Monday, May 16, 2011

FlexLM and Furious: Restricting FlexNet license usage

FlexNet licenses are expensive. Sometimes they can cost all your coffee money so it's no wonder you might want to restrict their usage. The FlexNet framework offers a horrific mechanism for restricting license check-out: the options file. Typically named license.opt, the options file is a configuration file that doesn't make sense to anybody.


image
A typical FlexNet license server folder containing an assortment
of files. The options file is labelled ‘4’. Depending on your region, this
may appear as IV or
.
 
The options file allows you to restrict license check-out to authorized users (informally known as, "stopping those filthy students from other departments too cheap to buy their own darn AutoCAD licenses"). Can you restrict license check-outs to people in an LDAP or Active Directory group? No. You're restricted to lame methods like
  1. Computer name - This might be useful if you want to authorize license checkout to computers in a specific computer lab or the nodes in a high-performance compute (HPC) cluster. If you're a university, your HPC cluster probably consists of over-clocked Celerons in a datacentre. And if you’re a university, your datacentre is probably a broom closet with an Apple sticker on it.

  2. User name - If you include the line INCLUDE matlab USER paul, I will be able to check-out a MATLAB license for my Donald Trump popularity modelling project. But what if I login from a personal laptop where my user account is DoctorPaulMedicineMan? License check-out denied! And did I mention FlexNet treats usernames as case sensitive? If I login as PAUL or even Paul I'll get the same error: check-out denied!

  3. IP address - this is useful in approximately 0% of circumstances. If your users use DHCP, it's useless. If your users VPN in, they're assigned a VPN address which is useless unless you want to give access to everybody who VPNs in (in which case, you're useless). If your desktops use static IP addresses, you've probably got bigger problems than restricting license checkouts.

  4. Subnet - this would be useful if the programmers at Flexera knew how to subnet. In the magical FlexNet world (I'm not sure how to get there but I think it involves being at the Flexera offices and eating lots of mushrooms) there is no such thing as CIDR. To allow all the users in 172.16.0.1/24 access to the AutoCAD license, you simply include the line INCLUDE autocad INTERNET 172.16.0.* Simply place the asterisk in the subnet octet you want to permit! Awesome! Now, what do you do if it's a /25 and the next subnet is full of hungry AutoCAD who will consume all your licenses like piranhas with humans in a villain's lair?

    Piranhas can be restricted using an options files.
     
  5. Display - you can restrict the check-out of licenses to a /dev/tty or Windows Remote Desktop client name. This was last used when tested in 1987 by a Highland Software engineer and the FBI currently offer a $25 million reward for any tips leading to proof this feature is used.

  6. Project - check-out is restricted to users who have a environment variable set. This is unfathomably useless.
With all these useless mechanisms, how can I properly restrict license check-outs? I'm glad you asked.
  1. Free for all! - if you're reading this blog post, you’re probably looking to restrict license usage so a free for all solution probably isn't acceptable in your organization.

  2. License slave - designate somebody in your organization as a 'license slave'. Restrict license checkouts for controlled applications/features using an options file. If a user wants access to a feature, have the license slave add their username or hostname to the options file. To ensure they are always available to update the options file, simply handcuff them to their desk.

  3. Leverage identity management! - Create a security group for each feature/application you want to restrict. For example, if you want to restrict AutoCAD check-outs, create a security group called Authorized AutoCAD Users Bagel. With some clever ETL skills, you can transform the contents of this security group into an options file! Could this be the topic of an upcoming blog post?!

  4. Leverage directory services - The poor man's version of the above. Instead of using your identity management system to convert the contents of a security group into an options file, write a script to do it. Setup a scheduled task to run this script every second. Don't dare comment the script - this will allow somebody beside yourself to understand it which can only undermine your job security.
Thank you for reading. I'm unsure what my next licensing blog post will be on. Maybe alligators. Or that identity leverage thing.
 

No comments:

Post a Comment