WLCG AuthZ Call
Proposed agenda:
- Plan for VOMS Admin deprecation https://docs.google.com/document/d/1Mk24GET8q2BIIpkl-ccIIziNF4IbehX_NvfrqCDDqjY/edit?usp=sharing
- Discussion: how to handle requesting of scopes with greater capability than allowed, and about using wlcg.groups to request a group-owned access token (such as one used for a "production" role within a VO).
- Need for GDB to ask for feedback on personal data available at sites?
- Abstract for TAGPMA https://docs.google.com/document/d/16YwHvXOGSB6dSQ-Tgrno7jSLWwoW_5xXTalPjSata9Q/edit?usp=sharing
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Attendees: Hannah, Andrea, Dave, Alex, Ian, Tom, Jeffrey, Jeny, Jim, Joel, Laurence, Maarten, Mine, Mischa
Notes:
- Group scope request -> capability use case
  - Requesting a group scope can provision a capability; this was not included in the original spec
  - IAM implements scope policy, i.e. only users in this group can access these scopes (not linked to how they are requested)
  - In this particular case, Vault will be requesting specific scopes to get tokens with different capabilities for users (and service accounts).
  - The problem is that Vault does not necessarily know which capabilities are required for a given user. They would know the group, because that's part of the role selection.
  - The problem to solve is how to allow someone to request capabilities for a particular role. This can be solved in multiple ways:
    - Scope requests, e.g. "production", "admin", that the token issuer interprets as capabilities
    - An optional group that is also requested in scopes and results in capabilities in the token, without necessarily returning the group (the proposal)
- Scope-based capability reduction
  - If a client requests a scope for e.g. path "/" and isn't allowed to get capabilities for "/" but only for "/test/", then the claim for "/test/" should be returned
  - Requires knowledge of the path hierarchy and knowledge of what clients are able to request
  - This breaks the assumption of exact string matching between scopes and claims
  - Page 13 of the spec: "For all storage.* scopes (requests), $PATH MUST be specified (but may be / to authorize the entire resource associated with the issuer); if not specified for these scopes, the token MUST be rejected."
  - "If an entity is not entitled to a capability, the scope requested may be ignored by the server and the corresponding token may not have the corresponding claims; in this case, section 3.3 of RFC 6749 requires the token issuer to inform the client. A server may also return an error during the authorization request."
- VOMS Admin deprecation
  - As soon as IAM has the same features as VOMS Admin we should start deprecating VOMS Admin
  - Maarten to contribute to mkgridmap replacement
  - Issue (bug) today: when a user changes institute it is not propagated to VOMS Admin
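The scope-based capability reduction discussed in the notes above, as an added illustration (not IAM's or the profile's own code): a token issuer narrows a requested storage.* scope to the path prefixes the client is entitled to, drops scopes with no entitlement, rejects storage.* scopes that omit $PATH, and flags when the issued set differs from the request so the client can be informed per RFC 6749 section 3.3. The policy table and the client names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy table with hypothetical client names: for each
# client, the path prefixes it is entitled to per storage.* capability.
POLICY = {
    "vault-prod": {"storage.read": ["/"], "storage.modify": ["/test/"]},
    "vault-user": {"storage.read": ["/user/", "/test/"]},
}


class ScopeError(ValueError):
    """The request itself is invalid: the token MUST be rejected."""


@dataclass
class Decision:
    granted: list = field(default_factory=list)  # scopes to issue in the token
    dropped: list = field(default_factory=list)  # requested scopes with no entitlement
    reduced: bool = False  # issued set differs from request: RFC 6749 3.3 says tell the client


def _norm(path):
    """Normalise to an absolute path with a trailing slash so that prefix
    checks compare whole path components ("/tes" must not match "/test/")."""
    if not path.startswith("/"):
        raise ScopeError(f"path must be absolute: {path!r}")
    return path if path.endswith("/") else path + "/"


def reduce_scopes(client, requested):
    entitlements = POLICY.get(client, {})
    d = Decision()
    for scope in requested:
        name, sep, path = scope.partition(":")
        if not name.startswith("storage."):
            d.granted.append(scope)  # only storage.* capabilities are modelled here
            continue
        if not sep or not path:
            # Profile text quoted in the notes: $PATH is mandatory for storage.* scopes.
            raise ScopeError(f"{scope}: $PATH is required for storage.* scopes")
        want = _norm(path)
        prefixes = [_norm(p) for p in entitlements.get(name, [])]
        if any(want.startswith(p) for p in prefixes):
            d.granted.append(f"{name}:{want}")  # inside an entitlement: grant as requested
            continue
        narrowed = [p for p in prefixes if p.startswith(want)]
        d.granted.extend(f"{name}:{p}" for p in narrowed)  # wider than entitlement: narrow
        if not narrowed:
            d.dropped.append(scope)
        d.reduced = True
    return d
```

A request for "storage.read:/" from a client entitled only to "/user/" and "/test/" therefore yields two narrowed scopes, which is exactly the case where issuer and client can no longer rely on exact string matching between requested scopes and issued claims.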
Actions:
- Dave/Jim/Mine to write summary of use case for groups -> capability scope request
- Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/6/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
- Andrea to schedule ad hoc meeting to show how scope selection works (in under 2 weeks)
- Dave/Jim/Mine to write summary of use case for scope-based capability reduction
- Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/5/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
- Maarten to contribute to mkgridmap replacement
- Andrea to define dates
- Hannah to remind the mailing list about the TAGPMA submission, particularly Brian (cannot be combined with the Fermilab session)
- Hannah to find out the deadline for the VCHEP submission and schedule