WLCG AuthZ Call

31/S-027 (CERN)




Proposed agenda:

  1. Privacy policy update
  2. VO Interviews Update
    1. LHCb
    2. ATLAS
    3. ALICE
    4. CMS
  3. Pilot CERN deployment update
  4. JWT Token Catalogue Document sign-off https://docs.google.com/document/d/1XQvh2dxDivUstjQaS3K6tkpLyvXlEOR4QU8YtTzDqg4/edit 
  5. Schema document comments https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Outstanding Actions:

  • Hannah - ping Mischa/Brian/Paul/Nicolas to clarify the open questions on the JWT Catalogue
  • Hannah - ask Dave and Mischa how to handle the potential conflict between RCAuth providing certificate DNs itself and RCAuth deriving DNs from information taken from the IdPs

  • Romain - at Tuesday's meeting, ask the management board how important it is to keep user records in the WLCG AAI indefinitely (it may also be possible to keep only a subset of data that will not change)

Attendees: Brian, Hannah, Romain, Andrea, Linda, Ioannis, David, Maarten, Mischa, Nicolas


  • Privacy Policy
    • Is stuck with HR
    • Add a comment to the privacy statement that the source of some information may vary
    • Add RCAuth as an external party with whom data is shared
  • VO Interviews
    • LHCb is done. They have some specific requirements that we may not have considered so far, e.g. adding authorisation within the Dirac infrastructure. Dirac is a tool shared with other user communities, so it has its own authZ. Federico Stagni is the Dirac expert.
    • ATLAS - Alessandro di Salvo & Alessandro di Girolamo & the Rucio people (Mario Lassnic)
    • ALICE - Maarten & Miguel
    • CMS - Brian, who will include others (Stefano)
  • Pilot deployment 
    • Ioannis for EGI Check-in
      • Building some Ansible scripts
      • Experimenting on the cloud
      • Will take a couple more days
      • 5 VMs, 2 of them for failover
      • Would like a schema for the HR DB, since they are currently mocking it with COManage
        • Laurence Field can tell us more about the DB view; we would need a green light from them (each experiment gets different credentials and a different view)
        • We could test within the groups as a first step
        • Andrea could create a DB On Demand instance that mocks the HR DB and could be shared by the two pilots
    • Andrea for INDIGO-IAM
      • Requested the DB, in progress
      • Tried OpenShift; registration in progress, had some trouble finding the documentation
      • Requested an OpenStack tenant in the meantime
  • JWT Profiles 
    • We should have a more formal signoff
    • Do we *need* federation? This should be clarified. There is some confusion between resource servers and clients, and how/whether each should be registered. A fully decentralised setup (resource servers validate tokens with only the issuer's key) is possible, but it would lose the ability to do some kinds of revocation.
    • The profiles have significant overlap, can we combine? 
    • Can we make the subject opaque (as per our requirements)? 
    • Later
      • Signoff table
      • Footnotes
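The two points raised under JWT Profiles above, an opaque subject and the loss of revocation in a fully decentralised setup, as an added illustration written for these notes (not code from the JWT profile documents or from any WLCG, INDIGO-IAM or EGI Check-in implementation). The issuer URL, the HS256 key, the subject pepper, the claim name "groups" and the in-memory revocation registry are all constructed assumptions:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example material for these notes; not the WLCG issuer's keys or claim names.
ISSUER = "https://issuer.example.invalid"   # hypothetical issuer identifier
ISSUER_KEY = b"example-issuer-hs256-key"    # HS256 key shared by issuer and resource servers
SUBJECT_PEPPER = b"example-subject-pepper"  # issuer-only secret used to derive opaque subjects
REVOKED_JTI = set()                         # revocation registry; only a registered RS can query it


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def opaque_subject(user_id: str) -> str:
    """Stable, non-reversible 'sub': HMAC of the HR identifier under an issuer-only key.

    The same user always gets the same value, so resource servers can correlate
    tokens, but the HR identifier cannot be recovered without SUBJECT_PEPPER.
    """
    return hmac.new(SUBJECT_PEPPER, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def mint_token(user_id: str, groups: list, lifetime: int = 3600, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT carrying an opaque subject and a unique jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": opaque_subject(user_id),
        "iat": now,
        "exp": now + lifetime,
        "jti": secrets.token_hex(16),  # per-token id, the handle revocation works on
        "groups": groups,              # assumed claim name for this example
    }

    def encode(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = encode(header) + "." + encode(claims)
    sig = hmac.new(ISSUER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_offline(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Fully decentralised check: signature, algorithm, issuer and expiry only.

    Needs nothing but the issuer key, so the resource server need not be
    registered anywhere, but it can never learn that a token was revoked
    before its 'exp'.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose the verifier
        expected = hmac.new(ISSUER_KEY, (header_b64 + "." + claims_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def verify_federated(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Registered resource server: offline checks plus a lookup in the revocation registry."""
    claims = verify_offline(token, now)
    if claims is None or claims.get("jti") in REVOKED_JTI:
        return None
    return claims


def revoke(token: str) -> str:
    """Issuer-side revocation: record the token's jti and return it."""
    jti = json.loads(_b64url_decode(token.split(".")[1]))["jti"]
    REVOKED_JTI.add(jti)
    return jti
```

After `revoke()` the token still passes `verify_offline()` until its `exp`, which is exactly the capability a decentralised resource server gives up; only a resource server that is registered with (or can otherwise reach) the registry sees the revocation in `verify_federated()`. The subject derivation keeps `sub` stable per user, which is what resource servers need for correlation, while keeping the HR identifier out of the token.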

Actions:

  • Hannah to go to HR in person
  • Hannah to modify the privacy statement for version 0.1
    • Add a comment to the privacy statement that the source of some information may vary
    • Add RCAuth as an external party with whom data is shared
  • Maarten to read through the LHCb interview in detail
  • Andrea to set up a mock HR DB and share the details
  • Ask Paul to clarify on the mailing list whether macaroons can be sent over unencrypted channels
  • Andrea to add text on workflows to the JWT Profile
  • Hannah to schedule a call specifically on token formats (2 calls in November)