Applying job access control in IBM® Spectrum LSF to protect information privacy

The LSF access control level (ACL) feature supports different levels of access control in job information queries.

About this task

By default, everyone with access to the LSF cluster can query all job information. This default behavior is not desirable when individual users or project groups need to protect information privacy. This is particularly important in a shared environment, for instance, an HPC data center. In this context, cluster resources are open to projects from different organizations to maximize resource utilization, but different people or project groups may not want others to see what they are doing and how they are running their workloads. Information privacy is also important in the internal cluster environments of some commercial customers. For example, internal policies may not allow contractors to access any internal workload information, since that same contractor may also work for competitors.

The following requirements are often raised:

  • Individual users only have rights to access their own job information from command line tools
  • Project leaders should only be able to access workload information from their managed projects
  • All users working on the same project should be able to access the workload information of their peers

The LSF access control level (ACL) feature addresses these needs. The feature is available from LSF 9.1.2 release. It supports different levels of access control in job information query. The following examples demonstrate how to use this feature.

Example 1: Job information

About this task

Configure access controls so that users can access their own job information, while user group administrators are allowed to access group job information for their group.

Procedure

  1. Configure parameters in the lsb.params file. 
    SECURE_JOB_INFO_LEVEL=4

    This setting puts constraints on all users to only allow them to access their own job information.

    ENABLE_JOB_INFO_BY_ADMIN_ROLE=usergroup

    This setting allows user group administrators to access job information of their own groups.

  2. Run the badmin reconfig command to reconfigure LSF.
  3. Run the bparams -a command to verify that the parameter took effect.

Results

After changing the configuration, a users can only see their own job information. They cannot access job information for other users.

Example

For example, both jack and mike are regular users, and susan is their leader. Users jack and mike can only see their own jobs, but user susan can see everyone's job information:

[jack@host1]# bjobs -u all
JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME
337     jack    PEND  normal     host1                   *eep 12345 Jun  9 15:15

<mike@host1> bjobs -u all
JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME
338     mike    RUN   normal     host1       host1       sleep 123  Jun  9 15:36

susan@host1: bjobs -u all
JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME
337     jack    PEND  normal     host1                   *eep 12345 Jun  9 15:15
338     mike    RUN   normal     host1       host1       sleep 123  Jun  9 15:36

Example 2: Job history information

About this task

Control users' access to job history information.

Procedure

  1. Enable the SECURE_INFODIR_USER_ACCESS parameter in the lsb.params file. 
    SECURE_INFODIR_USER_ACCESS=Y
  2. Run badmin mbdrestart to restart mbatchd.
  3. Run bparams -a to verify that the parameter took effect.
  4. Run chmod u+s to enable the setuid bits on the bhist and bacct executable files for the LSF primary administrator. 
    # ls -l bhist bacct
-rwxr-xr-x 1 lsfadmin lsf 2958368 Nov 28  2022 bacct*
-rwxr-xr-x 1 lsfadmin lsf 3072216 Nov 28  2022 bhist*
# chmod u+s bhist bacct
# ls -l bhist bacct
-rwsr-xr-x 1 lsfadmin lsf 2958368 Nov 28  2022 bacct*
-rwsr-xr-x 1 lsfadmin lsf 3072216 Nov 28  2022 bhist*

Results

bhist and bacct can now only be used by users to query their own job information. Only the LSF primary administrator can query all job history information.

The LSF ACL feature supports five different levels of control for job information. For different administrator roles in job information access, the feature also supports queue and cluster administrators. See the IBM Spectrum LSF Configuration Reference for more information.