What is Job Manager Security and how do I implement it in my MATLAB Parallel Server configuration?

Looking in the documentation for the MATLAB Parallel Server I see there is an option to set Job Manager Security. What is Job Manager Security and how do I use it?

Accepted Answer

MathWorks Support Team on 16 Nov 2022
Edited: MathWorks Support Team on 17 Nov 2022
As of R2010b, Job Manager Security was introduced to add some extra security to jobs that are submitted using the MathWorks Job Manager. By utilizing this feature, you can restrict who has access to job data, what user account is used to execute tasks, and which users are allowed to submit jobs. For more information about Job Manager Security see the documentation here:
NOTE: The Job Manager Security Tools are only available if you are using the MathWorks Job Manager provided with MATLAB Parallel Server.
Security Levels
==========
By default, Job Manager Security is off. There are 4 levels that can be used:
0: (Off) Job Manager Security is off. Any user can access the jobmanager and data. Tasks will run as the user who started the mdce service.
1: (User identified) Jobs are identified with a user. When the user accesses the job manager, a user name is required. This user name does not have to match any user on the system and no passwords are required. Any user can access any job, but a dialog box warns users who access other users' jobs.
2: (Password protected) Same as level 1, however, users can only access their own jobs and users must provide a password for jobs. When you start the jobmanager, you create an admin account for the jobmanager. This admin has full access to job data as well. Usernames and passwords do not need to match the system/network name.
3: (System/Network Authenticated) Similar to level 2, however, user accounts must match that of the system/network. Additionally, when tasks are run, these tasks run as the user who submits the job. Requires the use of secure communication using a shared secret key file (see below).
Security Options
==========
In addition to these levels there are some additional options you can set for Job Manager Security. These options as well as the security level are set in the mjs_def file located in $MATLAB/toolbox/parallel/bin (where $MATLAB represents the folder where MATLAB is installed). The mjs_def has the following options for Job Manager Security:
set SECURITY_LEVEL=
Specifies the security level as above.
set USE_SECURE_COMMUNICATION=
Specifies whether the shared key is used for security between the jobmanager and workers. If level 3 security is set, this value must be true.
set SHARED_SECRET_FILE=
Path to the shared secret file. If you set USE_SECURE_COMMUNICATION to true, you must point to the secret file.
set ALLOW_CLIENT_PASSWORD_CACHE=
If true, the jobmanager remembers user passwords for future sessions.
set ALLOWED_USERS=
Names the users that are allowed to submit jobs when using level 1 or higher. To allow all users, set the value to ALL.
set REQUIRE_CLIENT_CERTIFICATE=
If true, all clients must provide a certificate in order to connect to the job manager. This can only be enabled when using secure communication with a shared secret.
set WORKER_DOMAIN=
When using security level 3 on a Windows system, this specifies the required domain name that the workers will run as.
Creating a Shared Secret File
==========
When using the secure communication method, you need to use a shared key file. To generate this key file you can use the following commands:
$MATLAB/toolbox/parallel/bin/createSharedSecret (UNIX)
$MATLAB\toolbox\parallel\bin\createSharedSecret.bat (Windows)
Where $MATLAB is the path to the MATLAB installation. Once complete, you can either place the file on a network share and point each node to it in the mjs_def file, or copy the file locally. If SHARED_SECRET_FILE= is unset, the shared secret is expected in %CHECKPOINTBASE%\security\secret. (See the mjs_def file to find where CHECKPOINTBASE is located).
Implementing Job Manager Security
==========
Job Manager Security is set up when you start the Job Manager and workers. If you already have a Job Manager set up and want to change the security, you must first stop that Job Manager and its associated workers and restart the MATLAB Parallel Server service (run "mdce stop" and then run "mdce start" or restart the service from the Windows Services applet). Once complete, you can use the Admin Center or command line to start the Job Manager and workers. If prompted for a job manager administrator account, this account will serve to be the main account for starting and stopping workers in addition to accessing all job data.
NOTE: Starting in R2019a the following name changes occurred:
  • MATLAB Distributed Computing Server was renamed to MATLAB Parallel Server
  • mdce_def was renamed to mjs_def
  • mdce binary was renamed to mjs
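
The dependencies between these settings can be checked before the Job Manager is restarted. The following is an added example, not MathWorks code and not part of the original answer: it parses the text of an mjs_def file and reports combinations the answer describes as invalid or weak. The function names `parse_mjs_def` and `audit` are hypothetical, the sample file is constructed, and the script assumes that an unset option means off/false and that a shell-style `NAME="value"` line is equivalent to `set NAME=value`.

```python
import re

SAMPLE = """\
REM constructed sample in the "set NAME=value" form, not a real site's file
set SECURITY_LEVEL=3
set USE_SECURE_COMMUNICATION=false
set SHARED_SECRET_FILE=
set ALLOW_CLIENT_PASSWORD_CACHE=true
set ALLOWED_USERS=ALL
set REQUIRE_CLIENT_CERTIFICATE=true
"""

# Accepts "set NAME=value" and, as an assumption, shell-style NAME="value".
# Comment lines (REM ..., :: ..., # ...) never match.
_ASSIGN = re.compile(r'^\s*(?:set\s+)?([A-Z_]+)\s*=\s*"?([^"\r\n]*?)"?\s*$', re.I)

def parse_mjs_def(text):
    """Return {NAME: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip()
    return settings

def audit(settings):
    """Return (severity, message) findings for the rules stated in the answer."""
    is_true = lambda key: settings.get(key, "").lower() == "true"
    raw = settings.get("SECURITY_LEVEL") or "0"  # unset is treated as off (the default)
    if raw not in ("0", "1", "2", "3"):
        return [("error", f"SECURITY_LEVEL={raw!r} is not one of 0-3")]
    level, secure = int(raw), is_true("USE_SECURE_COMMUNICATION")
    findings = []
    if level <= 1:
        findings.append(("warn", f"level {level}: any user can access any job"))
    if level == 3 and not secure:
        findings.append(("error", "level 3 requires USE_SECURE_COMMUNICATION=true"))
    if is_true("REQUIRE_CLIENT_CERTIFICATE") and not secure:
        findings.append(("error", "REQUIRE_CLIENT_CERTIFICATE needs secure communication"))
    if secure and not settings.get("SHARED_SECRET_FILE"):
        findings.append(("info", "secret expected in CHECKPOINTBASE/security/secret"))
    if level >= 1 and settings.get("ALLOWED_USERS", "").upper() == "ALL":
        findings.append(("info", "ALLOWED_USERS=ALL: every user may submit jobs"))
    if is_true("ALLOW_CLIENT_PASSWORD_CACHE"):
        findings.append(("info", "user passwords are remembered for future sessions"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(parse_mjs_def(SAMPLE)):
        print(f"{severity:5} {message}")
```

To audit a real node, pass the contents of that node's own mjs_def file to `parse_mjs_def` in place of `SAMPLE`.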

Version

R2010b
