diff --git a/conf/files/security.json.sample b/conf/files/security.json.sample index f341ab3..111e736 100644 --- a/conf/files/security.json.sample +++ b/conf/files/security.json.sample @@ -1,9 +1,9 @@ { - "Open": true, + "Open": false, "Users": [ "www", "db" ], "Ext": [ - "sh", "py" + ".sh", ".py" ] } \ No newline at end of file diff --git a/models/errors.go b/models/errors.go index 39836a4..ce61697 100644 --- a/models/errors.go +++ b/models/errors.go @@ -13,4 +13,6 @@ var ( ErrEmptyNodeGroupName = errors.New("Name of node group is empty.") ErrIllegalNodeGroupId = errors.New("Invalid node group id that includes illegal characters such as '/'.") + + InvalidJobErr = errors.New("invalid job") ) diff --git a/models/job.go b/models/job.go index bcc658a..b341f30 100644 --- a/models/job.go +++ b/models/job.go @@ -120,7 +120,11 @@ func GetJobs() (jobs map[string]*Job, err error) { continue } - job.splitCmd() + if !job.Valid() { + log.Warnf("job[%s] is invalid", string(j.Key)) + continue + } + jobs[job.ID] = job } return @@ -137,7 +141,9 @@ func GetJobFromKv(kv *mvccpb.KeyValue) (job *Job, err error) { return } - job.splitCmd() + if !job.Valid() { + err = InvalidJobErr + } return } @@ -282,3 +288,43 @@ func (j *Job) Cmds(nid string, gs map[string]*Group) (cmds map[string]*Cmd) { return } + +// 安全选项验证 +func (j *Job) Valid() bool { + if len(j.cmd) == 0 { + j.splitCmd() + } + + security := conf.Config.Security + if !security.Open { + return true + } + + return j.validUser() && j.validCmd() +} + +func (j *Job) validUser() bool { + if len(conf.Config.Security.Users) == 0 { + return true + } + + for _, u := range conf.Config.Security.Users { + if j.User == u { + return true + } + } + return false +} + +func (j *Job) validCmd() bool { + if len(conf.Config.Security.Ext) == 0 { + return true + } + + for _, ext := range conf.Config.Security.Ext { + if strings.HasSuffix(j.cmd[0], ext) { + return true + } + } + return false +} 
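Review bot: The sample now ships with `"Open": false`, and `Job.Valid()` in models/job.go returns true whenever `Security.Open` is false, so a deployment copied from this sample enforces neither the `Users` nor the `Ext` list. The key name also reads backwards for a security switch, because `"Open": false` looks like the locked-down setting. JSON has no comment syntax, so this belongs in the documentation that describes the file, for example `Open: true enables the Users/Ext checks; false disables them`.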
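Review bot: `InvalidJobErr` breaks the `ErrXxx` naming used by its two neighbours in this `var` block (`ErrEmptyNodeGroupName`, `ErrIllegalNodeGroupId`). The variable is exported and callers will start matching on it, so it is cheaper to rename now: `ErrInvalidJob = errors.New("invalid job")`, with the matching change in `GetJobFromKv`. The `var (` block opens above the hunk.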
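Review bot: When validation fails, `GetJobFromKv` still returns the populated `*Job` next to `InvalidJobErr`, because only the named result `err` is assigned. The callers visible in node/node.go check `err` first, but any caller that does not would receive a job that failed the security check. Clearing the result makes the rejection fail safe: `job, err = nil, InvalidJobErr`. The function starts above the hunk, so the earlier error path is not visible here.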
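Review bot: `validCmd` indexes `j.cmd[0]` without checking the length, so if `splitCmd` (not shown in this hunk) can leave `j.cmd` empty, for instance for an empty command string, loading that job panics instead of rejecting it; add `if len(j.cmd) == 0 { return false }` before the loop. The `strings.HasSuffix` test is also looser than an extension check: an entry written without the dot, like the old sample's `"sh"`, matches `bash`, and an empty entry matches every command, so guard with `ext != ""` and either compare against `filepath.Ext(j.cmd[0])` or require a leading dot when the config is loaded. With `Open` set, an empty `Users` or `Ext` list allows everything; that fail-open behaviour should be stated in an English doc comment on `Valid`, which currently carries only `// 安全选项验证`. The check looks only at the name of the first token, so it does not restrict where the script lives or which arguments follow, and the comment should say that too.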
diff --git a/node/node.go b/node/node.go index 582e413..12883e0 100644 --- a/node/node.go +++ b/node/node.go @@ -335,7 +335,7 @@ func (n *Node) watchJobs() { case ev.IsCreate(): job, err := models.GetJobFromKv(ev.Kv) if err != nil { - log.Warnf(err.Error()) + log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String()) continue } @@ -344,7 +344,7 @@ func (n *Node) watchJobs() { case ev.IsModify(): job, err := models.GetJobFromKv(ev.Kv) if err != nil { - log.Warnf(err.Error()) + log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String()) continue } @@ -367,7 +367,7 @@ func (n *Node) watchGroups() { case ev.IsCreate(): g, err := models.GetGroupFromKv(ev.Kv) if err != nil { - log.Warnf(err.Error()) + log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String()) continue } @@ -375,7 +375,7 @@ func (n *Node) watchGroups() { case ev.IsModify(): g, err := models.GetGroupFromKv(ev.Kv) if err != nil { - log.Warnf(err.Error()) + log.Warnf("err: %s, kv: %s", err.Error(), ev.Kv.String()) continue }
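Review bot: `ev.Kv.String()` writes the whole etcd KeyValue, stored value included, to the warning log, in this hunk and in the other three hunks of this file (the `watchJobs` modify branch and both `watchGroups` branches). For jobs that value presumably holds the job definition with its command line, which can carry credentials or tokens passed as arguments. The `InvalidJobErr` rejection added in this commit also makes this path reachable for well-formed jobs. Logging the key is enough to locate the entry: `log.Warnf("err: %s, key: %s", err, ev.Kv.Key)`. Both functions start and end outside the hunks.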