January 2016 GDB notes

Agenda

https://indico.cern.ch/event/394776/

Morning:

Local attendance (19): Ian Bird, Andrew McNab, Simone Campana, Romain Wartel, Maarten Litmaath, Edoardo Martelli, Julia Andreeva, Christoph Wissing, Helge Meinhard, Tim Bell, Ian Collier, Maria Alandes, David Kelsey, Eric Lancon, Mattias Wadenstein, Vincent Brillault, Hannah Short, Latchezar Betev, Pepe Flix, Andrea Manzi

Remote attendance (28): Anders Waananen, Andrea Ceccanti, Catherine Biscarat, Claudio Grandi, Ian Neilson, Jeff Templon, Jeremy Coles, John Gordon, Marco Caberletti, Marian Babik, Michel Jouvin, Mischa Salle, Sophie Ferry, Ulf Tigerstedt, Vincenzo Ciaschini, Alessandro Paolini, Tony Cass, Predrag Buncic, Miguel Martinez Pedreira, Daniele Bonacorsi, Alessandra Forti, Anunpan Ashish, Alessandro di Girolamo, Cristina Aiftimiei, David Cameron

GDB Introduction, Ian Collier

Slides: https://indico.cern.ch/event/394776/contribution/0/attachments/1210612/1765819/GDB-Introduction-20160113.pdf

Security Policy Update, Dave Kelsey

Slides: https://indico.cern.ch/event/394776/contribution/1/attachments/1210671/1765730/Kelsey13jan16.pdf

• Ongoing review and update of currently endorsed policies
• EGI AUP and VM Endorsement and Operations policy now ready
• AUP includes now all services and can be referenced in documents. New Data Protection Policy will require another change in AUP
• VM Endorsement and Operations policy first draft will be distributed for public comments until the end of next week
• AUP to be approved by MB

Data Protection Policy development, Ian Neilson

Slides: https://indico.cern.ch/event/394776/contribution/2/attachments/1210607/1765588/201601GDB_DataProcessing_01.pdf

EGI Policy on Processing Personal Data: https://indico.cern.ch/event/394776/contribution/2/attachments/1210607/1765590/EGI-SPG-Privacy-V1_15.pdf

• Personal Data as defined by EU regulations and directives (user level job accounting, VO registration, traceability and logging)
• Provide common policy on storage and transfer of personal data
• Possible approaches are presented: Shaped by rules on international transfers, user consent, model contracts, adequate safeguards, binding corporate rules
• Safe Harbour not good for WLCG since only applicable in US
• Draft proposal:
  • Infrastructure bound by a single policy set and keep it clear and simple
  • Draft: https://documents.egi.eu/document/2732
  • Policy structure: introduction, definitions, scope, policy, principles of personal data processing (8 clauses), references, participant example privacy policy
  • Principles of data processing: fair and lawful, purposes, adequacy, accuracy, retention, technical and organisational security (measures for protected storage and transmission, Data Protection Officer, audits and incidents response), rights, transfer restrictions

Maarten asks whether this will be used by WLCG and EGI, Ian confirms that this is the plan. Maarten asks whether there has been discussions with OSG for these matters, Ian says that not for the moment. Maarten suggests to involve OSG as soon as possible. Dave explains that some people have been consulted in OSG. Dave points out that only people running WLCG services may need to sign this, not a whole institute. Dave confirms in any case that at with the current state of things more people will be consulted more widely.

The future of Federated Access within WLCG, Hannah Short

Slides: https://indico.cern.ch/event/394776/contribution/3/attachments/1210272/1765020/GDB_Federated_Access.pdf

• WLCG is already federated using x509 grid certificates. The idea is to move to a different model more based on national federations
• AARC project, 2-year funded project. Objective is to define and integrated AAI framework. CERN is leading it.
• Benefits of federation: more accurate provisioning for new users, reduced account maintenance, increased collaboration, minimal bilateral agreements between participants
• eduGAIN interconnects identity federations around the world
• Authorisation and authentication in WLCG has drawbacks: lifetime of x509 certs presents security risks if account compromised, time creating and maintaining additional CERN accounts, significant config time for end users, etc
• WLCG pilot where users can come with a local credential and are authenticated through eduGAIN to finally obtain a x509 grid certificates
• Future plans: working with some VOs to start deploying the WLCG pilot with some initial services.

Maarten asks whether there are any drawbacks to the federated access. Hannah explains that EduGain is not fully ready but key elements are coming together.

Simone points out that the service providing the grid certificate in the WLCG pilot in slide 8 could become a SPF. Romain Wartel explains that this service could be indeed many services, not necessarily just one service. Ian Bird explains that he doesn't see a problem in a having a single service in any case if the service is resilient. Romain explains that with the WLCG pilot the current way of doing things don't change, it's only that instead of the user contacting VOMS, there is a web service contacting VOMS.

Maarten asks whether there has been any progress so far in adopting the WLCG pilot. Romain explains that not really, there have been some initiatives but none of them successful. Ian Bird explains that when end users put pressure on having this implemented, we will see more progress. Andrew McNab claims that stop using the CERN accounts is going to be very difficult. Romain explains that the web based access should be a first adopter of the WLCG pilot to make further progress. Latchezar adds that anything that could ease the CLI towards the WLCG pilot is key to succeed.

Romain asks that if users could download a one year old certificate provided by IOTA CA, how this will change VO plans for the Identity Federation? Maarten explains that will make the life of VOs easier. It could be a small step forward. Of course, logging with one's account and start working will be the ideal situation. Simone also points out that a unique id for the user will be extremely useful.

Dave explains we are trying to move out from community identifiers. EU would be interested in having one single identifier, but this is very difficult to implement.

Michel asks whether there is any link with EGI for the implementation of AARC. Hannah explains that there have been indeed meetings and discussions with EGI. Michel asks whether there is convergence in EGI and WLCG implementations. Romain explains that both EGI and WLCG provide the same functionality but provided by different solutions, and Romain agrees there should be indeed a convergence.

Authentication and Authorization in INDIGO DataCloud, Andrea Ceccanti

Slides: https://indico.cern.ch/event/394776/contribution/7/attachments/1210661/1765830/INDIGO-AAI-GDB120116.pdf

• Indigo project aims at developing an open source platform for computing and data targeted at multi-disciplinary scientific communities
• Indigo based on Open Source solutions
• Main use case is to provide Scientific Portal as a service
• AAI problem: heterogeneous infrastructures with heterogeneous authZ/authN mechanisms
• Need to harmonise identities
• Need to support multiple AuthN mechanisms
• openID connect used for AuthN
• Cross-organisational user and privilege management for AuthZ (like VOMS)
• Indigo is relying on Argus
• First Indigo release in July 201

Afternoon:

Local attendance (15): Andrew McNab, Romain Wartel, Maarten Litmaath, Ian Collier, Andrea Sciaba, David Kelsey, Eric Lancon, Mattias Wadenstein, Vincent Brillault, Hannah Short, Pepe Flix, Andrea Manzi , Predrag Buncic, Latchezar Betev, Ian Bird

Remote attendance (20): Anders Waananen, Andrea Ceccanti, Catherine Biscarat, Claudio Grandi, Jeff Templon, Jeremy Coles, John Gordon, Michel Jouvin, Sophie Ferry, Ulf Tigerstedt, Vincenzo Ciaschini, Tony Cass, , Cristina Aiftimiei, Denise Heagerty, Helge Meinhard, Jose Hernandez Calama, Sophie Ferry, Sebastien Lopienski, Sven Gabriel, David Crooks

Data Management Plans

Slides: https://indico.cern.ch/event/394776/contribution/6/attachments/1208558/1764567/DPHEP-GDB-Jan2016.pdf

• Jeff: similar requests/requirements in NL, we may profit from common terms etc.

• Simone: data management strategies should depend on the data type/format?
• Jamie: we can clarify what we do differently for different kinds of data

• Pepe: how might we ever make raw data easily available?
• Jamie: we can explain why that is not realistic for us

Operational Security & Cyberthreats

Slides: https://indico.cern.ch/event/394776/contribution/5/attachments/1210829/1766015/201601_Wartel_GDB.pdf

• Ian B: what is the "HEP appliance"?
• Romain: a HW module that monitors network traffic for security purposes and can be inspected by security experts for incident response and analysis
  • big vendors like Cisco are active in that area
  • particularly helpful for small sites lacking security expertise
• Ian C: compare such a stand-alone appliance with the one we use for perfSONAR
  • both are independent of high-level applications and frameworks used in WLCG also effectiveness is independent of site expertise
• David Cr: GridPP are looking into that

• Dave K: the WLCG security contact at a site may not be part of its IT security team
  • also NRENs may be involved with investigating security incidents at sites
  • investments in security are about risk management trade-offs

• Romain: WLCG has a global view, can link "small" incidents seen at multiple sites
  • assist in the tracking of incidents
  • may convince at least one site to report such an incident to law enforcement

• Ian B: how can we implement these ideas? discuss at the workshop?
• Romain: it depends on what can be done per country
• Vincent: a country may not have a "central team"
• Ian B: the "central team" in WLCG can be distributed over partners
  • GEANT and the NRENs should be involved
• Romain: and corresponding entities in the US

• Simone: are companies already involved somewhere?
• Romain: to some extent possibly at some sites

-- IanCollier - 2016-01-15