Monday, February 25, 2008

To VOMS or not to VOMS? That is the question (for LCMAPS...)

Our advice to local users of the cluster has traditionally been not to use VOMS credentials. This ensures that the batch system maps them to their local account rather than to a pool account derived from their VOMS attributes (mappings to local accounts are maintained in the grid-mapfile-local file). In the default LCMAPS configuration, VOMS pool-account mappings are attempted before the grid-mapfile, which is now just a fallback.

However, I could not simply reverse the order of the LCMAPS plugins as this would undo all the good which VOMS brings and move everyone back to a single fixed or pool account mapping no matter what their VOMS credentials (this would probably have affected me worse than anyone as I flit between atlas, atlas/Role=production, and dteam!).

So, for local users grid-proxy-init seemed to be the way to go, even if I knew this would come back and be a problem later. However, later became earlier as soon as I started to test the gLite-WMS - here it turns out you must use a VOMS proxy. Simple grid proxies just don't work anymore.

Finally, puzzling over the very poor LCMAPS documentation, and staring at the configuration script I managed to solve the problem by:

  1. First running a local account plugin against a grid-mapfile which only contains our local user accounts.
  2. Then running the VOMS plugins as usual.
  3. Finally, running the grid-mapfile plugin, against the usual /etc/grid-security/grid-mapfile.

This was almost too easy to be true - and indeed it turns out not to be quite that simple, because you hit a bug in LCMAPS: a module cannot be used twice, so having lcmaps_localaccount.mod in the configuration twice is not possible. However, it turns out that one can do it if the module is physically copied and renamed. This works, so we now have an lcmaps_localaccount.mod and an lcmaps_localuseraccount.mod - exactly the same bytes, different names! (To be strictly accurate we have two copies of, to which these links point.)

And, in the end, I was able to keep myself out of the local user grid-mapfile, so I have the full array of VOMS roles for myself, while the local users are cosily tucked up in their local account areas.
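To make the three-step ordering concrete, here is an illustrative lcmaps.db policy that is not the post's own file: the module paths, flag names and file locations are assumed from the standard gLite LCMAPS plugin set, and /etc/grid-security/grid-mapfile-local is assumed to hold only the local users' DNs.

```text
# Illustrative lcmaps.db (added example, not the post's real configuration).
# Module path and plugin flags are assumed from the standard gLite LCMAPS set.
path = /opt/glite/lib/modules

# Step 1: the renamed copy of lcmaps_localaccount.mod, run only against the
# mapfile that contains the local user accounts.
localuseraccount = "lcmaps_localuseraccount.mod -gridmapfile /etc/grid-security/grid-mapfile-local"

# Step 2: the usual VOMS plugins.
vomsextract     = "lcmaps_voms.mod -vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates"
vomslocalgroup  = "lcmaps_voms_localgroup.mod -groupmapfile /etc/grid-security/groupmapfile -mapmin 0"
vomspoolaccount = "lcmaps_voms_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile -gridmapdir /etc/grid-security/gridmapdir"

# Step 3: the ordinary grid-mapfile as the final fallback.
localaccount    = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount     = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile -gridmapdir /etc/grid-security/gridmapdir"
posix_enf       = "lcmaps_posix_enf.mod -maxuid 1 -maxpgid 1 -maxsgid 32"

# Policy rules read "a -> b | c": run b if a succeeds, c if it fails.
# A local user matches in step 1 and is enforced immediately, so the VOMS
# pool-account step never sees them. Everyone else goes through VOMS first
# and only falls back to the plain grid-mapfile if no VOMS mapping applies,
# which is also what a plain grid-proxy-init credential ends up doing.
withvoms:
localuseraccount -> posix_enf | vomsextract
vomsextract      -> vomslocalgroup | localaccount
vomslocalgroup   -> vomspoolaccount | localaccount
vomspoolaccount  -> posix_enf | localaccount
localaccount     -> posix_enf | poolaccount
poolaccount      -> posix_enf
```

The left-hand names are the aliases by which LCMAPS refers to each plugin; as a comment on this post points out, giving the same .mod file two different aliases may be enough on its own, which would avoid the copied module.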


Oscar said...

Hi, I just want to comment that it's a feature not a bug that you can't run the same plugin twice ;-)

Internally in LCMAPS it looking up the plugins by their names, if I'm not mistaken the aliases only.

Try this again with the same plugin, but with a different alias in the definition area of the lcmaps.db file.

David said...

Since this post was written, the documentation was overhauled completely and now features more examples and explanations of why things work the way they do. Please have a look at for LCMAPS specific documentation. The overall documentation of the current Site Access Control suite (LCAS, LCMAPS, gLExec and upcoming products such as the EES) can always be found at

Any questions (as well as suggestions of course!) are always welcome at grid-mw-security .at., or via the gLite support channels.

Enjoy! DavidG.

Graeme Stewart said...

Great - I've bookmarked. Thanks, David.