共用方式為


Understanding Roles of HPC Cluster Users and Administrators

Applies To: Windows HPC Server 2008

In Windows HPC Server 2008, you can designate HPC cluster users (listed in HPC Cluster Manager as Users) and HPC cluster administrators (listed in HPC Cluster Manager as Administrators). HPC cluster administrators have permissions to manage all aspects of Windows HPC Server 2008 and can also submit and manage jobs, tasks, and job templates. In contrast, HPC cluster users only have permissions to manage jobs and tasks that they have submitted to the cluster, and view limited information about jobs that have been submitted by others. This topic provides more details about what each role can do, and how users and groups are assigned to the roles by default during the installation of the cluster. With this information, you can make decisions about how to adjust role assignments to align with your organization's requirements.

Important

As a best practice for enhanced security in your cluster, we recommend that you arrange for the creation of two custom groups in Active Directory Domain Services (AD DS) that you can then use for the appropriate roles in your cluster, one group for HPC cluster users and one for HPC cluster administrators. Then you can remove AD DS default groups from HPC cluster roles. If you do not do this, by default, built-in groups such as Domain Users can run jobs and can see the names of compute nodes in the HPC cluster. For important information about how to use custom groups for HPC cluster users and HPC cluster administrators, see Understanding defaults and making adjustments to HPC cluster users and HPC cluster administrators, later in this topic, and the instructions in Designate Cluster Users and Administrators in Windows HPC Server 2008.

In this topic, the following sections describe the differences between the roles of HPC cluster users and HPC cluster administrators:

  • HPC cluster users

  • HPC cluster administrators

  • Comparison of job scheduling operations that HPC cluster users and HPC cluster administrators can do

Also in this topic, the following sections that describe the relationship between Windows HPC Server 2008 and existing groups in AD DS in the network:

  • Mapping of HPC cluster roles to local groups on cluster nodes

  • Understanding defaults and making adjustments to HPC cluster users and HPC cluster administrators

As with other aspects of security in an HPC cluster, the foundation for the roles of HPC cluster user and HPC cluster administrator is provided by AD DS (through domain controllers in the domain). One way of increasing your understanding of how security is supported for an HPC cluster is to learn about how user, group, and computer accounts (objects) function within a domain. For more information, see Active Directory Domain Services Overview (https://go.microsoft.com/fwlink/?LinkId=117781).

HPC cluster users

Assign a person the role of HPC cluster user if you want that person to be able to perform the following actions, but no others:

  • View the names of HPC clusters and compute nodes in the domain (this does not include the ability to view configuration details or other details of the clusters).

  • Manage jobs and tasks that the user has submitted to the cluster.

  • Diagnose, repair, and resubmit a failed job previously submitted by that user.

  • View the jobs that have been submitted by others (this does not include the ability to view job details and tasks for those jobs).

Note

When an HPC cluster user runs a job, the HPC Job Scheduler Service requires that the user have the right to log on locally on the compute nodes on which the job runs. If you or the domain administrators in your organization usually limit this user right, you will need to arrange for adjustments for HPC cluster users. For more information, see Troubleshoot Access to an HPC Cluster When Logon Rights Have Been Restricted.

HPC cluster administrators

Assign a person the role of HPC cluster administrator if you want that person to be able to perform the following actions:

  • Perform all the actions that an HPC cluster user can perform.

  • Configure the cluster (all nodes) and the cluster network.

    Note that when a person is assigned the role of an HPC cluster administrator, that person is placed in the local Administrators group on the head node and all compute nodes.

  • Deploy and manage nodes (which includes applying a template to a node).

    Note

    Windows HPC Server 2008 stops unauthorized computers from being added to the compute nodes in the cluster. If a node that is not yet authorized is detected, it is marked as Unknown until an HPC cluster administrator adds that node to the cluster by applying a node template to it.

  • Run diagnostic tests on the cluster.

  • Restart a node remotely.

  • Configure the HPC Job Scheduler Service.

  • Submit and manage not only the administrator's own jobs, tasks, and job templates, but also those that are created or submitted by other administrators or users.

Comparison of job scheduling operations that HPC cluster users and HPC cluster administrators can do

The following table compares the job scheduling operations that an HPC cluster user can perform with those that an HPC cluster administrator can perform.

Important

The permissions in the following table are fixed. However, you can control the type of jobs that a particular user or user group can submit by creating job templates. For an example, see Steps: Partitioning a Group of Nodes for a Group of Users.

Job Scheduling Operation HPC Cluster User HPC Cluster Administrator

View jobs (but not job details or tasks) for every user

Yes

Yes

List all compute nodes

Yes

Yes

View own tasks

Yes

Yes

Cancel own job

Yes

Yes

Modify or cancel jobs of other users

No

Yes

View tasks for every user

No

Yes

Configure HPC Job Scheduler settings (using the cluscfg command or the Set-HpcClusterProperty cmdlet)

No

Yes

Create and manage job templates

No

Yes

Run the clusrun command-line tool

No

Yes

Mapping of HPC cluster roles to local groups on cluster nodes

If you examine the local groups on the head node and the compute nodes, you will see that users or groups who you designated as HPC cluster users or HPC cluster administrators appear in the local groups. The following table provides details:

Mapping Explanation

HPC cluster administrators maps to local Administrators group on the head node and on compute nodes

If you place a user or group account in HPC Cluster Manager under Administrators, it has the same effect as if you place the account in the local Administrators group on the head node. The account will be in the local Administrators group on the head node and it will be propagated to the local Administrators group on each compute node.

HPC cluster users maps to local Users group on the head node and on compute nodes

If you place a user or group account in HPC Cluster Manager under Users, it has the same effect as if you place the account in the local Users group on the head node. The account will be in the local Users group on the head node and it will be propagated to the local Users group on each compute node.

Understanding defaults and making adjustments to HPC cluster users and HPC cluster administrators

The process that Windows HPC Server 2008 uses for authentication, and for creating default groups of HPC cluster administrators and HPC cluster users, relies on Active Directory Domain Services (AD DS) in the network. The following sequence describes how AD DS and Windows HPC Server 2008 defaults interact, and how you can adjust group memberships for your HPC cluster after it is installed:

  1. Before the HPC cluster can be installed and configured, AD DS must already be running on one or more domain controllers in the network.

  2. When the server that will eventually serve as the head node in the HPC cluster is joined to the domain, AD DS, by default, makes the following group additions:

    • The Domain Admins group is added to the local Administrators group on the head node.

    • The groups called Domain Users, Authenticated Users, and Interactive are added to the local Users group on the head node.

    These defaults can be changed (in Group Policy) by the network administrators for the domain. (However, it is important to recognize that even if the Domain Admins group is removed from the local Administrators group, a person in the Domain Admins group can add it back to the local Administrators at any time.)

  3. Starting from the time that Windows HPC Server 2008 is installed, the following group relationships are established:

    • All members of the local Administrators group on the head node (this typically includes Domain Admins) automatically become HPC cluster administrators.

    • All members of the local Users group on the head node (typically this includes Domain Users, Authenticated Users, and Interactive) automatically become HPC cluster users.

  4. As needed, as an HPC cluster administrator, you can add or remove HPC cluster users or HPC cluster administrators in HPC Cluster Manager. The accounts that you add must be domain accounts, not just local accounts on the head node.

    As a best practice for enhanced security in your cluster, we recommend that you arrange for the creation of two custom groups in Active Directory Domain Services (AD DS) that you can then use for the appropriate roles in your cluster, one group for HPC cluster users and one for HPC cluster administrators. If you do not do this, the default is that all users in the built-in groups Domain Users, Authenticated Users, and Interactive can run jobs and can see the names of compute nodes in the HPC cluster. To use custom groups rather than built-in groups, complete the following series of actions:

    1. Create, or arrange for a network administrator to create, appropriate custom groups in AD DS. One group should contain the users for your HPC cluster, and another group should contain the administrators for your HPC cluster. The usual interface for creating such groups is Active Directory Users and Computers, but commands or cmdlets can also be used.

    2. In HPC Cluster Manager, remove Domain Users, Authenticated Users, and Interactive from the list of HPC cluster users, and remove Domain Admins from the list of HPC cluster administrators. For instructions, see Designate Cluster Users and Administrators in Windows HPC Server 2008. (However, note that members of Domain Admins have the ability to add the group back to the local Administrators group at any time.)

    3. In HPC Cluster Manager, assign your custom group of users to HPC cluster users, and assign your custom group of administrators to HPC cluster administrators. For instructions, see the link in the previous step.

  5. Windows HPC Server 2008 propagates memberships to the local accounts on the compute nodes approximately every five minutes (depending in part on the order in which a particular compute node is contacted by the head node). On each compute node, membership changes in the HPC cluster administrators group are propagated to the local Administrators group, and membership changes in the HPC cluster users group are propagated to the local Users group.

    If you view the list of HPC cluster users or HPC cluster administrators in shown in HPC Cluster Manager, it is always the current list. If you view the list of local Administrators or local Users on a given compute node at a given time, it may or may not be up-to-date with the list on the head node.

Additional references