LSB_KRB_IMPERSONATE

Syntax

LSB_KRB_IMPERSONATE=Y | y | N | n

Description

Enables Kerberos user impersonation in the LSF cluster when user eauth with krb5 is enabled.

When set to Y, LSF changes the OS submission user on the job execution host to be the user in the Kerberos ticket (TGT) when external authentication is enabled (LSF_AUTH=eauth in the file lsf.conf). For example, if the OS submission user for LSF (userA) runs the kinit -r userB command to obtain a user TGT and then submits a job to LSF, the job submission user is userB, the Kerberos ticket user. LSF commands such as bjobs and bhist show that the submission user is userB.

LSF_AUTH=eauth must be set in the lsf.conf file for the LSB_KRB_IMPERSONATE parameter to take effect. Kerberos user impersonation requires eauth authentication in the LSF cluster.

After changing the value of this parameter, you must restart the LSF daemons for your changes to take effect.

Note: When Kerberos user impersonation is enabled, the following LSF commands work differently:
  • If the token user is not the OS submission user, commands that depend on OS file permissions (such as bpeek and brestart) do not work properly.
  • The ACL feature for the bacct and bhist commands is disabled to prevent other users from getting the LSF administrator token. To ensure that the commands remain secure, do not enable the setuid bit for the bacct and bhist executable files, and disable it if it is already set.
  • The lsrun command might behave inconsistently between running on local and remote hosts, because when an lsrun task is run on the local host, it does not go through eauth authorization.

Default

N. Kerberos user impersonation is disabled, and LSF does not change the OS submission user to the user in the Kerberos ticket.
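
The following audit script is an added example, not part of the LSF product or its documentation. It checks the two conditions stated above: that LSB_KRB_IMPERSONATE=Y is paired with LSF_AUTH=eauth, and that the bacct and bhist executable files do not carry the setuid bit. It assumes both parameters are read from the one configuration file passed as the first argument and that the directory holding the executables is passed as the second; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not IBM's code): audit the preconditions for LSB_KRB_IMPERSONATE.

# Print the last value assigned to parameter $2 in conf file $1, with quotes
# and trailing comments stripped; print nothing if the parameter is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_krb_impersonate CONF BINDIR  (both arguments are assumptions of this example)
# Returns 0 if the configuration is consistent, 1 if any finding is printed.
audit_krb_impersonate() {
    conf=$1; bindir=$2; rc=0
    imp=$(conf_value "$conf" LSB_KRB_IMPERSONATE)
    auth=$(conf_value "$conf" LSF_AUTH)
    case $imp in
        Y|y) ;;
        *) echo "OK: Kerberos user impersonation is disabled (default N)"; return 0 ;;
    esac
    if [ "$auth" != eauth ]; then
        echo "FINDING: LSB_KRB_IMPERSONATE=$imp has no effect, LSF_AUTH is '${auth:-unset}', not eauth"
        rc=1
    fi
    for cmd in bacct bhist; do
        if [ -u "$bindir/$cmd" ]; then
            echo "FINDING: setuid bit is set on $bindir/$cmd; clear it with chmod u-s"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: impersonation enabled, LSF_AUTH=eauth, no setuid bit on bacct or bhist"
    fi
    return "$rc"
}

# Constructed sample input: a throwaway lsf.conf plus empty stand-in files.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'LSF_AUTH=eauth' 'LSB_KRB_IMPERSONATE=Y' > "$d/lsf.conf"
    : > "$d/bacct"; : > "$d/bhist"
    chmod 4755 "$d/bhist"    # simulate a setuid bit left over from an earlier setup
    audit_krb_impersonate "$d/lsf.conf" "$d"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || true
```

Because the parameter only takes effect after the LSF daemons are restarted, a clean result describes the configuration file, not necessarily the running cluster.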