Site Authorisation and Enforcement Services: LCAS, LCMAPS, and gLExec
To ensure the autonomy of the resources that compose the Grid,
each site should have authorization hooks to set and enforce local policies.
LCAS, which stands for Local Centre Authorization Service, is a
site-local service that can authorise users based on their name, their
VO affiliation, and the resources requested.
And in order to run jobs, or store files, within a traditional UNIX
system, LCMAPS - the Local Credential Mapping Service - can make sure
user requests are sandboxes in local account with unique group memberships.
Such accounts can span a machine or a cluster, in short: an entire
administrative domain.
To keep track of tasks sent to the fabric, the relation between the
identity and authorization tokens presented on the Grid side, and their
mapping into local credentials (unix groups, account names, etc), the
Job Repository (JR) was developed. Based on a backend ODBC-interface, a
database contains this essential information.
The newest version includes an updated database schema which makes the structure
easier to understand. This makes it easier to retrieve the required information from the database.
The new schema is also extendable. By default the (Computing Element) CE is supported but
other services can extend the schema with there service specific information
to create a larger base for tracking all (user) actions in a relation way.
LCAS, LCMAPS and the JR were developed in the context of the EU DataGrid project, and parts are now also incorporated into gLite, the refactored middleware suite of the EGEE project. The software is open source and available from the web.
gLExec
gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCMAPS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios. Please read more here....
Information and references
- The LCAS and LCMAPS Install Guides
- Installation notes for LCAS, LCMAPS, gatekeeper and Workspace service (WSS)
- Notes of the installation on the LSF CE in the EGEE prototype for LCAS, LCMAPS, gatekeeper and Workspace service
- JobRepository documentation and install guide
- LCAS description
- LCMAPS and JobRepository description
- Configuration via LCFGng or Quattor
- Integration of VOMS + LCAS/LCMAPS at INFN
- Publications:
-
Section 7 (page 256) of the EDG WP4 paper in the special issue of the Journal of grid computing:
Thomas Röblitz, Florian Schintke, Alexander Reinefeld, Olof Bärring, Maite Barroso Lopez, German Cancio, Sylvain Chapeland, Karim Chouikh, Lionel Cons, Piotr Poznanski, Philippe Defert, Jan Iven, Thorsten Kleinwort, Bernd Panzer-Steindel, Jaroslaw Polok, Catherine Rafflin, Alan Silverman, Tim Smith, Jan van Eldik, David Front, Massimo Biasotto, Cristina Aiftimiei, Enrico Ferro, Gaetano Maron, Andrea Chierici, Luca dell'Agnello, Marco Serra, Michele Michelotto, Lord Hess, Volker Lindenstruth, Frank Pister, Timm M. Steinbeck, David L. Groep, Martijn Steenbakkers, Oscar Koeroo, Wim Som de Cerff, Gerben Venekamp, Paul Anderson, Tim Colles, Alexander Holt, Alastair Scobie, Michael George, Andrew Washbrook, Rafael A. García Leiva,
Autonomic Management of Large Clusters and Their Integration into the Grid. J. Grid Comput. 2(3): 247-260 (2004) (PDF) -
LCAS and LCMAPS in the EDG security architecture:
Linda Cornwall, Jens Jensen, David P. Kelsey, Ákos Frohner, Daniel Kouril, Franck Bonnassieux, Sophie Nicoud, Károly Lörentey, Joni Hahkala, Mika Silander, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, Fabio Spataro, David O'Callaghan, Olle Mulmo, Gian Luca Volpato, David L. Groep, Martijn Steenbakkers, Andrew McNab,
Authentication and Authorization Mechanisms for Multi-Domain Grid Environments. J. Grid Comput. 2(4): 301-311 (2004) (PDF) -
CHEP2003 paper:
R. Alfieri, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, A. Gianoli, Fabio Spataro, Franck Bonnassieux, Philippa J. Broadfoot, Gavin Lowe, Linda Cornwall, Jens Jensen, David P. Kelsey, Ákos Frohner, David L. Groep, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp, Daniel Kouril, Andrew McNab, Olle Mulmo, Mika Silander, Joni Hahkala, Károly Lörentey,
Managing Dynamic User Communities in a Grid of Autonomous Resources. CoRR cs.DC/0306004: (2003) (PDF)