Set MATLAB Job Scheduler Cluster Security

Set the Security Level

You set the MATLAB® Job Scheduler security level with the SECURITY_LEVEL parameter in the mjs_def file before starting the mjs service on your cluster nodes. The mjs_def file indicates what values are allowed, and briefly describes each security level.

The following table describes the available security levels for accessing a MATLAB Job Scheduler and its jobs.

Security Level 0: No security.

Description:

  • Any user can access any job.

  • Tasks run as the user who started the mjs process on the worker machines (typically root or Local System).

User Requirements:

  • This is the default, and is the behavior in all releases prior to R2010b.

  • Jobs are associated with the default user name of the programmer, but no protection is provided.

Security Level 1: Jobs are identified with the submitting user.

Description:

  • Any user can access any job; a dialog warns if the accessed job belongs to another user.

  • Tasks run as the user who started the mjs process on the worker machines (typically root or Local System).

User Requirements:

  • A dialog requires you to establish a user name when you first access the job manager.

  • Your MATLAB Job Scheduler user name does not have to match your system/network user name.

  • No passwords are used.

Security Level 2: MATLAB Job Scheduler password protection on jobs.

Description:

  • Jobs and tasks are identified with the submitting user, and are password protected. Other users cannot access your jobs.

  • Tasks run as the user who started the mjs process on the worker machines (typically root or Local System).

User Requirements:

  • When you start the MATLAB Job Scheduler, it prompts you to provide a new password for that job manager’s admin account, which can be used for accessing all users’ jobs and tasks.

  • A dialog box requires you to establish a user name and password when you first access the MATLAB Job Scheduler from the MATLAB client.

  • Your MATLAB Job Scheduler user name and password do not have to match your system/network user name and password.

Security Level 3: In addition to the security of level 2, tasks run as the submitting user on worker machines.

Description:

  • Jobs and tasks are identified with the submitting user, and are password protected. Other users cannot access your jobs.

  • Tasks run as the user who submitted the job.

User Requirements:

  • On UNIX systems, the mjs process on the cluster nodes must be started by the root user.

  • The MATLAB Job Scheduler must use secure communication with the workers (set in the mjs_def file).

  • When you start the MATLAB Job Scheduler, it prompts you to provide a new password for that job manager’s admin account, which can be used for accessing all users’ jobs and tasks.

  • A dialog box requires you to establish a user name and password when you first access the MATLAB Job Scheduler from the MATLAB client.

  • Your MATLAB Job Scheduler user name and password must be the same as your system/network user name and password, because the worker must log you in to run the task as you.

  • Every user that tasks run as requires read and write permissions to the CHECKPOINTBASE folder and all its subfolders.

The job manager and the workers should run at the same security level. A worker running at too low a security level will fail to register with the job manager, because the job manager does not trust it.

Local, MATLAB Job Scheduler, and Network Passwords

For any security above level 0, when you start the MATLAB Job Scheduler (for example, with the startjobmanager command), a cluster user account named admin is created for this cluster, and you are prompted to provide a password for this new account. The cluster admin account has all the necessary permissions for accessing the cluster and all its jobs.

For any security level, the MATLAB Job Scheduler identifies every job with the user who submits the job. Therefore, whenever you access the MATLAB Job Scheduler or a job, the MATLAB Job Scheduler must be aware of who you are.

At security level 0, the UserName property of the MATLAB Job Scheduler and job objects is set to the login name of the person who creates the job; this setting can be changed at any time. For all higher security levels, the first access to the MATLAB Job Scheduler opens a dialog box that asks for your username; if the security level is 2 or 3, you must also provide a password. The username and password you provide for the MATLAB Job Scheduler need to match your network username and password only if you are using security level 3; otherwise, you can create a new username and password unique to the MATLAB Job Scheduler. For your convenience, you can choose how long to save your username and password on the local computer, so that you do not need to enter them every time you access your job.

For information about changing a password and logging out of a MATLAB Job Scheduler, see changePassword and logout.

Set Secure Communication

To establish secure encrypted communication between MATLAB Job Scheduler, client and workers, set

  • USE_SECURE_COMMUNICATION = true

  • ALL_SERVER_SOCKETS_IN_CLUSTER = true (default)

in the mjs_def file. Secure encrypted communication is provided via SSLSocket using TLSv1.2 only.

Note

If ALL_SERVER_SOCKETS_IN_CLUSTER = false in the mjs_def file, then secure encrypted communication is established between MATLAB Job Scheduler and workers only.

You must also provide a value for the SHARED_SECRET_FILE parameter in the mjs_def file, identifying where the file can be found from the MATLAB Job Scheduler perspective. To create this file, run either script:

  • matlabroot/toolbox/parallel/bin/createSharedSecret (UNIX)

  • matlabroot\toolbox\parallel\bin\createSharedSecret.bat (Windows)

The secret file establishes trust between the processes on different machines.

  • In a shared file system, all the nodes can point to the same secret file, and they can even all share the same mjs_def file.

  • In a nonshared file system, create a secret file with the provided script, then copy the file to each node and make sure each node’s mjs_def file indicates where its particular secret file is located.

Note

Secure communication is required when using MATLAB Job Scheduler security level 3.
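
The rules on this page (level 3 requires secure communication, secure communication requires SHARED_SECRET_FILE, and workers should match the scheduler's security level) can be checked before the mjs service is started. The following Python check is an added example, not MathWorks code. It assumes mjs_def holds NAME=value lines (optionally quoted or prefixed with set), treats an unset USE_SECURE_COMMUNICATION as not enabled, and runs on constructed sample files.

```python
import re

def parse_mjs_def(text):
    """Return the NAME=value settings that are not commented out."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("set "):       # assumed batch-style prefix
            line = line[4:]
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[A-Z_]+", name.strip()):
            settings[name.strip()] = value.strip().strip('"')
    return settings

def audit_node(settings):
    """Check one node's settings against the rules stated on this page."""
    findings = []
    level = settings.get("SECURITY_LEVEL") or "0"   # 0 is the documented default
    secure = settings.get("USE_SECURE_COMMUNICATION", "").lower() == "true"
    all_sockets = settings.get("ALL_SERVER_SOCKETS_IN_CLUSTER", "true").lower()
    if level not in {"0", "1", "2", "3"}:
        findings.append(f"SECURITY_LEVEL {level!r} is not one of 0-3")
    if level == "3" and not secure:
        findings.append("level 3 requires USE_SECURE_COMMUNICATION = true")
    if secure and not settings.get("SHARED_SECRET_FILE"):
        findings.append("secure communication needs SHARED_SECRET_FILE")
    if secure and all_sockets == "false":
        findings.append("encryption covers scheduler-worker traffic only")
    return level, findings

def audit_cluster(scheduler_text, worker_texts):
    """Return {node: [findings]}; worker_texts maps node name to file text."""
    sched_level, findings = audit_node(parse_mjs_def(scheduler_text))
    report = {"scheduler": findings}
    for node, text in worker_texts.items():
        level, findings = audit_node(parse_mjs_def(text))
        if level != sched_level:
            findings.append(f"level {level} differs from scheduler level {sched_level}")
        report[node] = findings
    return report

# Constructed sample files (not taken from a real cluster).
SCHEDULER = ('SECURITY_LEVEL="3"\nUSE_SECURE_COMMUNICATION="true"\n'
             'SHARED_SECRET_FILE="/constructed/path/secret"\n')
WORKERS = {"worker1": SCHEDULER,
           "worker2": '#SECURITY_LEVEL="3"\nUSE_SECURE_COMMUNICATION = true\n'}

if __name__ == "__main__":
    for node, findings in audit_cluster(SCHEDULER, WORKERS).items():
        print(node, findings or "ok")
```

In the sample, worker2 leaves SECURITY_LEVEL commented out, so it falls back to level 0 and is reported as mismatched with the level 3 scheduler, which is the case the page says fails to register.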