WLCG AuthZ Call


Proposed agenda: 

Call details (assuming Vidyo does not work):

Topic: WLCG Call

Time: Apr 2, 2020 03:00 PM Zurich

Join Zoom Meeting

Meeting ID: 209 171 638

One tap mobile
+41432107108,,209171638# Switzerland
+41315280988,,209171638# Switzerland

Dial by your location
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +41 43 210 70 42 Switzerland
        +33 7 5678 4048 France
        +33 1 7037 2246 France
        +33 1 7037 9729 France
Meeting ID: 209 171 638
Find your local number: https://cern.zoom.us/u/alblAtfty

Join by SIP

Join by H.323
Meeting ID: 209 171 638

Attendees: Hannah, Brian, IanC, Mischa, Andrea, DavidC, Tom, Nicolas, Julie, Linda, Mine, Irwin, DaveK, Burt, Will


    • CMS IAM instance being set up at CERN
      • IAM on Openshift, with NGINX in front 
      • DB from CERN's DB on demand
      • HR DB API also running on Openshift 
    • Aim to complete by end of April
    • https://cms-auth.web.cern.ch
    • Openshift Project already set up 
    • Jira project https://its.cern.ch/jira/projects/WLCGTOKENS 
    • TO DO
      • Much later can decide on external DNS load balancers to rename endpoints
      • CERN SSO integration
      • Monitoring and logs to Elastic Search in progress
      • Need Grid host cert on VOMS endpoint but currently blocked by CA policy (and technical limitations) on Openshift
    • Currently IAM only integrates with VOMS 3 and not VOMS 2 due to bug
    • We are going to need to do training with VOMS maintainers (possibly in May)
      • Andrea has some documentation already
      • Need to understand what they are expected to do? Register? Migration? Large scale onboarding? 
    • AUP: WLCG already using the WISE AUP, we can just point people to this
    • Currently CMS users link their DN to their CERN account, can we get the DN directly into CMS IAM?
      • Unfortunately seems that people really still need a CERN account and cannot fully use Federated Identity
  • Client Tools Technical Investigation
    • Ask all to read through and comment
    • Policy requirements should lead discussion
    • Ask DavidG if there are any (generic) guidelines for public vs private clients etc
      • https://www.eugridpma.org/guidelines/trustedstores/
      • https://www.eugridpma.org/guidelines/aaops/
    • This tool should be relevant for both WLCG and CERN, involve more CERN members
  • Groups in WLCG Schema
    • Paul M raised Qs about group membership in profile, expression and request
    • Should clients enforce hierarchical structuring of groups? 
      • Andrea's opinion, should keep simple to allow use of generic libraries etc 
        • Prefers that groups are matched on string matching only
      • Brian prefers the logic in the clients (but it does get complicated outside a flat hierarchy scenario) 
    • Could implement group hierarchy knowledge in IAM 
    • Either way there is not much hierarchy going on in WLCG so this is low risk
    • Summary: suggest that token issuers do hierarchical group membership, relying parties must only use groups asserted in tokens (no calculations) and only use standard scope style string matching (plus remove VOMS-like text from schema)


  • Next time just publish one video conference details :) 
  • Ask all to comment on Client Tools
  • Ask DavidG for any guidelines on public vs private clients etc 
There are minutes attached to this event. Show them.
The agenda of this meeting is empty