Edits and corrections welcome!

Attending: James Basney, Unknown User (awithers), Unknown User (tfleury), Donald Petravick, Margaret Gelman, Unknown User (jalt), Brian Van Klaveren, Fritz Mueller, Jacek Becla, Unknown User (xiuqin)

How does the architecture support the concept of a "tenant"? A tenant is like a virtual organization (VO) or an OU in LDAP. Should the design support multiple OUs in a single LDAP directory? A tenant has groups, which have users. Look into how tenants in OpenStack Keystone and Swift map to LDAP.

UNIX groups or POSIX ACLs for filesystem authorization? Investigate both options.

Services run at NCSA and at the observatory base site. The use case previously discussed is a user work space running at the user's home campus connecting to LSST services. Otherwise, integration with external services is considered out of scope for now.

Base the design on common standards (Kerberos, LDAP, OAuth, SAML) to provide a Swiss army knife as LSST evolves.

Important end-to-end scenario to cover in the IAM design doc: a web app connecting to the DAX API, which in turn accesses the DB and file server.

DAX is a Python Flask app, so demonstrating IAM integration with Python Flask is a good near-term goal.
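As an added illustration (not DAX or LSST project code) of the end-to-end scenario above and of the tenant/group/user question raised earlier, the following dependency-free Python sketches the check a Flask-style API endpoint would run before touching the DB or file server: verify a bearer token, then look the subject up in a group that belongs to the subject's own tenant, with tenants laid out as LDAP OUs. The directory contents, the DN layout under dc=example,dc=org, the HMAC-signed token format and its key are all assumptions made for this example; a real deployment would validate the site's OAuth or SAML tokens instead and query the real LDAP.

```python
"""Added example, not DAX/LSST project code: tenant-scoped group authorization
for a Python web API. Directory layout, DN form, token format and key are
assumptions for illustration only."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample directory: each tenant (an OU) owns groups; each group
# has member uids.  Assumption: base DN dc=example,dc=org.
BASE_DN = "dc=example,dc=org"
DIRECTORY = {
    "lsst": {"dax-readers": {"alice", "bob"}, "dax-admins": {"alice"}},
    "desc": {"dax-readers": {"carol"}},
}

# Assumption: shared secret for HMAC-signed tokens, standing in for a real
# OAuth issuer's signature.  Never hard-code this in a real service.
TOKEN_KEY = b"example-only-key"


def group_dn(tenant: str, group: str) -> str:
    """Map (tenant, group) to the DN a tenant-per-OU layout gives it."""
    return f"cn={group},ou=groups,ou={tenant},{BASE_DN}"


def user_in_group(tenant: str, group: str, uid: str) -> bool:
    """Membership check against the in-memory directory (LDAP search stand-in).
    A group name is only meaningful within its own tenant."""
    return uid in DIRECTORY.get(tenant, {}).get(group, set())


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(uid: str, tenant: str, ttl: int = 600, now=None) -> str:
    """Issue a signed bearer token carrying the subject, its tenant and expiry."""
    now = time.time() if now is None else now
    body = _b64e(json.dumps({"sub": uid, "tenant": tenant, "exp": now + ttl}).encode())
    sig = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Return the claims, or None on bad signature, malformed body or expiry.
    The signature is checked (in constant time) before the body is parsed."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or "sub" not in claims or "tenant" not in claims:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(headers: dict, required_group: str, now=None):
    """What a DAX-style endpoint would run before querying the DB or file
    server.  Returns (HTTP status, message): 401 for a missing or invalid
    token, 403 when the subject is not in the required group of its tenant."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if not user_in_group(claims["tenant"], required_group, claims["sub"]):
        return 403, f"{claims['sub']} not in {group_dn(claims['tenant'], required_group)}"
    return 200, f"ok: {claims['sub']}@{claims['tenant']}"


if __name__ == "__main__":
    for uid, tenant in (("alice", "lsst"), ("carol", "desc")):
        tok = issue_token(uid, tenant)
        print(authorize_request({"Authorization": f"Bearer {tok}"}, "dax-admins"))
```

Because the token carries the tenant and the group lookup is scoped to it, a user who belongs to dax-readers in one tenant gets 403 from a tenant where that group does not contain them, which is the isolation a tenant-per-OU layout is meant to give.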

Future call topic: user work space

Next call in two weeks. Unknown User (xiuqin) won't be available.