JSON Web Tokens (JWT) Authentication

Slurm provides a RFC7519 compliant implementation of JSON Web Tokens (JWT). This authentication can be used as an AuthAltType, usually alongside auth/munge as the AuthType.

Prerequisites

JWT requires libjwt. Both the library and the development headers must be available when Slurm is compiled.

Setup

1. Configure and build Slurm for JWT support
2. Add JWT key to controller in StateSaveLocation: Here is an example with StateSaveLocation=/var/spool/slurm/statesave/

   openssl genrsa -out /var/spool/slurm/statesave/jwt_hs256.key 2048
   chown slurm /var/spool/slurm/statesave/jwt_hs256.key
   chmod 0700 /var/spool/slurm/statesave/jwt_hs256.key
   

3. Add JWT as an alternative authentication in slurm.conf:

   AuthAltTypes=auth/jwt
   

4. Restart slurmctld
5. Create tokens for users as desired:

   scontrol token username=$USER
   

   An optional lifespan=$LIFESPAN option can be used to change the token lifespan from the default 1800 seconds. The root account, or SlurmUser account can be used to generate tokens for any user. Alternatively, a user may use the command to generate tokens for themselves by simply calling

   scontrol token
   

6. Export the SLURM_JWT environment variable before calling any Slurm command.

Last modified 21 February 2020