LCMAPS

LCMAPS is a Local Credential MAPping Service, which allows credential acquisition (like Unix user ids) to Grid jobs that run on the local fabric. LCMAPS offers detailed support for plug-in modules.

There are two different module types: "acquisition" and "enforcement". The acquisition modules collect information on the credentials to be used for a particular request, but do not enforce these credentials. Such a separation is required, because the enforcement of, in particular, uids and gids (i.e. doing setuid or setgid) may impede the capability of other modules to do their task that may need enhanced privileges. Since the acquisition and enforcement of local credentials is a complex process, a new policy description language was designed to ease the configuration of this service for site administrators.

The following plug-in modules are provided with the system:

• Mapping onto a local Unix account and group. This is static mapping from the users DN to a uid based on a plain-text grid-mapfile.
• Mapping onto Pool Accounts, i.e. the account lease system as originally implemented in the gridmapfile (the PoolAccount/gridmapdir system developed by Andrew McNab) but extended so that a Unix Group is also set.
• Full VOMS support. This allows also VOMS groups, roles, and capabilities to be mapped onto Unix groups, possibly taken from a pool of groups similar to the Pool Accounts system.
• Mapping from the DN onto local Kerberos and AFS tokens. This is carried out if, for example, the local home directory is on an AFS file system.
• Posix in-process enforcement. This will set the real and effective user and group ID for the current process. For fork-style grid jobs, this will then be the local account used for executing the users job.
• LDAP, will update a fabric-central user directory for userid and groupid information. This is required in the case of a cluster fabric that uses a batch system for running jobs, since the inprocess enforcement mentioned above will only affect the credential used for submitting the job, and not the actual job execution on back-end worker nodes in the cluster. Although LDAP is just one of the possible mechanisms for fabric central directory management, it is the most flexible for rapid updating and better secured than solutions like the Network Information System (NIS).

In a similar way to the case of LCAS, other plug-ins may be written to provide functionality specifically required by a site. The design of LCMAPS will ensure interoperability with any version of LCMAPS used.

The Job Repository

LCMAPS Job Repository (JR) will maintain a record of the credential information associated with all jobs running inside the fabric. By incorporating data persistence in the architecture (using a database as an archiving back-end) the JR can also be used to obtain information on actual credential mappings in the past, that were in effect for a particular job. The information is provided to the JR via the LCMAPS plug-in mechanism, and by modification to the job management system.

---

Comments to Physics Data Processing group.