The Gridification subtask of WP4 of the
European Datagrid project
interfaces the local fabric to other middleware components by a
number of services, among which the Local Centre Authorization Service (LCAS) handles authorization
requests to the local computing fabric and the Local Credential Mapping Service (LCMAPS) provides
all local credentials needed for jobs allowed into the fabric.
This document describes a prototype version of LCMAPS, which is the second component released by
the Gridification subtask, the first being LCAS.
Initially LCMAPS will only be used by the gatekeeper running on a Computing Element (CE), but eventually
other services (e.g. gridftp server) may rely on LCMAPS for their local credential mapping.
LCMAPS is implemented as a shared library, which is loaded dynamically by the globus gatekeeper.
The gatekeeper has been slightly modified for this purpose and will from now on be referred to as
edg-gatekeeper.
LCMAPS is a framework that can load and run one or more 'credential mapping' plugins.
The use of a plugin-framework architecture for LCMAPS makes it very easy for sites/organizations
to add new functionality to LCMAPS by writing new plugins.
The LCMAPS framework consists of the following components:
- the plugin manager, which is responsible for managing, loading and running the LCMAPS
plugins.
- the evaluation manager, which is responsible for the order in which the LCMAPS
plugins are called. The evaluation manager is driven by a policy engine, which
is documented in more detail here, or as PostScript file or PDF file.
Based on the user's global credentials (more specifically the user's X509 certificate) and the job
specification (JDL), the LCMAPS plugins have to perform either of these two tasks:
- acquire local credentials (A).
- enforce (apply) the local credentials (E).
The local credentials that are gathered (UNIX uids, gids, VO information, AFS/Kerberos (?) tokens)
are stored internally, but a new WP4 component, the job repository, is foreseen in which these
credentials may be stored as well and which is accessible by other applications and services.
The following LCMAPS plugins are currently available:
- plugins providing the functionality that is equivalent to the functionality of the original
  gatekeeper:
  - lcmaps_localaccount.mod (A):
    this plugin collects the local account name from a gridmap file.
  - lcmaps_poolaccount (A):
    this plugin collects a pool account name from a gridmap file (leases in $GRIDMAPDIR).
  - lcmaps_posix_enf.mod (E):
    this plugin enforces the local credentials in the running process
    by posix system calls (setuid(), setgid() etc.).
  - lcmaps_ldap_enf.mod (E):
    this plugin enforces the local credentials by setting the primary and
    secondary gids in the LDAP database that is used by the site
    as the source of account information for PAM or NSS.
- plugins that use the VOMS (VO Membership Service)
  attribute assertions in the user certificate for the credential mapping:
  - lcmaps_voms.mod (A):
    this plugin extracts the VOMS information from the user X509 proxy
    certificate.
  - lcmaps_voms_localgroup.mod (A):
    this plugin tries to find a local group Id (gid) based on the VO information
    and a groupmapfile.
  - lcmaps_voms_poolgroup.mod (A):
    this plugin tries to find a pool group Id (gid) based on the VO information
    and a groupmapfile (leases in $GROUPMAPDIR).
  - lcmaps_voms_poolaccount.mod (A):
    this plugin tries to find a pool account based on the VO information and a
    gridmapfile (leases in $GRIDMAPDIR).
More information on LCMAPS and other components of the Gridification subsystem can be found in:
Martijn Steenbakkers, Wednesday Jul 16 2003