WLCG AuthZ Meeting

Europe/Zurich

WLCG AuthZ WG

September 28th, 16:00 CEST

Attendees: Susan Sons, Hannah Short, Kyle, Linda, Andrea, DavidC, Romain, Maarten, Mischa, Vincent

Apologies: Brian, Michel, Dave, Liviu


Next meetings:

  • October Vidyo

  • November 7th pre-GDB at CERN


Agenda:

  1. Maarten/Brian - present and review how Authorization is used today in WLCG, and what features or functionalities would need to be preserved in the future

  2. Hannah - FIM discussion points (postponed)

  3. Mischa - CLI voms proxy provisioning via ssh https://wiki.nikhef.nl/grid/AARC_Pilot_-_SSH_Key_Portal

  4. AOB


Notes:

  • FIM Discussion points postponed to next time

  • Andrea believes there is a lot of overlap between Brian’s slides and Indigo - on the agenda next time

  • Brian to present next time (hopefully)

  • Doodle for next call: http://doodle.com/poll/ektmk7q4yfypd2ft

  • Maarten’s EGI summary

    • CANL (library for consistent proxy treatment) may be more maintained than first thought

    • Many sites do not run ARGUS; a large part of ARGUS usage is disappearing since glexec is retired and the information about the user is no longer provided

  • A clear set of requirements would help us to avoid duplicating efforts - perhaps a topic for a future call or meeting

    • 16:00 - 16:20
      AuthZ in WLCG 20m

      Maarten/Brian - present and review how Authorization is used today in WLCG, and what features or functionalities would need to be preserved in the future

      Speakers: Brian Paul Bockelman (University of Nebraska Lincoln (US)), Maarten Litmaath (CERN)
    • 16:20 - 16:40
      VOMS proxy provisioning via ssh 20m
      Speaker: Dr Mischa Sallé (FOM Nikhef)
    • 16:40 - 17:00
      FIM Considerations 20m

      FIM Discussion Points:
      - How can we enable membership requests based on federated credentials?
      - What is a suitable source of membership roles & groups? Does it need to change? (VOMS, e-groups, User Office, COmanage etc.)
      - Acceptable LoA of federated credentials?
      - Acceptable trust in IdP (e.g. Sirtfi)?
      - Identity vetting process integration? (Between User Office & AA)
      - Account transfer between federated credentials (home organisation changes)?
      - What needs to change for services to accept federated credentials?
      - Translation services?
      - Move non-web services behind web portals?
      - CLI possibilities?
      - Can we remove the need for certificates in the hands of the user, or make it transparent?
      - How can we block users?
      - Blocking at the authentication stage?
      - Real-time blocking?
      - Blocking long-lived access tokens (certificates, OAuth tokens, etc.)?
      - How can access rights (roles/groups) for a user be queried?
      - What can we expect of users in addition to web-based AuthN?
      - Certificate management?
      - SSH key management?
      - Other?

      Speaker: Hannah Short (CERN)