Configure Group-Based Authorization in MATLAB Online Server
Authorization is the process of granting users access to resources based on certain criteria, such as the group they belong to (group-based authorization) or the action they are performing (policy-based authorization). MATLAB® Online Server™ supports group-based authorization, which controls the user groups that can access the MATLAB configurations running on the server.
To configure group-based authorization in MATLAB Online Server, you must update these microservices:
In the authentication service,
authnz, configure access to the user groups defined in your organization's identity provider (IdP).In the MATLAB pool service,
matlab-pool, configure the user groups that can access MATLAB.
Prerequisites
MATLAB Online Server is installed. See Installation.
Your organization's IdP is integrated with MATLAB Online Server. To configure MATLAB Online Server to work with your IdP, see Configure User Authentication in MATLAB Online Server.
You know which groups are allowed to access MATLAB. To get information about your organization's groups, contact your organization's directory services administrator or MATLAB administrator.
Configure Groups in Authentication Service
Configure the authnz service to obtain information about the groups
specified in your IdP.
In a plain-text editor, open the authnz.yaml configuration
file.
<server-root>/overrides/<cluster-name>/<namespace-name>/authnz.yaml<server-root>is the MATLAB Online Server installation folder.<cluster-name>is the name of the Kubernetes® cluster.<namespace-name>is the namespace of the MATLAB Online Server deployment.
Sample path:
~/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yamlIn the subjectAttributeMapping section of your identity provider
configuration, locate the groups field. In this field, specify the
name of the attribute in your IdP that contains the groups your organization uses (for
example, "groups" or "roles"). Enclose the group
attribute in quotes.
In this sample configuration, the attribute that configures groups in the IdP is named
"userGroups". For details on configuring other fields, see Configure User Authentication in MATLAB Online Server.
identityProviders:
- id: ...
...
subjectAttributeMapping:
...
groups: "userGroups"
... |
Deploy the updated configuration to the server by redeploying the
authnz service. From the MATLAB
Online Server root folder, run these commands:
./mosadm undeploy authnz
./mosadm deploy authnzConfigure MATLAB Access by Group
In each MATLAB configuration file on your server, add the allowed group information.
If the server has only one MATLAB configuration, in a plain-text editor, open the
matlab-pool.yamlconfiguration file.<server-root>/overrides/<cluster-name>/<namespace-name>/matlab-pool.yamlIf the server has multiple MATLAB configurations, open their configuration files. These files are nested one level deeper, in a
matlab-poolfolder. For example:<server-root>/overrides/<cluster-name>/<namespace-name>/matlab-pool/R2024b.yaml <server-root>/overrides/<cluster-name>/<namespace-name>/matlab-pool/R2024b-gpu.yaml
In the resourceDefinition section of each MATLAB configuration file, in the allowedGroups field, specify
the groups that can access that MATLAB configuration. For example:
resourceDefinition: allowedGroups: - "group1" - "group2*" |
This configuration enables access to the following users:
Any user in
group1Any user in a group that starts with
group2(for example,group2,group2a, orgroup2_gpu)
The asterisk (*) is a wildcard character that
represents zero or more characters. MATLAB
Online Server uses the industry-standard glob pattern for specifying wildcard patterns.
For details, see the Wikipedia article on glob programming.
Deploy the updated configuration to the server.
For a single MATLAB configuration, redeploy the
matlab-poolservice. For example:./mosadm undeploy matlab-pool ./mosadm deploy matlab-poolFor multiple MATLAB configurations, redeploy the services in the
matlab-poolfolder. For example:./mosadm undeploy R2024b R2024b-gpu ./mosadm deploy R2024b R2024b-gpu
The next time that users sign in to MATLAB Online™, they can access only the MATLAB configurations that their groups grant them access to.
Related Topics
You can also select a web site from the following list
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)
Asia Pacific
- Australia (English)
- India (English)
- New Zealand (English)
- 中国
- 日本Japanese (日本語)
- 한국Korean (한국어)