Ticket 11534

Summary: Support for Amazon Cognito
Product: Slurm Reporter: Brian Christiansen <brian>
Component: slurmctld Assignee: Tim Wickberg <tim>
Status: RESOLVED FIXED QA Contact:
Severity: 5 - Enhancement    
Priority: --- CC: fdm, nate, nick, schedmd-contacts
Version: 21.08.x   
Hardware: Linux   
OS: Linux   
See Also: https://bugs.schedmd.com/show_bug.cgi?id=11916
Site: DS9 (PSLA)
Version Fixed: 21.08.0pre1 Target Release: 21.08

Description Brian Christiansen 2021-05-05 09:56:37 MDT
Our understanding is that slurmrestd is limited to using HS256 keys for JWT tokens. We would like to add or change this to support RSA256 keys, which would make it possible for AWS products and customers to use Amazon Cognito to generate JWT tokens for the API.

Comment 2 Tim Wickberg 2021-06-25 17:48:54 MDT
This has been merged into our master branch and will be available in Slurm 21.08 when released. Commit details follow.

Initial documentation is at https://slurm.schedmd.com/archive/slurm-master/jwt.html .

For testing, I have found the guide at https://sanderknape.com/2020/08/amazon-cognito-jwts-authenticate-amazon-http-api/ to be helpful with manually generating tokens to test with.

If you have any questions on the support please let me know. I will ask our documentation team to elaborate further on the support here and provide some better examples, but the functional changes to Slurm should be complete at this point.

- Tim

commit fb38033e32ce080a244a125d01d4de258fac540a
Author:     Tim Wickberg <tim@schedmd.com>
AuthorDate: Thu Jun 24 13:55:41 2021 -0600

    Document new jwks option in slurm.conf and slurmdbd.conf.

commit 6b00849364bb2b868182c7617db40811eb60a8bf
Author:     Tim Wickberg <tim@schedmd.com>
AuthorDate: Fri Jun 25 15:57:56 2021 -0600

    auth/jwt - add support for RS256 tokens.
    
    Public keys must be provided through a JWKS file (with kid, e, and n
    fields). Multiple public keys are supported.
    
    If enabled, HS256 support will be disabled by default. It can be explicitly
    re-enabled by providing an explicit "jwt_file=" path.
    
    The token must provide either a 'sun' ("Slurm User Name") or 'username'
    field.
    
    Bug 11534.

commit d23cf070c43463bd60f2bdb1e223c848729cd42a
Author:     Tim Wickberg <tim@schedmd.com>
AuthorDate: Thu Jun 24 13:40:40 2021 -0600

    auth/jwt - add pem_key.c and link to build
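
The checks that the RS256 commit message above implies (algorithm pinned to RS256, public key selected by kid from a JWKS carrying n and e, then a 'sun' or 'username' claim), as an added Python example that is not Slurm's code. The toy key, the kid values, the names `verify_rs256` and `demo_sign`, and the choice to prefer 'sun' over 'username' are assumptions made for the example.

```python
import base64, hashlib, hmac, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):
    """k-byte PKCS#1 v1.5 block that a valid RS256 signature over msg decrypts to."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    """Return the user name from a valid token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64u_dec(h64)), b64u_dec(s64)
        alg, kid = header.get("alg"), header.get("kid")
    except (ValueError, AttributeError):
        raise ValueError("malformed token")
    if alg != "RS256":  # pin the algorithm: the header must not select HS256 or "none"
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if kid and j.get("kid") == kid), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    em = pow(s, e, n).to_bytes(k, "big") if len(sig) == k and s < n else b""
    if not hmac.compare_digest(em, emsa(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))  # parsed only after the signature checked out
    user = isinstance(claims, dict) and (claims.get("sun") or claims.get("username"))
    if not (user and isinstance(user, str)):
        raise ValueError("no sun/username claim")  # sun-before-username is an assumption
    return user

# Constructed, insecure toy key from two well-known public primes (demo only).
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
num = lambda i: b64u_enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))
JWKS = {"keys": [{"kid": "old-key", "kty": "RSA", "n": num(N + 2), "e": num(E)},
                 {"kid": "demo-1", "kty": "RSA", "n": num(N), "e": num(E)}]}

def demo_sign(header, claims):
    msg = ".".join(b64u_enc(json.dumps(x).encode()) for x in (header, claims))
    s = pow(int.from_bytes(emsa(msg.encode(), 64), "big"), D, N)  # N is 64 bytes
    return f"{msg}.{b64u_enc(s.to_bytes(64, 'big'))}"
```

A token signed by `demo_sign` with kid "demo-1" and a 'sun' claim verifies against `JWKS`; one whose header says HS256, names an unknown kid, or whose payload was altered after signing is rejected before any claim is read.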