
LCAS/LCMAPS notes

Rough notes, Steven Young, NGS Surgery, 3 June 2009. What is LCAS/LCMAPS? LCAS: Local Centre Authorisation Service. LCMAPS: Local Credential MAPping Service. It is a middleware which enables grid services to make complex authorisation decisions.


Presentation Transcript


  1. Rough notes, Steven Young, NGS Surgery, 3 June 2009: LCAS/LCMAPS notes

  2. What is LCAS/LCMAPS?
     • LCAS: Local Centre Authorisation Service
     • LCMAPS: Local Credential MAPping Service
     • It is a middleware which enables grid services to make complex authorisation decisions
     • A set of plug-in libraries which allow Globus authorisation libraries to call out to the separate services

  3. History
     • First there was pure Globus grid-mapfile account mappings
     • Then there was gridmapdir pool account patches
     • Now LCAS/LCMAPS plugins for VOMS support

  4. History cont.
     • NGS needed something better than the gridmapdir pool account patches to allow correct VO/project accounting to work.
     • gLite had LCAS/LCMAPS plugins, but they didn't work with the "vanilla" Globus libraries from VDT.
     • Patches to the LCAS/LCMAPS gLite plugins were developed so that they work with "vanilla" Globus (work done by Robert Frank)

  5. More information
     • There are various pages on the NGS wiki:
         • http://wiki.ngs.ac.uk/index.php?title=LCAS_LCMAPS
         • http://wiki.ngs.ac.uk/index.php?title=LCAS/LCMAPS_Overview
     • Prerequisites for installation
         • VOMS support
         • Need to set up pool accounts (and groups)

  6. VOMS support
     • vomsdir/
         • contains certificates for supported VOMS servers
     • glite/etc/vomses/
         • contains VOMS configuration files for supported VOMS servers
     • Some tests:
         • voms-proxy-init -voms ngs.ac.uk
         • voms-proxy-info -all
         • voms-proxy-from-proxy ngs.ac.uk

  7. LCAS/LCMAPS installation
     • The current installation method is the ngs-vdt-installer script, which includes the LCAS/LCMAPS download and install
     • There has been talk of providing the LCAS/LCMAPS installers separately
     • Once you've installed the plugins you should sort out their configuration
     • The $GSI_AUTHZ_CONF environment variable points to a configuration file which defines the globus_mapping call out
     • See http://wiki.ngs.ac.uk/index.php?title=LCAS/LCMAPS_Overview

  8. LCAS configuration
     • LCAS is the plugin that makes local authorisation decisions. An important piece of functionality is being able to ban users.
     • glite/etc/lcas/lcas.db: This text file points to various modules and defines arguments to the modules, e.g. lcas_userban.mod and a ban_users.db

  9. LCMAPS configuration
     • LCMAPS provides functionality for mapping users according to the credential they present, i.e. VOMS attributes asserting membership of a specific VO.
     • glite/etc/lcmaps/lcmaps.db: This text file defines policies. See http://wiki.ngs.ac.uk/index.php?title=LCAS/LCMAPS_Overview and http://wiki.ngs.ac.uk/index.php?title=LCMAPS_Plug-ins

  10. Inca Testing
     • Inca has a test for LCAS/LCMAPS
     • The LCAS/LCMAPS test requires support for the following VOMS group: "/monitoring.ngs.ac.uk/lcas_lcmaps/*"
     • This group needs to be mapped to a different set of pool accounts than the pool accounts for the ngs.ac.uk VO

  11. Problems
     • Loads more things can go wrong with LCAS/LCMAPS. VOMS support can be tricky. It is good to have a bit of understanding to debug things
     • LCAS/LCMAPS doesn't work with Globus WS
     • Westminster (I think) have reverted to multiple mappings in their grid-mapfile to support GT4 WS requirements
     • Standard locations for configuration: some things are in /etc/grid-security/, some things are in $VDT_LOCATION/glite. VOMS configuration can also be in multiple places.

  12. Problems cont.
     • Problems with training courses: Does training material use voms-proxy-* methods and VOMS/LCAS/LCMAPS authorisation yet?
     • Question about status of VDT 1.10.1/LCAS/LCMAPS installer?
     • LCAS/LCMAPS Inca test isn't included in a summary page. Are any gLite sites willing to be tested with the LCAS/LCMAPS Inca test?
     • Logging for LCAS/LCMAPS seems to be excessive: Can log level be reduced?
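
A configuration check for the user-ban setup described on slide 8, given as an added example that is not part of the original slides or of LCAS itself. The names lcas.db, lcas_userban.mod and ban_users.db come from the slide; the `pluginname=...,pluginargs=...` line layout, the one-quoted-DN-per-line ban list, exact-match comparison and the sample DN are assumptions constructed for illustration.

```python
import re

# Constructed samples. File and module names come from the slide; the
# "pluginname=...,pluginargs=..." and quoted-DN layouts are assumptions.
LCAS_DB = '''# constructed lcas.db
pluginname=lcas_userban.mod,pluginargs=ban_users.db
'''
LCAS_DB_DISABLED = '''# constructed lcas.db with the ban plugin commented out
#pluginname=lcas_userban.mod,pluginargs=ban_users.db
'''
BAN_FILES = {"ban_users.db": '''# constructed ban list, one subject DN per line
"/C=UK/O=eScience/OU=Example/CN=banned user"
'''}

PLUGIN_RE = re.compile(r'^pluginname=([^,\s]+)(?:,pluginargs=(.*))?$')

def active_lines(text):
    """Yield stripped lines, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def parse_lcas_db(text):
    """Return [(module, args)] for each active plugin line."""
    out = []
    for line in active_lines(text):
        m = PLUGIN_RE.match(line)
        if m:
            out.append((m.group(1), (m.group(2) or "").strip().strip('"')))
    return out

def parse_ban_list(text):
    """Return the set of banned subject DNs with surrounding quotes removed."""
    return {line.strip('"') for line in active_lines(text)}

def check_dn(lcas_db_text, files, dn):
    """Return 'banned', 'not-banned', 'ban-file-missing' or 'userban-not-enabled'."""
    for module, args in parse_lcas_db(lcas_db_text):
        if module == "lcas_userban.mod":
            if args not in files:
                return "ban-file-missing"
            return "banned" if dn in parse_ban_list(files[args]) else "not-banned"
    return "userban-not-enabled"

if __name__ == "__main__":
    dn = "/C=UK/O=eScience/OU=Example/CN=banned user"
    print(check_dn(LCAS_DB, BAN_FILES, dn))           # active plugin, DN listed
    print(check_dn(LCAS_DB_DISABLED, BAN_FILES, dn))  # plugin commented out
```

The two failure results are the ones worth alerting on: a ban list that exists but is never loaded because the plugin line is commented out, and a plugin line that points at a file that is not there.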
