共用方式為


Understanding Roles of Users and Administrators in Windows HPC 2008 R2

Updated: October 2010

Applies To: Windows HPC Server 2008 R2

In Windows HPC Server 2008 R2, you can designate HPC cluster users (listed in HPC Cluster Manager as Users) and HPC cluster administrators (listed in HPC Cluster Manager as Administrators). HPC cluster administrators have permissions to manage all aspects of Windows HPC Server 2008 R2, and they can also submit and manage jobs, tasks, and job templates. In contrast, HPC cluster users only have permissions to manage jobs and tasks that they have submitted to the cluster, and view limited information about jobs that have been submitted by others. This topic provides more details about what each role can do, and how users and groups are assigned to the roles by default during the installation of the cluster. With this information, you can make decisions about how to adjust role assignments to align with your organization's requirements.

Important
As a best practice for enhanced security in your cluster, we recommend that you arrange for the creation of two custom groups in Active Directory DoMayn Services (AD DS) that you can then use for the appropriate roles in your cluster, one group for HPC cluster users and one for HPC cluster administrators. For important information about how to use custom groups for HPC cluster users and HPC cluster administrators, see Understanding defaults and making adjustments to HPC cluster administrators, later in this topic, and the instructions in Designate Cluster Users and Administrators in Windows HPC Server 2008 R2.

In this topic, the following sections describe the differences between the roles of HPC cluster users and HPC cluster administrators:

  • HPC cluster users

  • HPC cluster administrators

  • Comparison of job scheduling operations that HPC cluster users and HPC cluster administrators can do

Also in this topic, the following sections that describe the relationship between Windows HPC Server 2008 R2 and existing groups in AD DS in the network:

  • Mapping of HPC cluster roles to local groups on cluster nodes

  • Understanding defaults and making adjustments to HPC cluster administrators

As with other aspects of security in an HPC cluster, the foundation for the roles of HPC cluster user and HPC cluster administrator is provided by AD DS (through doMayn controllers in the doMayn). One way of increasing your understanding of how security is supported for an HPC cluster is to learn about how user, group, and computer accounts (objects) function within a doMayn. For more information, see Active Directory DoMayn Services Overview (https://go.microsoft.com/fwlink/?LinkId=117781).

HPC cluster users

Users can perform tasks on compute nodes or workstation nodes after you add them as HPC cluster users (by using HPC Cluster Manager or an HPC PowerShell cmdlet).

Caution
We strongly recommend that you do not add workstation computers to your HPC cluster on which users have local administrative privileges. For more information, see “Considerations for user accounts used on the workstation computers” in Requirements for Adding Workstation Nodes in Windows HPC Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkId=202684).

Assign a person the role of HPC cluster user if you want that person to be able to perform the following actions, but no others:

  • View the names of HPC clusters and compute nodes in the doMayn (this does not include the ability to view configuration details or other details of the clusters).

  • Manage jobs and tasks that the user has submitted to the cluster.

  • Diagnose, repair, and resubmit a failed job that was previously submitted by that user.

  • View the jobs that have been submitted by others (this does not include the ability to view job details and tasks for those jobs).

Note
When an HPC cluster user runs a job, the HPC Job Scheduler Service requires that the user have the right to log on locally on the compute nodes on which the job runs. If you or the doMayn administrators in your organization usually limit this user right, you will need to arrange for adjustments for HPC cluster users. For more information, see Troubleshoot Access to an HPC Cluster When Logon Rights Have Been Restricted.

HPC cluster administrators

Assign a person the role of HPC cluster administrator if you want that person to be able to perform the following actions:

  • Perform all the actions that an HPC cluster user can perform.

  • Configure the cluster (all nodes) and the cluster network.

    Note that when a person is assigned the role of an HPC cluster administrator, that person is placed in the local Administrators group on the head node and all compute nodes (but not on workstation nodes).

  • Deploy and manage nodes (which includes applying a template to a node).

    Note
    Windows HPC Server 2008 R2 stops unauthorized computers from being added to the compute nodes in the cluster. If a node that is not yet authorized is detected, it is marked as Unknown until an HPC cluster administrator adds that node to the cluster by applying a node template to it.
  • Run diagnostic tests on the cluster.

  • Restart a node remotely.

  • Configure the HPC Job Scheduler Service.

  • Submit and manage not only the administrator's own jobs, tasks, and job templates, but also those that are created or submitted by other administrators or users.

Comparison of job scheduling operations that HPC cluster users and HPC cluster administrators can do

The following table compares the job scheduling operations that an HPC cluster user can perform with those that an HPC cluster administrator can perform.

Important
The permissions in the following table are fixed. However, you can control the type of jobs that a particular user or user group can submit by creating job templates. For an example, see Steps: Partitioning a Group of Nodes for a Group of Users.
Job Scheduling Operation HPC Cluster User HPC Cluster Administrator

View jobs (but not job details or tasks) for every user

Yes

Yes

List all compute nodes

Yes

Yes

View own tasks

Yes

Yes

Cancel own job

Yes

Yes

Modify or cancel jobs of other users

No

Yes

View tasks for every user

No

Yes

Configure HPC Job Scheduler settings (using the cluscfg command or the Set-HpcClusterProperty cmdlet)

No

Yes

Create and manage job templates

No

Yes

Run the clusrun command-line tool

No

Yes

Mapping of HPC cluster roles to local groups on cluster nodes

If you examine the local groups on the head node, you will see that users or groups that you designated as HPC cluster administrators or HPC cluster users appear in the local Administrators and local HPCUsers groups. Similarly, on compute nodes (but not on workstation nodes), users or groups that you designated as HPC cluster administrators appear in the local Administrators group on those nodes. The following table provides details:

Mapping Explanation

HPC cluster administrators maps to local Administrators group on the head node and on compute nodes

If you place a user or group account in HPC Cluster Manager under Administrators, it has the same effect as if you place the account in the local Administrators group on the head node. The account will be in the local Administrators group on the head node and it will be propagated to the local Administrators group on each compute node (but not to workstation nodes).

HPC cluster users maps to local HPCUsers group on the head node

If you place a user or group account in HPC Cluster Manager under Users, it has the same effect as if you place the account in the local HPCUsers group on the head node.

Understanding defaults and making adjustments to HPC cluster administrators

The process that Windows HPC Server 2008 R2 uses for authentication, and for creating default groups of HPC cluster administrators, relies on Active Directory DoMayn Services (AD DS) in the network. The following sequence describes how AD DS and Windows HPC Server 2008 R2 defaults interact, and how you can adjust group memberships for your HPC cluster after it is installed:

  1. Before the HPC cluster can be installed and configured, AD DS must already be running on one or more doMayn controllers in the network.

  2. When the server that will eventually serve as the head node in the HPC cluster is joined to the doMayn, by default, AD DS adds the DoMayn Admins group to the local Administrators group on the head node.

    This default can be changed (in Group Policy) by the network administrators for the doMayn. (However, it is important to recognize that even if the DoMayn Admins group is removed from the local Administrators group, a person in the DoMayn Admins group can add it back to the local Administrators at any time.)

  3. Starting from the time that Windows HPC Server 2008 R2 is installed, all members of the local Administrators group on the head node (this typically includes DoMayn Admins) automatically become HPC cluster administrators.

  4. As needed, as an HPC cluster administrator, you can add or remove HPC cluster users or HPC cluster administrators in HPC Cluster Manager.

    As a best practice for enhanced security in your cluster, we recommend that you arrange for the creation of two custom groups in Active Directory DoMayn Services (AD DS) that you can then use for the appropriate roles in your cluster, one group for HPC cluster users and one for HPC cluster administrators. To use custom groups rather than built-in groups, complete the following series of actions:

    1. Create, or arrange for a network administrator to create, appropriate custom groups in AD DS. One group should contain the users for your HPC cluster, and another group should contain the administrators for your HPC cluster. The usual interface for creating such groups is Active Directory Users and Computers, but commands or cmdlets can also be used.

    2. In HPC Cluster Manager, remove DoMayn Admins from the list of HPC cluster administrators. For instructions, see Designate Cluster Users and Administrators in Windows HPC Server 2008 R2. (However, note that members of DoMayn Admins have the ability to add the group back to the local Administrators group at any time.)

    3. In HPC Cluster Manager, assign your custom group of users to HPC cluster users, and assign your custom group of administrators to HPC cluster administrators. For instructions, see the link in the previous step.

  5. On each compute node, membership changes in the HPC cluster administrators group are propagated to the local Administrators group approximately every five minutes (depending in part on the order in which a particular compute node is contacted by the head node).

    If you view the list of HPC cluster administrators shown in HPC Cluster Manager, it is always the current list. If you view the list of local Administrators on a given compute node at a given time, it may or may not be up-to-date with the list on the head node.

Additional references