WLCG AuthZ Call


Proposed agenda:

  1. Privacy policy update
  2. VO Interviews Update
    1. LHCB
    2. ATLAS
    3. ALICE
    4. CMS
  3. Pilot CERN deployment update
  4. JWT Token Catalogue Document sign-off https://docs.google.com/document/d/1XQvh2dxDivUstjQaS3K6tkpLyvXlEOR4QU8YtTzDqg4/edit 
  5. Schema document comments https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 
  6. WLCG Overview Board

Outstanding Actions:


Attendees: Andrea, Hannah, Jeny, Linda, Mischa, Tian Yan, Xiaomei, Ioannis, Maarten, Joel, Brian, Mine


  • General agreement that 15:30 is OK
  • Privacy Policies
    • Approved by HR
    • Andrea is working to pull out the code from VOMS for HR DB integration
      • REST API
      • Mock DB set up to allow testing
      • Two points of integration
        • At registration provide HR ID
        • Periodic synchronisation
      • How to give access? Deploy it on Openshift at CERN, authenticated https service
    • Andrea will keep Ioannis in the loop of when this is available 
  • VO Interview Impacts
    • Andrea, we should try to summarise and try to track
    • Joel, a dedicated meeting
    • For pre-gdb we should have a few goals
      • VO details may need to be done in a followup call
      • If VOs see an issue that isn't addressed it should come up
  • Pilot deployment
    • EGI-Check-in
      • Demo set up that needs some configuration
      • Some issues with firewalls
      • Need NGINX as a frontend for the setup
      • Believe they will be ready for the pre-GDB
      • Glad there will be a REST API
      • Q: what about the RCAuth stuff? There are several test instances. Different configuration models with master portal + CA or just CA
        • IAM cannot register to external module since only SAML integration is supported at the moment (Mischa could potentially deploy OIDC)
        • EGI-Checkin will also implement the masterportal & CA at CERN
      • Deployed on Openshift
      • DB on demand also OK
      • Main functionality should be OK
      • Not clear how to expose Openstack 
        • May be an issue of internal/external DNS
        • Certificates on PaaS is not very clear
        • Cannot require TLS client authentication for web services on Openshift (this is a policy issue but there may be technical limitations too)
  • JWT Token Catalogue
    • Published a PDF snapshot on the Twiki
  • WLCG Overview Board
    • Change a couple of things in the slides
  • Schema Comments
    • Mailing list discussion on schema changes seems to be agreed upon


  • Maarten, Hannah, Andrea, to read through the VO Interviews and try and summarise in preparation for the pre-GDB
  • Hannah schedule a call for mid-December with VOs (same week as pre-GDB)
  • Mischa, Nicolas & Andrea, see if the AARC RCAuth instance could be used. Also discuss integrating OIDC
  • Ioannis to send mail to technical pilots list re: Master Portal etc
  • Hannah to refactor document to reflect new "joint schema" 
  • Andrea to clarify section on how to request the token