question

junminpark-8774 avatar image
0 Votes"
junminpark-8774 asked prmanhas-MSFT commented

Permission on the HPC Cluster Manager

Hi Team,
We are using HPC Pack 2016 Update 3(5.3.6450.0) on Service Fabric Cluster.
There is some confusion about permission on the HPC Cluster Manager.
We create 2 domain user accounts like testuser1, testuser2 on Domain Controller.

[permission]
testuser1 -> domain user, add user role on HPC Cluster Manager for connect HPC Job Manager
testuser2 -> only domain user

We create sample job “powershell 1..10000” and submit job as shown in the following setting.

[Job Setting]
Job Owner -> testuser1
Run as User -> testuser2
Job is created, submitted, and Finished.

Testuser2 does not have any permission to access HPC Cluster Manager.
Only testuser1 add user role permission on HPC Cluster Manager.
How can the job submit and complete when the Run as User is testuser2?

Thanks.

azure-hpc-pack
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

prmanhas-MSFT avatar image
0 Votes"
prmanhas-MSFT answered prmanhas-MSFT commented

@junminpark-8774 Apologies for the delay in response and all the inconvenience caused because of the issue.

HPC cluster users have permissions to submit their own tasks and jobs to the cluster, and to manage tasks and jobs that they have submitted. When a job that was submitted by an HPC cluster user fails, the user is able to diagnose, repair, and resubmit that job. Although HPC cluster users can see the jobs that have been submitted by others users, they cannot cancel those jobs or resubmit them. Also, HPC cluster users cannot view the job details and tasks for jobs that they did not submit themselves.

You can add domain users and groups to the cluster in different roles to access cluster resources. For example, HPC cluster administrators have permissions to manage all aspects of the cluster, and HPC cluster users can create, submit, and modify their own jobs. Domain users or groups that have not been added to the cluster cannot access cluster resources.
You can set permissions for the job templates that you create to limit the job templates that specific cluster users or groups can use when submitting jobs to your HPC cluster. You can also set permissions for managing the job templates, by granting specific users or groups the permission to edit, copy, and delete a job template.

Below documentation might be helpful as well:

https://docs.microsoft.com/en-us/powershell/high-performance-computing/understanding-user-roles?view=hpc19-ps

https://docs.microsoft.com/en-us/powershell/high-performance-computing/set-job-template-permissions?view=hpc19-ps

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for answer my question.

As said in the question above, testuser2 has not any permission to access HPC Cluster.
testuser2 has only domain users permission and has not added any the HPC role.

According to your answer, users who are not added with the HPC user role will not be able to access HPC cluster resources.
Testuser1 which has the HPC user role is the Job Owner, but why can testuser2 which is the Run as User perform and complete the job?
If testuser2 which is the Run as User doesn't have permission to access the HPC Cluster resource, isn't the Job supposed to fail?

Thanks.

0 Votes 0 ·

@junminpark-8774 Domain users with HPC user role can submit job and tasks and manage them. The RunAs user under which a task runs could be any domain user that can access the compute node. So in the your test, testuser1 can submit job with testuser2 as RunAs user, however testuser2 cannot submit job.

Domain users with HPC administrator role can not only submit job and tasks, but also manage the cluster resources e.g. deploying and managing compute nodes.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.



0 Votes 0 ·