esecurity.json

Use the esecurity.json file to additionally secure LSF Web Services access through IP addresses and users.

Location

The esecurity.json file is located in the $LWS_TOP/conf directory.

Description

The esecurity.json file secures LSF Web Services access. The security settings in this file are in addition to the general security provided in the lws.conf configuration file; this file only takes effect if you have set ENHANCED_SECURITY="Y" in the lws.conf file.

Use it to define the IP addresses and users that can access LSF Web Services, and to block those whose access you want to restrict. You can also use this file to control how long users can access LSF Web Services, through authentication token time to live values.

Format and structure

The esecurity.json file is a JSON array in plain text format. Each element in the JSON array is a JSON object that contains three fields. For example:
{
        "addresses" : [
            "0.0.0.0/0"
        ],
        "users" : [],
        "ttl" : 86400
}
Each JSON object contains these fields:
addresses
Required field. The IP addresses that are allowed to initiate requests to LSF Web Services. Specify a JSON array of strings. Each string must be in CIDR format to represent an IP address range (for example, 9.200.56.141/32). Specifying 0.0.0.0/0 represents any IP address. An empty array blocks the users listed in the users field from accessing LSF Web Services from anywhere.

LSF Web Services only allows users defined in the users field to initiate requests to LSF Web Services from IP addresses defined in the addresses field.

users
Required field. The users that are allowed to initiate requests to LSF Web Services. Specify a JSON array of strings. Wildcard characters (such as *) are not supported. An empty array represents the default settings for any user not defined in this file.

LSF Web Services only allows users defined in the users field to initiate requests to LSF Web Services from IP addresses defined in the addresses field.

ttl
Optional field. Only applicable if OAuth2 integration is disabled.
Note: Token time to live only takes effect when OAuth2 integration is not enabled; therefore, the value of the ttl field defined in this esecurity.json file only takes effect when the ENABLE_OAUTH parameter is not set to true in the OAUTH2 PARAMETERS section of the lws.conf file.
The authentication token's time to live (TTL), in seconds, for the specified users, to control the amount of time that users have to use LSF Web Services. Specify a positive number between 300 and 9223372036854775. The default value of this field is 86400 seconds (the equivalent of one day).

When a user logs on to LSF Web Services, LSF Web Services generates a token with the time to live value defined in the ttl field for that user. Changes to the ttl field do not affect existing tokens.

If a user is defined in multiple places, LSF Web Services generates the token with the minimum of those time to live values.

Examples

Allow only users u1 and u2 to access LSF Web Services from IP addresses 9.200.56.141 and 9.30.199.99, with a token time to live of 3600 seconds for both users. All other users are not allowed to access LSF Web Services from any IP address:
[
    {
        "addresses" : [
            "9.200.56.141/32",
            "9.30.199.99/32"
        ],
        "users" : ["u1","u2"],
        "ttl" : 3600
    }
]
Allow only users u1 and u2 to access LSF Web Services from the IP address ranges 9.200.56.0 to 9.200.56.255 and 9.30.199.0 to 9.30.199.255, with a token time to live of 3600 seconds for both users. All other users are not allowed to access LSF Web Services from any IP address:
[
    {
        "addresses" : [
            "9.200.56.1/24",
            "9.30.199.1/24"
        ],
        "users" : ["u1","u2"],
        "ttl" : 3600
    }
]
Allow only users u1 and u2 to access LSF Web Services from anywhere, with a token time to live of 3600 seconds for both users. All other users are not allowed to access LSF Web Services from any IP address:
[
    {
        "addresses" : [
            "0.0.0.0/0"
        ],
        "users" : ["u1","u2"],
        "ttl" : 3600
    }
]
Allow only users u1 and u2 to access LSF Web Services from IP address 9.200.56.141, with a token time to live of 3600 seconds for both users. All other users can access LSF Web Services from IP address 9.30.199.99, with a token time to live of 86400 seconds for all users:
[
    {
        "addresses" : [
            "9.200.56.141/32"
        ],
        "users" : ["u1","u2"],
        "ttl" : 3600
    },
    {
        "addresses" : [
            "9.30.199.99/32"
        ],
        "users" : [],
        "ttl" : 86400
    }
]
Allow only users u1 and u2 to access LSF Web Services from IP address 9.200.56.141, with a token time to live of 3600 seconds for both users. Block users u3 and u4 from accessing LSF Web Services from anywhere. All other users can access LSF Web Services from IP address 9.30.199.99, with a token time to live of 86400 seconds for all users:
[
    {
        "addresses" : [
            "9.200.56.141/32"
        ],
        "users" : ["u1","u2"],
        "ttl" : 3600
    },
    {
        "addresses" : [
            "9.30.199.99/32"
        ],
        "users" : [],
        "ttl" : 86400
    },
    {
        "addresses" : [],
        "users" : ["u3","u4"]
    }
]
Allow only users u1, u2, and u3 to access LSF Web Services from IP address 9.200.56.141, with a token time to live of 3600 seconds for all users. Also allow user u3 to access LSF Web Services from IP address 9.30.199.99, still with a token time to live of 3600 seconds: because u3 is defined in both entries, the minimum of the two ttl values (3600 and 99999) applies. All other users are not allowed to access LSF Web Services from any IP address:
[
    {
        "addresses" : [
            "9.200.56.141/32"
        ],
        "users" : ["u1","u2","u3"],
        "ttl" : 3600
    },
    {
        "addresses" : [
            "9.30.199.99/32"
        ],
        "users" : ["u3"],
        "ttl" : 99999
    }
]
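
A way to lint and dry-run a policy before deploying it, as an added example that is not IBM's code: it models the rules described on this page (named users, the empty users default, empty addresses blocks, minimum TTL). The function names, the merged sample policy, and the handling of a user who appears in both an allow entry and a block entry (the block entry simply contributes no addresses) are assumptions.

```python
import ipaddress
import json

DEFAULT_TTL = 86400                        # documented default, seconds
TTL_MIN, TTL_MAX = 300, 9223372036854775   # documented range

def _net(cidr):
    # strict=False tolerates host bits, as in the page's "9.200.56.1/24"
    return ipaddress.ip_network(cidr, strict=False)

def validate(policy):
    """Return a list of problems in a parsed esecurity.json array."""
    problems = []
    for i, entry in enumerate(policy):
        for field in ("addresses", "users"):
            if not isinstance(entry.get(field), list):
                problems.append(f"entry {i}: '{field}' must be an array")
        for cidr in entry.get("addresses") or []:
            try:
                if "/" not in cidr:
                    raise ValueError("no prefix length")
                _net(cidr)
            except (ValueError, TypeError):
                problems.append(f"entry {i}: '{cidr}' is not CIDR")
        if any("*" in u for u in entry.get("users") or []):
            problems.append(f"entry {i}: wildcard in 'users'")
        ttl = entry.get("ttl", DEFAULT_TTL)
        if not isinstance(ttl, int) or not TTL_MIN <= ttl <= TTL_MAX:
            problems.append(f"entry {i}: ttl {ttl!r} out of range")
    return problems

def evaluate(policy, user, ip):
    """Return (allowed, ttl) for a user and source IP under the modelled rules."""
    named = [e for e in policy if user in e["users"]]
    # An empty users array is the default for users not named anywhere.
    entries = named or [e for e in policy if not e["users"]]
    addr = ipaddress.ip_address(ip)
    if not any(addr in _net(c) for e in entries for c in e["addresses"]):
        return False, None
    # A user defined in several entries gets the minimum TTL among them.
    return True, min(e.get("ttl", DEFAULT_TTL) for e in entries)

# The page's last two examples merged into one constructed policy.
POLICY = json.loads("""[
  {"addresses": ["9.200.56.141/32"], "users": ["u1", "u2", "u3"], "ttl": 3600},
  {"addresses": ["9.30.199.99/32"],  "users": ["u3"], "ttl": 99999},
  {"addresses": ["9.30.199.99/32"],  "users": [], "ttl": 86400},
  {"addresses": [], "users": ["u4"]}
]""")
```

Run validate() on the parsed file first, then call evaluate() for each user and source address you expect to be allowed or denied, and compare the results with your intent before enabling ENHANCED_SECURITY="Y".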