lsf.sudoers

About lsf.sudoers

The lsf.sudoers file is an optional file to configure security mechanisms. It is not installed by default.

You use lsf.sudoers to set the parameter LSF_EAUTH_KEY to configure a key for eauth to encrypt and decrypt user authentication data.

On UNIX, you also use lsf.sudoers to grant permission to users other than root to perform certain operations as root in LSF, or as a specified user.

These operations include:
  • LSF daemon startup or shutdown
  • User ID for LSF authentication
  • User ID for LSF pre- and post-execution commands
  • User ID for external LSF executables

If lsf.sudoers does not exist, only root can perform these operations in LSF on UNIX.

On UNIX, this file is located in /etc.

There is one lsf.sudoers file per host.

On Windows, this file is located in the directory specified by the LSF_SECUREDIR parameter in the lsf.conf file.

Note: To use the lsf.sudoers file, you must enable the setuid bit for the LSF administration commands. Run the hostsetup --setuid command option on the LSF management and candidate hosts. Since this allows LSF administration commands to run with root privileges, do not enable the setuid bit if you do not want these LSF commands to run with root privileges.

The hostsetup --setuid command enables the setuid bit for the following LSF executable files: badmin, lsadmin, egosh, utmpreg, swtbl_api, ntbl_api, lstbl_nid, and swtbl_poe.

Changing lsf.sudoers configuration

After making any changes to lsf.sudoers, run badmin reconfig to reload the configuration files.

/etc/lsf.sudoers on UNIX

In LSF, certain operations such as daemon startup can only be performed by root. The lsf.sudoers file grants root privileges to specific users or user groups to perform these operations.

Location

lsf.sudoers must be located in /etc on each host.

Permissions

/etc/lsf.sudoers must have permission 600 and be readable and writable only by root.

lsf.sudoers on Windows

The lsf.sudoers file is shared over an NTFS network, not duplicated on every Windows host.

By default, LSF installs lsf.sudoers in the %SYSTEMROOT% directory.

The location of lsf.sudoers on Windows must be specified by the LSF_SECUREDIR parameter in the lsf.conf file; you must configure LSF_SECUREDIR in lsf.conf if you use lsf.sudoers on Windows.

Windows permissions

Restriction:

The owner of lsf.sudoers on Windows must be Administrators. If not, eauth may not work.

The permissions on lsf.sudoers for Windows are:

Workgroup Environment
  • Local Admins (W)
  • Everyone (R)
Domain Environment
  • Domain Admins (W)
  • Everyone (R)

File format

The format of lsf.sudoers is very similar to that of lsf.conf.

Each entry can have one of the following forms:
  • NAME=VALUE
  • NAME=
  • NAME="STRING1 STRING2 ..."

The equal sign = must follow each NAME even if no value follows and there should be no space beside the equal sign.

NAME describes an authorized operation.

VALUE is a single string or multiple strings separated by spaces and enclosed in quotation marks.

Lines starting with a pound sign (#) are comments and are ignored. Do not use #if as this is reserved syntax for time-based configuration.

Example lsf.sudoers File

LSB_PRE_POST_EXEC_USER=user100
LSF_STARTUP_PATH=/usr/share/lsf/etc
LSF_STARTUP_USERS="user1 user10 user55"
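The following parser and permission check is an added example, not part of LSF or IBM's documentation. It applies the format rules stated above (NAME=VALUE, NAME= and NAME="STRING1 STRING2 ...", no space beside the equal sign, # comments, #if reserved) and the UNIX requirement that /etc/lsf.sudoers be owned by root with mode 600. The sample file content is constructed from the example above; the restriction of parameter names to upper-case letters, digits and underscores is an assumption.

```python
"""Parse and lint an lsf.sudoers file (added example; not IBM LSF code).

Rules implemented are the ones stated on this page: entries are NAME=VALUE,
NAME= or NAME="STRING1 STRING2 ...", no whitespace beside the '=', lines
starting with '#' are comments, '#if' is reserved, and on UNIX the file must
be mode 600 and owned by root.
"""
import os
import re
import stat

_NAME = re.compile(r'^[A-Z][A-Z0-9_]*$')   # assumption: LSF-style parameter names

# Constructed sample, based on the example file on this page.
SAMPLE = """\
# lsf.sudoers sample
LSB_PRE_POST_EXEC_USER=user100
LSF_STARTUP_PATH=/usr/share/lsf/etc
LSF_STARTUP_USERS="user1 user10 user55"
LSF_EAUTH_USER=
"""


def parse_lsf_sudoers(text):
    """Return (params, errors); params maps NAME to a list of strings.

    NAME=          -> []
    NAME=VALUE     -> ['VALUE']
    NAME="a b c"   -> ['a', 'b', 'c']
    """
    params, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            if line.startswith('#if'):
                errors.append(f'line {lineno}: "#if" is reserved for time-based configuration')
            continue
        name, sep, value = line.partition('=')
        if not sep:
            errors.append(f'line {lineno}: missing "="')
            continue
        if name != name.rstrip() or value != value.lstrip():
            errors.append(f'line {lineno}: no space is allowed beside "="')
            continue
        if not _NAME.match(name):
            errors.append(f'line {lineno}: bad parameter name {name!r}')
            continue
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                errors.append(f'line {lineno}: unterminated quoted value')
                continue
            values = value[1:-1].split()
        elif any(c.isspace() for c in value):
            errors.append(f'line {lineno}: multiple strings must be quoted')
            continue
        else:
            values = [value] if value else []
        if name in params:
            errors.append(f'line {lineno}: {name} defined more than once')
        params[name] = values
    return params, errors


def check_mode(uid, mode):
    """Ownership/mode findings for /etc/lsf.sudoers on UNIX (root, 0600)."""
    findings = []
    if uid != 0:
        findings.append(f'owner uid is {uid}; must be root (0)')
    if mode != 0o600:
        findings.append(f'mode is {mode:04o}; must be 0600')
    return findings


def check_permissions(path='/etc/lsf.sudoers'):
    """Stat the real file and apply check_mode to it."""
    st = os.stat(path)
    return check_mode(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == '__main__':
    params, errors = parse_lsf_sudoers(SAMPLE)
    for k, v in params.items():
        print(f'{k} -> {v}')
    for e in errors:
        print('error:', e)
    if os.path.exists('/etc/lsf.sudoers'):
        for f in check_permissions():
            print('permissions:', f)
```

Run it on each host after editing the file: a permission finding means eauth and the setuid administration commands are reading a file that other users could also read or modify.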

Creating and modifying lsf.sudoers

You can create and modify lsf.sudoers with a text editor.

After you modify lsf.sudoers, you must run badmin hrestart all to restart all sbatchds in the cluster with the updated configuration.

Parameters

  • LSB_PRE_POST_EXEC_USER
  • LSF_EAUTH_KEY
  • LSF_EAUTH_USER
  • LSF_EEXEC_USER
  • LSF_EGO_ADMIN_PASSWD
  • LSF_EGO_ADMIN_USER
  • LSF_LOAD_PLUGINS
  • LSF_STARTUP_PATH
  • LSF_STARTUP_USERS

LSB_PRE_POST_EXEC_USER

Syntax

LSB_PRE_POST_EXEC_USER=user_name

Description

Specifies the UNIX user account under which pre- and post-execution commands run. This parameter affects host-based pre- and post-execution processing defined at the first level.

You can specify only one user account. If the pre-execution or post-execution commands perform privileged operations that require root permissions on UNIX hosts, specify a value of root.

If you configure this parameter as root, the LD_PRELOAD and LD_LIBRARY_PATH variables are removed from the pre-execution, post-execution, and eexec environments for security purposes.

Default

Not defined. Pre-execution and post-execution commands run under the user account of the user who submits the job.

LSF_EAUTH_KEY

Syntax

LSF_EAUTH_KEY=key

Description

Applies to UNIX, Windows, and mixed UNIX or Windows clusters.

Specifies the key that eauth uses to encrypt and decrypt user authentication data. Defining this parameter enables increased security at your site. The key must contain at least six characters and must use only printable characters.

You must configure the LSF_EAUTH_KEY parameter if any of the following cases apply to you:

  • You want to use your own defined key instead of the default LSF key.
  • You are using the battach command.
  • You are running the data manager daemon (dmd) while using the LSF multicluster capability.
  • You are running the global policy daemon (gpolicyd) while using the LSF multicluster capability.
  • You are using the job forward mode in the LSF multicluster capability with the battach or bsub -f commands because these commands require the use of eauth -c or eauth -s on both clusters.
Tip: When you specify a new eauth key, you can also allow LSF to continue using the old eauth key for a specified period of time. This gives LSF administrators time to update the eauth key on each host in the cluster without disrupting authentication operations.

To continue using the old eauth key, rename the current LSF_EAUTH_KEY parameter to LSF_EAUTH_OLDKEY, then define the LSF_EAUTH_OLDKEY_EXPIRY parameter to specify an expiry date for the old key. Define a new LSF_EAUTH_KEY parameter with the new eauth key as the value.

For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. For Windows, you must edit the shared lsf.sudoers file.

Default

Not defined. The eauth executable encrypts and decrypts authentication data using an internal key.

LSF_EAUTH_OLDKEY

Syntax

LSF_EAUTH_OLDKEY=key

Description

Applies to UNIX, Windows, and mixed UNIX and Windows clusters.

Specifies the previous key that eauth used to encrypt and decrypt user authentication data after you specify a new eauth key. Defining this parameter gives LSF administrators time to update the eauth key on each host in the cluster without disrupting authentication operations. The key must contain at least six characters and must use only printable characters. To use this parameter, you must also define the LSF_EAUTH_OLDKEY_EXPIRY parameter to specify an expiry date for the old key.

Default

Not defined. LSF uses an internal key that is generated by eauth.

LSF_EAUTH_OLDKEY_EXPIRY

Syntax

LSF_EAUTH_OLDKEY_EXPIRY=[year-month-day]

Description

Applies to UNIX, Windows, and mixed UNIX/Windows clusters.

Specifies the expiry date for the previous eauth key (the LSF_EAUTH_OLDKEY parameter), after which the previous key no longer works and only the key in the LSF_EAUTH_KEY parameter works. The date has the form year-month-day, where year is after 1970, month is 1-12, and day is 1-31.

Defining the LSF_EAUTH_OLDKEY and LSF_EAUTH_OLDKEY_EXPIRY parameters gives LSF administrators time to update the eauth key on each host in the cluster without disrupting authentication operations.

Default

Not defined. LSF uses an internal key that is generated by eauth.
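The key rotation described under LSF_EAUTH_KEY, LSF_EAUTH_OLDKEY and LSF_EAUTH_OLDKEY_EXPIRY, as an added example that is not LSF code: it checks the key rules given above, performs the rename of the current key to LSF_EAUTH_OLDKEY, and reports which keys are still accepted on a given date. It operates on a NAME-to-value mapping such as a parser of lsf.sudoers would produce. Two assumptions not stated on the page: whitespace is not treated as a printable key character, and the old key is still accepted on the expiry date itself. The brackets in the syntax line are read as placeholder notation, so the value is written without them.

```python
"""Check and rotate the eauth key settings in lsf.sudoers.

Added example, not IBM LSF code; it operates on a NAME -> value mapping such
as a parser of lsf.sudoers would produce. Rules are the ones stated on this
page: a key has at least six printable characters; LSF_EAUTH_OLDKEY is only
useful together with LSF_EAUTH_OLDKEY_EXPIRY (year-month-day, year after 1970,
month 1-12, day 1-31); after that date only LSF_EAUTH_KEY works.
Assumptions: whitespace does not count as printable for a key, and the old
key is still accepted on the expiry date itself.
"""
import datetime
import re

_DATE = re.compile(r'^(\d{4})-(\d{1,2})-(\d{1,2})$')


def check_key(key):
    """Return None if `key` is acceptable, otherwise the reason."""
    if len(key) < 6:
        return 'key must contain at least six characters'
    if not all(c.isprintable() and not c.isspace() for c in key):
        return 'key must use only printable characters'
    return None


def parse_expiry(value):
    """Parse a year-month-day string into a date; ValueError if out of range."""
    m = _DATE.match(value.strip())
    if not m:
        raise ValueError(f'expected year-month-day, got {value!r}')
    year, month, day = (int(g) for g in m.groups())
    if year <= 1970 or not 1 <= month <= 12 or not 1 <= day <= 31:
        raise ValueError(f'date out of range: {value!r}')
    return datetime.date(year, month, day)   # also rejects e.g. 2030-2-31


def accepted_keys(params, today):
    """Return (keys eauth would accept on `today`, findings).

    `today` is a datetime.date or a year-month-day string.
    """
    if isinstance(today, str):
        today = parse_expiry(today)
    keys, findings = [], []
    new = params.get('LSF_EAUTH_KEY')
    if new is None:
        findings.append('LSF_EAUTH_KEY is not defined; eauth uses its internal key')
    elif check_key(new):
        findings.append('LSF_EAUTH_KEY: ' + check_key(new))
    else:
        keys.append(new)

    old = params.get('LSF_EAUTH_OLDKEY')
    if old is None:
        return keys, findings
    expiry = params.get('LSF_EAUTH_OLDKEY_EXPIRY')
    if expiry is None:
        findings.append('LSF_EAUTH_OLDKEY needs LSF_EAUTH_OLDKEY_EXPIRY; old key ignored')
        return keys, findings
    try:
        exp = parse_expiry(expiry)
    except ValueError as err:
        findings.append(f'LSF_EAUTH_OLDKEY_EXPIRY: {err}')
        return keys, findings
    if check_key(old):
        findings.append('LSF_EAUTH_OLDKEY: ' + check_key(old))
    elif today <= exp:
        keys.append(old)
    else:
        findings.append(f'LSF_EAUTH_OLDKEY expired on {exp.isoformat()}; remove it and '
                        'LSF_EAUTH_OLDKEY_EXPIRY')
    return keys, findings


def rotate_key(params, new_key, expiry):
    """Return new settings: the current key becomes LSF_EAUTH_OLDKEY until `expiry`."""
    reason = check_key(new_key)
    if reason:
        raise ValueError(reason)
    parse_expiry(expiry)                     # validate before writing anything
    out = dict(params)
    current = params.get('LSF_EAUTH_KEY')
    if current is not None:
        if current == new_key:
            raise ValueError('new key must differ from the current key')
        out['LSF_EAUTH_OLDKEY'] = current
        out['LSF_EAUTH_OLDKEY_EXPIRY'] = expiry
    out['LSF_EAUTH_KEY'] = new_key
    return out


def render(params):
    """Emit the eauth lines to copy into lsf.sudoers (identical on every host)."""
    names = ('LSF_EAUTH_KEY', 'LSF_EAUTH_OLDKEY', 'LSF_EAUTH_OLDKEY_EXPIRY')
    return '\n'.join(f'{n}={params[n]}' for n in names if n in params) + '\n'


if __name__ == '__main__':
    old = {'LSF_EAUTH_KEY': 'constructed-old-key'}      # constructed values
    new = rotate_key(old, 'constructed-new-key', '2030-6-30')
    print(render(new))
    print(accepted_keys(new, '2030-6-1'))
    print(accepted_keys(new, '2030-7-1'))
```

The same rendered lines must reach every UNIX host (or the shared Windows file) before the expiry date; a host that still carries only the old LSF_EAUTH_KEY stops authenticating once the others drop LSF_EAUTH_OLDKEY.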

LSF_EAUTH_USER

Syntax

LSF_EAUTH_USER=user_name

Description

UNIX only.

Specifies the UNIX user account under which the external authentication executable eauth runs.

Default

Not defined. The eauth executable runs under the account of the primary LSF administrator.

LSF_EEXEC_USER

Syntax

LSF_EEXEC_USER=user_name

Description

UNIX only.

Specifies the UNIX user account under which the external executable eexec runs.

Default

Not defined. The eexec executable runs under root or the account of the user who submitted the job.

LSF_EGO_ADMIN_PASSWD

Syntax

LSF_EGO_ADMIN_PASSWD=password

Description

When the EGO Service Controller (EGOSC) is configured to control LSF daemons, enables UNIX and Windows users to bypass the additional login required to start res and sbatchd. Bypassing the EGO administrator login enables the use of scripts to automate system startup.

Specify the Admin EGO cluster administrator password as clear text. You must also define the LSF_EGO_ADMIN_USER parameter.

Default

Not defined. With EGOSC daemon control enabled, the lsadmin and badmin startup subcommands invoke the egosh user logon command to prompt for the Admin EGO cluster administrator credentials.

LSF_EGO_ADMIN_USER

Syntax

LSF_EGO_ADMIN_USER=Admin

Description

When the EGO Service Controller (EGOSC) is configured to control LSF daemons, enables UNIX and Windows users to bypass the additional login required to start res and sbatchd. Bypassing the EGO administrator login enables the use of scripts to automate system startup.

Specify the Admin EGO cluster administrator account. You must also define the LSF_EGO_ADMIN_PASSWD parameter.

Default

Not defined. With EGOSC daemon control enabled, the lsadmin and badmin startup subcommands invoke the egosh user logon command to prompt for the Admin EGO cluster administrator credentials.

LSF_LOAD_PLUGINS

Syntax

LSF_LOAD_PLUGINS=y | Y

Description

If defined, LSF loads plug-ins from LSB_LSBDIR. Used for Kerberos authentication and to enable the LSF CPU set plug-in for SGI.

Default

Not defined. LSF does not load plug-ins.

LSF_STARTUP_PATH

Syntax

LSF_STARTUP_PATH=path

Description

UNIX only. Enables the LSF daemon startup control feature when LSF_STARTUP_USERS is also defined. Define both parameters when you want to allow users other than root to start LSF daemons.

Specifies the absolute path name of the directory in which the LSF daemon binary files (lim, res, sbatchd, and mbatchd) are installed. LSF daemons are usually installed in the path specified by LSF_SERVERDIR defined in the cshrc.lsf, profile.lsf or lsf.conf files.
Important:

For security reasons, you should move the LSF daemon binary files to a directory other than LSF_SERVERDIR or LSF_BINDIR. The user accounts specified by LSF_STARTUP_USERS can start any binary in the LSF_STARTUP_PATH.

Default

Not defined. Only the root user account can start LSF daemons.

LSF_STARTUP_USERS

Syntax

LSF_STARTUP_USERS=all_admins | "user_name..."

Description

UNIX only. Enables the LSF daemon startup control feature when LSF_STARTUP_PATH is also defined. Define both parameters when you want to allow users other than root to start LSF daemons. On Windows, the services admin group is equivalent to LSF_STARTUP_USERS.

On UNIX hosts, by default only root can start LSF daemons. To manually start LSF daemons, a user runs the commands lsadmin and badmin, which have been installed as setuid root. LSF_STARTUP_USERS specifies a list of user accounts that can successfully run the commands lsadmin and badmin to start LSF daemons.
all_admins
  • Allows all UNIX users defined as LSF administrators in the file lsf.cluster.cluster_name to start LSF daemons as root by running the lsadmin and badmin commands.
  • Not recommended due to the security risk of a non-root LSF administrator adding to the list of administrators in the lsf.cluster.cluster_name file.
  • Not required for Windows hosts because all users with membership in the services admin group can start LSF daemons.
"user_name..."
  • Allows the specified user accounts to start LSF daemons by running the lsadmin and badmin commands.
  • Separate multiple user names with a space.
  • For a single user, do not use quotation marks.

Default

Not defined. Only the root user account can start LSF daemons.
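An audit of the daemon startup control settings described under LSF_STARTUP_PATH and LSF_STARTUP_USERS, added here as an example and not part of LSF: it checks that both parameters are defined together, that the users value follows the quoting rules above, that all_admins is flagged, and that LSF_STARTUP_PATH is a separate directory from LSF_SERVERDIR and LSF_BINDIR holding nothing but the daemon binaries named on this page. The checks that the directory and its binaries are root-owned and not group- or world-writable are added hardening, not rules from the page. The temporary directory fixture is constructed for the demonstration.

```python
"""Audit LSF daemon startup control settings (added example; not IBM LSF code).

Checks LSF_STARTUP_PATH and LSF_STARTUP_USERS against the cautions on this
page: both must be defined for the feature to work; the startup users can run
any binary in LSF_STARTUP_PATH as root, so that directory should hold only the
daemons and be separate from LSF_SERVERDIR and LSF_BINDIR; all_admins is not
recommended. Root ownership and non-writability of the directory and its
binaries are added hardening checks, not rules from the page.
"""
import os
import stat
import tempfile

DAEMONS = {'lim', 'res', 'sbatchd', 'mbatchd'}   # daemon binaries named on the page


def audit_startup_users(value):
    """Return (user list, findings) for an LSF_STARTUP_USERS value as written."""
    findings = []
    if value == 'all_admins':
        findings.append('all_admins: every LSF administrator in lsf.cluster.<cluster_name> '
                        'can start daemons as root; not recommended')
        return [], findings
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        users = value[1:-1].split()
        if len(users) == 1:
            findings.append('a single user name must not be quoted')
    else:
        users = value.split()
        if len(users) > 1:
            findings.append('multiple user names must be quoted')
    if not users:
        findings.append('no users listed')
    return users, findings


def audit_startup_path(startup_path, serverdir=None, bindir=None):
    """Return findings for the directory named by LSF_STARTUP_PATH."""
    findings = []
    if not os.path.isabs(startup_path):
        findings.append('LSF_STARTUP_PATH must be an absolute path')
    real = os.path.realpath(startup_path)
    for name, other in (('LSF_SERVERDIR', serverdir), ('LSF_BINDIR', bindir)):
        if other and os.path.realpath(other) == real:
            findings.append(f'LSF_STARTUP_PATH is the same directory as {name}; '
                            'startup users could run any binary there as root')
    st = os.stat(real)
    if not stat.S_ISDIR(st.st_mode):
        return findings + ['LSF_STARTUP_PATH is not a directory']
    if st.st_uid != 0:
        findings.append(f'directory owned by uid {st.st_uid}, not root')
    if stat.S_IMODE(st.st_mode) & 0o022:
        findings.append('directory is group- or world-writable')
    for entry in sorted(os.listdir(real)):
        if entry not in DAEMONS:
            findings.append(f'unexpected entry {entry!r}; startup users could run it as root')
        elif os.stat(os.path.join(real, entry)).st_mode & 0o022:
            findings.append(f'{entry} is group- or world-writable')
    return findings


def audit(params, serverdir=None, bindir=None):
    """Run both audits on a NAME -> value mapping taken from lsf.sudoers."""
    findings = []
    path, users = params.get('LSF_STARTUP_PATH'), params.get('LSF_STARTUP_USERS')
    if (path is None) != (users is None):
        findings.append('LSF_STARTUP_PATH and LSF_STARTUP_USERS must both be defined')
    if users is not None:
        findings += audit_startup_users(users)[1]
    if path is not None:
        findings += audit_startup_path(path, serverdir, bindir)
    return findings


def make_demo_dir():
    """Constructed fixture: a temp dir with a fake daemon and one stray file."""
    d = tempfile.mkdtemp(prefix='lsf_startup_')
    for name in ('lim', 'rogue'):
        with open(os.path.join(d, name), 'w') as fh:
            fh.write('#!/bin/sh\n')
    return d


if __name__ == '__main__':
    d = make_demo_dir()
    settings = {'LSF_STARTUP_PATH': d, 'LSF_STARTUP_USERS': 'all_admins'}
    for f in audit(settings, serverdir=d):
        print('finding:', f)
```

Pass the real LSF_SERVERDIR and LSF_BINDIR values from lsf.conf so the audit can tell whether the daemon binaries were actually moved out of those directories as the Important note above asks.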

See also

LSF_STARTUP_PATH