View Source

Date

24 Jan 2019

Attendees

Gregory Dubois-Felsmann (apologies; I cannot attend today due to a family conflict)
@mention a person to add them as an attendee and they will be notified.

Goals

Advance the integration of the LSST Science Platform components

Discussion items

Item	Who	Notes
Authentication integration	Brian Van Klaveren Loi Ly	Status on: Brian Van Klaveren 's demonstration of the integration of authentication with WebDAV This week's work on integration of the Portal with the authentication proxy Authentication integration Issues with the proxy buffer size — tokens and cookies are > 4KB Tried to configure per-location; Matt tried to do it at the ingress level but had problems; applying configuration at the server block level in Inginx works Loi gets token from X-Auth-Request header Loi modified ingress rules to add an auth URL in the K8s configuration to enable authentication Two issues: timeout is set to 10 minutes and may not be working quite right; Loi can store X-Auth-Request for every request and would then always have a fresh token to pass to DAX services, or can get a refresh token but he needs CILogon OAuth2 client secret Refresh token would have to be managed by Portal Using tokens from web requests is not sufficient as Portal may issue DAX requests autonomously long after the last web request Token re-issuer could be used to extend lifetime of tokens, but not quite done yet, and integrating into the authorizer is only a short-term solution Custom code needed in notebook to manage tokens at all; could build in refresh token handling Refresh token handling can use client secret or not (by using PKCE); long-term solution is using PKCE Frossie: Do we have an enumeration of authentication interactions? Discuss offline with timelines; meeting set for 2019-01-25 Fritz: Do we need refresh functionality within DAX APIs? DAX will get a 24 hour or longer reissued token for every request Loi can use the current functionality with 15 minute lifetime, accessing WebDAV and DAX services (via configured new ingress) Perhaps use token reissuer for non-DAX clients? But token would leave our domain WebDAV from clients Need to set up a page to issue tokens Token would have to be pasted into a client in the username or password field But works today within a web browser Authentication has only a 15 minute lifetime for now Only pointing at /datasets for now Do a public demo?
Insulation of `lsst-lsp-stable` from active development and integration experiments on `lsst-lsp-int`		Sharing between lsst-lsp-stable and lsst-lsp-int Currently at least ingress controller Physically separate lsst-lsp-stable cluster with external Internet access coming in ~1 week Should we have multiple ingress controllers anyway? e.g. for internal vs. external traffic Won't take any action for now until new cluster comes up
AOB		Working group for deployment proposal/tech note summarizing current practice coming soon (led by Frossie)

Action items

Type your task here. Use "@" to assign a user and "//" to select a due date.