Platform LSF Administration Guide Version 6.2
Chapter 40
Authentication
Administering Platform LSF
About Host Authentication
When a batch job or a remote execution request is received, LSF first determines the
user’s identity. Once the user’s identity is known, LSF decides whether it can trust the
host from which the request comes.
Trust LSF host
LSF normally allows remote execution by all users except root, from all hosts in the LSF
cluster; LSF trusts all hosts that are configured into your cluster. The reason behind this
is that by configuring an LSF cluster you are turning a network of machines into a single
computer. Users must have valid accounts on all hosts. This allows any user to run a job
with their own permission on any host in the cluster. Remote execution requests and
batch job submissions are rejected if they come from a host not in the LSF cluster.
A site can configure an external executable to perform additional user or host
authorization. When LSF_AUTH is defined as eauth in lsf.conf, the LSF daemon
invokes eauth -s when it receives a request that needs authentication and
authorization. For example, eauth can check if the client user is on a list of
authorized users or if a host has the necessary privilege to be trusted.
/etc/hosts.equiv (UNIX)
If the LSF_USE_HOSTEQUIV parameter is set in the lsf.conf file, LSF uses the
same remote execution access control mechanism as the rsh command. When a job is
run on a remote host, the user name and originating host are checked using the
ruserok(3) function on the remote host.
The ruserok(3) function checks in the /etc/hosts.equiv file and the user’s
$HOME/.rhosts file to decide if the user has permission to execute jobs.
The name of the local host should be included in this list. RES calls ruserok()
for connections from the local host. mbatchd calls ruserok() on the master host,
so every LSF user must have a valid account and remote execution permission on
the master host.
The disadvantage of using the /etc/hosts.equiv and $HOME/.rhosts files is that
these files also grant permission to use the rlogin and rsh commands without
giving a password. Such access is restricted by security policies at some sites.
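An added example, not part of the LSF guide or of LSF itself: a Python check that reads the contents of a hosts.equiv or .rhosts file, reports the entries that widen passwordless rsh/rlogin access, and confirms that the local host is listed as described above. The function name, host names and file contents are constructed for illustration.

```python
# Added example: audit rsh-style trust files consulted by ruserok(3).
# All host names and file contents here are constructed samples.

def audit_trust_file(text, local_host):
    """Return (findings, local_host_listed) for hosts.equiv/.rhosts content.

    findings is a list of (line_number, entry, reason) tuples.
    local_host_listed is True only when local_host appears by name;
    a "+" wildcard is reported as a finding, not counted as a listing.
    """
    findings = []
    local_listed = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user and user.startswith("-")):
            continue  # deny entries do not widen access
        if host == "+":
            findings.append((lineno, line, "wildcard host: every host is trusted"))
        elif host.startswith("+@"):
            findings.append((lineno, line, "host netgroup: review its membership"))
        elif host.lower() == local_host.lower():
            local_listed = True
        if user == "+":
            findings.append((lineno, line, "wildcard user: any remote user is trusted"))
    return findings, local_listed


# Constructed sample of an /etc/hosts.equiv file.
SAMPLE = "\n".join([
    "# constructed sample",
    "hosta.example.com",
    "+",
    "hostb.example.com +",
    "+@lsfhosts",
    "-badhost.example.com",
])

if __name__ == "__main__":
    results, listed = audit_trust_file(SAMPLE, "hosta.example.com")
    for lineno, entry, reason in results:
        print(f"line {lineno}: {entry!r}: {reason}")
    print("local host listed:", listed)
```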
For more information
See the hosts.equiv(5) and ruserok(3) man pages for details on the format of the
files and the access checks performed.