LCAS
LCAS, the Local Centre Authorisation Service, is the authorisation decision engine that adds access controls to the "gatekeeper". The gatekeeper accepts job requests from external sources (like the enduser or the workload management system) over an authenticated channel. Today, this functionality is also available for the Classic storage element, since an LCAS and LCMAPS aware GridFTP server (based on the wu-ftpd server) is available.The concept is that different independent authorisation modules may be plugged-in, thus creating a flexible system. The plug-in framework enables multiple independent authorisation modules to collectively grant or deny access to the resource. The decision is based on the requested resources (expressed via the Resource Specification Language RSL), the identity of the requester, and the authorisation credentials presented by the end-user in the proxy certificate. If VOMS is used this will be the VO, Group, Role, and Capability combinations the user has acquired from VOMS. A basic policy language allows selection of which authorisation plug-ins are to be invoked, and the access decision is the logical "and" of the answers of the individual plug-ins.
As part of the LCAS system, the following plug-ins are provided:
- An allowed-user and banned-user list inspection, based on the requesters subject identifier (DN) only.
- A wall-time limiting module, effectively defining "fabric opening hours".
- A VOMS module, that compares VOMS attribute assertions against a site-local access control list. This access control list uses the GACL (section 3.4.8.) language to express complex policies that take all VOMS credentials into account.