[ogsa-hpcp-wg] Telecon Notes

Steven Newhouse Steven.Newhouse at microsoft.com
Thu Feb 21 12:22:41 CST 2008


Attendees

Chris Smith
Marty Humphreys
Glen Wasson
Steven Newhouse
Blair Dillaway

Agenda
1. IPR
Noted.

2. Agenda Bash
OGF Session discussion.

3. Application Template Specification Review (Steven)
No further comments. Review at OGF session.

4. Kerberos Use Cases Discussion (Chris)
Typical use of Kerberos by a site around job submission.
* Authentication:
Use Kerberos credentials to identify myself to the container. Still use https to do the connection, but use the client token to provide authentication. Could establish a secure conversation using Kerberos that can then be used within WS-Security. Mutual authentication may not be widely enabled. Start with just the server side identification for https - same as current HPCBP model. Happy to use certificates for servers but not for users.

* Token Forwarding
What could the token be used for?
1. Placed in the running environment of the running application. Establish the environment in the job.
2. Used in file transfer mechanism. Place the token in the environment of the file transfer.
3. Forwarding the job to another BES. Will the original BES container impersonate the user to the second BES?
Generally, don't use restricted delegation. Just send the main ticket granting ticket (TGT) - harder to bind the ticket to a specific service. Again make sure that the TGT gets put into the job environment. Make sure tickets are not bound to a specific IP address.

In the meta-scheduling use case... the authentication takes place at the BES to BES level, but the user credential is still passed with the job object. Does this need to be profiled? The token does need to be forwarded to any subsidiary file staging or meta-scheduling activity.

Running UNIX environment uses Kerberos; in some scenarios it might use certificates to use web services.

Next Steps:
* Chris to look at specification documents for next week.
* Is this one or two profiles - Kerberos for authentication to the service & Ticket forwarding into subsidiary environments (i.e. file staging, local job or job submitted to remote cluster)?

5. Experiences Document Comments Review (Marty/Glenn)
Document revised and new version submitted to the OGF Editor.

6. AOB
OGF Session Planning
Experiences Document: Goes through GFSG review (7 day) and then published. Current HPCBP spec needs no changes.
File Staging: Marty to do 10-15 min review as will hopefully be in public comment.
Application Template: Steven to review current draft.
Kerberos: Chris/Blair to do a 10-15 min review to gather interest and participants in profile writing.
Steven to look at BES errata.

