You set the job manager or MJS security level with the SECURITY_LEVEL parameter in the mdce_def file before starting the mdce service on your cluster nodes. The mdce_def file indicates what values are allowed, and briefly describes each security level.
The following table describes the available security levels for accessing an MJS and its jobs.
Security Level | Description | User Requirements |
---|---|---|
0 | No security. | |
1 | Jobs are identified with the submitting user. | |
2 | Job manager (MJS) password protection on jobs. | |
3 | In addition to the security of level 2, tasks run as the submitting user on worker machines. | |
The job manager and the workers should run at the same security level. A worker running at too low a security level will fail to register with the job manager, because the job manager does not trust it.
For any security above level 0, when you start the MJS (for example, with the startjobmanager command), a cluster user account named admin is created for this cluster, and you are prompted to provide a password for this new account. The cluster admin account has all the necessary permissions for accessing the cluster and all its jobs.
For any security level, the job manager (MJS) identifies every job with the user who submits the job. Therefore, whenever you access the MJS or a job, the MJS must be aware of who you are.
At security level 0, the MJS and job objects’ UserName property is set to the login name of the person who creates the job; this setting can be changed at any time. For all higher security levels, the first access to the MJS causes a dialog box to open which asks for your username; if the security level is 2 or 3, you must also provide a password. The username and password you provide for the MJS need to match your network username and password only if you are using security level 3; otherwise, you can create a new username and password unique for the MJS. For your convenience, you can choose how long to save your username and password on the local computer, so that you do not need to enter them every time you access your job.
For information about changing a password and logging out of an MJS, see changePassword and logout.
To establish secure encrypted communication between job manager (MJS), client and workers, set USE_SECURE_COMMUNICATION = true and ALL_SERVER_SOCKETS_IN_CLUSTER = true (default) in the mdce_def file.
If ALL_SERVER_SOCKETS_IN_CLUSTER = false in the mdce_def file, then secure encrypted communication is established between job manager (MJS) and workers only.
You must also provide a value for the SHARED_SECRET_FILE parameter in the mdce_def file, identifying where the file can be found from the job manager (MJS) perspective. To create this file, run either script:
(UNIX) matlabroot/toolbox/distcomp/bin/createSharedSecret
(Windows) matlabroot\toolbox\distcomp\bin\createSharedSecret.bat
The secret file establishes trust between the processes on different machines.
In a shared file system, all the nodes can point to the same secret file, and they can even all share the same mdce_def file.
In a nonshared file system, create a secret file with the provided script, then copy the file to each node and make sure each node’s mdce_def file indicates where its particular secret file is located.
Secure communication is required when using job manager (MJS) security level 3.
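The rules above can be checked before the mdce service is started. The following Python sketch is an added example, not part of the product or its documentation: it parses the text of an mdce_def file and reports settings that conflict with the requirements on this page. The function names, the assumed file syntax (one KEY=value assignment per line, optionally quoted or prefixed with "set") and the sample file contents are all assumptions made for illustration.

```python
import re

# Assumed file syntax: one KEY=value per line, optionally quoted, optionally
# prefixed with "set " (batch style). The page itself only shows KEY = value.
_PARAM = re.compile(r'^\s*(?:set\s+)?([A-Z_]+)\s*=\s*"?([^"#\r\n]*?)"?\s*$')

def parse_mdce_def(text):
    """Return {parameter: value} for every assignment line in the text."""
    matches = (_PARAM.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def audit(params):
    """Check one node's settings against the rules stated on this page."""
    findings = []
    level = params.get("SECURITY_LEVEL", "")
    secure = params.get("USE_SECURE_COMMUNICATION", "").lower() == "true"
    all_sockets = params.get("ALL_SERVER_SOCKETS_IN_CLUSTER", "true").lower()
    if level not in ("0", "1", "2", "3"):
        findings.append("SECURITY_LEVEL must be 0, 1, 2 or 3")
    if level == "3" and not secure:
        findings.append("SECURITY_LEVEL 3 requires USE_SECURE_COMMUNICATION = true")
    if secure and not params.get("SHARED_SECRET_FILE"):
        findings.append("secure communication requires SHARED_SECRET_FILE")
    if secure and all_sockets == "false":
        findings.append("only MJS-worker traffic is encrypted, not client traffic")
    return findings

def worker_level_ok(mjs_params, worker_params):
    """False when the worker's level is below the job manager's, in which case
    it would fail to register. Assumes both set a numeric SECURITY_LEVEL."""
    return int(worker_params["SECURITY_LEVEL"]) >= int(mjs_params["SECURITY_LEVEL"])

# Constructed sample files, not taken from any real cluster.
MJS_DEF = '''# job manager node
SECURITY_LEVEL="3"
USE_SECURE_COMMUNICATION="false"
SHARED_SECRET_FILE=""
'''
WORKER_DEF = '''SECURITY_LEVEL = 2
USE_SECURE_COMMUNICATION = true
ALL_SERVER_SOCKETS_IN_CLUSTER = false
'''

if __name__ == "__main__":
    mjs, worker = parse_mdce_def(MJS_DEF), parse_mdce_def(WORKER_DEF)
    for name, params in (("mjs", mjs), ("worker", worker)):
        for finding in audit(params):
            print(f"{name}: {finding}")
    if not worker_level_ok(mjs, worker):
        print("worker: security level is below the job manager's")
```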