[Go to /grid/lcaslcmaps/]

Local WP4 area
EDG Security Group


Interfaces and documentation
LCAS old docs
LCAS apidoc
LCMAPS old docs
LCMAPS apidoc


EDG security architecture (D7.6)
EGEE security architecture (DJRA3.1)
EGEE Site Access Control Arch (DJRA3.2)

JR integration
LCMAPS interface for the WorkSpace Service
glexec sources

NIKHEF General
UvA AIR Group - AAA

Privacy notice

Site Authorisation and Enforcement Services: LCAS, LCMAPS, and gLExec

This page will soon be updated

To ensure the autonomy of the resources that compose the Grid, each site should have authorization hooks to set and enforce local policies. LCAS, which stands for Local Centre Authorization Service, is a site-local service that can authorise users based on their name, their VO affiliation, and the resources requested.
And in order to run jobs, or store files, within a traditional UNIX system, LCMAPS - the Local Credential Mapping Service - can make sure user requests are sandboxes in local account with unique group memberships. Such accounts can span a machine or a cluster, in short: an entire administrative domain.

To keep track of tasks sent to the fabric, the relation between the identity and authorization tokens presented on the Grid side, and their mapping into local credentials (unix groups, account names, etc), the Job Repository (JR) was developed. Based on a backend ODBC-interface, a database contains this essential information.
The newest version includes an updated database schema which makes the structure easier to understand. This makes it easier to retrieve the required information from the database. The new schema is also extendable. By default the (Computing Element) CE is supported but other services can extend the schema with there service specific information to create a larger base for tracking all (user) actions in a relation way.

LCAS, LCMAPS and the JR were developed in the context of the EU DataGrid project, and parts are now also incorporated into gLite, the refactored middleware suite of the EGEE project. The software is open source and available from the web.


gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCMAPS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios. Please read more here....

[The LCAS and LCMAPS systems are incorporated into both the EDG gatekeeper and the EDG gridFTP server. These servers use a dynamic loader mechenism to load the LCAS/LCMAPS framework, which in turn loads the various authorisation and enforcement modules according to policy

Information and references

  • The LCAS and LCMAPS Install Guides
  • JobRepository documentation and install guide
  • LCAS description
  • LCMAPS and JobRepository description
  • Configuration via LCFGng or Quattor
  • Integration of VOMS + LCAS/LCMAPS at INFN

  • Publications:

    • Section 7 (page 256) of the EDG WP4 paper in the special issue of the Journal of grid computing:

      Thomas Röblitz, Florian Schintke, Alexander Reinefeld, Olof Bärring, Maite Barroso Lopez, German Cancio, Sylvain Chapeland, Karim Chouikh, Lionel Cons, Piotr Poznanski, Philippe Defert, Jan Iven, Thorsten Kleinwort, Bernd Panzer-Steindel, Jaroslaw Polok, Catherine Rafflin, Alan Silverman, Tim Smith, Jan van Eldik, David Front, Massimo Biasotto, Cristina Aiftimiei, Enrico Ferro, Gaetano Maron, Andrea Chierici, Luca dell'Agnello, Marco Serra, Michele Michelotto, Lord Hess, Volker Lindenstruth, Frank Pister, Timm M. Steinbeck, David L. Groep, Martijn Steenbakkers, Oscar Koeroo, Wim Som de Cerff, Gerben Venekamp, Paul Anderson, Tim Colles, Alexander Holt, Alastair Scobie, Michael George, Andrew Washbrook, Rafael A. García Leiva,
      Autonomic Management of Large Clusters and Their Integration into the Grid. J. Grid Comput. 2(3): 247-260 (2004) (PDF)

    • LCAS and LCMAPS in the EDG security architecture:

      Linda Cornwall, Jens Jensen, David P. Kelsey, Ákos Frohner, Daniel Kouril, Franck Bonnassieux, Sophie Nicoud, Károly Lörentey, Joni Hahkala, Mika Silander, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, Fabio Spataro, David O'Callaghan, Olle Mulmo, Gian Luca Volpato, David L. Groep, Martijn Steenbakkers, Andrew McNab,
      Authentication and Authorization Mechanisms for Multi-Domain Grid Environments. J. Grid Comput. 2(4): 301-311 (2004) (PDF)

    • CHEP2003 paper:

      R. Alfieri, Roberto Cecchini, Vincenzo Ciaschini, Luca dell'Agnello, A. Gianoli, Fabio Spataro, Franck Bonnassieux, Philippa J. Broadfoot, Gavin Lowe, Linda Cornwall, Jens Jensen, David P. Kelsey, Ákos Frohner, David L. Groep, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp, Daniel Kouril, Andrew McNab, Olle Mulmo, Mika Silander, Joni Hahkala, Károly Lörentey,
      Managing Dynamic User Communities in a Grid of Autonomous Resources. CoRR cs.DC/0306004: (2003) (PDF)

Comments to grid-mw-security@nikhef.nl