LCMAPS
Description
LCMAPS (Local Credential MAPping Service) acquires the local credentials (such as Unix user IDs) for Grid jobs that run on the local fabric. Like LCAS, LCMAPS supports plug-in modules.
There are two different module types: "acquisition" and "enforcement". The acquisition modules collect information on the credentials to be used for a particular request, but do not enforce these credentials. Such a separation is required because enforcing credentials, in particular uids and gids (i.e. calling setuid or setgid), may prevent other modules that need enhanced privileges from doing their task. Since the acquisition and enforcement of local credentials is a complex process, a new policy description language was designed to ease the configuration of this service for site administrators.
The following plug-in modules are provided with the system:
lcmaps_posix_enf.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_posix_enf.mod.html) will set the real and effective user and group ID for the current process. For fork-style grid jobs, this will then be the local account used for executing the user's job.
lcmaps_ldap_enf.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_ldap_enf.mod.html) will update a fabric-central user directory for userid and groupid information.
lcmaps_localaccount.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_localaccount.mod.html) maps the DN onto a local Unix account and group. This is a static mapping from the user's DN to a uid, based on a plain-text grid-mapfile.
lcmaps_poolaccount.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_poolaccount.html) maps a DN onto a pool account, using the account lease system as originally implemented in the gridmapfile (the PoolAccount/gridmapdir system developed by Andrew McNab) but extended so that a Unix group is also set.
lcmaps_voms.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_voms.mod.html) provides full VOMS support.
lcmaps_voms_localaccount.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_voms_localaccount.mod.html) maps VOMS groups, roles, and capabilities to a local account or to a pool account.
lcmaps_voms_localgroup.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_voms_localgroup.mod.html) maps VOMS groups, roles, and capabilities to a local group.
lcmaps_voms_poolgroup.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_voms_poolgroup.mod.html) maps VOMS groups, roles, and capabilities to a pool group (an extension of the pool account concept).
lcmaps_afs.mod (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/lcmaps_afs.mod.html) maps the DN onto local Kerberos and AFS tokens. This is carried out if, for example, the local home directory is on an AFS file system.
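The acquisition/enforcement split described above, sketched in C as an added example (not LCMAPS source code): a grid-mapfile lookup in the style of lcmaps_localaccount.mod changes no process state, and only afterwards does a POSIX enforcement step in the style of lcmaps_posix_enf.mod set the ids. The function names, sample DNs and accounts are constructed for illustration, and clearing the supplementary groups is an assumption that goes beyond what this page states.

```c
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample in grid-mapfile form: "DN" account */
static const char SAMPLE_MAP[] =
    "\"/O=Example/OU=Grid/CN=Alice Example\" alice\n"
    "\"/O=Example/OU=Grid/CN=Bob Example\" bob\n";

/* Acquisition (hypothetical helper): whole-DN lookup, changes no process state. */
int acquire_account(const char *map, const char *dn, char *out, size_t outlen)
{
    size_t dnlen = strlen(dn);
    for (const char *line = map; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* Match quote, DN, quote, space; a DN prefix must not match. */
        if (len > dnlen + 3 && line[0] == '"' && !strncmp(line + 1, dn, dnlen) &&
            line[dnlen + 1] == '"' && line[dnlen + 2] == ' ') {
            int n = snprintf(out, outlen, "%.*s", (int)(len - dnlen - 3), line + dnlen + 3);
            return (n >= 0 && (size_t)n < outlen) ? 0 : -1; /* reject truncation */
        }
        line += len + (eol ? 1 : 0);
    }
    return -1; /* unmapped DN: fail closed */
}

/* Enforcement (hypothetical helper): irreversible, so it runs after acquisition. */
int enforce_posix(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1; /* shed root's groups */
    if (setgid(gid) != 0) return -1; /* gid first: not permitted once uid is dropped */
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must not be regainable */
    return 0;
}

int main(void)
{
    char acct[64];
    const char *dn = "/O=Example/OU=Grid/CN=Alice Example";
    if (acquire_account(SAMPLE_MAP, dn, acct, sizeof acct) != 0) return 1;
    struct passwd *pw = getpwnam(acct); /* lookups finish before any id change */
    if (!pw) { printf("%s: no such local account\n", acct); return 0; }
    return enforce_posix(pw->pw_uid, pw->pw_gid) != 0;
}
```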
The LCMAPS software documentation is located here (http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html); see also the LCAS page.
(David Groep, Nikhef)
