Attendees: Irwin, Maarten, Hannah, Linda, Mischa, Mine, Jeny, Julie, Andrea, Saul, Brian, DavidC, Liz (13)
Notes:
- Fermilab has a schedule for the next few years, would be incredibly helpful for WLCG in general to have a schedule
- IAM was designed to be backwards compatible so any deadlines will have to be decided by the group
- This group is the right one to define a schedule
- OSG currently has targets to end certificate support (2022) so this does present a deadline
- Fermilab trying to be careful not to go much faster or slower than others
- Client tools is a big one, we must develop a joint solution for efficiency
- What do we want in the first token issuer (CMS)?
- Full lifecycle management? Open registration?
- WLCG instance at INFN doesn't have requirement for user to exist in HR DB
- Meant as a non-VO-specific instance against which software can be tested
- Do we want to avoid registration for existing members? Pull in from VOMS.
- Possible but a procedure could be put in place
- Would like to avoid people wasting time or putting certain services under too much pressure (e.g. IAM maintainers)
- Would be good to use pilot to test the authentication flow
- Brian is looking for an IAM instance with:
  - real, vetted CMS members
  - web interface
  - an acceptable SLA (e.g. 99%)
- an extra user registration is fine at the beginning (just signing in through CERN SSO), however there should be a migration before rolling out to all users
- Client tools timeline
- Ongoing discussions and communication channels in place
- Many options to look at, need to compare against our requirements
- Mine has some user requirements already, will share
- Groups and Capabilities compatibility concerns - important to know because this will impact token issuers at Fermilab
- CMS strongly prefers capabilities, whereas others prefer groups (or a mix)
- Clarification, in the context of distributed systems CMS is interested in capabilities
- In other places, group structures may be more natural (e.g. is this person in the CMS management group?)
- Capabilities have mostly been discussed for data access, whereas groups may be more appropriate for e.g. web portals
- We don't have clear documents describing how tokens would be used per experiment, suggestion to write one that could serve as inspiration to others
- Some documents were put together in DOMA TPC group, should be revisited
- Brian concerned about ARC CE, let's send out an invitation to hear what they're doing
Actions:
- Brian, Andrea and Hannah to come up with a timeline plan for CMS IAM for the next call (possibly shared at GDB)
- Hannah to start a Technical Investigation Google doc to collect requirements (user requirements and site requirements), possible tools and ideas about command line tools -> https://docs.google.com/document/d/1yKZZsXfkWJoCU7_yutst01zIf_sGGiC1u6PRNbuIqh0/edit?usp=sharing
- Brian to start a living document on "what we think we want to do with tokens in CMS"
- Andrea to ask ARC CE people to give us an update