IBM Data and AI Ideas Portal for Customers



Status Delivered
Workspace Spectrum LSF
Created by Guest
Created on Feb 3, 2020

one to many job mapping

-- the job submission user needs to be one particular user,

-- the job execution user should be mapped to various users.



In order for LSF to support such use case, an enhancement is to add

1) a new bsub option to specify the job execution user

2) a new UserMapping section in lsb.users to define policy for user mapping, for example, the EXECUTION_USER (user/user group) whom a SUBMISSION_USER (user/user group) can be mapped to.

What the customer seeks is the ability to allow one user to submit jobs to run as other users.

Requirements:

1. We must be able to specify which user can run as other users.
Imagine there is an LSF config file called lsf.one2many. It looks like this (below). We can add and remove as many 'one to many' users as we wish.
# elevated user or group # users or groups they can run as
cromwell bpappas,cking,apappas
pallas mjohnston, amy, doug

This means that user cromwell can run jobs as users bpappas,cking,apappas.
This means that user pallas can run jobs as users mjohnston, amy, doug

Note, the examples above show users that need this privilege. Groups should be usable as well: groups of users with privileges and groups of users they can run as.

# elevated group # users or groups they can run as
cmgroup bpappas,cking,apappas
pmgroup jgroup, amy, doug


2. bsub must be able to allow a user to attempt to run as other users using a flag like -o2m.

Example:
$whoami
cromwell

$bsub -o2m apappas


3. LSF should fail on a job submission if the user is not allowed to submit the job as another user. It must throw an error like it would for other error scenarios.

Example error output:
$whoami
cromwell
$bsub -o2m doug


4. LSF must charge the resource utilization (cpu time used, etc) to the user that actually runs the job on the execution or batch node.


Here are some scenarios to better express what they require:

$whoami
cromwell

$bsub -o2m apappas


$ssh node001
$ps| grep
1234 apappas <some job>

$bsub -o2m doug




$whoami
pallas

$bsub -o2m doug


$ssh node002
$ps| grep
5678 doug


$ cat lsb.one2many
# elevated user #users that can run as: user1,user2, user3, ...
cromwell bpappas,cking,apappas
pallas mjohnston, amy, doug

Imagine there is a command called bo2m and it shows who can run as other users:

$bo2m
cromwell bpappas,cking,apappas
pallas mjohnston, amy, doug

  • Guest
    Aug 12, 2020

    We have provided a sample wrapper to do this

    https://github.com/IBMSpectrumComputing/lsf-utils/tree/master/bsubmit

    An example:

    cromwell $ cat $LSF_ENVDIR/lsf.usermapping
    #submit users or groups #execute users or groups
    cromwell bpappas,cking,apappas
    pmgroup jgroup

    cromwell $ bsubmit --user apappas sleep 10  # bsubmit is a setuid program
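
The authorization decision a setuid wrapper has to make against a mapping file in the layout shown above, as an added example (not code from the bsubmit sample or from LSF). The function name `may_run_as`, the refusal of `root` as a target, and the treatment of group names as plain literals with no group lookup are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the mapping-file layout shown on this page. */
static const char SAMPLE_POLICY[] =
    "#submit users or groups #execute users or groups\n"
    "cromwell bpappas,cking,apappas\n"
    "pallas mjohnston, amy, doug\n";

/* 1 if the n bytes at s, with surrounding blanks dropped, equal name exactly. */
static int field_eq(const char *s, size_t n, const char *name) {
    while (n && (*s == ' ' || *s == '\t' || *s == '\r')) { s++; n--; }
    while (n && (s[n - 1] == ' ' || s[n - 1] == '\t' || s[n - 1] == '\r')) n--;
    return n == strlen(name) && memcmp(s, name, n) == 0;
}

/* Default-deny check: 1 only when a policy line names `submitter` as its first
 * field and lists `target` among its comma-separated execution users. */
int may_run_as(const char *policy, const char *submitter, const char *target) {
    if (!policy || !submitter || !target || !*submitter || !*target) return 0;
    if (strcmp(target, "root") == 0) return 0;  /* assumption: root is never mappable */
    if (strpbrk(submitter, ", \t#\r\n") || strpbrk(target, ", \t#\r\n")) return 0;

    for (const char *line = policy; *line; ) {
        size_t len = strcspn(line, "\n");       /* current line without '\n' */
        size_t end = strcspn(line, "#\n");      /* content stops at a comment */
        size_t lead = strspn(line, " \t");      /* skip indentation */
        size_t key = lead + strcspn(line + lead, " \t#\n"); /* end of first field */
        if (key > lead && field_eq(line + lead, key - lead, submitter)) {
            for (size_t i = key; i < end; ) {
                size_t j = i + strcspn(line + i, ",#\n");   /* one list entry */
                if (field_eq(line + i, j - i, target)) return 1;
                i = j + 1;
            }
        }
        line += len + (line[len] == '\n');
    }
    return 0;                                   /* no matching rule: deny */
}

int main(void) {
    printf("cromwell->apappas: %d\n", may_run_as(SAMPLE_POLICY, "cromwell", "apappas"));
    printf("cromwell->doug:    %d\n", may_run_as(SAMPLE_POLICY, "cromwell", "doug"));
    return 0;
}
```

In a setuid wrapper the submitter name passed to this check has to come from the real UID (`getuid()` and `getpwuid()`), never from an argument or environment variable, and the mapping file has to be writable only by the account that owns the policy.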

  • Guest
    Apr 30, 2020

    The sudo option, though nice, does not account for the nuances sought in this RFE. Thank you for writing me re: this RFE.

  • Guest
    Mar 30, 2020

    In many organizations the LSF Administrator is not the root user nor are they responsible for IT Security.

    Adding an option where the LSF Administrator can arbitrarily set up mappings with no further authentication/authorization would introduce a significant security risk, e.g. they could set studentgrp->financegrp.

    As previously stated "sudo -u user bsub a.out" would accomplish what you asked for - submission as a different user and accounting done with the executing user. It would also have the benefit of being subject to the site's sudoer security policy.

    Alternatively a setuid wrapper around bsub could be used - this of course would be at the site's own risk as there is no authentication/authorization for these mappings.

  • Guest
    Feb 4, 2020

    Could this not be handled as part of the submission, so the work gets submitted as the correct user?
    "sudo user bsub job"

  • Guest
    Feb 3, 2020

    Bill,

    We had an RFE a few years ago something like the following:

    Begin Queue

    EXECUTION_USER = blah
    USERS = userGroup1 userGroup2 ...

    End Queue

    The upside of this is that it makes setting this up pretty easy. The downside is that you get a little bit of queue sprawl. What do you think about this approach?