WLCG Authorization WG
- Introduction
- Contact
- Development tips
- CE token configuration
- Current Work
- Token based bulk data transfer workflows
- Design and test command line workflow tools
- Update the WLCG Profile
- Analyse the impact of Tokens on the WLCG Security Model
- Traceability & Suspension
- Provide backwards compatibility tools
- Guidance on capability vs group usage
- Recommendations on client registration
- Workplan
- Face-to-Face Meetings
- Video-Conference Meetings
- Public Facing Documents
- WG Documents
- Internal / Draft documents
- Related Presentations
- Reference Documents
Introduction
The shift towards federated identities and the adoption of new authorization standards by industry constitute a strong signal for WLCG to adapt its authorization infrastructure. It is necessary to continue to connect with users globally as well as peer organisations, infrastructures and cloud services. Although it is clear that WLCG has to evolve away from X.509 at least for end users, there has been no community wide strategy. Several independent efforts to provide an authorization infrastructure supporting federated identity and authorization without certificates have been started and it is essential that a common vision be agreed upon. Different solutions are being implemented in the Research & Education sector and a number of translation services will be required to allow interoperable services. The objective of this working group is to understand & meet the requirements of an AuthZ service for WLCG experiments – focused on serving the 99% of our researchers. There are several main activities- Design and testing of a WLCG Membership Management and Token Translation service, facilitated by pilot projects with the support of AARC (AAI Pilot Projects)
- Definition of a token based authorization schema for downstream WLCG services and token issuers (JWT)
- Definition of token based workflows
Contact
e-group and mailing list, project-lcg-authz@cernNOSPAMPLEASE.chDevelopment tips
CE token configuration
Current Work
Token based bulk data transfer workflows
Many workflows for WLCG rely on one service calling another, for example Rucio & FTS. Each service in these workflows may expect different tokens with specific groups/capabilities for authorization. The mechanisms to provision the correct tokens to the correct services must be defined, taking into account operational impact. Please see the Slides
for an overview.
Leader: Andrea/Francesco
Output: Specification/Documentation
Design and test command line workflow tools
Physics workflows typically start on the command line. The WLCG community will need a user friendly mechanism to provision tokens locally, and that these tokens be correctly scoped for the workflow in question. There are several options under consideration such as OIDC-agent, myToken and htgettoken with Vault. Requirements include:- Users should not need to manage additional passwords
- Browser interaction should be limited (i.e. once per 10 days)
- Users should not need to manage client credentials
- The use of public clients (i.e. clients that do not require a client secret) should be well controlled
Update the WLCG Profile
The WLCG JWT Profile was published in September 2019 on Zenodo. Since then practical experience and feedback has been gathered. The Profile will be updated to incorporate points such as: - Leverage RFC 9068 wherever possible
- Make the profile more inclusive and open for use by other communities, i.e. not call it "WLCG"
- Specify fine grained compute scopes
Analyse the impact of Tokens on the WLCG Security Model
A thorough study of the security impact of Tokens and their use in WLCG will be made. This may be via direct comparison with the risks of X.509. Leader: Output: Report with recommendationsTraceability & Suspension
Work is needed to ensure traceability requirements (from the traceability working group) are respected. Additionally, mechanisms to suspend users and revoke tokens must be defined and tested. Leader: David C Output: Report with recommendationsProvide backwards compatibility tools
Certain tools, e.g. grid mapfile generation, must be replicated for the new infrastructure. Leader: Maarten L Output: ToolsGuidance on capability vs group usage
Guidance is needed to help services understand whether groups or capabilities are more suitable for their use case, and to clarify some aspects of when groups and capabilities may be used in parallel. Leader: Output: DocumentationRecommendations on client registration
The topic of usability of client registration has been raised several times. Registering clients is a manual process and requires generating a clientID and secret from a WLCG IAM instance - this is significantly different from the previous certificate based authorisation model. Discussion is needed to understand what is acceptable for our community and provide recommendations. Leader: Output: Report with recommendationsWorkplan
This is a rough timeline of priorities for the coming months| Work item | Oct 21 | Nov 21 | Dec 21 | Jan 22 | Feb 22 | Mar 22 | Apr 22 | May 22 | Jun 22 |
| Token based bulk data transfer | X | X | X | - | - | - | - | - | - |
| Command Line Tools | X | X | X | X | X | X | X | X | X |
| Update WLCG Profile | - | - | X | X | X | X | - | - | - |
| Security Analysis | - | - | - | - | - | X | X | X | |
| Suspension mechanisms | |||||||||
| Backwards Compatibility Tools | |||||||||
| Capability vs group usage | |||||||||
| Client Registration | |||||||||
Face-to-Face Meetings
- July 26 2017 https://indico.cern.ch/event/656027/ Kickoff meeting, GDB
- November 2017 https://indico.cern.ch/event/578976/ pre-GDB, Requirements Gathering
- March 28 2018 WLCG Workshop https://indico.cern.ch/event/658060/
- July 17 2018 pre-GDB https://indico.cern.ch/event/651343/
- July 18 2018 Summary in GDB https://indico.cern.ch/event/651355/
- December 11 2018 pre-GDB https://indico.cern.ch/event/651348/
- March 13 2019 Summary in GDB https://indico.cern.ch/event/739876/
- March 19 2019 HOW Workshop Session https://indico.cern.ch/event/759388/contributions/3324311/
- September 10th 2019 pre-GDB at Fermilab https://indico.cern.ch/event/739896/
- January 16-17 2020 Token Hackathon https://indico.cern.ch/event/870616/
Video-Conference Meetings
See the Indico Category https://indico.cern.ch/category/68/
Particular meetings to note:
- December 14th 2017 AAI Pilot Projects https://indico.cern.ch/event/680452/ Indigo IAM and EGI Checkin demos
- January 26th 2018 AAI Pilot Projects https://indico.cern.ch/event/696286/ Demo assessments
- February 21st 2018 AAI Pilot Projects https://indico.cern.ch/event/706302/ CRIC Authorization Workflow & AARC Pilots plan
- May 28th 2018 AAI Pilot Projects https://indico.cern.ch/event/731164/ SciTokens and Condor
- September 20th 2018 VO Interviews https://indico.cern.ch/event/752370/
- December 13th 2018 https://indico.cern.ch/event/779671/ (VO Meetings, ALICE and LHCb)
- February 1st 2019 https://indico.cern.ch/event/792989/ (VO Meetings, CMS and ATLAS)
- March 5th 2019 https://indico.cern.ch/event/791175/ DEMOS
- April 8th 2019 https://indico.cern.ch/event/812344/ (with OpenID Foundation R&E Working Group)
- April 11th 2019 https://indico.cern.ch/event/804340/ (with ARC expert)
- January 28th 2020 https://indico.cern.ch/event/881002/ (Fermilab Questions)
- November 2021 pre-GDB https://indico.cern.ch/event/876810/
Public Facing Documents
- WLCG JWT Schema v1.0 on Zenodo
- Software supporting the WLCG JWT Schema on Github
- CHEP2019 Proceedings on EPJ Web of Conferences
- Bearer Token Discovery specification on Zenodo
- WLCG Token Transition Timeline on Zenodo
WG Documents
- (PUBLISHED) WLCG Authorisation Requirements Version 1.0, September 2018, Version 0.1, Working Doc
- (PUBLISHED) Catalogue of JWT usage in Infrastructures Version 1.0, November 2018, Google Doc
- (FINAL) VO Interview Qs Google Doc
- (FINAL) Supporting Information for VOs Hackmd page
- VO Interviews
Internal / Draft documents
- WLCG Token Transition Timeline work document
- WLCG Token Transition Timeline v1.0 Google Doc
- Client Tools Google Doc
- Timeline
- Github Repository
- Token Issuer Deployment
Related Presentations
- Beyond X.509: Token-based Authentication and Authorization for HEP (Plenary), https://indico.cern.ch/event/587955/contributions/3012583/
- Federated Identity Management for Research, https://indico.cern.ch/event/587955/contributions/2936916/
- EOSC-hub AAI: A federated authentication and authorisation infrastructure for international scientific collaboration at scale, https://indico.cern.ch/event/587955/contributions/2936245/
- Capability-Based Authorization for HEP (SciTokens), https://indico.cern.ch/event/587955/contributions/2936866/
- WLCG Authorisation; from X.509 to Tokens, CHEP 2019, https://indico.cern.ch/event/773049/contributions/3473383/
- Beyond X.509: token-based authentication and authorization in practice, CHEP 2019, https://indico.cern.ch/event/773049/contributions/3473393/
- WLCG Token Usage and Discovery, vCHEP 2021, https://indico.cern.ch/event/948465/contributions/4323987/
- Secure Command Line Solution for Token-based Authentication, vCHEP 2021, https://indico.cern.ch/event/948465/contributions/4323985/
Reference Documents
- VOMS Admin key features from Maria Dimou
- CERN Authorisation Service Plan from Paolo Tedesco
- Requirements matching to solutions exercise Google Doc
- AARC Pilot Intake Form
- The Road to the New CERN Authentication System, IT CDA
- lifetime of grid jobs from CERN Batch (2 week sample) PRELIMINARY DATA:
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 pdf |
20191105_CHEP_WLCG_AuthZ.pdf | r1 | manage | 16690.8 K | 2020-02-03 - 11:47 | HannahShort | CHEP2019 Slides |
| pdf |
AARC-AARC2SA1PilotIntakeWLCG-070318-1102-2218.pdf | r1 | manage | 62.2 K | 2018-03-07 - 11:02 | HannahShort | AARC Pilot Intake Form |
| pdf |
AuthZ-WG-180328.pdf | r1 | manage | 947.4 K | 2018-04-05 - 12:03 | HannahShort | Slides from WLCG Workshop March 2018 |
| pdf |
AuthZ_pre-GDB_Requirements.pdf | r1 | manage | 80.2 K | 2018-03-07 - 10:56 | HannahShort | AuthZ Requirements (snapshot) |
| pdf |
JWT_Shared_Profile_for_WLCG.pdf | r1 | manage | 526.9 K | 2018-04-05 - 11:52 | HannahShort | |
| pdf |
JWT_use_within_the_Community_v1.0.pdf | r1 | manage | 538.0 K | 2018-11-12 - 09:18 | HannahShort | JWT Catalogue v1.0 |
 png |
Screen_Shot_2018-09-20_at_12.36.42.png | r1 | manage | 130.4 K | 2018-09-20 - 12:38 | HannahShort | lifetime of grid jobs from CERN Batch (2 week sample) |
| pdf |
WLCGAAIPrivacyPolicy2.pdf | r1 | manage | 59.8 K | 2020-08-11 - 12:24 | HannahShort | WLCG Privacy Policy |
| pdf |
WLCG_AuthZ_WG_CHEP2019_Abstract.pdf | r1 | manage | 47.3 K | 2019-04-12 - 10:28 | HannahShort | CHEP 2019 Abstract |
| pdf |
WLCG_Authorisation_Requirements.pdf | r1 | manage | 110.6 K | 2018-09-28 - 16:10 | HannahShort | WLCG Requirements, frozen September 2018 |
| pdf |
WLCG_Authorisation_from_X_509_to_Tokens-Submitted.pdf | r1 | manage | 328.6 K | 2020-03-27 - 09:00 | HannahShort | CHEP2019 Proceedings |
 docx |
WLCG_Common_JWT_Profiles.docx | r1 | manage | 77.9 K | 2018-08-15 - 11:00 | HannahShort | JWT Schema Snapshot August 2018 |
| pdf |
WLCG_Token_based_Authentication__Authorisation_-_CodiMD.pdf | r1 | manage | 37.6 K | 2020-02-03 - 11:45 | HannahShort | Supporting material for VO Interviews |
Topic revision: r56 - 2022-11-10 - MaartenLitmaath
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback