The lsf.sudoers file is an optional file to configure security mechanisms. It is not installed by default.
You use lsf.sudoers to set the parameter LSF_EAUTH_KEY to configure a key for eauth to encrypt and decrypt user authentication data.
On UNIX, you also use lsf.sudoers to grant permission to users other than root to perform certain operations as root in LSF, or as a specified user.
These operations include:
- LSF daemon startup/shutdown
- User ID for LSF authentication
- User ID for LSF pre- and post-execution commands
- User ID for external LSF executables
If lsf.sudoers does not exist, only root can perform these operations in LSF on UNIX.
On UNIX, this file is located in /etc. There is one lsf.sudoers file per host.
On Windows, this file is located in the directory specified by the parameter LSF_SECUREDIR in lsf.conf.
- lsf.sudoers on UNIX
- lsf.sudoers on Windows
- File Format
- Creating and Modifying lsf.sudoers
- Parameters
lsf.sudoers on UNIX
In LSF, certain operations such as daemon startup can only be performed by root. The lsf.sudoers file grants root privileges to specific users or user groups to perform these operations.
Location
lsf.sudoers must be located in /etc on each host.
Permissions
lsf.sudoers must have permission 600 and be readable and writable only by root.
lsf.sudoers on Windows
Location
The lsf.sudoers file is shared over an NTFS network, not duplicated on every Windows host.
By default, LSF installs lsf.sudoers in the %SYSTEMROOT% directory.
The location of lsf.sudoers on Windows must be specified by LSF_SECUREDIR in lsf.conf. You must configure the LSF_SECUREDIR parameter in lsf.conf if using lsf.sudoers on Windows.
Permissions
The permissions on lsf.sudoers for Windows are:
Workgroup Environment
Domain Environment
File Format
The format of lsf.sudoers is very similar to that of lsf.conf.
Each entry can have one of the following forms:
The equal sign = must follow each NAME even if no value follows and there should be no space beside the equal sign.
NAME describes an authorized operation.
VALUE is a single string or multiple strings separated by spaces and enclosed in quotation marks.
Lines starting with a pound sign (#) are comments and are ignored. Do not use #if as this is reserved syntax for time-based configuration.
Example lsf.sudoers File
LSB_PRE_POST_EXEC_USER=user100
LSF_STARTUP_PATH=/usr/share/lsf/etc
LSF_STARTUP_USERS="user1 user10 user55"
Creating and Modifying lsf.sudoers
You can create and modify lsf.sudoers with a text editor such as vi.
On Windows, you can use the graphical tool xlsadmin to create or modify lsf.sudoers, by selecting Configure | Security Parameters. You must invoke xlsadmin as a domain administrator for a Windows domain. For a Windows workgroup, you must invoke xlsadmin as a local user with the necessary administrative privileges.
After you modify lsf.sudoers, you need to restart all sbatchds in the cluster with the command badmin hrestart all to update configuration.
Parameters
- LSB_PRE_POST_EXEC_USER
- LSF_EAUTH_KEY
- LSF_EAUTH_USER
- LSF_EEXEC_USER
- LSF_LOAD_PLUGINS
- LSF_STARTUP_USERS
- LSF_STARTUP_PATH
LSB_PRE_POST_EXEC_USER
LSB_PRE_POST_EXEC_USER=user_name
UNIX only.
Specifies the authorized user for running queue level pre-execution and post-execution commands. When this parameter is defined, the queue level pre-execution and post-execution commands will be run as the specified user.
In particular, you can define this parameter if you need to run commands as root on UNIX.
Pre- and post-execution commands are configured at the queue level by the LSF administrator.
You can only define a single user name in this parameter.
Default: Undefined. Pre- and post-execution commands are run as the user who submitted the job.
LSF_EAUTH_KEY
LSF_EAUTH_KEY=key
UNIX and Windows.
Specifies a key eauth uses to encrypt and decrypt user authentication data.
This parameter provides a way to increase security at a site. The rule for choosing a key is the same as for choosing a password.
If you want to improve the security of your site by specifying a key, make sure it is at least six characters long and uses only printable characters (as when choosing a normal UNIX password).
If you want to change the key, modify the lsf.sudoers file on every host. For the hosts to work together, they must all use the same key.
Default: Undefined. eauth encrypts and decrypts authentication data using an internal key.
LSF_EAUTH_USER
LSF_EAUTH_USER=user_name
UNIX only.
Specifies the user account under which to run the external authentication executable eauth.
Default: Undefined. eauth is run as the primary LSF administrator.
LSF_EEXEC_USER
LSF_EEXEC_USER=user_name
UNIX only.
Defines the user name to run the external execution command eexec.
Default: Undefined. eexec is run as the user who submitted the job.
LSF_LOAD_PLUGINS
LSF_LOAD_PLUGINS=y|Y
If defined, LSF loads plugins from LSB_LSBDIR. Used for Kerberos authentication in Sun HPC environments, and to enable the LSF CPUSET plugin for IRIX 6.5.8.
Default: Undefined (no plugins).
LSF_STARTUP_USERS
LSF_STARTUP_USERS=all_admins | "user_name..."
UNIX only. Equivalent to the local LSF administrators group (Local Admins) in Windows.
Must be defined in conjunction with LSF_STARTUP_PATH for this feature to work.
By default, only root can start the LSF daemons. lsadmin and badmin must be installed as setuid root programs.
This parameter specifies other users who can start daemons as root using the LSF administration commands lsadmin and badmin.
all_admins
Allows all LSF administrators configured in lsf.cluster.cluster_name to start LSF daemons as root by running lsadmin and badmin commands.
Defining LSF_STARTUP_USERS as all_admins incurs some security risk because administrators can be configured by a primary LSF administrator who is not root. You should explicitly list the login names of all authorized administrators here so that you have full control of who can start daemons as root.
"user_name..."
Allows specified users to start LSF daemons as root by running lsadmin and badmin commands. If only one user is specified, quotation marks are not required.
Default: Undefined. Only root can start daemons as root.
LSF_STARTUP_PATH
LSF_STARTUP_PATH=path
UNIX only.
Absolute path name of the directory in which the server binaries (LIM, RES, sbatchd, mbatchd, etc.) are installed.
This is normally LSF_SERVERDIR as defined in cshrc.lsf, profile.lsf or lsf.conf. LSF will allow the specified administrators (see LSF_STARTUP_USERS) to start the daemons installed in the LSF_STARTUP_PATH directory.
Both LSF_STARTUP_USERS and LSF_STARTUP_PATH must be defined for this feature to work.
Default: Undefined
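The following audit script is an added example, not part of the Platform documentation or LSF itself. It checks a host's lsf.sudoers against the rules stated on this page: the NAME=VALUE format, the UNIX permission rule (mode 600, owned by root), and the LSF_STARTUP_USERS, LSF_STARTUP_PATH and LSF_EAUTH_KEY constraints. The function names, the owner_uid parameter and the sample text are assumptions made for the example.

```python
import os
import re
import stat

ENTRY = re.compile(r'^(\w+)=(.*)$')  # assumption: NAME is one word, "=" follows directly
# Constructed sample, not from a real cluster.
SAMPLE = 'LSF_STARTUP_USERS=all_admins\nLSF_EAUTH_KEY = abc\n#if x\nLSF_EEXEC_USER=\n'

def parse(text):
    """Parse lsf.sudoers text into ({NAME: value}, [format problems])."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#if'):
            problems.append(f'line {n}: #if is reserved syntax, not a comment')
        if not line or line.startswith('#'):
            continue
        m = ENTRY.match(line)
        if not m or m.group(2)[:1].isspace():
            problems.append(f'line {n}: expected NAME=VALUE, no space beside "="')
            continue
        name, value = m.groups()
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        if ' ' in value and not quoted:
            problems.append(f'line {n}: multiple strings need quotation marks')
        entries[name] = value[1:-1] if quoted else value
    return entries, problems

def lint(entries):
    """Apply the parameter rules stated on this page to parsed entries."""
    out = []
    if ('LSF_STARTUP_USERS' in entries) != ('LSF_STARTUP_PATH' in entries):
        out.append('LSF_STARTUP_USERS and LSF_STARTUP_PATH must both be defined')
    if entries.get('LSF_STARTUP_USERS') == 'all_admins':
        out.append('LSF_STARTUP_USERS=all_admins: list login names explicitly')
    key = entries.get('LSF_EAUTH_KEY')
    if key is not None and (len(key) < 6 or not key.isprintable()):
        out.append('LSF_EAUTH_KEY: use at least six printable characters')
    return out

def check_file(path, owner_uid=0):
    """UNIX rule: mode 600 and owned by root (owner_uid is overridable for tests)."""
    st = os.lstat(path)
    out = []
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) != 0o600:
        out.append(f'{path}: must be a regular file with mode 600')
    if st.st_uid != owner_uid:
        out.append(f'{path}: owner uid {st.st_uid}, expected {owner_uid}')
    return out
```

Run as root on each host, call check_file('/etc/lsf.sudoers') and then pass the file's text to parse() and its entries to lint(); any returned string is a finding to fix before restarting the daemons.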
SEE ALSO
lsadmin(8), badmin(8), lsf.conf(5), lsfstartup(3), lsf.cluster(5), eexec(8), eauth(8)
Date Modified: February 24, 2004
Platform Computing: www.platform.com
Platform Support: support@platform.com
Platform Information Development: doc@platform.com
Copyright © 1994-2004 Platform Computing Corporation. All rights reserved.