---+ GWS WG discussion @ November Interop 2021

%TOC%

---++ GWS session 1

*Dave Morris: ExecutionPlanner Service Interface*

Today there exists a large variety of Science Platforms; they serve different communities, and they have different configurations and different authentication methods. How can we make them interoperable?

There exist notebook-based platforms and platforms that execute containers. Both are based on a single file that defines the task; even if the "content of the file" is different (task specific), the pattern is very similar. The reality however is not so simple: there are a lot of different services that are not defined by a single file. Reality is messy.

The idea is to describe tasks in terms of what kind of service (e.g. docker) and the amount of resources (CPUs, memory, etc.) a user needs. We are working on two notes:

   * Execution Planner
   * UWS with container support

The combination of the two allows scheduling containers using different methods (helm, kubernetes, docker-compose, etc.) onto a specific platform able to satisfy the resource requirements.

Christine Banek: The reality is really complex; there are different specifications designed to do different things that interact with one another (e.g. Kubernetes uses helm and helm uses docker, and so on). I am worried that trying to unify this as one abstraction layer will be tricky at best, and since these are all moving, it might be hard to keep up with.

Dave Morris: Yes, this is the problem we are trying to solve (it is hard to describe all the complexity in a 10 min presentation). The execution planner only acts as a discovery service: it answers the question "can I do this?", and hands the client the information it needs to use the actual service.

GT: We could dedicate a virtual splinter in the next days to brainstorm on this idea.

Carlo Zwolf: Should the execution framework have to say how to execute the container? Shouldn't the implementer do it themselves "under the hood" and just run it? This may make the configuration even more limited, trying to make a unified configuration for all these different specs, but it is a good point that in the end you just want to execute it and get the result. If the caller has to worry about the way it is done, it will be less interoperable between data centers if they don't support the same execution frameworks. I would say that the client is not interested in how the service is implemented under the hood but is more focused on the protocols to interact with the services.

DM: You are right. It is hard to choose names for the interfaces in the presentation that people will recognise.

*Stefano Alberto Russo: Rosetta science platform*

It is a container-centric, microservices-based science platform that allows users to execute tasks on different platforms, including HPC clusters. It is based on a set of architectural elements: files, computing resources, tasks, containers, AAI. In practice it is a way to allow users to run containers of their choosing for their tasks. Similar to the Execution Planner, but a lot simpler in terms of scope.

GT: The platform architecture identifies a set of elements that correspond to services and standards that IVOA already has but which should be updated to recent technologies (such as containers). This is in line with what Dave is doing on extending UWS.

*Brian Major: GMS RFC*

Brian is presenting the GMS and is going through the currently open RFC issues.

GMS (Group Membership Service) is an API that answers questions about whether a user is a member of a group or which groups they are a member of. GMS supports interaction between services; a user calling GMS directly isn't really useful (you can find out your group information), but if you have a TAP service using GMS for authorization decisions then it does become useful, because it implements access control to data. There is the RFC page where comments can be submitted, or GitHub issues and pull requests. We discuss the various issues and comments from GitHub and the wiki.

   1 It should be stated that GMS should have high availability because it is a critical service called by many others (e.g. TAP, VOSpace, etc.) in different contexts.<br />Yes, availability is not usually part of a standard, but we can add an implementation "best practice" at the end of the actual standard document. However, we should recommend any solutions for solving the availability problem.
   1 GMS is a highly transactional service; you could be doing many registry lookups per second, which could affect the registry availability. Perhaps the way to solve that is caching.<br />Caching is tricky with security. Maybe we should say how long the response is valid for (is it already done this way?). GMS issue 12.
   1 We need to register the IA2 GMS into the registry.
   1 Issue raised by Marcus regarding the use of the standard ID.

BM suggests a sort of "implementation recommendations" section at the end of the document with a few sentences on the different things that we have discussed during the session.

---++ GWS Session 2

*Nicola Calabria: IA2 VOSpace update*

INAF VOSpace update. It implements the VOSpace standard and adds the integration with a tape in the workflow for the user: a specific transfer service is added to manage upload and download of files.

There is a general overview and components with some specific implementation, e.g. the multiple nodes feature.

Auth and Authz are based on RAP and GMS. The GMS communication is based on (delegated?) tokens.

Brian Major> How about the experience to have nodes in tar files?

Nic> This feature is under discussion now; the main problem is how many recursion levels it includes.

Francois B.> Can we compare VOSpace with the Rucio group implementation?

Sara B.> There is ongoing work that involves Sara B. and Dave Morris about Rucio and VOSpace integration/implementation in the framework of the ESCAPE project.

*Sara Bertocco: SSO discussion towards a new SSO standard*

There has been an ongoing discussion on SSO over the last couple of years. The basic idea is that we need to update the current standard in two directions: update it with new methods and implement a new, better (non-browser) client--server challenge.

We need to improve/implement:
   * SecurityMethod: upgrade it and clarify the content.
   * Authentication discovery, to allow non-browser clients to easily use auth.
   * Authentication endpoints (from capabilities or from HTTP challenge).

*Mark Taylor: SSO for non-browser clients*

How can a (non-browser) client find out how to authenticate and where to authenticate?

Mark reports the work done with CADC for an implementation based on TAP. In the current proposal, the server communicates auth methods based on HTTP challenge and security methods. Two examples are detailed:
   * Bearer token, including some open questions (e.g. scope of the token) to discuss in the future;
   * cookie mechanism.

A proposed method for "challenge" is detailed.

---++ *OPEN DISCUSSION*

CHB Q: Bootstrap challenge? Make a sync request.

Pat: The TAP example is the best to test different solutions. Every endpoint should provide the methods, and this may go in the capabilities, in particular because you can end up with situations in which you can start as anonymous and then access an authenticated part.

CHB> There will be one endpoint per service.

Pat> VOSI

Pat & Mark: probably it is a good option to change the standard of VOSI and TAP to include the use of VOSI for the bootstrap mechanism.

CHB>

Pat> We need a couple of challenges to tell the client the kind of credential; we are looking for flexible logging APIs.

CHB> How can I decode the token in the challenge and find out the scope of the token?

Mark> For cookies it is not a problem, but for bearer tokens the scope is not standard.

CHB> If you can decode the scope from the token you can then recover the scope somehow.

Tom> With respect to a scope that specifies which service to access, the various services are finding out if the token is valid to access them; it is very complex to programmatically manage that.

CHB> it theren

Brian> They are opaque tokens. We plan on removing the base64: prefix because the colon is not allowed in that header field.

Markus> Scopes of the token are from the user side; is it something that I have to take care of at the challenge level? I

Pat> Is there a token for each service access? At CADC one token is used to access all the services. We must update the CDP. Reduced-scope tokens can be used for the CDP.

Tom>

Dave> Is there a way to communicate between server and client that you need a different token to access a service?

Pat> Permission denied is the approach we are using.

Mark>

Giuliano: Proposes a bi-monthly telecon to synchronize and fix the ideas in the document(s).

Pat: 2 things: ..... Where we should use the token and not how we can do it.

CHB: The little group continues the work and then writes e-mails to the GWS group. Keep Sara in the loop.

Giuliano: Update of credential delegation in terms of tokens. Try to organize the update of the documents.

CHAT:

Brian: They are opaque tokens. We plan on removing the base64: prefix because the colon is not allowed in that header field.

James Tocknell: How would a client-side JS login system work with www-auth (e.g. a system where the login-form system is implemented in React or a similar framework) with non-browser clients (or should we require that systems do not require client-side JS)? Things like 2FA are moving to requiring a full browser implementation.

CHB: Yeah I agree James, and we're using 2FA and require a browser too, and I think like I said TOPCAT might have to make browser windows and stuff like that.

Brant Miszalski: +1 for making authenticated programmatic access as simple as possible. It's very helpful to minimise the number of hoops to jump through.

Markus Demleitner: Well, we shouldn't forget that people might want to do authenticated operations on headless systems...

James Tocknell: Totally, calling out that whatever auth system is used should allow usage on headless systems might be a good idea.
Topic revision: r3 - 2021-11-04 - GiulianoTaffoni