Site Authorisation and Enforcement Services: LCAS, LCMAPS, and gLExec

This page will soon be updated

To ensure the autonomy of the resources that compose the Grid, each site should have authorization hooks to set and enforce local policies. LCAS, which stands for Local Centre Authorization Service, is a site-local service that can authorise users based on their name, their VO affiliation, and the resources requested.
And in order to run jobs, or store files, within a traditional UNIX system, LCMAPS - the Local Credential Mapping Service - can make sure user requests are sandboxes in local account with unique group memberships. Such accounts can span a machine or a cluster, in short: an entire administrative domain.

To keep track of tasks sent to the fabric, the relation between the identity and authorization tokens presented on the Grid side, and their mapping into local credentials (unix groups, account names, etc), the Job Repository (JR) was developed. Based on a backend ODBC-interface, a database contains this essential information.
The newest version includes an updated database schema which makes the structure easier to understand. This makes it easier to retrieve the required information from the database. The new schema is also extendable. By default the (Computing Element) CE is supported but other services can extend the schema with there service specific information to create a larger base for tracking all (user) actions in a relation way.

LCAS, LCMAPS and the JR were developed in the context of the EU DataGrid project, and parts are now also incorporated into gLite, the refactored middleware suite of the EGEE project. The software is open source and available from the web.


gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCMAPS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios. Please read more here....

[The LCAS and LCMAPS systems are incorporated into both the EDG gatekeeper and the EDG gridFTP server. These servers use a dynamic loader mechenism to load the LCAS/LCMAPS framework, which in turn loads the various authorisation and enforcement modules according to policy

Information and references