Ticket 13107

Summary: Configurable JWT Maximum Token Lifespan
Product: Slurm
Reporter: Andrew Maksymowsky <andrew.maksymowsky>
Component: slurmrestd
Assignee: Nate Rini <nate>
Status: RESOLVED FIXED
QA Contact:
Severity: 4 - Minor Issue
Priority: ---
CC: hinton, nate, sysadmin
Version: 21.08.2
Hardware: Linux
OS: Linux
Site: Sick Kids
Slinky Site: ---
Linux Distro: ---
Machine Name:
CLE Version:
Version Fixed: 22.05pre1
Target Release: ---
DevPrio: ---
Emory-Cloud Sites: ---

Description Andrew Maksymowsky 2022-01-04 08:12:43 MST
I see in Bug ID 11152 that as of 2021-03-19 10:40:40 MDT it was not possible for admins to restrict the maximum token lifespan of a scontrol generated token. 
From what I can see in the documentation it appears this is still the case. Our site doesn't have an SSO token provider that can issue tokens for us so we've been using scontrol to create the tokens. 

I'm wondering if there are any plans to make a maximum token lifespan a configurable parameter in slurm.conf or something similar?
Comment 1 Jason Booth 2022-01-04 10:34:46 MST
Andrew - as mentioned in bug#11152 comment#4

> Not currently. We have AuthAltParameters=disable_token_creation as an option
> to allow admins to provide controlled access to JWT if desired.

The admin can use a script to generate tokens for the users, and there the admin could set the max lifespan. This does not address the Slurm defined option but does give you a workaround to consider.

bug#11152 comment#10

I will have Nate look over this enhancement request and offer some feedback.
Comment 4 Nate Rini 2022-01-11 14:18:06 MST
(In reply to Jason Booth from comment #1)
> > Not currently. We have AuthAltParameters=disable_token_creation as an option
> > to allow admins to provide controlled access to JWT if desired.
> 
> The admin can use a script to generate tokens for the users, and there the
> admin could set the max lifespan. This does not address the Slurm defined
> option but does give you a workaround to consider.
This was given as a way for sites to disable unprivileged users getting tokens. Your site can use something like sudo or a setuid script to enforce your time limits.

We also provide an example on how to generate the tokens in Python:
> https://slurm.schedmd.com/jwt.html#compatibility

Please tell me if you need more details on how to generate the tokens.

> I will have Nate look over this enhancement request and offer some feedback.
We are looking at possibly adding this in the 22.05 release.
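
The workaround described in comments 1 and 4 (an admin-controlled script, reached through something like sudo with AuthAltParameters=disable_token_creation set, that enforces the time limit), sketched as an added example that is not part of the ticket or SchedMD's code. It uses only the Python standard library; the one-hour ceiling, the username pattern and the sample key are assumptions, and the claim names exp, iat and sun follow the example in the Slurm JWT documentation.

```python
import base64
import hashlib
import hmac
import json
import re
import time

MAX_LIFESPAN = 3600  # assumed site ceiling, in seconds
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed username policy


def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_token(key, user, requested, now=None, max_lifespan=MAX_LIFESPAN):
    """Sign an HS256 JWT for `user`, clamping its lifetime to max_lifespan."""
    if not USER_RE.fullmatch(user):
        raise ValueError("invalid username")
    if requested <= 0:
        raise ValueError("lifespan must be positive")
    now = int(time.time()) if now is None else int(now)
    lifespan = min(int(requested), max_lifespan)  # the enforcement point
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"exp": now + lifespan, "iat": now, "sun": user}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_claims(key, token):
    """Verify the signature and return the claims (used to check the result)."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample, not a real signing key
    token = issue_token(demo_key, "alice", requested=86400, now=1_700_000_000)
    print(decode_claims(demo_key, token))  # a 24h request is cut down to one hour
```

In a real deployment the wrapper would take the username from the invoking user's identity rather than from an argument, and only the wrapper's account would be able to read the signing key.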
Comment 6 Andrew Maksymowsky 2022-01-11 15:37:12 MST
Thanks Nate and Jason,

We've got a workaround in place and are able to generate tokens for users.

Longer term we'd be excited to see this in a future release.

Thanks again!
Comment 17 Nate Rini 2022-04-18 19:34:02 MDT
Andrew,

The new max_token_lifespan limit has been added to AuthAltParameters for the pending slurm-22.05 major release:
> https://github.com/SchedMD/slurm/commit/85516610c0e74887b77a03a97146363921856995

I'm going to close out this ticket but please respond if there are any related questions or issues.

Thanks,
--Nate
Comment 18 Andrew Maksymowsky 2022-04-19 06:40:11 MDT
Thanks Nate!
Comment 19 Nate Rini 2023-06-06 11:46:39 MDT
*** Ticket 16897 has been marked as a duplicate of this ticket. ***
Comment 20 Nate Rini 2023-06-06 11:47:08 MDT
*** Ticket 13695 has been marked as a duplicate of this ticket. ***