JSON Web Tokens (JWT) Authentication

Slurm provides a RFC7519 compliant implementation of JSON Web Tokens (JWT). This authentication can be used as an AuthAltType, usually alongside auth/munge as the AuthType. The only supported communication direction is from a client connecting to slurmctld, which means that certain commands (specifically interactive jobs using srun) are currently not supported for hosts with only auth/jwt enabled.

Prerequisites

JWT requires libjwt. Both the library and the development headers must be available when Slurm is compiled.

Setup

1. Configure and build Slurm for JWT support
2. Add JWT key to controller in StateSaveLocation: Here is an example with StateSaveLocation=/var/spool/slurm/statesave/

   openssl genrsa -out /var/spool/slurm/statesave/jwt_hs256.key 2048
   chown slurm /var/spool/slurm/statesave/jwt_hs256.key
   chmod 0700 /var/spool/slurm/statesave/jwt_hs256.key
   

3. Add JWT as an alternative authentication in slurm.conf:

   AuthAltTypes=auth/jwt
   

4. Restart slurmctld
5. Create tokens for users as desired:

   scontrol token username=$USER
   

   An optional lifespan=$LIFESPAN option can be used to change the token lifespan from the default 1800 seconds. The root account, or SlurmUser account can be used to generate tokens for any user. Alternatively, a user may use the command to generate tokens for themselves by simply calling

   scontrol token
   

6. Export the SLURM_JWT environment variable before calling any Slurm command.

Last modified 30 September 2020