Security¶
Gurobi Remote Services define a set of user roles to control privileged access. Access to the Cluster Manager is authenticated. For local accounts, a password policy can be defined. In addition, the Cluster Manager can be integrated with an LDAP repository for centralized account management. Communication can be encrypted using TLS v1.2 or later. If a Cluster Manager is not deployed, communication can still be encrypted, but access is controlled through a set of predefined passwords instead.
User Roles¶
Users of Gurobi Remote Services will fall into one of four possible roles: system administrator, administrator, standard user, or read-only user. The system administrator is in charge of setting up the cluster, adding and removing nodes, etc. Administrators monitor usage of the cluster. They can monitor the length of the server queue, kill jobs, etc. Standard users are the programs running on client machines that ultimately submit jobs or batches to the cluster. Read-only users can only monitor jobs submitted by other users.
The Gurobi distribution includes a number of tools that are relevant to the people in these roles. These are all covered in much more detail later on, but we will briefly describe how they fit with the various roles here.
System Administrator¶
The system administrator installs and manages a Remote Services cluster and the different components. Gurobi Remote Services provides the following tools to help with this:
grb_rs is the program that runs on the Compute Server and Distributed Worker nodes. The system administrator will need to configure and start it on all of the nodes of a Remote Services cluster.
grb_rsm is the program that runs the Cluster Manager. The system administrator will need to configure and start it on one or more machines, as needed. The system administrator will also need to set up the Database and configure its connection.
grbcluster is used to issue commands to an already-running cluster. Examples of system administrator commands include adding or removing nodes, and enabling or disabling job processing on a cluster. This tool provides a number of commands; type
grbcluster —-help
for a full list.Finally, most of the important responsibilities of the system administrator, including user management and cluster health monitoring, can also be performed through the Web User Interface of the Cluster Manager.
For more details, please refer to the section on setting up and administering a cluster.
Administrator¶
An administrator monitors and manages the flow of jobs through a Remote
Services cluster. Examples of administrator commands include aborting
jobs, changing cluster parameters and checking licenses. The primary
tool for doing so is grbcluster. You can get a
full list of available commands by typing grbcluster —-help
. All of
these functions are also exposed in the Web User Interface of the
Cluster Manager.
Standard Client¶
A Remote Services client submits jobs or batches to the cluster. This is
done through a user application or through the Gurobi command-line tool
gurobi_cl (which is documented in the
Gurobi Command-Line Tool
section of the
Gurobi Reference Manual). Submitting a
job to a Remote Services cluster is typically just a matter of running
the appropriate program. We will provide a simple example in the next
section.
Clients can also use the grbcluster command to
monitor the state of their jobs and of the Remote Services queue.
Example commands include listing active jobs, listing recently executed
jobs, displaying the log of a recent job, etc. You can get a full list
of available commands by typing grbcluster —-help
. grbcluster
can also be used to submit batches.
Finally, clients can access the Web User Interface of the Cluster
Manager. All of the functions provided by grbcluster
are available
in the web application, including submitting batches using a
drag-and-drop interface.
Read-only Users¶
Read-only users can only monitor optimization tasks. They can list jobs and batches, access history, display the log of a job, etc. They are not allowed to submit jobs or batches to the cluster, nor can they abort jobs.
Authentication¶
The Cluster Manager authenticates all communication using one of two approaches: interactive login using a username and password, or an API key.
When a client provides a username and password, a JWT token is returned
that is valid for a relatively short period of time (default is 8 hours
and can be changed in the Cluster Manager configuration). This is handy
when using the Web User Interface or command-line tools such as
gurobi_cl
or grbcluster
.
An API key is composed of an access ID and a secret key. API keys are the recommended method for connecting to the Cluster Manager from an application. When creating an API key, you can specify an optional application name and a description to help keep track of how the key is being used. Once a key is created, you can download an associated client license file, which contains the API access ID, the secret key, and the Cluster Manager URL. This file can be used by client applications and command-line tools to connect to the Cluster Manager. The Cluster Manager keeps track of the timestamp and IP address of the last API key usage. The owner of the API key or the system administrator can enable or disable an API key. These features simplify the task of monitoring API keys, detecting unwanted usage, and safely rotating keys by disabling previous keys before permanently deleting them.
For each account, the system administrator can enable or disable
interactive login or API key authentication. This can be done at
creation time, or it can be done later by editing the account
properties. An account that only allows interactive login will not be
allowed to create, use, or manage API keys. An account that only allows
API key authentication (known as a system account
) can only be used
for programmatic access through the REST API.
The system administrator can disable and later reenable a user account. When an account has been disabled, interactive login and/or API key authentication will fail and access to the Cluster Manager will not be granted. Disabled accounts will appear with a grayed icon in the user account table. The tooltip will indicate the reason.
To simplify installation, the Cluster Manager initially has three default users with predefined passwords:
standard user:
gurobi
/pass
administrator:
admin
/admin
system administrator:
sysadmin
/cluster
You should of course change the passwords or delete these accounts before actually using the cluster.
Password Policy¶
The Cluster Manager supports password policies to ensure that passwords for local accounts match configurable security standards. Through a password policy, the system administrator can specify the minimum length of a password and can require that a password contain a mix of upper and lower case characters, digits, or symbols. Any changes to a policy will apply only when new passwords are created; previously created password will remain valid. In addition, the system administrator can define a maximum number of failed login attempts before the account is locked. When a user account has been locked, a message will appear on the login page, and the user will be asked to contact a system administrator. The system administrator can then change the password to unlock the user account.
LDAP Integration¶
The Cluster Manager can be integrated with an LDAP repository. This integration can be configured in the Cluster Manager settings section. The system administrator can specify connection parameters (including the use of LDAPS for encrypted communication), account filtering, and account mapping. Once activated, users will be given access based on the user accounts defined in the LDAP server.
Accounts with a system administrator role can log in using their local passwords, which enables them to administer the cluster even if there is a problem with the LDAP configuration. System administrators will need to log in using the special login page by following the “System Administrator Log in” link at the top of the main login page. System accounts (i.e., accounts with no interactive login) can always gain access using API keys only.
The Cluster Manager continually synchronizes user accounts with the LDAP server in the background. If a given user account is no longer mapped to the LDAP filter in place, it will be disabled. In particular, if an account was created before the integration with the LDAP server and if it is not mapped to the defined LDAP filter in place, it will be disabled. The same policy will apply during migration from local accounts to LDAP. Two important exceptions are system administrator accounts and system accounts, which will not be disabled for this reason.
Encryption¶
All of the components deployed in a Remote Services cluster can support TLS-encrypted communication. The Cluster Manager and the Compute Server nodes can be configured to use HTTPS with TLS v1.2 or later.
The server components support configurable TLS v1.2 cipher suites and
policies with a configuration property (TLS_CIPHERS)
. You can list
the supported cipher suites and policies using the (grb_rs ciphers
)
command. TLS v1.3 will be used if the client supports it, and in that
case, standard cipher suites for this protocol version will
automatically be selected. When using the Gurobi library, TLS v1.3 will
be used only when the client is running on a Linux platform.
MongoDB, Amazon DocumentDB, and Azure CosmosDB also support encrypted communications and data encryption at rest, if necessary.
In addition, you have the option to use either the Cluster Manager itself or the load balancer in front of the Cluster Manager to remove the TLS encryption. In this case, HTTPS is used by clients, but internal communication between the Cluster Manager and the nodes would be unencrypted using HTTP. This is convenient when the cluster nodes reside in an isolated, secure network.
Security in a Self-Managed Cluster¶
When a Remote Services cluster is deployed without a Cluster Manager, authentication is more limited. Each node authenticates access according to predefined passwords, which are stored and optionally hashed in the configuration file. There is a password for each role (standard user, administrator and system administrator). All nodes of the cluster must use the same passwords, and they cannot be changed dynamically. Note that communication can also be encrypted using HTTPS.