
  • We should follow standard approaches for authorisation, current progress points to bearer tokens JWT/OAuth2
  • Assurance of membership process should be maintained for LHC VOs, i.e. link with CERN HR db, when users are able to register via non-x509 credentials  
  • Suspension necessary at token level/VO user level/VO level/Site level 
  • User's identity is within context of VO and not global (although can be bootstrapped)
  • We recognize there is an important distinction between the "LHC VOs" and the "WLCG VOs".
    • Aim to have an infrastructure where a generic WLCG VOs can bring their own identity management.
    • The *implementation* for the LHC VOs should leverage CERN SSO and maintain CERN's identity vetting process.
    • The distributed infrastructure should see a common authorization approach at the inter-VO level, regardless of the identity management used.
  • Users should be able to give their consent for authorisation and provide constrained delegation to services

Main points from afternoon session:

  • Must ensure interoperability between EGI and OSG - work required to define a standard for authorisation tokens
  • WG should define clear requirements for VO Membership Management tool and share with solution providers to determine best approach (mustn't forget transition period from VOMS)
    • INDIGO IAM is likely next evolution of VOMS but there are multiple possibilities 
  • A token translation service is required and should be centrally run to aid integration with services

ACTIONS:

  • Hannah to circulate requirements document for further input and plan Vidyo meeting for week of December 11th
  • Hannah to share WLCG FIM4R input with group
  • Andrea and Nicolas to demo full JWT workflow (including VO registration) at next meeting
  • WG to define requirements for VO Membership Management Tool and assess solutions (such as INDIGO IAM or CoManage) against them
  • In collaboration with AARC
    • Jointly (EGI/OSG/WLCG) define a joint profile for OAuth2
      • content of the access token
      • OAuth2 proof of concept of interoperability between OSG and EGI
      • retrieving a token/sending the token (could also be done in VO?)
    • Provide command line solution to allow users to submit jobs without certificate management (AARC Pilot with Mischa, transparently provision proxies using ssh)
  • WG to consider Token Translation services
There are minutes attached to this event. Show them.
    • 09:30 10:00
      Intro and Agenda Setting 30m 31-S-028

      31-S-028

      CERN

      30
      Show room on map
    • 10:00 12:00
      Establishing the requirements for the future 2h 31-S-028

      31-S-028

      CERN

      30
      Show room on map

      What are the requirements for a WLCG AuthZ system?

      https://docs.google.com/document/d/1hnsPWf9C7ODVXZ7JehsSEiEsQwf5UmqLfTwVDhuqHzk/edit#heading=h.xam6oit8esxs

    • 12:00 13:30
      Lunch 1h 30m 31-S-028

      31-S-028

      CERN

      30
      Show room on map
    • 13:30 14:00
      Summary of the agreed requirements 30m 31-S-028

      31-S-028

      CERN

      30
      Show room on map
    • 14:00 16:30
      Review of existing or potential solutions and strategies 2h 30m 31-S-028

      31-S-028

      CERN

      30
      Show room on map

      Aim is to come up with a strategy for how to address our requirements. Split into roughly two sections, "Front end" i.e. impacting users, and "Back end" i.e. what's going on under the hood.

      ----Front end----

      Authentication mechanisms
      - X.509
      - SAML
      - OpenID Connect
      - Social logins

      Identity/Collaboration management/Authorization services
      - VOMS Admin
      - INDIGO IAM
      - EGI Check-in
      - CoManage
      - Keycloak
      - Argus

      ----Back end----

      Authorization
      - VOMS attribute certificate
      - OAuth bearer token
      - JWTs
      - Other token format (Macaroons)
      - SAML assertion

      Token Translation
      - Master Portal
      - WATTS

    • 15:30 16:00
      Coffee 30m 31-S-028

      31-S-028

      CERN

      30
      Show room on map
    • 16:30 17:15
      Consensus, conclusions and next steps 45m 31-S-028

      31-S-028

      CERN

      30
      Show room on map
    • 18:00 20:00
      Go for a drink 2h Restaurant 1

      Restaurant 1

      CERN

Your browser is out of date!

Update your browser to view this website correctly. Update my browser now

×