WLCG AuthZ Call


Proposed agenda: 

  • Schedules (Fermilab, WLCG in general, experiment specific)
  • Concern over group and capability incompatibility
  • Establishing a CMS IAM instance at CERN

 Next time:

  • Group membership in schema discussion (see emails)

Attendees: Irwin, Maarten, Hannah, Linda, Mischa, Mine, Jeny, Julie, Andrea, Saul, Brian, DavidC, Liz (13)


  • Fermilab has a schedule for the next few years; it would be incredibly helpful for WLCG in general to have a schedule as well
  • IAM was designed to be backwards compatible, so any deadlines will have to be decided by the group
  • This group is the right one to define a schedule
  • OSG currently has targets to end certificate support (2022), so this does present a deadline
  • Fermilab is trying to be careful not to go much faster or slower than others
  • Client tools are a big one; we must develop a joint solution for efficiency
  • What do we want in the first token issuer (CMS)?
    • Full lifecycle management? Open registration?
      • WLCG instance at INFN doesn't have requirement for user to exist in HR DB
      • Meant as a non-VO-specific instance against which software can be tested
    • Do we want to avoid registration for existing members? Pull in from VOMS.
      • Possible but a procedure could be put in place
    • Would like to avoid people wasting time or putting certain services (e.g. the IAM maintainers) under too much pressure
    • Would be good to use pilot to test the authentication flow
    • Brian is looking for an IAM instance with
      • real, vetted CMS members
      • web interface
      • an acceptable SLA (e.g. 99%)
      • an extra user registration is fine at the beginning (just signing in through CERN SSO); however, there should be a migration before rolling out to all users
  • Client tools timeline
    • Ongoing discussions and communication channels in place
    • Many options to look at, need to compare against our requirements 
    • Mine has some user requirements already, will share
  • Groups and capabilities compatibility concerns - important to know because they will impact the token issuers at Fermilab
    • CMS strongly prefers capabilities, whereas others prefer groups (or a mix)
      • Clarification, in the context of distributed systems CMS is interested in capabilities
      • In other places, group structures may be more natural (e.g. is this person in the CMS management group?)
    • Capabilities have mostly been discussed for data access, whereas groups may be more appropriate for e.g. web portals
    • We don't have clear documents describing how tokens would be used per experiment; suggestion to write one that could serve as inspiration to others
      • Some documents were put together in the DOMA TPC group; these should be revisited
  • Brian is concerned about ARC CE; let's send out an invitation to hear what they're doing
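Worked example of the groups-versus-capabilities point above, added here for illustration (it is not from the minutes and not code from IAM, CMS or any WLCG software). The claim name wlcg.groups and the storage.read / storage.create / storage.modify / storage.stage scope names follow the WLCG Common JWT Profile; the sample claim sets, the request paths and the group-to-permission policy are constructed for the example. Signature, issuer, audience and expiry checks are assumed to have happened before these functions are called.

```python
"""Authorization on a WLCG-style token's claims, contrasting the capability
(scope) model preferred for data access with the group (wlcg.groups) model
that is more natural for portals and management roles.

Assumption: the token has already been verified (signature, iss, aud, exp);
only the decoded claim set is handled here.
"""
from typing import Dict, List, Tuple

# Storage operations named by WLCG capability scopes. The part after the
# colon is a path prefix below which the operation is authorised.
STORAGE_OPS = {"storage.read", "storage.create", "storage.modify", "storage.stage"}


def _norm(path: str) -> str:
    """Collapse repeated and trailing slashes so prefix checks compare
    path components, not raw strings."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts)


def path_within(prefix: str, path: str) -> bool:
    """True if `path` is `prefix` or lies below it on a component boundary
    (so /cms/store does not grant /cms/storeX)."""
    prefix, path = _norm(prefix), _norm(path)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def parse_capabilities(scope: str) -> List[Tuple[str, str]]:
    """Split a space-separated `scope` claim into (operation, path) pairs.
    Non-storage scopes such as openid or offline_access are ignored; a
    storage scope without a path covers the whole namespace."""
    caps = []
    for token in scope.split():
        op, _, path = token.partition(":")
        if op in STORAGE_OPS:
            caps.append((op, path or "/"))
    return caps


def authorize_by_capability(claims: dict, op: str, path: str) -> bool:
    """Capability model: the issuer already encoded the decision in the
    token; the storage element only checks that some scope grants `op`
    on a prefix of `path`. Local group knowledge is not needed."""
    return any(cop == op and path_within(cprefix, path)
               for cop, cprefix in parse_capabilities(claims.get("scope", "")))


# Group model: the token carries identity (group membership) and the site
# owns the mapping from groups to permissions. This policy is a constructed
# example, not any experiment's or site's real configuration.
GroupPolicy = Dict[str, List[Tuple[str, str]]]
EXAMPLE_POLICY: GroupPolicy = {
    "/cms": [("storage.read", "/cms")],
    "/cms/production": [("storage.read", "/cms"),
                        ("storage.create", "/cms/store"),
                        ("storage.modify", "/cms/store")],
}


def authorize_by_group(claims: dict, op: str, path: str,
                       policy: GroupPolicy = EXAMPLE_POLICY) -> bool:
    """Group model: walk the token's wlcg.groups and apply the site policy."""
    for group in claims.get("wlcg.groups", []):
        for pop, pprefix in policy.get(group, []):
            if pop == op and path_within(pprefix, path):
                return True
    return False


# Constructed claim sets (decoded payloads, not full JWTs).
CAP_TOKEN = {"sub": "alice", "wlcg.ver": "1.0",
             "scope": "openid storage.read:/cms storage.create:/cms/store/user/alice"}
GROUP_TOKEN = {"sub": "bob", "wlcg.ver": "1.0",
               "wlcg.groups": ["/cms", "/cms/production"]}


if __name__ == "__main__":
    for tok, name in ((CAP_TOKEN, "capability token"), (GROUP_TOKEN, "group token")):
        for op, path in (("storage.read", "/cms/store/data/f.root"),
                         ("storage.create", "/cms/store/user/alice/out.root"),
                         ("storage.modify", "/cms/store/user/alice/out.root")):
            print(f"{name:16} {op:15} {path:32} "
                  f"cap={authorize_by_capability(tok, op, path)} "
                  f"grp={authorize_by_group(tok, op, path)}")
```

Note that each model answers only from the information its token carries: the capability token authorizes nothing under the group check and the group token nothing under the capability check, which is the incompatibility the call is worried about if issuers and services do not agree on which claims to emit and consume.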


  • Brian, Andrea and Hannah to come up with a timeline plan for CMS IAM for the next call (possibly shared at GDB)
  • Hannah to start a Technical Investigation Google doc to collect requirements (user requirements and site requirements), possible tools and ideas about command line tools -> https://docs.google.com/document/d/1yKZZsXfkWJoCU7_yutst01zIf_sGGiC1u6PRNbuIqh0/edit?usp=sharing 
  • Brian to start a living document on "what we think we want to do with tokens in CMS"
  • Andrea to ask ARC CE people to give us an update