Ticket 12472

Summary: Question about JWT authentication
Product: Slurm
Reporter: Jonathon Anderson <jonathon.anderson>
Component: slurmrestd
Assignee: Nate Rini <nate>
Status: RESOLVED INFOGIVEN
Severity: 4 - Minor Issue
Priority: ---
CC: nate
Version: 20.02.4
Hardware: Linux
OS: Linux
Site: University of Colorado

Description Jonathon Anderson 2021-09-12 21:51:16 MDT
We are just getting started with JWT authentication.

- Is it possible to generate a list of generated keys?
- Is it possible to see a list of keys that have been used?
- Is it possible to revoke a key without changing out the signing key for the entire cluster?

Thanks.

~jonathon

Comment 1 Nate Rini 2021-09-13 09:30:46 MDT
(In reply to Jonathon Anderson from comment #0)
> - Is it possible to generate a list of generated keys?
Not currently. They are not recorded except for logging from slurmctld, which does not include the actual generated values.

> - Is it possible to see a list of keys that have been used?
Not currently. Use of the tokens is logged by user but the individual key used is not.

> - Is it possible to revoke a key without changing out the signing key for
> the entire cluster?
Not currently. If additional control is needed for JWT tokens being used with slurmrestd, then I suggest looking into an authenticating proxy that will allow your site to give the control wanted.

Also, customers are always welcome to submit RFE tickets.

Comment 2 Jonathon Anderson 2021-09-14 10:23:59 MDT
Thanks for confirming. We may submit some RFE tickets on this in the future.

One more thing: the docs talk about configuration allowing us to limit the maximum token length administratively, but I don't see the configuration parameter documented. How can we configure slurm with a maximum token lifespan for regular-user tokens (e.g., to set a maximum "seconds" value in `scontrol token lifespan=<seconds>`)?

Comment 3 Nate Rini 2021-09-14 10:29:22 MDT
(In reply to Jonathon Anderson from comment #2)
> One more thing: the docs talk about configuration allowing us to limit the
> maximum token length administratively, but I don't see the configuration
> parameter documented. How can we configure slurm with a maximum token
> lifespan for regular-user tokens (e.g., to set a maximum "seconds" value in
> `scontrol token lifespan=<seconds>`)?

This is done via disabling users' ability to create tickets directly in slurm.conf:
> AuthAltParameters=disable_token_creation

Then use a trusted intermediary, such as a sudo script, that enforces your site policy and runs as SlurmUser to create tokens for users. Generating the tickets outside of Slurm is also possible and an example is here:
> https://slurm.schedmd.com/jwt.html
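
A sketch of the trusted-intermediary approach described in comment 3, added here as an example; it is not part of the ticket and not SchedMD's code. It assumes the cluster signs with an HS256 key, that the Slurm username is carried in the `sun` claim, and a site ceiling of 3600 seconds; the function names are hypothetical.

```python
import base64, hashlib, hmac, json, os, pwd, sys, time
from typing import Optional

MAX_LIFESPAN = 3600  # assumed site policy ceiling, in seconds

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _sign(key: bytes, signing_input: str) -> str:
    return _b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())

def clamp_lifespan(requested: int, ceiling: int = MAX_LIFESPAN) -> int:
    """Cap the requested lifespan at the site ceiling; reject nonsense values."""
    if requested <= 0:
        raise ValueError("lifespan must be a positive number of seconds")
    return min(requested, ceiling)

def mint_token(key: bytes, username: str, requested: int, now: Optional[int] = None) -> str:
    """Build an HS256 JWT whose exp never exceeds now + ceiling."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iat": now, "exp": now + clamp_lifespan(requested), "sun": username}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(key, signing_input)

def verify_claims(key: bytes, token: str) -> dict:
    """Check the signature in constant time and return the claims."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(key, signing_input)):
        raise ValueError("signature mismatch")
    body = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

if __name__ == "__main__":
    # Run via sudo as SlurmUser: argv[1] = key file path, argv[2] = requested seconds.
    # The username comes from sudo's SUDO_UID, never from a caller-supplied argument.
    user = pwd.getpwuid(int(os.environ["SUDO_UID"])).pw_name
    with open(sys.argv[1], "rb") as fh:
        print(mint_token(fh.read(), user, int(sys.argv[2])))
```

Because tokens cannot be listed or revoked individually, the ceiling enforced here is the only bound on how long a leaked token stays usable short of rotating the cluster signing key.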

Comment 4 Nate Rini 2021-09-22 16:14:04 MDT
Jonathon

I'm going to close this ticket as it appears there are no more questions.

Thanks,
--Nate