WLCG AuthZ Call

Thursday 1 Oct 2020, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Hackathon report
• Update on client registration
• Restricting the audience/Audience guidance from profile doc https://github.com/WLCG-AuthZ-WG/CommonJWTProfile/pull/3
• Guidance on service owners choosing between WLCG IAMs or CERN IdP
• Personal data in UserInfo endpoint

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188

Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>

Attendees: Hannah, Andrea, IanC, Alex, Brian, Tom, Enrico, Jeny, Julie, David, Linda, Marcelo, Jeffrey, Paul

Notes:

• Supercomputing HPC meeting https://docs.google.com/document/d/1yss1gDOtsH_-O_vL-saKnt1cwR3l_3Lr1nYomwKe4C0/edit
  • Kickoff meeting, SKA, PRACE, CERN, GEANT
  • WLCG presented
  • eduTEAMs presented, would have been good to mention IAM
  • Demonstrators for data access and authentication 
  • Signup sheet to follow demonstrators
• Hackathon https://indico.cern.ch/event/953075/
  • Generally a success, EU and US attendance
    • Particularly on the 1st day
  • Defined set of achievable objectives, e.g.
    • Update smoke test scripts to use JWT (checks if transfers are working correctly)
    • Data transfer workflows proof of concepts
    • JWT compliance test suite (identified some bugs), Token Factory produces malformed tokens to verify
    • Group AuthZ for Rucio etc.
    • Mapping VO level identity to local user identity, now under development by Brian
    • Simplifying enrolment flows
      • Although some VOs want human check too
    • Transitioning IAM in production for VOs
      • ATLAS & LHCb would like an instance 
  • Notes linked from agenda
• Choice between WLCG IAMs or CERN IdP, e.g. Jupyter Notebook
  • CERN IdP integrates with e-groups which is useful for services that already have users in e-groups
  • Missing a few things
    • Experiment AUP, depends whether grid service should be reserved ONLY for HR DB checked individuals
    • How are experiment e-groups managed? This is probably not be equivalent with HR DB check
  • Must be behind IAM if
    • WLCG token schema, or integrating with others
    • Require verified membership 
  • Need to check policy and see if HR DB membership and e-group are equivalent https://documents.egi.eu/public/RetrieveFile?docid=79&filename=EGI-SPG-VOManagement-V1_0.pdf&version=6 (Auth assurance policy to be updated)
    • Perhaps less important now that we have personID in the token (x.509 were decoupled)
    • Should update policies as part of this effort
  • We should also try to retire VOMS Admin, this would boost membership and uptake
    • Many services still relying on grid map files, this needs to be available in IAM
    • LOTS of work :) schedule for early next year
      • Some enhancements required in IAM
      • Load tests (need estimates)
      • Test migrations
      • Technical migration (Laurence Field is service owner)
      • User onboarding documentation & processes per VO
      • Policies
• Personal Data in UserInfo endpoint
  • Can configure scopes per client, IAM now configured not to display info.
    • For services that need this information we should enable scopes and ensure that tokens are exchanged appropriately to be able to access the information
    • Generally, Bearer tokens should not have profile or email scope that exposes UserInfo data. If the information is needed, the tokens should be exchanged for one that is allowed those scopes
    • This could be easy and quick to change if needed
  • Closing UserInfo endpoint would break spec  
  • But let's consider...
    • This data is available in current system (X.509)
    • Seems little concern from GDPR perspective (e.g. French authority said this level of data was low concern)
    • Scopes and audiences are designed to limit power
    • If a token can be used to launch jobs etc, surely getting an email address is less impactful
    • Email addresses are useful (this is professional email in most cases)

Actions:

• Hannah to set up meetings with ATLAS and LHCb
  • Joel Closier (LHCb)
  • Alessandro de Salvo (ATLAS)
• Hannah request comments on Audience MR
• Dave K to set up a policy maker group to understand whether policies on membership need tweaking (new version due anyway as policies are outdated)
• Hannah to invite Laurence to the next meeting
• Hannah make Google doc for VOMS Admin deprecation etc. https://docs.google.com/document/d/1Mk24GET8q2BIIpkl-ccIIziNF4IbehX_NvfrqCDDqjY/edit?usp=sharing
• Hannah send summary of personal data issues