Attendees: Hannah, Andrea, Dave, Alex, Ian, Tom, Jeffrey, Jeny, Jim, Joel, Laurence, Maarten, Mine, Mischa
Notes:
- Group scope request -> capability use case
- Requesting a group scope can provision a capability - this was not included in the original spec
- IAM Implements scope policy. I.e. only users in this group can access these scopes (not linked to how they are requested)
- In this particular case, Vault will be requesting specific scopes to get tokens with different capabilities for users (and service accounts).
- The problem is that Vault does not necessarily know which capabilities are required for a given user. They would know the group because that's part of the role selection.
- The problem to solve is how to allow someone to request capabilities for a particular role. Can be solved in multiple ways
- Scope requests, e.g. "production", "admin" that the token issuer interprets to capabilities
- Optional group that is also requested in scopes and results in capabilities in tokens and doesn't necessarily return the group (the proposal)
- Scope based capability reduction
- If a client requests a scope for e.g. path "/" and isn't allowed to get capabilities for "/" but only for "/test/" then the claim for "/test/" should be returned
- Requires knowledge of hierarchy and knowledge of what clients are able to request
- This breaks assumption of extract string matching between scopes and claims
- Page 13 of spec "For all storage.* scopes (requests), $PATH MUST be specified (but may be / to authorize the entire resource associated with the issuer); if not specified for these scopes, the token MUST be rejected."
- "If an entity is not entitled to a capability, the scope requested may be ignored by the server and the corresponding token may not have the corresponding claims; in this case, section 3.3 of RFC 6749 requires the token issuer to inform the client. A server may also return an error during the authorization request."
- VOMS Admin Deprecation
- As soon as IAM has the same features as VOMS Admin we should start deprecating VOMS Admin
- Maarten to contribute to mkgridmap replacement
- Issue (Bug) today when user changes institute it is not propagated to VOMS Admin
Actions:
- Dave/Jim/Mine to write summary of use case for groups -> capability scope request
- Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/6/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
- Andrea to schedule ad hoc meeting to show how scope selection works (in under 2 weeks)
- Dave/Jim/Mine to write summary of use case for scope based capability reduction
- Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/5/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
- Maarten to contribute to mkgridmap replacement
- Andrea to define dates
- Hannah remind mailing list about TAGPMA submission, particularly Brian (cannot be combined with Fermilab session)
- Hannah find out deadline for VCHEP submission and schedule
There are minutes attached to this event.
Show them.
