LCAS
From SysadminWiki
Description
LCAS (Local Centre Authorization Service) is a site-local service that can authorise users based on their name, their VO affiliation, and the resources requested. Different independent authorisation modules may be plugged-in, thus creating a flexible system. The plug-in framework enables multiple modules to collectively grant or deny access to the resource. The decision is based on the requested resources, the identity of the requestor, and the authorisation credentials presented by the end-user in the proxy certificate. A basic policy language allows selection of which authorisation plug-ins are to be invoked, and the access decision is the logical "and" of the answers of the individual plug-ins.
By default the following plug-ins are provided as part of the LCAS system:
lcas_userallow.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcas_apidoc/html/lcas_userallow.mod.html) inspects a list of DNs of users allowed to access the system.
lcas_userban.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcas_apidoc/html/lcas_userban.mod.html) inspects a list of DNs of users banned from using the system.
lcas_timeslots.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcas_apidoc/html/lcas_timeslots.mod.html) regulates the access hours of the system.
lcas_voms.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcas_apidoc/html/lcas_voms.mod.html) compares VOMS attribute assertions against a site-local access control list.
The LCAS API documentation is located here (http://www.nikhef.nl/grid/lcaslcmaps/lcas_apidoc/html); see also the LCMAPS page.
HowTos
Using LCAS is pretty easy: each of the modules basically reads an input file, normally located in the ROOT_INSTALL/etc/lcas directory. In an LCG installation ROOT_INSTALL=/opt/edg and in a gLite installation ROOT_INSTALL=/opt/glite. The input file names end with the extension .db, and the naming scheme makes it clear which .db file corresponds to which plug-in. In the same directory you will also find .db.in files, which are just templates. LCAS reads which plug-ins to call, and with what arguments, from ROOT_INSTALL/etc/lcas/lcas.db. If you have a YAIM installation the initial .db files are created by the config_lcas function.
HowTo ban a user
By default any user is allowed. To ban a user simply add his/her certificate DN to ROOT_INSTALL/etc/lcas/ban_users.db.
For example, to ban the user Mickey Mouse, add the line:
"/DC=com/DC=disney/OU=Cartoon/CN=Mickey Mouse"
HowTo close a site using time slots
You can stop jobs coming to your site using ROOT_INSTALL/etc/lcas/timeslots.db. This is not an official way of closing a site; it can be used either as a drastic measure to stop ALL jobs immediately, or instead of closing the batch queues after you have drained them. The advantage of this method compared to closing the queues is that the jobs are blocked at authentication level and not at batch system level, typically cutting the rejection time from more than 1 minute to about 0.5 seconds (tested with Globus job submission). To close the site, simply comment out the line:
* * * * * * 0-0 23-24 * * * *
(added by YAIM in a typical installation) and replace it with
0-0 0-0 0-0 0-0 0-0 0-0
If you have a more complicated timeslots.db make sure you save a copy before touching anything.
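To make the plug-in logic concrete, here is a small Python model of the two input files used above (ban_users.db and timeslots.db) and of LCAS's logical-AND access decision. It is an added example, not LCAS's own code, and it assumes the timeslots.db field order minute hour mday month year wday with inclusive ranges, '*' as a wildcard and '#' comments, none of which this page states; the sample file contents are constructed.

```python
import re
from datetime import datetime
# Constructed sample LCAS input files, embedded inline (not taken from a real site).
BAN_USERS_DB = '''# ban_users.db: one quoted certificate DN per line
"/DC=com/DC=disney/OU=Cartoon/CN=Mickey Mouse"
'''
TIMESLOTS_OPEN = "* * * * * *\n"                # every field a wildcard: always open
TIMESLOTS_CLOSED = "0-0 0-0 0-0 0-0 0-0 0-0\n"  # the "close the site" line from the page

def _config_lines(text):
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_ban_users(text):
    """lcas_userban.mod input: the set of banned DNs, surrounding quotes removed."""
    return {line.strip('"') for line in _config_lines(text)}

def parse_timeslots(text):
    """Six fields per line, assumed order minute hour mday month year wday; '*' or lo-hi."""
    slots = []
    for line in _config_lines(text):
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
        slot = []
        for field in fields:
            m = re.fullmatch(r"(\d+)-(\d+)", field)
            if field != "*" and not m:
                raise ValueError(f"bad timeslot field {field!r} in {line!r}")
            slot.append(None if field == "*" else (int(m[1]), int(m[2])))
        slots.append(slot)
    return slots

def userban_allows(dn, banned):
    return dn not in banned

def timeslots_allows(slots, when=None):
    """Allowed if the request time (default: now) falls inside at least one slot."""
    when = when or datetime.now()
    wday = (when.weekday() + 1) % 7  # 0 = Sunday (assumed cron-style numbering)
    values = (when.minute, when.hour, when.day, when.month, when.year, wday)
    return any(all(r is None or r[0] <= v <= r[1] for v, r in zip(values, slot))
               for slot in slots)

def lcas_decision(dn, banned, slots, when=None):
    """The access decision is the logical AND of the individual plug-in answers."""
    return userban_allows(dn, banned) and timeslots_allows(slots, when)
```

With the "closed" line from this page every field is 0-0, so no real date (day-of-month is never 0) can match and every request is rejected, whatever the user's DN.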
