pre-GDB - Authorization Working Group

31/S-028 (CERN)



Show room on map
Monthly meeting of the WLCG Grid Deployment Board See also Twiki GDB area for actions and summaries

Attendees: Maarten L, Dave K, Andrew M, Romain W, Ian C, Alessandra F, David C, Oliver K, Ioannis I, Hannah S, Andrea C, Mischa S, Linda C, Nicolas L, Miguel M, Paul M, Adrian C, Brian B


  • IAM
    • Roles supported (not yet in UI)
    • HR DB layer created as a standalone microservice
    • Test instance at CERN already with Mock Data
    • CERN SSO integration 
      • They provide the person ID, putting behind SSO gets the person ID (probably in most cases)
      • Can choose between only having full CERN Users, or a wider range of assurance profiles
    • Need to consider file names of proxies to avoid overlap
    • RCAuth integration
      • Test instance at CNAF
      • Could add an OIDC plugin to RCAuth
      • Nicolas started deploying an SSP bridge between the two to allow OIDC connection
      • Needs to work out how to deploy master portal 
    • Difficulty getting an IGTF certificate for an openshift - not allowed because of policy 
      • VOMS is on openstack instead (benefit of using a publicly trusted certificate for the frontend) 
      • Actually this is probably better!
    • Currently cannot show full workflow because of lack of RCAuth integration. Can demonstrate VOMS proxy creation based on user certificate 
    • Comment from Alessandra that two actions, expiration and suspension, are causing problems for VOs
      • Must have a useful error message on the command line
  • EGI Checkin (sorry not many notes, was sharing video)
    • Do we allow the user to specify their own email address? 
    • We should define a list of bulk actions
  • Pre-registratioin workflow at all VO members should have a PersonID and access to a CERN account
  • DOMA
    • Group is trying to improve bulk transfers between WLCG sites, replacement to GridFTP (certificates & globus)
    • Long standing effort, e.g. EMI project in 2012
    • GridFTP powers WLCG data transfer, GSI Delegation
    • Need to do this in a new way and maintain user info
    • Token based authorisation seems to be the right option
    • Dcache and DPM and SciTokens all enhancing storage to accept token based authorisation
    • Work has started to define interface to request tokens (Paul, Brian and Andrea) 
    • Learn by doing
    • TPC test bed works
    • FTS takes complexity of different authorisation models
    • Multiple token translation possibilities to enable downstream delegation
    • Q What should a storage element be doing next year? Awaiting recommendations early next year. OAuth2 plus refresh flows. Local tokens (macaroons) and OAuth2 (remote trusted authorisation server)


  • Add requirement that AARC syntax be supported for futureproofing
  • Consider hosting an RCAuth instance at CERN
  • Critical extensions should be considered (if we think we need them)


  • Hannah ask Paolo r.e. PersonID in tokens (old and new)
  • Hannah and Maarten talk to Paolo about IGTF certificates 
  • In GDB - ask r.e. whether all VO members have a CERN account
  • Hannah send SSO registration info to Ioannis and Nicolas
  • Hannah email DavidG and Mischa r.e. hosting RCAuth at CERN and what is required (and also with Paolo)
There are minutes attached to this event. Show them.
    • 9:00 AM 9:20 AM
      Welcome and Objectives Setting 20m
      Speaker: Hannah Short (CERN)
    • 9:30 AM 11:30 AM
      WLCG Pilots Review: WLCG AAI Pilots Review

      Pilot Objective: Allow WLCG users to submit a job without managing end user certificates manually

      Conveners: Andrea Ceccanti (Universita e INFN, Bologna (IT)), Andrea Ceccanti (Unknown)
    • 12:00 PM 1:30 PM
      Lunch 1h 30m
    • 1:30 PM 1:50 PM
      What's going on in DOMA? 20m
      Speakers: Andrea Ceccanti (Unknown), Andrea Ceccanti (Universita e INFN, Bologna (IT))
    • 1:50 PM 3:50 PM
      JWT Schema Finalisation
    • 4:30 PM 5:30 PM
      Next Steps 1h
    • 8:30 PM 10:30 PM
      Dinner 2h

      A table is booked at the Buvette des Bains (on the lake in Geneva, at Bains des Paquis) at 20:30. The name is "Anna".

      IMPORTANT please bring cash

      Prices are approximately
      - Fondue 25chf
      - Plate of ham for a few to share 15chf
      - Bottle of wine 30chf

      How to get there? The nicest route is to take tram 18 into town, get off at Bel Air and walk clockwise around the lake until you get to the Bains des Paquis