LSF Version 7.3 - Platform LSF Configuration Reference

The variable …     Represents the …

aux_data_file      Location of the temporary file that stores encrypted
                   authentication data

aux_data_status    File in which eauth -s stores authentication status. When
                   used with Kerberos authentication, eauth -s writes the
                   source of authentication to this file if authentication
                   fails. For example, if mbatchd to mbatchd authentication
                   fails, eauth -s writes "mbatchd" to the file defined by
                   aux_data_status. If user to mbatchd authentication fails,
                   eauth -s writes "user" to the aux_data_status file.

user_auth_data     External authentication data passed from the client host

The variables required for the eauth executable depend on how you implement external authentication at your site.
For eauth parsing, unused variables are marked by '''.
User credentials
When an LSF user submits a job or issues a command, the LSF daemon that receives the request verifies the identity
of the user by checking the user credentials. External authentication provides the greatest security of all LSF
authentication methods because the user credentials are obtained from an external source, such as a database, and then
encrypted prior to transmission. For Windows hosts, external authentication is the only truly secure type of LSF
authentication.
Host credentials
LSF first authenticates users and then checks host credentials. LSF accepts requests sent from all hosts configured as
part of the LSF cluster, including floating clients and any hosts that are dynamically added to the cluster. LSF rejects
requests sent from a non-LSF host. If your cluster requires additional host authentication, you can write an eauth
executable that verifies both user and host credentials.
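The following Python example is added here and is not code from Platform or from this reference. It shows the server-side checks a site-written eauth could apply to verify both user and host credentials, and how it would record the failure source in the aux_data_status file. The order of the request fields, and the cluster_nets, accounts and check_token inputs, are assumptions made for the example.

```python
import ipaddress

# Assumed field order; only the last three names appear in the table above.
FIELDS = ("uid", "gid", "user_name", "client_addr", "client_port",
          "user_auth_data_len", "eauth_client", "eauth_server",
          "aux_data_file", "aux_data_status", "user_auth_data")


def parse_request(line):
    """Split one server-side request line into named fields."""
    parts = line.rstrip("\n").split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    # A field made up only of quote characters is treated as the unused marker.
    return {k: (None if v.strip("'") == "" else v) for k, v in zip(FIELDS, parts)}


def verify(req, cluster_nets, accounts, check_token):
    """Return True only if the host, account and credential checks all pass.

    cluster_nets: networks the site treats as LSF hosts (hypothetical input)
    accounts:     user name -> uid map from the site's account source
    check_token:  site-specific callable(user_name, user_auth_data) -> bool
    """
    try:
        addr = ipaddress.ip_address(req["client_addr"] or "")
        host_ok = any(addr in ipaddress.ip_network(n) for n in cluster_nets)
    except ValueError:
        host_ok = False  # malformed or missing address: fail closed
    # The claimed uid must be present and agree with the account source.
    user_ok = (req["uid"] is not None
               and accounts.get(req["user_name"]) == req["uid"])
    ok = bool(host_ok and user_ok
              and check_token(req["user_name"], req["user_auth_data"] or ""))
    source = req["eauth_client"]
    if not ok and req["aux_data_status"] and source:
        # Record who failed to authenticate ("user", "mbatchd", ...).
        with open(req["aux_data_status"], "w") as fh:
            fh.write(source)
    return ok
```
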
Daemon credentials
Daemon authentication provides a secure channel for passing credentials between hosts, mediated by the master host.
The master host mediates authentication by means of the eauth executable, which ensures secure passing of credentials
between submission hosts and execution hosts, even though the submission host does not know which execution host
will be selected to run a job.
Daemon authentication applies to the following communications between LSF daemons:
mbatchd requests to sbatchd
sbatchd updates to mbatchd
PAM interactions with res
mbatchd to mbatchd (in a MultiCluster environment)
Kerberos authentication
Kerberos authentication is an extension of external daemon authentication, providing authentication of LSF users and
daemons during client-server interactions. The eauth executable provided with the Platform integration package uses
Kerberos Version 5 APIs for interactions between mbatchd and sbatchd, and between pam and res. When you use
Kerberos authentication for a cluster or MultiCluster, authentication data is encrypted along the entire path from job
submission through to job completion.
You can also use Kerberos authentication for delegation of rights (forwarding credentials) when a job requires a
Kerberos ticket during job execution. LSF ensures that a ticket-granting ticket (TGT) can be forwarded securely to the
execution host. LSF also automatically renews Kerberos credentials by means of daemon wrapper scripts.
Feature: External authentication