Set MJS Cluster Security

Set the Security Level

You set the job manager or MJS security level with the SECURITY_LEVEL parameter in the mdce_def file before starting the mdce service on your cluster nodes. The mdce_def file indicates what values are allowed, and briefly describes each security level.

The following table describes the available security levels for accessing an MJS and its jobs.

Security Level | Description | User Requirements
0

No security.

  • Any user can access any job.

  • Tasks run as the user who started the mdce process on the worker machines (typically root or Local System).

  • This is the default, and is the behavior in all releases prior to R2010b.

  • Jobs are associated with the default user name of the programmer, but no protection is provided.

1

Jobs are identified with the submitting user.

  • Any user can access any job; a dialog warns if the accessed job belongs to another user.

  • Tasks run as the user who started the mdce process on the worker machines (typically root or Local System).

  • A dialog requires you to establish a user name when you first access the job manager.

  • Your job manager (MJS) user name does not have to match your system/network user name.

  • No passwords are used.

2

Job manager (MJS) password protection on jobs.

  • Jobs and tasks are identified with the submitting user, and are password protected. Other users cannot access your jobs.

  • Tasks run as the user who started the mdce process on the worker machines (typically root or Local System).

  • When you start the job manager (MJS), it prompts you to provide a new password for that job manager's admin account, which can be used for accessing all users’ jobs and tasks.

  • A dialog box requires you to establish a user name and password when you first access the job manager (MJS) from the MATLAB client.

  • Your job manager (MJS) user name and password do not have to match your system/network user name and password.

3

In addition to the security of level 2, tasks run as the submitting user on worker machines.

  • Jobs and tasks are identified with the submitting user, and are password protected. Other users cannot access your jobs.

  • Tasks run as the user who submitted the job.

  • On UNIX systems, the mdce process on the cluster nodes must be started by the root user.

  • The job manager (MJS) must use secure communication with the workers (set in the mdce_def file).

  • When you start the job manager (MJS), it prompts you to provide a new password for that job manager’s admin account, which can be used for accessing all users’ jobs and tasks.

  • A dialog box requires you to establish a user name and password when you first access the job manager (MJS) from the MATLAB client.

  • Your job manager (MJS) user name and password must be the same as your system/network user name and password, because the worker must log you in to run the task as you.

  • Every user that tasks run as requires read and write permissions to the CHECKPOINTBASE folder and all its subfolders.

The job manager and the workers should run at the same security level. A worker running at too low a security level will fail to register with the job manager, because the job manager does not trust it.

Local, MJS, and Network Passwords

For any security above level 0, when you start the MJS (for example, with the startjobmanager command), a cluster user account named admin is created for this cluster, and you are prompted to provide a password for this new account. The cluster admin account has all the necessary permissions for accessing the cluster and all its jobs.

For any security level, the job manager (MJS) identifies every job with the user who submits the job. Therefore, whenever you access the MJS or a job, the MJS must be aware of who you are.

At security level 0, the MJS and job objects’ UserName property is set to the login name of the person who creates the job; this setting can be changed at any time. For all higher security levels, the first access to the MJS causes a dialog box to open which asks for your username; if the security level is 2 or 3, you must also provide a password. The username and password you provide for the MJS need to match your network username and password only if you are using security level 3; otherwise, you can create a new username and password unique for the MJS. For your convenience, you can choose how long to save your username and password on the local computer, so that you do not need to enter them every time you access your job.

For information about changing a password and logging out of an MJS, see changePassword and logout.

Set Secure Communication

To establish secure encrypted communication between job manager (MJS), client and workers, set

  • USE_SECURE_COMMUNICATION = true

  • ALL_SERVER_SOCKETS_IN_CLUSTER = true (default)

in the mdce_def file.

Note

If ALL_SERVER_SOCKETS_IN_CLUSTER = false in the mdce_def file, then secure encrypted communication is established between job manager (MJS) and workers only.

You must also provide a value for the SHARED_SECRET_FILE parameter in the mdce_def file, identifying where the file can be found from the job manager (MJS) perspective. To create this file, run either script:

  • matlabroot/toolbox/distcomp/bin/createSharedSecret (UNIX)

  • matlabroot\toolbox\distcomp\bin\createSharedSecret.bat (Windows)

The secret file establishes trust between the processes on different machines.

  • In a shared file system, all the nodes can point to the same secret file, and they can even all share the same mdce_def file.

  • In a nonshared file system, create a secret file with the provided script, then copy the file to each node and make sure each node’s mdce_def file indicates where its particular secret file is located.

Note

Secure communication is required when using job manager (MJS) security level 3.
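
The following script is an added example, not MathWorks code: it audits one node's mdce_def file against the rules on this page (password protection starts at level 2, level 3 requires secure communication, and secure communication needs a shared secret file that exists on the node). It assumes the parameters appear as shell-style KEY="value" lines and that USE_SECURE_COMMUNICATION is false when unset; the function names get_param, report, and audit_mdce_def are hypothetical.

```shell
#!/bin/sh
# Added example (not MathWorks code): audit an mdce_def file against the rules above.
# Assumption: parameters are shell-style lines such as SECURITY_LEVEL="3".

# get_param FILE KEY DEFAULT: last uncommented assignment of KEY, quotes stripped.
get_param() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*$/\1/p" "$1" | tail -n 1)
    val=$(printf '%s' "$val" | sed 's/[[:space:]]*$//')
    printf '%s' "${val:-$3}"
}

report() { findings=$((findings + 1)); echo "FINDING: $1"; }

# audit_mdce_def FILE: prints findings; exit status is the number of findings.
audit_mdce_def() {
    findings=0
    level=$(get_param "$1" SECURITY_LEVEL 0)                     # 0 is the documented default
    secure=$(get_param "$1" USE_SECURE_COMMUNICATION false)      # assumed default
    allsock=$(get_param "$1" ALL_SERVER_SOCKETS_IN_CLUSTER true) # documented default
    secret=$(get_param "$1" SHARED_SECRET_FILE "")

    case $level in
        0|1) report "SECURITY_LEVEL=$level: no passwords, any user can access any job" ;;
        2|3) ;;
        *)   report "SECURITY_LEVEL=$level is not one of 0, 1, 2, 3" ;;
    esac

    if [ "$secure" != true ]; then
        # Only level 3 makes secure communication mandatory.
        [ "$level" != 3 ] || report "SECURITY_LEVEL=3 requires USE_SECURE_COMMUNICATION=true"
    else
        [ "$allsock" = true ] ||
            report "ALL_SERVER_SOCKETS_IN_CLUSTER=$allsock: only MJS-worker traffic is encrypted"
        if [ -z "$secret" ]; then
            report "SHARED_SECRET_FILE is not set"
        elif [ ! -f "$secret" ]; then
            report "SHARED_SECRET_FILE=$secret does not exist on this node"
        fi
    fi
    return "$findings"
}

# Usage: sh audit_mdce_def.sh /path/to/mdce_def.sh
if [ $# -gt 0 ]; then audit_mdce_def "$1"; fi
```

Run it on the job manager host and on each worker node; in a nonshared file system the SHARED_SECRET_FILE check must pass on every node separately.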
