Setting job information access control
There are three parameters available in lsb.params that allow you to control access to job information: SECURE_JOB_INFO_LEVEL, ENABLE_JOB_INFO_BY_ADMIN_ROLE, and SECURE_INFODIR_USER_ACCESS.
Controlling jobs a user can see
The parameter SECURE_JOB_INFO_LEVEL in lsb.params allows you to control which jobs any user (including administrators other than the primary administrator) can see information for. A value between 0 and 4 is defined, with 0 being no security and 4 being the highest security.
When a user or administrator enters one of the commands to see job information (bjobs, bjdepinfo, bread, or bstatus; also bacct and bhist if SECURE_INFODIR_USER_ACCESS=G), the SECURE_JOB_INFO_LEVEL parameter controls what they see. The following table describes the type of job information that can be viewed by a user with each security level.
| Security Level | User’s Own Job | Same User Group Job Summary Info | Same User Group Job Detail Info | All Other Jobs’ Summary Info | All Other Jobs’ Detail Info |
|---|---|---|---|---|---|
| 0 | Y | Y | Y | Y | Y |
| 1 | Y | Y | Y | Y | |
| 2 | Y | Y | Y | | |
| 3 | Y | Y | | | |
| 4 | Y | | | | |
| 5 | Y | Y | Y |
- If SECURE_JOB_INFO_LEVEL is set to a level greater than 0, LSF checks if SECURE_INFODIR_USER_ACCESS is enabled (set to Y or G). If it is not enabled, access to bjobs functions will be restricted, but access to bhist / bacct will be available.
- When using the LSF multicluster capability, the SECURE_JOB_INFO_LEVEL definition still applies when a user attempts to view job information from a remote cluster through the bjobs -m remotecluster command. The security level configuration of a specified cluster will take effect.
Enabling administrator rights to job information
By default, an administrator’s access to job details is determined by the setting of SECURE_JOB_INFO_LEVEL, the same as a regular user. The parameter ENABLE_JOB_INFO_BY_ADMIN_ROLE in lsb.params allows you to grant user group, queue, and cluster administrators the right to access job detail information for jobs in the user groups, queues, and clusters they manage, even when the administrator has no right based on the configuration of SECURE_JOB_INFO_LEVEL.
When an administrator enters one of the commands to see job information (bjobs, bjdepinfo, bread, or bstatus; also bacct and bhist if SECURE_INFODIR_USER_ACCESS=G), the ENABLE_JOB_INFO_BY_ADMIN_ROLE definition controls whether they see job detail information about jobs in their user group, queue or cluster that they manage.
The parameter may be set with any combination of the values usergroup, queue, or cluster.
Preventing users from viewing jobs that belong to other users
The parameter SECURE_INFODIR_USER_ACCESS in lsb.params allows you to control whether regular and administrator users (except the primary admin) can see other users’ jobs when using the bhist or bacct command.
If enabled (defined as Y), regular users and administrators can view only their own job information when using the bhist or bacct command, but you can control the granularity of the bjobs command to specify the information that other users can see by specifying a value for the SECURE_JOB_INFO_LEVEL parameter in the lsb.params file. LSB_SHAREDIR/cluster/logdir will be readable only by the primary administrator.
If enabled with increased granularity (defined as G), regular users and administrators can normally view only their own job information when using the bhist or bacct commands, but you can control the granularity of these commands to specify the information that other users can see by specifying a value for the SECURE_JOB_INFO_LEVEL parameter in the lsb.params file. LSB_SHAREDIR/cluster/logdir will be readable only by the primary administrator.
When disabled (defined as N), access to read LSB_SHAREDIR/cluster/logdir returns to default after an mbatchd restart or reconfig.
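The following audit script is an added example, not part of the LSF documentation or product code. It reads the three parameters from an lsb.params text and reports what regular users can view, plus the gap noted above where SECURE_JOB_INFO_LEVEL is raised but bhist and bacct stay open. Assumptions: parameters sit between Begin Parameters and End Parameters as KEY = VALUE lines, unset values default to 0 and N, the admin role list is space-separated, and only the level 0 to 4 rows of the table are modelled.

```python
import re

# Table rows for levels 0-4: columns a regular user may view at each level.
COLUMNS = ["own", "group_summary", "group_detail", "other_summary", "other_detail"]
VISIBLE = {level: COLUMNS[:5 - level] for level in range(5)}
ADMIN_ROLES = {"usergroup", "queue", "cluster"}

def parse_params(text):
    """Return KEY -> value for lines inside Begin Parameters / End Parameters."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if re.fullmatch(r"Begin\s+Parameters", line, re.I):
            inside = True
        elif re.fullmatch(r"End\s+Parameters", line, re.I):
            inside = False
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit(text):
    """Return (visible_columns, admin_roles, findings) for one lsb.params text."""
    p = parse_params(text)
    level = int(p.get("SECURE_JOB_INFO_LEVEL", "0"))            # assumed default
    infodir = p.get("SECURE_INFODIR_USER_ACCESS", "N").upper()  # assumed default
    # Assumption: roles are separated by whitespace.
    roles = set(p.get("ENABLE_JOB_INFO_BY_ADMIN_ROLE", "").lower().split())
    findings = []
    if level not in VISIBLE:
        findings.append(f"level {level} is outside the 0-4 rows modelled here")
    if level > 0 and infodir not in ("Y", "G"):
        findings.append("bjobs is restricted but bhist/bacct remain available")
    if roles - ADMIN_ROLES:
        findings.append(f"unknown admin role(s): {sorted(roles - ADMIN_ROLES)}")
    if level > 0 and roles & ADMIN_ROLES:
        findings.append(f"{sorted(roles & ADMIN_ROLES)} admins keep job detail access")
    return VISIBLE.get(level), sorted(roles), findings

# Constructed sample, not a real cluster's configuration.
SAMPLE = """\
Begin Parameters
SECURE_JOB_INFO_LEVEL = 3          # own jobs + same-group summary
ENABLE_JOB_INFO_BY_ADMIN_ROLE = usergroup queue
# SECURE_INFODIR_USER_ACCESS = Y
End Parameters
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Uncommenting SECURE_INFODIR_USER_ACCESS in the sample clears the bhist/bacct finding and leaves only the note about administrator roles.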