Set MATLAB Job Scheduler Cluster Security

Configure and manage security levels for your MATLAB^® Job Scheduler cluster.

In the following instructions, matlabroot refers to the location of your installed MATLAB Parallel Server™ software. Where you see this term used in the instructions that follow, substitute the path to your location.

You can find the mjs_def file in matlabroot/toolbox/parallel/bin for Linux^® (mjs_def.sh) and Windows^® (mjs_def.bat). To learn more about the parameters in mjs_def file, see Define MATLAB Job Scheduler Startup Parameters.

Set Security Level

Set the MATLAB Job Scheduler security level with the SECURITY_LEVEL parameter in the mjs_def file before starting the mjs service on your cluster nodes. The mjs_def file indicates what values you can set and briefly describes each security level.

This table describes the available security levels for accessing MATLAB Job Scheduler and its jobs.

Security Level	Description	User Restrictions
0	No security. Any user can access any job. Tasks are associated with the user who started the `mjs` process on the worker machines (typically root or Local System). This is the default level and is the security level in all releases prior to R2010b. Jobs are associated with the default username, but the software provides no protection.	None
1	Jobs are associated with the submitting user. Any user can access any job. A dialog box warns if the accessed job belongs to another user. Tasks are associated with the user who starts the `mjs` process on the worker machines (typically root or Local System).	A dialog box prompts you to specify a username when you first access the job manager. Your MATLAB Job Scheduler username does not have to match your system or network username. You do not require a password.
2	Jobs have MATLAB Job Scheduler password protection. Jobs and tasks are associated with the submitting user and are password protected. The submitting user can authorize other users to access their jobs and tasks. In this case, an authorized user can enter their own password to access the jobs and tasks. Other unauthorized users cannot access your jobs. Tasks are associated with the user who started the `mjs` process on the worker machines (typically root or Local System).	When you start MATLAB Job Scheduler, you must provide a new password for the job manager administrator account. You can use this account to access all jobs and tasks. If you use LDAP server authentication, you must provide the LDAP server password of the administrator account when MATLAB Job Scheduler prompts you. A dialog box prompts you to specify a username and password when you first access MATLAB Job Scheduler from your MATLAB client session. Your MATLAB Job Scheduler username and password do not have to match your system or network username and password. If you use LDAP server authentication, your MATLAB Job Scheduler username and password must match the username and password in the LDAP server.
3	In addition to the security of level 2, tasks are associated with the submitting user on worker machines. Jobs and tasks are associated with the submitting user and are password protected. Other unauthorized users cannot access your jobs. Tasks are associated with the user who submitted the job.	MATLAB Job Scheduler must use encrypted communication with the workers. For more information, see Set Encrypted Communication. When you start MATLAB Job Scheduler, you must provide a new password for the job manager’s administrator account. You can use this account to access all jobs and tasks. If you use LDAP server authentication, you must provide the LDAP server password of the administrator account when MATLAB Job Scheduler prompts you. A dialog box prompts you to specify a user name and password when you first access MATLAB Job Scheduler from your MATLAB client. Your job manager MATLAB Job Scheduler username and password must be the same as your system or network username and password because the parallel workers must log you in to run the task as you. Read and write permissions to the `CHECKPOINTBASE` folder and all its subfolders must be restricted to the user who starts the `mjs` process. On UNIX systems, the root user must start the `mjs` process on the cluster nodes. On Windows systems, the submitting user must be able to log on locally to every worker machine to successfully run jobs on the cluster. You must grant each submitting user account the `"Allow log on locally"` right. If you disable this right, all the jobs you submit will fail when the cluster starts them. To enable this right, change the `SeInteractiveLogonRight` constant for the user in the User Rights Assignment security policy settings for each machine in the cluster.

Tip

Run the job manager and the workers at the same security level. The job manager does not register a worker running at a lower security level.

Local, MATLAB Job Scheduler, and Network Passwords

For any security level above level 0, when you start MATLAB Job Scheduler (for example, with the startjobmanager command), the software creates a cluster administrator account with the username specified in the ADMIN_USER parameter in the mjs_def file. If you do not specify a username, the administrator account username defaults to admin. The software prompts you to provide a password for the new administrator account. The administrator account has all the necessary permissions for accessing the cluster and all its jobs. To use LDAP server authentication, the username specified in ADMIN_USER must be in the LDAP server.

For any security level, MATLAB Job Scheduler associates every job with the user who submits it. Therefore, whenever you access MATLAB Job Scheduler or a job, MATLAB Job Scheduler must verify your identity.

At security level 0, the software sets the Username property to the login name of the person who creates the job. You can change this value at any time. For all higher security levels, the first time you access MATLAB Job Scheduler, a dialog box prompts you for your username. If the security level is 2 or 3, you must also provide a password. The username and password you provide for MATLAB Job Scheduler must match your network username and password if you are using security level 3 or if the MATLAB Job Scheduler cluster has LDAP server authentication configured. Otherwise, you can create a new username and password for MATLAB Job Scheduler. For convenience, you can choose to save your username and password on the local computer so you do not need to enter them every time you access your job.

For information about changing a password and logging out of a MATLAB Job Scheduler cluster, see changePassword (Parallel Computing Toolbox) and logout (Parallel Computing Toolbox). For more information about LDAP server authentication for MATLAB Job Scheduler clusters, see Configure LDAP Server Authentication for MATLAB Job Scheduler.

Authorize Users for Job and Task Access

This example uses:

Parallel Computing Toolbox Parallel Computing Toolbox

Open Live Script

This example shows how to authorize users to access your job on a MATLAB Job Scheduler cluster with security level 2 or 3. When you create a job and submit it to a MATLAB Job Scheduler cluster, jobs and tasks are associated with the submitting user. These jobs and tasks are password protected so unauthorized users cannot access your jobs.

Use parcluster (Parallel Computing Toolbox) to create a cluster object using the cluster profile 'MyMJSCluster'. Replace 'MyMJSCluster' with the name of your cluster profile. Then, use batch (Parallel Computing Toolbox) to create and submit a job on the cluster.

c = parcluster('MyMJSCluster');
j = batch(c,@rand,1,{2});

You can set the AuthorizedUsers property of a job to authorize user access to that job and its tasks. Each user that you specify must have already used the MATLAB Job Scheduler cluster. Authorize access to a job for users "user1" and "user2".

j.AuthorizedUsers = ["user1","user2"];