[ Platform Documentation ]

[ Title ]

[ Contents ]

[ Previous ]

[ Next ]

[ Index ]

---

lsf.sudoers

---

The lsf.sudoers file is an optional file to configure security mechanisms. It is not installed by default.

You use lsf.sudoers to set the parameter LSF_EAUTH_KEY to configure a key for eauth to encrypt and decrypt user authentication data.

On UNIX, you also use lsf.sudoers to grant permission to users other than root to perform certain operations as root in LSF, or as a specified user.

These operations include:

• LSF daemon startup/shutdown
• User ID for LSF authentication
• User ID for LSF pre- and post-execution commands.
• User ID for external LSF executables

If lsf.sudoers does not exist, only root can perform these operations in LSF on UNIX.

On UNIX, this file is located in /etc.

There is one lsf.sudoers file per host.

On Windows, this file is located in the directory specified by the parameter LSF_SECUREDIR in lsf.conf.

Contents

• lsf.sudoers on UNIX
• lsf.sudoers on Windows
• File Format
• Creating and Modifying lsf.sudoers
• Parameters

[ Top ]

---

lsf.sudoers on UNIX

In LSF, certain operations such as daemon startup can only be performed by root. The lsf.sudoers file grants root privileges to specific users or user groups to perform these operations.

Location

lsf.sudoers must be located in /etc on each host.

Permissions

lsf.sudoers must have permission 600 and be readable and writable only by root.

[ Top ]

---

lsf.sudoers on Windows

Location

The lsf.sudoers file is shared over an NTFS network, not duplicated on every Windows host.

By default, LSF installs lsf.sudoers in the %SYSTEMROOT% directory.

The location of lsf.sudoers on Windows must be specified by LSF_SECUREDIR in lsf.conf. You must configure the LSF_SECUREDIR parameter in lsf.conf if using lsf.sudoers on Windows.

Permissions

The permissions on lsf.sudoers for Windows are:

Workgroup Environment

• Local Admins (W)
• Everyone (R)

Domain Environment

• Domain Admins (W)
• Everyone (R)

[ Top ]

---

File Format

The format of lsf.sudoers is very similar to that of lsf.conf.

Each entry can have one of the following forms:

• NAME=VALUE
• NAME=
• NAME= "STRING1 STRING2 ..."

The equal sign = must follow each NAME even if no value follows and there should be no space beside the equal sign.

NAME describes an authorized operation.

VALUE is a single string or multiple strings separated by spaces and enclosed in quotation marks.

Lines starting with a pound sign (#) are comments and are ignored. Do not use #if as this is reserved syntax for time-based configuration.

Example lsf.sudoers File

LSB_PRE_POST_EXEC_USER=user100
LSF_STARTUP_PATH=/usr/share/lsf/etc
LSF_STARTUP_USERS="user1 user10 user55"

[ Top ]

---

Creating and Modifying lsf.sudoers

You can create and modify lsf.sudoers with a text editor such as vi.

On Windows, you can use the graphical tool xlsadmin to create or modify lsf.sudoers, by selecting Configure | Security Parameters. You must invoke xlsadmin as a domain administrator for a Windows domain. For a Windows workgroup, you must invoke xlsadmin as a local user with the necessary administrative privileges.

After you modify lsf.sudoers, you need to restart all sbatchds in the cluster with the command badmin hrestart all to update configuration.

[ Top ]

---

Parameters

• LSB_PRE_POST_EXEC_USER
• LSF_EAUTH_KEY
• LSF_EAUTH_USER
• LSF_EEXEC_USER
• LSF_LOAD_PLUGINS
• LSF_STARTUP_USERS
• LSF_STARTUP_PATH

LSB_PRE_POST_EXEC_USER

Syntax

LSB_PRE_POST_EXEC_USER = user_name

Description

UNIX only.

Specifies the authorized user for running queue level pre-execution and post- execution commands. When this parameter is defined, the queue level pre- execution and post-execution commands will be run as the specified user.

In particular, you can define this parameter if you need to run commands as root on UNIX.

Pre- and post-execution commands are configured at the queue level by the LSF administrator.

You can only define a single user name in this parameter.

Default

Undefined. Pre- and post-execution commands are run as the user who submitted the job.

LSF_EAUTH_KEY

Syntax

LSF_EAUTH_KEY = key

Description

UNIX and Windows.

Specifies a key eauth uses to encrypt and decrypt user authentication data.

This parameter provides a way to increase security at a site. The rule to choosing a key is the same as for choosing a password.

If you want to improve the security of your site by specifying a key, make sure it is at least six characters long and uses only printable characters (as when choosing a normal UNIX password).

If you want to change the key, modify the lsf.sudoers file on every host. For the hosts to work together, they must all use the same key.

Default

Undefined. eauth encrypts and decrypts authentication data using an internal key.

LSF_EAUTH_USER

Syntax

LSF_EAUTH_USER = user_name

Description

UNIX only.

Specifies the user account under which to run the external authentication executable eauth.

Default

Undefined. eauth is run as the primary LSF administrator.

LSF_EEXEC_USER

Syntax

LSF_EEXEC_USER = user_name

Description

UNIX only.

Defines the user name to run the external execution command eexec.

Default

Undefined. eexec is run as the user who submitted the job.

LSF_LOAD_PLUGINS

Syntax

LSF_LOAD_PLUGINS = y | Y

Description

If defined, LSF loads plugins from LSB_LSBDIR. Used for Kerberos authentication in Sun HPC environments, and to enable the LSF CPUSET plugin for IRIX 6.5.8.

Default

Undefined (no plugins).

LSF_STARTUP_USERS

Syntax

LSF_STARTUP_USERS = all_admins | "user_name..."

Description

UNIX only. Equivalent to the local LSF administrators group (Local Admins) in Windows.

Must be defined in conjunction with LSF_STARTUP_PATH for this feature to work.

By default, only root can start the LSF daemons. lsadmin and badmin must be installed as setuid root programs.

This parameter specifies other users who can start daemons as root using the LSF administration commands lsadmin and badmin.

• all_admins

  Allows all LSF administrators configured in lsf.cluster.cluster_name to start LSF daemons as root by running lsadmin and badmin commands.

  Defining LSF_STARTUP_USERS as all_admins incurs some security risk because administrators can be configured by a primary LSF administrator who is not root. You should explicitly list the login names of all authorized administrators here so that you have full control of who can start daemons as root.

• "user_name..."

  Allows specified users to start LSF daemons as root by running lsadmin and badmin commands. If only one user is specified, quotation marks are not required.

Default

Undefined. Only root can start daemons as root.

See Also

LSF_STARTUP_PATH

LSF_STARTUP_PATH

Syntax

LSF_STARTUP_PATH = path

Description

UNIX only.

Absolute path name of the directory in which the server binaries (LIM, RES, sbatchd, mbatchd, etc.) are installed.

This is normally LSF_SERVERDIR as defined in cshrc.lsf, profile.lsf or lsf.conf. LSF will allow the specified administrators (see LSF_STARTUP_USERS) to start the daemons installed in the LSF_STARTUP_PATH directory.

Both LSF_STARTUP_USERS and LSF_STARTUP_PATH must be defined for this feature to work.

Default

Undefined

See Also

LSF_STARTUP_USERS

[ Top ]

---

SEE ALSO

lsadmin(8), badmin(8), lsf.conf(5), lsfstartup(3), lsf.cluster(5), eexec(8), eauth(8)

[ Top ]

---

[ Platform Documentation ]

[ Title ]

[ Contents ]

[ Previous ]

[ Next ]

[ Index ]

---

Date Modified: February 24, 2004 Platform Computing: www.platform.com Platform Support: support@platform.com Platform Information Development: doc@platform.com Copyright © 1994-2004 Platform Computing Corporation. All rights reserved.