R2025a Prerelease: Secure Access Control using JWT - Initial Commit

Author: esteinerMW

releases/R2025a/matlab-prodserver/templates/mps-2-configmap.yaml

@@ -43,6 +43,15 @@ data:
     --enable-discovery
     --enable-metrics
     --routes-file ./config/routes.json
+  {{- if .Values.matlabProductionServerSettings.accessControl.enabled }}
+    --access-control-provider OAuth2
+    --access-control-config ./config/jwt_idp.json
+    --access-control-policy ./config/ac_policy.json
+
+  jwt_idp.json: {{ .Values.matlabProductionServerSettings.accessControl.identityProvider | quote }}
+
+  ac_policy.json: {{ .Values.matlabProductionServerSettings.accessControl.policyRules | quote }}
+  {{- end }}
 
   {{- if .Values.optionalSettings.Redis.host }}
   mps_cache_config: |

releases/R2025a/matlab-prodserver/values.yaml

@@ -46,6 +46,49 @@ matlabProductionServerSettings:
     # =================================================================
   # Maximum number of worker processes (per pod).
   numWorkers: 2
+  #
+  # CTF Access Control (OAuth2)
+  # https://www.mathworks.com/help/mps/server/access_control.html
+  # -------------------------------------------------------------
+  accessControl:
+    enabled: false
+    identityProvider: |-
+      {
+        "version": "1.0.0",
+        "jwtIssuer": "URL of the authorization server that issued the JWT",
+        "appId": "String representing the application ID of the client",
+        "jwksUri": "URL of the authorization server public keys",
+        "jwksStrictSSL": false,
+        "jwksTimeOut": 120,
+        "userAttributeName": "email",
+        "groupAttributeName": "groups"
+      }
+    policyRules: |-
+      {
+        "version": "1.0.0",
+        "policy" : [
+          {
+            "id": "policy1",
+            "description": "Access Control policy for MATLAB Production Server",
+            "rule": [
+              {
+                "id": "rule1",
+                "description": "Users that can execute/modify any deployable archive",
+                "subject": { "users": ["[email protected]", "[email protected]"] },
+                "resource": { "ctf": ["*"] },
+                "action": ["execute", "modify"]
+              },
+              {
+                "id": "rule2",
+                "description": "Groups that can execute a specific deployable archive",
+                "subject": { "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"] },
+                "resource": { "ctf": ["myModel"] },
+                "action": ["execute"]
+              }
+            ]
+          }
+        ]
+      }
   # ----------------------------------------------------
   # Log to pod-local file-system (in addition to stdout)
   localFileLogging: false