Applying job access control in LSF to protect information privacy

 

By default, everyone with access to the LSF cluster can query all job information. This default behavior is not desirable when individual users or project groups need to protect information privacy. This is particularly important in a shared environment, for instance, an HPC data center. In this context, cluster resources are open to projects from different organizations to maximize resource utilization, but different people or project groups may not want others to see what they are doing and how they are running their workloads. Information privacy is also important in the internal cluster environments of some commercial customers. For example, internal policies may not allow contractors to access any internal workload information, since that same contractor may also work for competitors.

 

The following requirements are often raised:

• Individual users only have rights to access their own job information from command line tools
• Project leaders should only be able to access workload information from their managed projects
• All users working on the same project should be able to access the workload information of their peers

The LSF Access Control Level (ACL) feature addresses these needs. The feature is available from LSF 9.1.2 release. It supports different levels of access control in job information query.  Here are two examples to demonstrate how to use this feature:

Example 1:

Configure access controls so that users can access their own job information, while user group administrators are allowed to access group job information for their group,

1. Configure parameters in lsb.params:

SECURE_JOB_INFO_LEVEL=4

This setting will put constraint on all users to only allow them to access their own job information.

ENABLE_JOB_INFO_BY_ADMIN_ROLE=usergroup

This setting will allow user group administrators to access job information of his/her own group.

2: Run badmin reconfig to reconfigure LSF.

3: Run bparams -a to see that the parameter has taken effect.

 

After changing the configuration, a users can only see their own job information. They cannot access job information for other users.

 

For example, both jack and mike are regular users, and susan is their leader. Users jack and mike can only see their own jobs, but user susan can see everyone's job information:

 

[jack@host1]# bjobs -u all JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME 337     jack    PEND  normal     host1                   *eep 12345 Jun  9 15:15   <mike@host1> bjobs -u all JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME 338     mike    RUN   normal     host1       host1       sleep 123  Jun  9 15:36   susan@host1: bjobs -u all JOBID   USER    STAT  QUEUE      FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME 337     jack    PEND  normal     host1                   *eep 12345 Jun  9 15:15 338     mike    RUN   normal     host1       host1       sleep 123  Jun  9 15:36

 

Example 2:

Make job history information access under control:

1: Configure the following parameter in lsb.params

SECURE_INFODIR_USER_ACCESS=Y

2: Run badmin mbdrestart to restart mbatchd:

3: Run bparams -a to see that that the parameter has taken effect.

4: Run chmod u+s to make the binaries bhist and bacct setuid for the LSF primary administrator.

 

# ls -l bhist bacct -rwxr-xr-x 1 lsfadmin lsf 2958368 Nov 28  2013 bacct* -rwxr-xr-x 1 lsfadmin lsf 3072216 Nov 28  2013 bhist* # chmod u+s bhist bacct # ls -l bhist bacct -rwsr-xr-x 1 lsfadmin lsf 2958368 Nov 28  2013 bacct* -rwsr-xr-x 1 lsfadmin lsf 3072216 Nov 28  2013 bhist*

bhist and bacct can now only be used by users to query their own job information. Only the LSF primary administrator can query all job history information.

The LSF ACL feature supports 5 different levels of control for job information. For different administrator roles in job information access, the feature also supports queue and cluster administrators. See the IBM Platform LSF Configuration Reference for more information.