Authentication between clusters

Because this is configured for individual clusters, not globally, different cluster pairs can use different systems of authentication. You use a different eauth program for each different authentication mechanism.

eauth executables

Contact Platform Professional Services for more information about the eauth programs that Platform distributes to allow LSF to work with different security mechanisms. If you already have an eauth that works with LSF for daemon authentication within the cluster, use a copy of it.

If different clusters use different methods of authentication, set up multiple eauth programs.

  1. Copy the corresponding eauth program to LSF_SERVERDIR.
  2. Name the eauth program eauth.method_name.

    If you happen to use the same eauth program for daemon authentication within the cluster, you should have two copies, one named eauth (used by LSF) and one named eauth.method_name (used by MultiCluster).

Platform MultiCluster configuration

  1. Edit the lsf.cluster.cluster_name RemoteClusters section.

    If the cluster does not already include a RemoteClusters list, you must add it now. To maintain the existing compatibility, specify all remote clusters in the list, even if the preferred method of authentication is the default method.

  2. If necessary, add the AUTH column to the RemoteClusters section.
  3. For each remote cluster, specify the preferred authentication method. Set AUTH to method_name (using the same method name that identifies the corresponding eauth program). For default behavior, specify a dash (-).
  4. To make the changes take effect in a working cluster, run the following commands:
    lsadmin limrestart master_host 
    lsadmin limrestart master_candidate_host 
    badmin mbdrestart

    Repeat the steps for each cluster that will use external authentication, making sure that the configurations of paired-up clusters match.

Configuration example

In this example, Cluster1 and Cluster2 use Kerberos authentication with each other, but not with Cluster3. It does not matter how Cluster3 is configured, because without a common authentication method between clusters no communication occurs.

RECV_FROM set to Y indicates the local cluster accepts parallel jobs that originate in a remote cluster.

EQUIV set to Y changes the default behavior of LSF commands and utilities and causes them to automatically return load (lsload(1)), host (lshosts(1)), or placement (lsplace(1)) information about the remote cluster as well as the local cluster, even when you don’t specify a cluster name.

Cluster1

lsf.cluster.cluster1:

Begin RemoteClusters
CLUSTERNAME  EQUIV   CACHE_INTERVAL   RECV_FROM   AUTH
cluster2       Y           60            Y        KRB
cluster3       N           30            N         -
End RemoteClusters

LSF_SERVERDIR in Cluster1 includes an eauth executable named eauth.KRB.

Cluster2

lsf.cluster.cluster2:

Begin RemoteClusters
CLUSTERNAME  EQUIV   CACHE_INTERVAL   RECV_FROM   AUTH
cluster1       Y           60            Y        KRB
cluster3       N           30            N         -
End RemoteClusters

LSF_SERVERDIR in Cluster2 includes an eauth executable named eauth.KRB.