Introduction

The Gridification subtask of WP4 of the European Datagrid project interfaces the local fabric to other middleware components by a number of services, among which the Local Centre Authorization Service (LCAS) handles authorization requests to the local computing fabric and the Local Credential Mapping Service (LCMAPS) provides all local credentials needed for jobs allowed into the fabric. This document describes LCAS, which is the first component released by the Gridification subtask.

In this release the LCAS is a shared library, which is loaded dynamically by the globus gatekeeper. The gatekeeper has been slightly modified for this purpose and will from now on be referred to as edg-gatekeeper.

In the future the LCAS will evolve into an AAA server and can be contacted by other components, e.g. by the Storage Element.

The authorization decision of the LCAS is based upon the users's certificate and the job specification in RSL (JDL) format. The certificate and RSL are passed to (plugin) authorization modules, which grant or deny the access to the fabric. Three standard authorization modules are provided by default:

• lcas_userallow.mod, a module that checks if the user is allowed on the fabric (currently the gridmap file is checked). More info ...
• lcas_userban.mod, a module that checks if the user should be banned from the fabric. More info ...
• lcas_timeslots.mod, a module that checks if the fabric is open at this time of the day for datagrid jobs. More info ...

All three modules get their information from simple configuration files: allowed_users.db ¹, ban_users.db and timeslots.db, respectively.

In addition a plugin is provided that decides if the user is authorized based on the VOMS (VO Membership Service) information stored in the user proxy X509 certificate:

• lcas_voms.mod. More info ...

This plugin is driven by a policy file, which can have different formats:

1. text file format (just a list of allowed VO-GROUP-ROLE combinations)
2. GACL format (GACL is an XML ACL language).
3. XACML format (generic XML authorization language). This format is not supported yet, but will be in the future.

From release 1.1 and higher, hooks are provided for external authorization plugin modules. These plugins will be delivered by other subsystems like for example the Resource Management subsystem in order to do accounting and quota checks (for users/roles) or the Storage Element (WP5) in order to check file access or to make storage reservations. An example plugin has been added to the LCAS distribution.

More information on the LCAS and other components of the Gridification subsystem can be found in:

• the WP4 architecture document D4.2: pdf version or doc version.
• the description of the LCAS API: here , PostScript file and PDF file.
• LCMAPS: http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/
• the README, INSTALL, and LICENSE files.

Footnotes

...allowed_users.db ¹

In this release (1.1.16) the gridmap file is used instead of allowed_users.db