Attendees: Hannah, Andrea, IanC, Alex, Brian, Tom, Enrico, Jeny, Julie, David, Linda, Marcelo, Jeffrey, Paul
Notes:
- Supercomputing HPC meeting https://docs.google.com/document/d/1yss1gDOtsH_-O_vL-saKnt1cwR3l_3Lr1nYomwKe4C0/edit
- Kickoff meeting, SKA, PRACE, CERN, GEANT
- WLCG presented
- eduTEAMs presented, would have been good to mention IAM
- Demonstrators for data access and authentication
- Signup sheet to follow demonstrators
- Hackathon https://indico.cern.ch/event/953075/
- Generally a success, EU and US attendance
- Particularly on the 1st day
- Defined set of achievable objectives, e.g.
- Update smoke test scripts to use JWT (checks if transfers are working correctly)
- Data transfer workflows proof of concepts
- JWT compliance test suite (identified some bugs), Token Factory produces malformed tokens to verify
- Group AuthZ for Rucio etc.
- Mapping VO level identity to local user identity, now under development by Brian
- Simplifying enrolment flows
- Although some VOs want human check too
- Transitioning IAM in production for VOs
- ATLAS & LHCb would like an instance
- Notes linked from agenda
- Choice between WLCG IAMs or CERN IdP, e.g. Jupyter Notebook
- CERN IdP integrates with e-groups which is useful for services that already have users in e-groups
- Missing a few things
- Experiment AUP, depends whether grid service should be reserved ONLY for HR DB checked individuals
- How are experiment e-groups managed? This is probably not be equivalent with HR DB check
- Must be behind IAM if
- WLCG token schema, or integrating with others
- Require verified membership
- Need to check policy and see if HR DB membership and e-group are equivalent https://documents.egi.eu/public/RetrieveFile?docid=79&filename=EGI-SPG-VOManagement-V1_0.pdf&version=6 (Auth assurance policy to be updated)
- Perhaps less important now that we have personID in the token (x.509 were decoupled)
- Should update policies as part of this effort
- We should also try to retire VOMS Admin, this would boost membership and uptake
- Many services still relying on grid map files, this needs to be available in IAM
- LOTS of work :) schedule for early next year
- Some enhancements required in IAM
- Load tests (need estimates)
- Test migrations
- Technical migration (Laurence Field is service owner)
- User onboarding documentation & processes per VO
- Policies
- Personal Data in UserInfo endpoint
- Can configure scopes per client, IAM now configured not to display info.
- For services that need this information we should enable scopes and ensure that tokens are exchanged appropriately to be able to access the information
- Generally, Bearer tokens should not have profile or email scope that exposes UserInfo data. If the information is needed, the tokens should be exchanged for one that is allowed those scopes
- This could be easy and quick to change if needed
- Closing UserInfo endpoint would break spec
- But let's consider...
- This data is available in current system (X.509)
- Seems little concern from GDPR perspective (e.g. French authority said this level of data was low concern)
- Scopes and audiences are designed to limit power
- If a token can be used to launch jobs etc, surely getting an email address is less impactful
- Email addresses are useful (this is professional email in most cases)
Actions:
- Hannah to set up meetings with ATLAS and LHCb
- Joel Closier (LHCb)
- Alessandro de Salvo (ATLAS)
- Hannah request comments on Audience MR
- Dave K to set up a policy maker group to understand whether policies on membership need tweaking (new version due anyway as policies are outdated)
- Hannah to invite Laurence to the next meeting
- Hannah make Google doc for VOMS Admin deprecation etc. https://docs.google.com/document/d/1Mk24GET8q2BIIpkl-ccIIziNF4IbehX_NvfrqCDDqjY/edit?usp=sharing
- Hannah send summary of personal data issues
There are minutes attached to this event.
Show them.