SECURE_INFODIR_USER_ACCESS
Prevents users from viewing detailed information for jobs that belong to other users.
Syntax
SECURE_INFODIR_USER_ACCESS=Y | N | G
Description
The LSF primary administrator can always view job information for all users in the lsb.event and lsb.acct files, no matter what the setting:
- By default (SECURE_INFODIR_USER_ACCESS=N or not defined), any user can view detailed information for jobs that belong to other users in the lsb.event and lsb.acct files by using the bhist or bacct commands. Specify Y or G to restrict this access so that regular and administrator users see only their own job information.
- Specify SECURE_INFODIR_USER_ACCESS=Y to prevent all users except the primary administrator from accessing other users' job information with the bhist or bacct commands. To control how much information other users can see with the bjobs command, specify a value for the SECURE_JOB_INFO_LEVEL parameter in the lsb.params file. A regular user does not have rights to call the API to get data under LSB_SHAREDIR/cluster/logdir, which is readable only by the primary administrator. Regular and administrator users do not have rights to run bhist -t. Only the primary administrator has rights to run bhist -t.
- Specify SECURE_INFODIR_USER_ACCESS=G to prevent all users except the primary administrator from accessing other users' job information. To control how much information the bhist and bacct commands display, specify the SECURE_JOB_INFO_LEVEL and ENABLE_JOB_INFO_BY_ADMIN_ROLE parameters in the lsb.params file. A regular user does not have rights to call the API to get data under LSB_SHAREDIR/cluster/logdir, which is readable only by the primary administrator. Regular and administrator users do not have rights to run bhist -t. Only the primary administrator has rights to run bhist -t.
After you enable this feature by setting SECURE_INFODIR_USER_ACCESS to Y or G, you must set the setuid bit of the LSF primary administrator on the bhist and bacct binaries under LSF_BINDIR. When the setuid bit is set, bhist and bacct call mbatchd to check whether the parameter is set.
To disable this feature, set SECURE_INFODIR_USER_ACCESS to N, then remove the setuid bit from the bhist and bacct binaries under LSF_BINDIR to prevent bhist and bacct from calling mbatchd. When the feature is disabled, the permissions on LSB_SHAREDIR/cluster/logdir return to normal after you reconfigure mbatchd (by running badmin reconfig).
Note:
- This feature is only supported when LSF is installed on a file system that supports the setuid bit for files. Therefore, this feature does not work on Windows platforms.
- If LSB_LOCALDIR is enabled to duplicate LSB_SHAREDIR, LSB_LOCALDIR is also readable only by the primary administrator after setting SECURE_INFODIR_USER_ACCESS=Y.
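The enable and disable steps above leave an on-disk state that can be checked against the configured value. The following script is an added example, not part of the LSF product or its documentation. The function names and the four arguments (lsb.params path, LSF_BINDIR, the logdir path, primary administrator user) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not IBM's tooling): check that the on-disk state matches
# SECURE_INFODIR_USER_ACCESS. All four arguments are supplied by the caller:
# lsb.params path, LSF_BINDIR, the logdir path, primary administrator user.

# Print Y, N or G; N when the parameter is not defined (the documented default).
# Assumption of this sketch: if the line appears more than once, the last wins.
infodir_setting() {
    val=$(sed -n 's/^[[:space:]]*SECURE_INFODIR_USER_ACCESS[[:space:]]*=[[:space:]]*\([YNG]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-N}"
}

# Succeed if the file has the setuid bit and is owned by the given user.
is_setuid_owned_by() {
    [ -u "$1" ] && [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# Succeed if neither group nor other has the read bit on the directory.
readable_by_owner_only() {
    case $(ls -ld "$1" 2>/dev/null) in
        d???-??-??*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per mismatch; return 1 if any mismatch was found.
audit_infodir() {
    setting=$(infodir_setting "$1"); bad=0
    for b in bhist bacct; do
        f=$2/$b
        if [ "$setting" = N ]; then
            # Disabled: the setuid bit should have been removed again.
            if [ -u "$f" ]; then echo "$b: setting is N but the setuid bit is still set"; bad=1; fi
        elif ! is_setuid_owned_by "$f" "$4"; then
            echo "$b: setting is $setting but binary is not setuid to $4"; bad=1
        fi
    done
    if [ "$setting" != N ] && ! readable_by_owner_only "$3"; then
        echo "$3: readable by group or other while setting is $setting"; bad=1
    fi
    return "$bad"
}

# Run the audit only when called with all four arguments.
if [ "$#" -eq 4 ]; then audit_infodir "$@"; fi
```
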
Default
N