How do we handle the authentication while submitting an MATLAB Distributed Computing Server (MDCS) job that uses MICROSOFT Windows HPC Scheduler from MATLAB Production Server?
How job credentials are handled in an HPC cluster
Job submission credentials are sent from the client computer to the head node computer across a .NET Remoting secure channel. Authentication for the .NET Remoting secure channel is performed at the client computer and at the head node computer using Active Directory Domain Services (AD DS). Credentials are encrypted on the head node computer using 256bit Advanced Encryption Standard (AES). The encryption key is created and stored on the head node computer under a secured registry key in the Service Control Manager (SCM) service record for each management and scheduler service. The registry key is added to the Access Control List (ACL) in a way that only the service has access to this data.
When a job is ready to run on compute nodes, the Job Scheduler decrypts the job submission credentials using the same key and sends the credentials over a secure .NET Remoting channel to the compute nodes. The compute nodes then create a user logon token based on the job submission credentials received, which are deleted after the job initialization is completed. On the head node, the encrypted password remains in the Job Scheduler database until the job record is deleted.
How to set the credentials in the MATLAB Production Server?
HPC server provides the ability to set the credentials using the 'hpccred setcreds' API.
First you need to install HPC client utilities on the system where MATLAB Production Server (MPS) is installed.
Then you can set the credentials to use for the user the MPS workers are running as since they will be submitting jobs. The scheduler stores the credentials in the credential cache. Administrators that are setting the credentials for a specified user must supply the credential password.
hpccred setcreds [/password:{<password>|*}] [/scheduler:<name>] [/user:[<domain>\]<user_name>]
To set the credentials for the user with a user name of 'someone' in the CONTOSO domain in the cached credentials that the HPC Job Scheduler Service uses to submit jobs, use the following command and enter the password for the user when prompted (interactive prompt which has to be authorized by logging into the system):
hpccred setcreds /user:CONTOSO\someone
Similarly, use the following command to submit a job to the SCHED scheduler without any password prompt:
hpccred setcreds /user:CONTOSO\someone /password:password123 /scheduler:SCHED
Please note that this API was introduced in HPC Pack 2008 R2 with Service Pack 2 (SP2) and refer to the following link for more information on using the 'hpccred setcreds' API:
