WLCG Authorization WG
Introduction
The shift towards federated identities and the adoption of new authorization standards by industry constitute a strong signal for WLCG to adapt its authorization infrastructure. It is necessary to continue to connect with users globally as well as peer organisations, infrastructures and cloud services.
Although it is clear that WLCG has to evolve away from X.509, at least for end users, there has been no community-wide strategy. Several independent efforts to provide an authorization infrastructure supporting federated identity and authorization without certificates have been started, and it is essential that a common vision be agreed upon. Different solutions are being implemented in the Research & Education sector, and a number of translation services will be required to allow interoperable services.
The objective of this working group is to understand & meet the requirements of an AuthZ service for WLCG experiments – focused on serving the 99% of our researchers.
There are several main activities:
- Design and testing of a WLCG Membership Management and Token Translation service, facilitated by pilot projects with the support of AARC (AAI Pilot Projects)
- Definition of a token based authorization schema for downstream WLCG services and token issuers (JWT)
- Definition of token based workflows
Contact
e-group and mailing list: project-lcg-authz@cernNOSPAMPLEASE.ch
Development tips
CE token configuration
Current Work
Token based bulk data transfer workflows
Many workflows for WLCG rely on one service calling another, for example Rucio & FTS. Each service in these workflows may expect different tokens with specific groups/capabilities for authorization. The mechanisms to provision the correct tokens to the correct services must be defined, taking into account operational impact.
Please see the Slides for an overview.
Leader: Andrea/Francesco
Output: Specification/Documentation
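As an added example (not code from the working group or from Rucio/FTS), the checks a downstream service in such a chain would make before acting on a token it receives from an upstream service: signature, required WLCG profile claims, issuer, lifetime, audience (the service's own identifier or the profile's "any" audience) and the scopes the service needs. The issuer URL, service audience and scope set are constructed; HMAC signing with a shared demo secret is a self-containment shortcut, since real issuers sign with asymmetric keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Real WLCG token issuers sign with asymmetric keys
# (RS256/ES256) published through their JWKS endpoint; HMAC is used here only so
# the example runs offline with the standard library.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

# The profile's "any" audience: a token carrying it is acceptable to every service.
ANY_AUDIENCE = "https://wlcg.cern.ch/jwt/v1/any"

REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "jti", "wlcg.ver")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Produce a compact JWS (header.payload.signature) for test purposes only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_wlcg_token(token, *, expected_issuer, my_audience, required_scopes,
                        secret=DEMO_SECRET, now=None):
    """Checks a downstream service should make before acting on a token.

    Returns (ok, reason, claims); claims is None unless ok. Scopes are compared
    as exact strings here; path-hierarchy semantics of storage scopes are a
    separate authorization step.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        # Verify the signature before trusting anything in the payload.
        expected_sig = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                                hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(
                expected_sig, _b64url_decode(parts[2])):
            return False, "bad signature", None
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token", None

    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing claims: {missing}", None
    if claims["wlcg.ver"] != "1.0":
        return False, "unsupported wlcg.ver", None
    if claims["iss"] != expected_issuer:
        return False, "untrusted issuer", None
    if now >= claims["exp"]:
        return False, "token expired", None
    if now < claims.get("nbf", 0):
        return False, "token not yet valid", None
    aud = claims["aud"]
    aud = [aud] if isinstance(aud, str) else aud
    if my_audience not in aud and ANY_AUDIENCE not in aud:
        return False, "token not intended for this service", None
    granted = set(claims.get("scope", "").split())
    lacking = sorted(set(required_scopes) - granted)
    if lacking:
        return False, f"token lacks scopes: {lacking}", None
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed scenario: an orchestrator obtained a token addressed to a
    # transfer service, scoped to read the source and create the destination.
    now = 1_700_000_000
    claims = {
        "iss": "https://iam.example.org/", "sub": "user-1",
        "aud": "https://fts.example.org", "iat": now, "exp": now + 1200,
        "jti": "jti-1", "wlcg.ver": "1.0",
        "scope": "storage.read:/ storage.create:/",
    }
    token = mint_demo_token(claims)
    print(validate_wlcg_token(token, expected_issuer="https://iam.example.org/",
                              my_audience="https://fts.example.org",
                              required_scopes=["storage.read:/", "storage.create:/"],
                              now=now + 500)[:2])
```

The audience check is the part most often skipped in practice: a token minted for one service in the chain must not be accepted by the next one unless it carries that service's audience or the "any" audience.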
Design and test command line workflow tools
Physics workflows typically start on the command line. The WLCG community will need a user-friendly mechanism to provision tokens locally, and these tokens must be correctly scoped for the workflow in question. There are several options under consideration, such as OIDC-agent, myToken and htgettoken with Vault.
Requirements include:
- Users should not need to manage additional passwords
- Browser interaction should be limited (i.e. once per 10 days)
- Users should not need to manage client credentials
- The use of public clients (i.e. clients that do not require a client secret) should be well controlled
A next step is to install htgettoken with Vault for the WLCG IAMs to allow for user feedback.
Leader:
Output: Report with recommendations following user feedback
Update the WLCG Profile
The WLCG JWT Profile was published in September 2019 on Zenodo. Since then practical experience and feedback have been gathered. The Profile will be updated to incorporate points such as:
- Leverage RFC 9068 wherever possible
- Make the profile more inclusive and open for use by other communities, i.e. not call it "WLCG"
- Specify fine grained compute scopes
Leader: Brian B
Output: New version of the JWT Profile
Analyse the impact of Tokens on the WLCG Security Model
A thorough study of the security impact of Tokens and their use in WLCG will be made. This may be via direct comparison with the risks of X.509.
Leader:
Output: Report with recommendations
Traceability & Suspension
Work is needed to ensure traceability requirements (from the traceability working group) are respected. Additionally, mechanisms to suspend users and revoke tokens must be defined and tested.
Leader: David C
Output: Report with recommendations
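As an added example (not the working group's own design), one way a service can implement suspension and revocation on top of a token whose signature and expiry have already been verified, together with the traceability record it should keep for every action. The suspension state, the 24-hour lifetime cap and the sample claims are constructed for this example; the `azp` claim is the standard OAuth/OIDC "authorized party" and is only recorded if the token carries it.

```python
import json
from dataclasses import dataclass, field

# Example local policy: refuse access tokens with a lifetime longer than this,
# so that a leaked token cannot outlive a reasonable revocation window even
# when the issuer's own lifetime is more generous.
MAX_LIFETIME_SECONDS = 24 * 3600


@dataclass
class SuspensionState:
    """What a service (or a central feed it subscribes to) knows about suspensions."""
    revoked_jtis: set = field(default_factory=set)        # individual tokens
    suspended_subjects: set = field(default_factory=set)  # user identities
    suspended_issuers: set = field(default_factory=set)   # whole issuers cut off


def accept_token(claims: dict, state: SuspensionState, now: float):
    """Returns (accept, reason). Assumes signature, issuer, audience and
    expiry checks have already passed; this is the revocation layer only."""
    if claims["exp"] - claims["iat"] > MAX_LIFETIME_SECONDS:
        return False, "lifetime exceeds local policy"
    if claims["iss"] in state.suspended_issuers:
        return False, "issuer suspended"
    if claims["jti"] in state.revoked_jtis:
        return False, "token revoked"
    if claims["sub"] in state.suspended_subjects:
        # Every token for a suspended subject is refused, including ones minted
        # before the suspension, so suspension takes effect immediately.
        return False, "subject suspended"
    return True, "ok"


def trace_record(claims: dict, action: str, client_addr: str, now: float) -> str:
    """One traceability log line: who did what, with which token, from where.
    Recording jti and sub is what makes later revocation or suspension targeted."""
    return json.dumps({
        "ts": now, "action": action, "client": client_addr,
        "iss": claims["iss"], "sub": claims["sub"], "jti": claims["jti"],
        "azp": claims.get("azp"),
        "groups": claims.get("wlcg.groups", []),
        "scope": claims.get("scope", ""),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample token claims (already verified upstream).
    claims = {"iss": "https://iam.example.org/", "sub": "user-1", "jti": "jti-1",
              "iat": 1_700_000_000, "exp": 1_700_003_600, "scope": "storage.read:/"}
    state = SuspensionState()
    print(accept_token(claims, state, 1_700_000_100))
    print(trace_record(claims, "read", "192.0.2.10", 1_700_000_100))
    state.suspended_subjects.add("user-1")
    print(accept_token(claims, state, 1_700_000_100))
```

The lifetime cap is the quiet half of the design: with short-lived tokens, a per-`jti` deny list only has to be kept for the maximum lifetime, which keeps the revocation feed small enough to distribute to every service.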
Provide backwards compatibility tools
Certain tools, e.g. grid mapfile generation, must be replicated for the new infrastructure.
Leader: Maarten L
Output: Tools
Guidance on capability vs group usage
Guidance is needed to help services understand whether groups or capabilities are more suitable for their use case, and to clarify some aspects of when groups and capabilities may be used in parallel.
Leader:
Output: Documentation
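As an added example (not the working group's guidance document), the two authorization models side by side on the same storage operations: capability scopes (`storage.read:/path` and friends) are self-describing and evaluated purely from the token, while group claims (`wlcg.groups`) only assert membership and leave the policy with the service. The local group policy, the `/demo` group names and the precedence rule (capability scopes, when present, are authoritative and groups are not consulted) are assumptions of this example, not rules from the Profile.

```python
# Storage operations and the capability scope that grants each one.
STORAGE_SCOPES = {
    "read": "storage.read",
    "create": "storage.create",
    "modify": "storage.modify",
    "stage": "storage.stage",
}


def _norm(path: str) -> str:
    """Normalise to a leading slash and no trailing slash; "/" stays "/"."""
    return "/" + path.strip("/")


def path_covered(granted: str, requested: str) -> bool:
    """A scope path covers itself and everything beneath it, by whole path
    component: /store/data covers /store/data/x but not /store/data2."""
    g, r = _norm(granted), _norm(requested)
    return g == "/" or r == g or r.startswith(g + "/")


def capability_allows(scopes, op: str, path: str) -> bool:
    """Capability model: the token itself says what may be done where.
    A scope without a path component (no ':') grants nothing here."""
    prefix = STORAGE_SCOPES[op] + ":"
    return any(s.startswith(prefix) and path_covered(s[len(prefix):], path)
               for s in scopes)


# Group model: the token only asserts membership; the SERVICE owns this policy.
# Constructed example policy keyed by wlcg.groups values.
LOCAL_GROUP_POLICY = {
    "/demo": [("read", "/store")],
    "/demo/prod": [("read", "/store"), ("create", "/store"), ("modify", "/store")],
    "/demo/users": [("create", "/store/user")],
}


def group_allows(groups, op: str, path: str, policy=LOCAL_GROUP_POLICY) -> bool:
    return any(allowed_op == op and path_covered(prefix, path)
               for g in groups for allowed_op, prefix in policy.get(g, []))


def has_storage_capabilities(scopes) -> bool:
    return any(s.split(":", 1)[0] in STORAGE_SCOPES.values() for s in scopes)


def authorize(claims: dict, op: str, path: str):
    """Returns (allowed, basis). Example precedence rule: a token carrying storage
    capability scopes is judged on those alone; a token without them is judged
    on its groups against the local policy."""
    scopes = set(claims.get("scope", "").split())
    if has_storage_capabilities(scopes):
        return capability_allows(scopes, op, path), "capability"
    return group_allows(claims.get("wlcg.groups", []), op, path), "group"


if __name__ == "__main__":
    cap_token = {"scope": "storage.read:/store/data storage.create:/store/user/alice"}
    grp_token = {"scope": "openid profile", "wlcg.groups": ["/demo", "/demo/users"]}
    for claims, op, path in [
        (cap_token, "read", "/store/data/2021/file.root"),
        (cap_token, "read", "/store/data2/file.root"),
        (grp_token, "read", "/store/data/2021/file.root"),
        (grp_token, "create", "/store/data/out.root"),
    ]:
        print(op, path, authorize(claims, op, path))
```

The prefix test is where most real mistakes hide: a naive `startswith` on the raw string would let `storage.read:/store/data` reach `/store/data2`, which is why the comparison is done on whole path components.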
Recommendations on client registration
The topic of usability of client registration has been raised several times. Registering clients is a manual process that requires generating a client ID and secret from a WLCG IAM instance; this is significantly different from the previous certificate-based authorisation model. Discussion is needed to understand what is acceptable for our community and to provide recommendations.
Leader:
Output: Report with recommendations
Workplan
This is a rough timeline of priorities for the coming months.
| Work item | Oct 21 | Nov 21 | Dec 21 | Jan 22 | Feb 22 | Mar 22 | Apr 22 | May 22 | Jun 22 |
| Token based bulk data transfer | X | X | X | - | - | - | - | - | - |
| Command Line Tools | X | X | X | X | X | X | X | X | X |
| Update WLCG Profile | - | - | X | X | X | X | - | - | - |
| Security Analysis | - | - | - | - | - | X | X | X | |
| Suspension mechanisms | | | | | | | | | |
| Backwards Compatibility Tools | | | | | | | | | |
| Capability vs group usage | | | | | | | | | |
| Client Registration | | | | | | | | | |
Face-to-Face Meetings
Video-Conference Meetings
See the Indico Category: https://indico.cern.ch/category/68/
Particular meetings to note:
Presentations have been recorded where possible and are available at https://videos.cern.ch/deposit/project/aefb5d6eab4747008b54f305a9d721c5
Public Facing Documents
WG Documents
Internal / Draft documents
Related Presentations
- Beyond X.509: Token-based Authentication and Authorization for HEP (Plenary), https://indico.cern.ch/event/587955/contributions/3012583/
- Federated Identity Management for Research, https://indico.cern.ch/event/587955/contributions/2936916/
- EOSC-hub AAI: A federated authentication and authorisation infrastructure for international scientific collaboration at scale, https://indico.cern.ch/event/587955/contributions/2936245/
- Capability-Based Authorization for HEP (SciTokens), https://indico.cern.ch/event/587955/contributions/2936866/
- WLCG Authorisation; from X.509 to Tokens, CHEP 2019, https://indico.cern.ch/event/773049/contributions/3473383/
- Beyond X.509: token-based authentication and authorization in practice, CHEP 2019, https://indico.cern.ch/event/773049/contributions/3473393/
- WLCG Token Usage and Discovery, vCHEP 2021, https://indico.cern.ch/event/948465/contributions/4323987/
- Secure Command Line Solution for Token-based Authentication, vCHEP 2021, https://indico.cern.ch/event/948465/contributions/4323985/
Reference Documents