WLCG AuthZ WG Call



  • DODAS (Andrea Ceccanti) - an example of token authorisation in practice
  • Working Group Documents (at https://twiki.cern.ch/twiki/bin/view/LCG/WLCGAuthorizationWG#WG_Documents)
    • Requirements doc - finalising and getting agreement
    • Catalogue of Token use - any final comments?
    • WLCG JWT Schemas - finalising and getting agreement
  • pre-GDB Agenda
    • Document completion
    • Pilot updates
    • Start discussion on operational impact?
    • AOB?

Attendees: Maarten, Andrea, David, Hannah, Mischa, Romain, Daniele, Paul, Mine, Nicolas, Ioannis


  • DODAS (Andrea Ceccanti)
    • Important to be able to use whichever type of computing resource is on offer
    • DODAS simplifies incorporating external resources, e.g. opportunistic public and private cloud providers
    • Automates bootstrapping
    • TOSCA templates (YAML) describe the deployment configuration: volumes, network connectivity, which services to run, etc.
    • Generic and extensible, since the VMs are provisioned with Docker
    • For CMS, the user's token still has to be translated into an X.509 credential
    • See slides for diagrams
    • The ongoing HTCondor work on token authorisation will mean that the DODAS token translation is no longer necessary
    • Out-of-band authentication through a browser to validate a token requested from the CLI
    • WATTS (the INDIGO Token Translation Service) provides the credentials for the CMS global pool
    • Tokens are used in two cases
      • Bootstrapping the infrastructure
      • Accessing the CMS global pool
  • Pre-GDB Agenda
    • Document approval: put all the names on the document, PDF v1.0
      • Catalogue of Tokens
      • Requirements Doc, everyone to read through and add their name and comments
      • Schema, have one additional call
    • Operational impact discussion
      • We have touched on it a little; it will last years
    • Pilot updates
      • Fine for both sides, Ioannis and Nicolas possibly remote, Andrea in person 
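The out-of-band step in the DODAS notes above (a token requested from the CLI is validated by the user in a browser) and the later use of that token to access a resource, worked through as an added example. This is constructed simulation code, not DODAS, INDIGO IAM or HTCondor code; it assumes the OAuth 2.0 device authorization grant (RFC 8628) as the concrete form of the browser step, uses HS256 with a shared secret where a real issuer would sign with RS256, and the issuer, client and audience names (iam.example.org, dodas-cli, cms-global-pool) are made up.

```python
"""Out-of-band token request: a CLI asks for a token, the user approves it in a
browser, the CLI polls until the token is issued, and the resource verifies it.

Constructed simulation of the OAuth 2.0 device authorization grant (RFC 8628)
with HS256 signing; not DODAS, INDIGO IAM or HTCondor code."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (assumption: a real issuer uses RS256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int):
    """Resource side: accept only HS256 tokens from `issuer` for `audience` that are
    not expired; return the claims, or None on any failure."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64d(header)).get("alg") != "HS256":
            return None  # refuse algorithm confusion (e.g. "none")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class AuthServer:
    """Minimal in-memory authorization server holding pending device requests."""

    def __init__(self, issuer: str, key: bytes, lifetime: int = 600):
        self.issuer, self.key, self.lifetime = issuer, key, lifetime
        self.pending = {}  # device_code -> request state

    def device_authorization(self, client_id, audience, scope, now):
        """CLI, step 1: get a device_code to poll with and a short user_code to show the human."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "aud": audience, "scope": scope,
            "user_code": user_code, "expires": now + self.lifetime, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": f"{self.issuer}/device", "interval": 5}

    def approve(self, user_code, subject):
        """Browser, out of band: the user, already logged in as `subject`, confirms the code."""
        for state in self.pending.values():
            if state["approved_by"] is None and hmac.compare_digest(state["user_code"], user_code):
                state["approved_by"] = subject
                return True
        return False  # unknown or mistyped code: nothing is approved

    def token(self, device_code, now):
        """CLI, step 2: poll. Returns (token, None) or (None, error) as in RFC 8628."""
        state = self.pending.get(device_code)
        if state is None:
            return None, "invalid_grant"
        if now > state["expires"]:
            del self.pending[device_code]
            return None, "expired_token"
        if state["approved_by"] is None:
            return None, "authorization_pending"
        del self.pending[device_code]  # a device_code is redeemable once
        claims = {"iss": self.issuer, "sub": state["approved_by"], "aud": state["aud"],
                  "scope": state["scope"], "iat": now, "exp": now + 3600}
        return sign_jwt(claims, self.key), None


if __name__ == "__main__":
    import time
    key = b"constructed-shared-secret"
    srv = AuthServer("https://iam.example.org", key)
    t = int(time.time())
    dev = srv.device_authorization("dodas-cli", "cms-global-pool", "compute.read", t)
    print("open", dev["verification_uri"], "and enter", dev["user_code"])
    print(srv.token(dev["device_code"], t))  # pending until the browser step
    srv.approve(dev["user_code"], "alice")  # the browser step
    tok, _ = srv.token(dev["device_code"], t + 1)
    print(verify_jwt(tok, key, "https://iam.example.org", "cms-global-pool", t + 2))
```

The points worth noticing are the ones a relying party such as a pilot factory or storage endpoint has to get right: polling before approval returns authorization_pending rather than a token, a device code can be redeemed only once and not after its lifetime, and the resource checks the signature, issuer, audience and expiry before trusting any claim, so a token issued for the CMS global pool is refused by any other audience.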


  • Discussion
  • What is the link with SciTokens? Currently there is no formal relationship; there are no big differences, and there is a convergence path.
  • Could multiple tokens be supported? Yes, this is easy. Many services are being developed in a generic way to allow this. 
  • S3 supports OAuth


  • Actions
  • Hannah to ask everyone to read through the Requirements doc and add their name
  • Hannah to schedule one more Schema document call to go through the comments