Configure Group-Based Authorization in MATLAB Online Server
Authorization is the process of granting users access to resources based on certain criteria, such as the group they belong to (group-based authorization) or the action they are performing (policy-based authorization). MATLAB® Online Server™ supports group-based authorization, which controls the user groups that can access the MATLAB configurations running on the server.
To configure group-based authorization in MATLAB Online Server, you must update these microservices:
In the authentication service, authnz, configure access to the user groups defined in your organization's identity provider (IdP).
In the MATLAB pool service, matlab-pool, configure the user groups that can access MATLAB.
Prerequisites
MATLAB Online Server is installed. See Installation.
Your organization's IdP is integrated with MATLAB Online Server. To configure MATLAB Online Server to work with your IdP, see Configure User Authentication in MATLAB Online Server.
You know which groups are allowed to access MATLAB. To get information about your organization's groups, contact your organization's directory services administrator or MATLAB administrator.
Configure Groups in Authentication Service
Configure the authnz service to obtain information about the groups specified in your IdP.
In a plain-text editor, open the authnz.yaml configuration file.
    server_root/overrides/cluster/namespace/authnz.yaml
server_root is the root folder of your MATLAB Online Server installation. For example: matlab_online_server
cluster is the name of your Kubernetes® cluster. For example: matlab-online-server
namespace is the Kubernetes namespace you used to deploy MATLAB Online Server. For example: mathworks
In the subjectAttributeMapping section of your identity provider configuration, locate the groups field. In this field, specify the name of the attribute in your IdP that contains the groups your organization uses (for example, "groups" or "roles"). Enclose the group attribute in quotes.
In this sample configuration, the attribute that configures groups in the IdP is named "userGroups". For details on configuring other fields, see Configure User Authentication in MATLAB Online Server.
    identityProviders:
      - id: ...
        ...
        subjectAttributeMapping:
          ...
          groups: "userGroups"
          ...
Deploy the updated configuration to the server by redeploying the authnz service. From the MATLAB Online Server root folder, run these commands:
    ./mosadm undeploy authnz
    ./mosadm deploy authnz
Configure MATLAB Access By Group
In each MATLAB configuration file on your server, add the allowed group information.
If the server has only one MATLAB configuration, in a plain-text editor, open the matlab-pool.yaml configuration file.
    server_root/overrides/cluster/namespace/matlab-pool.yaml
If the server has multiple MATLAB configurations, open their configuration files. These files are nested one level deeper, in a matlab-pool folder. For example:
    server_root/overrides/cluster/namespace/matlab-pool/R2024a.yaml
    server_root/overrides/cluster/namespace/matlab-pool/R2024a-gpu.yaml
In the resourceDefinition section of each MATLAB configuration file, in the allowedGroups field, specify the groups that can access that MATLAB configuration. For example:
    resourceDefinition:
      allowedGroups:
        - "group1"
        - "group2*"
This configuration enables access to the following users:
Any user in group1
Any user in a group that starts with group2 (for example, group2, group2a, or group2_gpu)
The asterisk (*) is a wildcard character that represents zero or more characters. MATLAB Online Server uses the industry-standard glob pattern for specifying wildcard patterns. For details, see the Wikipedia article on glob (programming).
Deploy the updated configuration to the server.
For a single MATLAB configuration, redeploy the matlab-pool service. For example:
    ./mosadm undeploy matlab-pool
    ./mosadm deploy matlab-pool
For multiple MATLAB configurations, redeploy the services in the matlab-pool folder. For example:
    ./mosadm undeploy R2024a R2024a-gpu
    ./mosadm deploy R2024a R2024a-gpu
The next time that users sign in to MATLAB Online™, they can access only the MATLAB configurations that their groups grant them access to.
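A wildcard entry such as "group2*" admits every IdP group whose name starts with that prefix, so it is worth listing what each allowedGroups pattern actually matches before you redeploy. The following is an added example, not MathWorks code: it uses Python's fnmatchcase as a stand-in for the server's glob matcher (case-sensitive matching is an assumption), and the IdP group list and the intended set are constructed sample data.

```python
from fnmatch import fnmatchcase

# Patterns copied from the allowedGroups example on this page.
ALLOWED_GROUPS = ["group1", "group2*"]

# Constructed sample data: group names as an IdP might report them.
IDP_GROUPS = ["group1", "group10", "group2", "group2a", "group2_gpu",
              "group2-contractors", "group3"]

# Constructed: the groups the administrator actually means to admit.
INTENDED = {"group1", "group2", "group2a", "group2_gpu"}


def expand_patterns(patterns, idp_groups):
    """Map each allowedGroups pattern to the IdP groups it matches."""
    return {p: sorted(g for g in idp_groups if fnmatchcase(g, p))
            for p in patterns}


def unintended_grants(patterns, idp_groups, intended):
    """Return groups that some pattern admits but that are not intended."""
    expanded = expand_patterns(patterns, idp_groups)
    granted = {g for matches in expanded.values() for g in matches}
    return sorted(granted - set(intended))


def user_allowed(user_groups, patterns):
    """True if any of the user's groups matches any allowed pattern."""
    return any(fnmatchcase(g, p) for g in user_groups for p in patterns)


if __name__ == "__main__":
    for pattern, groups in expand_patterns(ALLOWED_GROUPS, IDP_GROUPS).items():
        print(f"{pattern!r} admits: {groups}")
    print("admitted but not intended:",
          unintended_grants(ALLOWED_GROUPS, IDP_GROUPS, INTENDED))
```

With this sample data the exact entry "group1" does not admit group10, while "group2*" also admits group2-contractors; replacing a broad wildcard with explicit group names closes that kind of gap.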