As described in Authentication and Authorization, jobs are submitted as the service user rather than the user who created the task.

In an on-premises HPC environment, running jobs as the submitting user is a requirement of most job schedulers, as various functions may depend on it (for example, file permissions, storage quotas, job, and cost accounting, and QoS).

In ideal circumstances, cloud-native services would talk API to API, passing along tokens to make sure that this occurred. Unfortunately, LSF, Slurm, PBS, and UGE do not currently provide or treat an API as a first-class citizen along with their CLI. Therefore, an API-to-CLI conversion mechanism is needed to allow this type of job submission to happen. This “converter” is called the Process Launcher.

A secondary role of the Process Launcher is to provide user mapping functionality. Often in HPC environments, the username logging in to the system through IAM is not the same as the username that logs in to the HPC system (for a variety of reasons). Therefore, the Process Launcher provides the basic ability to convert username A to username B when username A submits a job.

Because this service is dealing with Auth, it must be able to talk back to Keycloak within the core services.