Difference between revisions of "LCAS"
| m (→User Guide) | m (→User Guide) | ||
| Line 13: | Line 13: | ||
|   pluginname=lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir/ -certdir /etc/grid-security/certificates/ -authfile /etc/grid-security/grid-mapfile -authformat simple -use_user_dn" |   pluginname=lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir/ -certdir /etc/grid-security/certificates/ -authfile /etc/grid-security/grid-mapfile -authformat simple -use_user_dn" | ||
| − | When used with a service that can provide arguments to LCAS, the location of the file can be changes. Otherwise, the build-in default must be used (for example in the GT4 callout). Others, like [gLExec], can make the configuration for LCAS explicit: | + | When used with a service that can provide arguments to LCAS, the location of the file can be changes. Otherwise, the build-in default must be used (for example in the GT4 callout). Others, like [[gLExec]], can make the configuration for LCAS explicit: | 
|   lcas_db_file                 = /opt/glite/etc/lcas/lcas-glexec.db |   lcas_db_file                 = /opt/glite/etc/lcas/lcas-glexec.db | ||
|   lcas_log_file                = /var/log/glexec/lcas_lcmaps.log |   lcas_log_file                = /var/log/glexec/lcas_lcmaps.log | ||
Revision as of 14:22, 26 March 2009
The Local Centre Authorization Service. This component makes binary ('yes' or 'no') authorization decisions at the site and resource level. In making this decision, it can use a variety of inputs: the 'grid' name of the user (the Subject Distinguished Name), any VO attributes the user has (like VOMS (https://twiki.cnaf.infn.it/cgi-bin/twiki/view/VOMS) FQANs), the name of the executable the user intends to execute. It supports basic black and white list functionality, but also more complex VOMS-based expressions, based on the GACL (http://www.gridpp.ac.uk/authz/gacl/) language.
User Guide
The configuration file, /opt/glite/etc/lcas/lcas.db by default, contains the list of plugins to be executed. A positive 'allow' decision is only reached if all modules allow the user (it's a simple logical AND). An example configuration file might be
# LCAS database/plugin list # # Format of each line: # pluginname="<name/path of plugin>", pluginargs="<arguments>" # pluginname=lcas_userban.mod,pluginargs=ban_users.db pluginname=lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir/ -certdir /etc/grid-security/certificates/ -authfile /etc/grid-security/grid-mapfile -authformat simple -use_user_dn"
When used with a service that can provide arguments to LCAS, the location of the file can be changes. Otherwise, the build-in default must be used (for example in the GT4 callout). Others, like gLExec, can make the configuration for LCAS explicit:
lcas_db_file = /opt/glite/etc/lcas/lcas-glexec.db lcas_log_file = /var/log/glexec/lcas_lcmaps.log lcas_debug_level = 0 lcas_log_level = 1
If you want to use LCAS with GT4, use the AuthZ call out, configured in /etc/grid-security/gsi-authz.conf:
globus_mapping /opt/glite/lib/liblcas_lcmaps_gt4_mapping_gcc32.so lcmaps_callout
Plug in modules
- userallow.mod
- userban.mod
- voms.mod
- timeslots.mod
- the most useless plugin ever
- check_executable.mod
- restrict the user in the programs that can be invoked
Installation
LCAS is usually (dynamically) linked to your service or application. It is shipped by default with all gLite versions, but can also be installed from the etics repository. On a, say, GT4 gatekeeper node, or a GT GridFTP server, you might find:
glite-security-lcas-1.3.7-2.slc4 glite-security-lcas-interface-1.3.6-3.slc4 glite-security-lcas-lcmaps-gt4-interface-0.0.14-2.slc4 glite-security-lcas-plugins-basic-1.3.2-3.slc4 glite-security-lcas-plugins-check-executable-1.2.1-3.slc4 glite-security-lcas-plugins-voms-1.3.4-5.slc4
Developer Guide
The details of most modules (except check-executable) are available here.
