Security

Platform LSF security model

Out of the box, the LSF security model keeps track of user accounts internally. A user account defined in LSF includes a password to provide authentication and an assigned role to provide authorization, such as administrator.

Platform LSF user roles

LSF, without EGO enabled, supports the following roles:
  • LSF user: Has permission to submit jobs to the LSF cluster and view the states of jobs and the cluster.

  • Primary LSF administrator: Has permission to perform clusterwide operations, change configuration files, reconfigure the cluster, and control jobs submitted by all users.

    Configuration files such as lsb.params and lsb.hosts configure all aspects of LSF.

  • LSF administrator: Has permission to perform operations that affect other LSF users.

    • Cluster administrator: Can perform administrative operations on all jobs and queues in the cluster. May not have permission to change LSF configuration files.

    • Queue administrator: Has administrative permissions limited to a specified queue.

    • Hostgroup administrator: Has administrative permissions limited to a specified host group.

    • Usergroup administrator: Has administrative permissions limited to a specified user group.
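An added example, not part of the LSF documentation: a small Python audit that lists which accounts hold the primary, cluster, and queue administrator roles described above. It assumes administrators are declared in the `ClusterAdmins` section of `lsf.cluster.<cluster_name>` and in the `ADMINISTRATORS` parameter of `lsb.queues`; the file contents, queue names, and account names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample files; account and queue names are made up.
LSF_CLUSTER = """\
Begin ClusterAdmins
Administrators = lsfadmin alice   # first entry is the primary administrator
End ClusterAdmins
"""
LSB_QUEUES = """\
Begin Queue
QUEUE_NAME     = normal
ADMINISTRATORS = bob
End Queue

Begin Queue
QUEUE_NAME     = night
ADMINISTRATORS = bob \\
                 carol
End Queue
"""

def sections(text, name):
    """Yield {KEY: value} for every 'Begin <name> ... End <name>' block."""
    text = re.sub(r"\\\n", " ", text)              # join continuation lines
    pat = rf"^Begin\s+{name}\s*$(.*?)^End\s+{name}\s*$"
    for body in re.findall(pat, text, flags=re.M | re.S | re.I):
        kv = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip().upper()] = value.strip()
        yield kv

def admin_inventory(cluster_text, queues_text):
    """Map each account to the administrative scopes it holds."""
    roles = defaultdict(list)
    for sec in sections(cluster_text, "ClusterAdmins"):
        for i, user in enumerate(sec.get("ADMINISTRATORS", "").split()):
            roles[user].append("primary" if i == 0 else "cluster")
    for sec in sections(queues_text, "Queue"):
        for user in sec.get("ADMINISTRATORS", "").split():
            roles[user].append("queue:" + sec.get("QUEUE_NAME", "?"))
    return dict(roles)

if __name__ == "__main__":
    for user, scopes in sorted(admin_inventory(LSF_CLUSTER, LSB_QUEUES).items()):
        print(f"{user:10} {', '.join(scopes)}")
```

Comparing this inventory against the accounts that are expected to hold each role shows where administrative scope has drifted beyond what a user needs.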

Platform LSF user roles with Platform EGO enabled

LSF, with EGO enabled, supports the following roles:
  • Cluster Administrator: Can administer any objects and workload in the cluster.

  • Consumer Administrator: Can administer any objects and workload in consumers to which they have access.

  • Consumer User: Can run workload in consumers to which they have access.

User accounts are created and managed in EGO. EGO authorizes users from its user database.

Platform LSF and UNIX user groups

LSF allows you to use any existing UNIX user groups directly by specifying a UNIX user group anywhere an LSF user group can be specified.

External authentication

LSF provides a security plug-in for sites that prefer to use external or third-party security mechanisms, such as Kerberos, LDAP, or Active Directory.

You can create a customized eauth executable to provide external authentication of users, hosts, and daemons. Credentials are passed from an external security system. The eauth executable can also be customized to obtain credentials from an operating system or from an authentication protocol such as Kerberos.