TA6 WP2


TA6 WP2 Meeting
May 4, 2023

 

participants:
Kilian Schwarz
Luka Vomberg
Simon Thiele
Oliver Freyermuth
Michael Huebner
Christopher Huhn
Rouven Spreckels
Sander Apweiler
 

Introduction round:
- Kilian Schwarz
DESY IT, head of Scientific Computing, head of TA6 and of TA6 WP2
- Christopher Huhn, GSI
observing; GSI IT should work on AAI, and the plan is to see how it fits
the PUNCH objectives
- Luka Vomberg
PhD student in Bonn
working on Jupyter implementation in TA2
- Michael Huebner
IT services in Bonn
- Oliver Freyermuth
active in PUNCH TA2 and TA4 projects
- Simon Thiele
Bonn, PhD student, XRootD for storage solutions, TA2
- Rouven Spreckels
GSI, previously University of Mainz, PhD student,
PhD on the neutron electric form factor
focus on AAI, figuring out requirements, has worked with Keycloak
- Sander Apweiler
operating Helmholtz AAI, hosting AAI for PUNCH
 

News/Mission:
after the setup of the initial PUNCH AAI, now adjusting to the needs of the services
 

Requirements document:
https://results.punch4nfdi.de/?md=/docs/Documents/aai-requirements.md
use cases should not be
black boxes such as "storage" and "compute" for PUNCH,
but instead the concrete services we want to connect to the AAI
 

Discussing
Jupyter Hub:
see presentation
https://indico.desy.de/event/39107/contributions/143173/attachments/81707/107477/AAI_DPSIssues.pdf
not technical but bureaucratic issues
a DPS (data protection statement) is necessary for public services
the DPS requires knowing which data is needed
during development a new DPS approval is required each time
data privacy is given by law
users do not need to agree to it
it is sufficient if it is put on the server
but the data protection officer needs to agree to it
this is also required for test services
Helmholtz AAI requests this for every service
service providers can add a statement that it is a preliminary policy,
and then this is fine for Helmholtz AAI.
but this is not allowed at Bonn; even the staff councils (Personalräte) need to agree
in other cases, if services are not reachable from outside,
this would be OK
Helmholtz AAI could request that services in development do not go public
Bonn is the first institute that has a problem with that?
But maybe Bonn is also the first institute that read this carefully.
GSI also read through this recently
and made quite some assumptions with respect to the meaning of certain things
an on-call team exists there, also on weekends
organisations at university level are out for operating services in this case
domain: uni-bonn
officially Bonn is not certified
Bonn has a security team but not a CERT team
a contact person exists but there is no guarantee to react within 24 hours
Sander Apweiler did not write this part of the documentation
and is not sure what "certify" means
this is nothing really extraordinary
it should be normal behaviour for everybody providing a service
but the person power is required to be exclusively available for that at any time
Sander Apweiler will discuss that statement in HIFIS,
but doubts that it will be removed
recommended are best practices
security incidents have to be reacted on in a timely manner
it is a problem of interpretation
DFN interpretation: different for certified and non-certified services
In this context,
certified / certify is the wording for the abbreviation "SIRTFI" (https://refeds.org/sirtfi).
it seems to be an interpretation problem
we are all not lawyers
we currently have to follow the common interpretations
have to take it offline
Bonn has a problem with dev and production mode ==> with both
an "interpretation guideline" by Helmholtz AAI would be helpful
for the data protection statement no good solution exists
once for a production service would be OK,
but having to specify it again on every change is tough
GSI: doing it for the IdP only, since there is no service so far
narrowed down to the direct operation of the IdP service and not the whole
IT infrastructure
a CERT team exists; they have an on-call service
a lot of management work but doable
while Bonn interprets it for the whole IT infrastructure
but it is also not doable for the IdP itself,
since this is central for the University of Bonn.
 

then the bridge to technical issues
mainly one issue:
when a job is started it wants to read a file
for that it needs to ask the AAI whether the user has permission
and then wait for the answer
this will not scale for many files and users
hoping for a change so that the access token contains this group
information
workaround via Keycloak at AIP,
so we avoid the data privacy statement because we are hidden behind that.
this is a workaround
technical reason: Keycloak fetches the group membership and puts it into the token,
which is then used
a similar token cannot be obtained from the Helmholtz service
 

token: discussed with the developers
not implemented yet, and not high on the roadmap
no idea about the timeline
also not high on the Helmholtz AAI side
 

why not bypass the JupyterHub for each job?
But then we would make the JupyterHub a token issuer?
Storage services need a token, and they are independent of the hub
 

maybe this is the software question: which services have to be connected?
dCache, XRootD, Apache, but we do not want to limit it
dCache is connected but will not scale, because dCache itself queries the AAI;
then every file will cause a request to the AAI
DESY people wrote a document about that; they are using a workaround
and are not happy about it.
the data will be provided by ourselves
either they trust us, or they have to go to the Helmholtz AAI for each request
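The scaling point raised in the two passages above (a per-file query to the AAI versus a token that already carries the group membership), as an added illustration that is not code from the meeting or from PUNCH/Helmholtz AAI: a toy issuer embeds the groups once, and the storage service then authorizes each file read from the token alone. The HS256 shared secret, the claim name `groups` and the path-prefix ACL are assumptions.

```python
"""Group claims in the access token: the storage service verifies the token
once and authorizes every file access locally, with no call to the AAI.
Constructed example. Assumptions: HS256 with a shared secret (a real issuer
would sign with RS256 and publish its key), a "groups" claim, a toy ACL."""
import base64, hashlib, hmac, json, time

SECRET = b"constructed-shared-secret"   # assumption: demo signing key

# Storage-side ACL (constructed): path prefix -> group allowed to read it
ACL = {"/punch/ta2/": "punch:ta2", "/punch/ta6/": "punch:ta6"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject: str, groups: list, ttl: int = 600, now=None) -> str:
    """Stand-in for the issuer (Keycloak/AAI): group membership is resolved
    once, at login, and embedded in the signed token."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "groups": groups,
                                        "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Storage-side check: algorithm, signature and expiry. Purely local."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")      # refuse alg confusion
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims

def may_read(claims: dict, path: str) -> bool:
    """Decide one file access from the claims already in the token."""
    for prefix, group in ACL.items():
        if path.startswith(prefix):
            return group in claims.get("groups", [])
    return False    # no ACL entry: deny by default

if __name__ == "__main__":
    tok = mint_token("alice", ["punch:ta2"])   # constructed user and group
    claims = verify_token(tok)                  # one verification per token...
    for p in ["/punch/ta2/run1.root", "/punch/ta6/x.dat"]:
        print(p, may_read(claims, p))           # ...then N local decisions
```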
 

one solution to speed this up:
instead of an open-source request, a paid request
the price depends on the work
generally cheaper than implementing it ourselves
1000s or low 10s000 euro
procedure how to do this?
FZJ has a contract with the Unity developers
normal flow: request, estimation (does not cost anything)
it is OK to do that via the FZJ contract.
needs to be discussed with Daniel Mallmann
then maybe DESY needs to do this
Sander will ask Daniel
Sander could do a request for a cost estimation
then time requirements could be part of the request
 

maybe there are correlated things in the requirements document
maybe additional correlated things can be added?
Sander: rather independent, step by step
from the requirements document:
"authorisation should be possible directly with tokens"
sub-bullet points: different issues to be requested later

AI (action item): check in DFN AAI which universities are certified
Oliver Freyermuth would gather info from other universities

 

AOB:
none
 

    • 10:15 - 10:30
      News and general issues 15m
      Speaker: Dr Kilian Schwarz (IT (IT Scientific Computing))
    • 10:30 - 10:55
      AAI connection of Bonn Jupyter Hub 25m
      Speaker: Dr Oliver Freyermuth (University of Bonn (DE))
    • 10:55 - 11:00
      AOB 5m
    • 11:00 - 11:10
      Storage4PUNCH and Authorisation Claims in Tokens 10m
      Speaker: Dr Oliver Freyermuth (University of Bonn (DE))