mirror of
https://github.com/ClusterCockpit/cc-docker.git
synced 2025-03-15 03:15:56 +01:00
fix + feat: working JWT auth for slurm restd and other daemons
This commit is contained in:
parent
07b09a82bb
commit
255f05bee7
@ -1,4 +1,3 @@
|
||||
JWT="eyJhbGciOiJSUzI1NiIsICJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzbHVybSJ9.dzAHf1Ojoa149uRCCWY1eP3vDyCIZCOZ3h554R-KJJ8-OP0CJ0ymvSkFISLcYcyd9vVKmaYdSN3tWEF6bNZEmyX7G560i1MbkNFvhkhNVSPLKEKNPs38h5ra3ZlTlLlxAlDzXRAAn6UEEgKdm5vx4Jhec7ptaRL_zeSFpTS5fJPc0QE1Cm7e7nU39-9e8l4WU4KpRMxT6ANFm22_G4-mSA-AgCAvKQFzj2FInKsXDUTGlliNJuAgFxf-9LQxoeAknOQhEqcTXii_yBy9DNcT03pdNcAu5Ru4_qlX62vroInU_eh5mWQyiUdXN9Wj_OfMmfLoYFkJeUFYexBMZnSBgg"
|
||||
|
||||
# curl -X 'GET' -v 'http://localhost:6820/slurm/v0.0.39/ping' -H "X-SLURM-USER-NAME:slurm" -H "X-SLURM-USER-TOKEN:$SLURM_JWT"
|
||||
curl -v --unix-socket data/slurm/tmp/slurmrestd.socket 'http://localhost:6820/slurm/v0.0.39/ping'
|
||||
SLURM_JWT=$(cat data/slurm/secret/jwt_token.txt)
|
||||
curl -X 'GET' -v 'http://localhost:6820/slurm/v0.0.39/ping' --location --silent --show-error -H "X-SLURM-USER-NAME: root" -H "X-SLURM-USER-TOKEN: $SLURM_JWT"
|
||||
# curl -v --unix-socket data/slurm/tmp/slurmrestd.socket 'http://localhost:6820/slurm/v0.0.39/ping'
|
@ -72,7 +72,6 @@ services:
|
||||
volumes:
|
||||
- ${DATADIR}/slurm/home:/home
|
||||
- ${DATADIR}/slurm/secret:/.secret
|
||||
- ${DATADIR}/slurm/tmp:/tmp:rw
|
||||
- ./slurm/controller/slurm.conf:/home/config/slurm.conf
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
@ -92,11 +91,9 @@ services:
|
||||
volumes:
|
||||
- ${DATADIR}/slurm/home:/home
|
||||
- ${DATADIR}/slurm/secret:/.secret
|
||||
- ${DATADIR}/slurm/tmp:/tmp:rw
|
||||
- ./slurm/database/slurmdbd.conf:/home/config/slurmdbd.conf
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- ${DATADIR}/slurm/state:/var/lib/slurm/d
|
||||
ports:
|
||||
- "6819:6819"
|
||||
|
||||
@ -111,7 +108,6 @@ services:
|
||||
volumes:
|
||||
- ${DATADIR}/slurm/home:/home
|
||||
- ${DATADIR}/slurm/secret:/.secret
|
||||
- ${DATADIR}/slurm/tmp:/tmp:rw
|
||||
- ./slurm/worker/cgroup.conf:/home/config/cgroup.conf
|
||||
- ./slurm/controller/slurm.conf:/home/config/slurm.conf
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
@ -124,16 +120,15 @@ services:
|
||||
hostname: slurmrestd
|
||||
build:
|
||||
context: ./slurm/rest
|
||||
args:
|
||||
uid_u: ${UID_U}
|
||||
gid_g: ${GID_G}
|
||||
environment:
|
||||
- SLURM_JWT=daemon
|
||||
- SLURMRESTD_DEBUG=9
|
||||
depends_on:
|
||||
- slurmctld
|
||||
privileged: true
|
||||
volumes:
|
||||
- ${DATADIR}/slurm/home:/home
|
||||
- ${DATADIR}/slurm/secret:/.secret
|
||||
- ${DATADIR}/slurm/tmp:/tmp:rw
|
||||
- ./slurm/controller/slurm.conf:/home/config/slurm.conf
|
||||
- ./slurm/rest/slurmrestd.conf:/home/config/slurmrestd.conf
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
|
27
jwt_verifier.py
Normal file
27
jwt_verifier.py
Normal file
@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env python3
|
||||
import sys
|
||||
import os
|
||||
import pprint
|
||||
import json
|
||||
import time
|
||||
from datetime import datetime, timedelta, timezone
|
||||
|
||||
from jwt import JWT
|
||||
from jwt.jwa import HS256
|
||||
from jwt.jwk import jwk_from_dict
|
||||
from jwt.utils import b64decode,b64encode
|
||||
|
||||
if len(sys.argv) != 2:
|
||||
sys.exit("verify_jwt.py [JWT Token]");
|
||||
|
||||
with open("data/slurm/secret/jwt_hs256.key", "rb") as f:
|
||||
priv_key = f.read()
|
||||
|
||||
signing_key = jwk_from_dict({
|
||||
'kty': 'oct',
|
||||
'k': b64encode(priv_key)
|
||||
})
|
||||
|
||||
a = JWT()
|
||||
b = a.decode(sys.argv[1], signing_key, algorithms=["HS256"])
|
||||
print(b)
|
@ -9,10 +9,10 @@ RUN ARCH=$(uname -m) && yum install -y https://rpmfind.net/linux/almalinux/8.10/
|
||||
|
||||
RUN groupadd -g 981 munge \
|
||||
&& useradd -m -c "MUNGE Uid 'N' Gid Emporium" -d /var/lib/munge -u 981 -g munge -s /sbin/nologin munge \
|
||||
&& groupadd -g 982 slurm \
|
||||
&& useradd -m -c "Slurm workload manager" -d /var/lib/slurm -u 982 -g slurm -s /bin/bash slurm \
|
||||
&& groupadd -g 1000 worker \
|
||||
&& useradd -m -c "Workflow user" -d /home/worker -u 1000 -g worker -s /bin/bash worker
|
||||
&& groupadd -g 1000 slurm \
|
||||
&& useradd -m -c "Slurm workload manager" -d /var/lib/slurm -u 1000 -g slurm -s /bin/bash slurm \
|
||||
&& groupadd -g 982 worker \
|
||||
&& useradd -m -c "Workflow user" -d /home/worker -u 982 -g worker -s /bin/bash worker
|
||||
|
||||
RUN yum install -y munge munge-libs rng-tools \
|
||||
python3 gcc openssl openssl-devel \
|
||||
|
@ -13,9 +13,8 @@ _delete_secrets() {
|
||||
sudo rm -rf /.secret/munge.key
|
||||
sudo rm -rf /.secret/worker-secret.tar.gz
|
||||
sudo rm -rf /.secret/setup-worker-ssh.sh
|
||||
sudo rm -rf /.secret/jwt.key
|
||||
sudo rm -rf /.secret/jwt_public.key
|
||||
sudo rm -rf /.secret/jwt_token.key
|
||||
sudo rm -rf /.secret/jwt_hs256.key
|
||||
sudo rm -rf /.secret/jwt_token.txt
|
||||
|
||||
echo "Done removing secrets"
|
||||
ls /.secret/
|
||||
@ -94,27 +93,48 @@ _copy_secrets() {
|
||||
}
|
||||
|
||||
_openssl_jwt_key() {
|
||||
cd /.secret
|
||||
openssl rand -base64 32 > jwt.key
|
||||
# openssl genpkey -algorithm RSA -out jwt.key -pkeyopt rsa_keygen_bits:2048
|
||||
# openssl rsa -pubout -in jwt.key -out jwt_public.key
|
||||
cd ..
|
||||
|
||||
mkdir -p /var/spool/slurm/statesave
|
||||
dd if=/dev/random of=/var/spool/slurm/statesave/jwt_hs256.key bs=32 count=1
|
||||
chown slurm:slurm /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chmod 0600 /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chown slurm:slurm /var/spool/slurm/statesave
|
||||
chmod 0755 /var/spool/slurm/statesave
|
||||
cp /var/spool/slurm/statesave/jwt_hs256.key /.secret/jwt_hs256.key
|
||||
chmod 777 /.secret/jwt_hs256.key
|
||||
}
|
||||
|
||||
_generate_jwt_token() {
|
||||
PEM=$(cat /etc/config/jwt.key)
|
||||
USER=\"slurm\"
|
||||
NOW=$(date +%s)
|
||||
IAT="${NOW}"
|
||||
EXP=$((${NOW} + 3600000))
|
||||
HEADER_RAW='{"alg":"HS256", "typ":"JWT"}'
|
||||
HEADER=$(echo -n "${HEADER_RAW}" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
|
||||
PAYLOAD_RAW='{"iss":'${USER}'}'
|
||||
PAYLOAD=$(echo -n "${PAYLOAD_RAW}" | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
|
||||
HEADER_PAYLOAD="${HEADER}"."${PAYLOAD}"
|
||||
SIGNATURE=$(openssl dgst -sha256 -sign <(echo -n "${PEM}") <(echo -n "${HEADER_PAYLOAD}") | openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
|
||||
JWT="${HEADER_PAYLOAD}"."${SIGNATURE}"
|
||||
echo $JWT | cat >/.secret/jwt_token.txt
|
||||
|
||||
secret_key=$(cat /var/spool/slurm/statesave/jwt_hs256.key)
|
||||
start_time=$(date +%s)
|
||||
exp_time=$((start_time + 100000000))
|
||||
base64url() {
|
||||
# Don't wrap, make URL-safe, delete trailer.
|
||||
base64 -w 0 | tr '+/' '-_' | tr -d '='
|
||||
}
|
||||
|
||||
jwt_header=$(echo -n '{"alg":"HS256","typ":"JWT"}' | base64url)
|
||||
|
||||
jwt_claims=$(cat <<EOF |
|
||||
{
|
||||
"sun": "root",
|
||||
"exp": $exp_time,
|
||||
"iat": $start_time
|
||||
}
|
||||
EOF
|
||||
jq -Mcj '.' | base64url)
|
||||
# jq -Mcj => Monochrome output, compact output, join lines
|
||||
|
||||
jwt_signature=$(echo -n "${jwt_header}.${jwt_claims}" |
|
||||
openssl dgst -sha256 -hmac "$secret_key" -binary | base64url)
|
||||
|
||||
# Use the same colours as jwt.io, more-or-less.
|
||||
echo "$(tput setaf 1)${jwt_header}$(tput sgr0).$(tput setaf 5)${jwt_claims}$(tput sgr0).$(tput setaf 6)${jwt_signature}$(tput sgr0)"
|
||||
|
||||
jwt="${jwt_header}.${jwt_claims}.${jwt_signature}"
|
||||
|
||||
echo $jwt | cat >/.secret/jwt_token.txt
|
||||
chmod 777 /.secret/jwt_token.txt
|
||||
}
|
||||
|
||||
@ -162,23 +182,24 @@ _slurmctld() {
|
||||
chmod 600 /etc/slurm/slurm.conf
|
||||
fi
|
||||
|
||||
_openssl_jwt_key
|
||||
|
||||
if [ ! -f /.secret/jwt.key ]; then
|
||||
echo "### Missing jwt.key ###"
|
||||
exit 1
|
||||
else
|
||||
cp /.secret/jwt.key /etc/config/jwt.key
|
||||
chown slurm: /etc/config/jwt.key
|
||||
chmod 0600 /etc/config/jwt.key
|
||||
fi
|
||||
|
||||
_generate_jwt_token
|
||||
|
||||
sudo yum install -y nc
|
||||
sudo yum install -y procps
|
||||
sudo yum install -y iputils
|
||||
sudo yum install -y lsof
|
||||
sudo yum install -y jq
|
||||
|
||||
_openssl_jwt_key
|
||||
|
||||
if [ ! -f /.secret/jwt_hs256.key ]; then
|
||||
echo "### Missing jwt.key ###"
|
||||
exit 1
|
||||
else
|
||||
cp /.secret/jwt_hs256.key /etc/config/jwt_hs256.key
|
||||
chown slurm: /etc/config/jwt_hs256.key
|
||||
chmod 0600 /etc/config/jwt_hs256.key
|
||||
fi
|
||||
|
||||
_generate_jwt_token
|
||||
|
||||
while ! nc -z slurmdbd 6819; do
|
||||
echo "Waiting for slurmdbd to be ready..."
|
||||
|
@ -23,7 +23,7 @@ SlurmctldPidFile=/var/run/slurm/d/slurmctld.pid
|
||||
SlurmdPidFile=/var/run/slurm/d/slurmd.pid
|
||||
ProctrackType=proctrack/linuxproc
|
||||
AuthAltTypes=auth/jwt
|
||||
AuthAltParameters=jwt_key=/etc/config/jwt.key
|
||||
AuthAltParameters=jwt_key=/var/spool/slurm/statesave/jwt_hs256.key
|
||||
#PluginDir=
|
||||
#CacheGroups=0
|
||||
#FirstJobId=
|
||||
@ -71,9 +71,9 @@ SelectTypeParameters=CR_CPU_Memory
|
||||
#PriorityMaxAge=1-0
|
||||
#
|
||||
# LOGGING
|
||||
SlurmctldDebug=3
|
||||
SlurmctldDebug=6
|
||||
SlurmctldLogFile=/var/log/slurm/slurmctld.log
|
||||
SlurmdDebug=3
|
||||
SlurmdDebug=6
|
||||
SlurmdLogFile=/var/log/slurm/slurmd.log
|
||||
JobCompType=jobcomp/filetxt
|
||||
JobCompLoc=/var/log/slurm/jobcomp.log
|
||||
|
@ -74,14 +74,17 @@ _slurmdbd() {
|
||||
fi
|
||||
|
||||
echo "checking for jwt.key"
|
||||
while [ ! -f /.secret/jwt.key ]; do
|
||||
while [ ! -f /.secret/jwt_hs256.key ]; do
|
||||
echo "."
|
||||
sleep 1
|
||||
done
|
||||
|
||||
cp /.secret/jwt.key /etc/config/jwt.key
|
||||
chown slurm: /etc/config/jwt.key
|
||||
chmod 0400 /etc/config/jwt.key
|
||||
mkdir -p /var/spool/slurm/statesave
|
||||
chown slurm:slurm /var/spool/slurm/statesave
|
||||
chmod 0755 /var/spool/slurm/statesave
|
||||
cp /.secret/jwt_hs256.key /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chown slurm: /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chmod 0600 /var/spool/slurm/statesave/jwt_hs256.key
|
||||
|
||||
echo ""
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
AuthType=auth/munge
|
||||
#AuthInfo=/var/run/munge/munge.socket.2
|
||||
AuthAltTypes=auth/jwt
|
||||
AuthAltParameters=jwt_key=/etc/config/jwt.key
|
||||
AuthAltParameters=jwt_key=/var/spool/slurm/statesave/jwt_hs256.key
|
||||
# slurmDBD info
|
||||
DbdAddr=slurmdbd
|
||||
DbdHost=slurmdbd
|
||||
|
@ -1,15 +1,10 @@
|
||||
FROM clustercockpit/slurm.base:24.05.3
|
||||
LABEL org.opencontainers.image.authors="jan.eitzinger@fau.de"
|
||||
|
||||
ARG uid_u
|
||||
ARG gid_g
|
||||
ENV uid_u=${uid_u}
|
||||
ENV gid_g=${gid_g}
|
||||
|
||||
# clean up
|
||||
RUN rm -f /root/rpmbuild/RPMS/slurm-*.rpm \
|
||||
&& yum clean all \
|
||||
&& rm -rf /var/cache/yum
|
||||
|
||||
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
||||
ENTRYPOINT /docker-entrypoint.sh $uid_u $gid_g
|
||||
ENTRYPOINT ["/docker-entrypoint.sh"]
|
||||
|
@ -4,18 +4,8 @@ set -e
|
||||
# Determine the system architecture dynamically
|
||||
ARCH=$(uname -m)
|
||||
SLURM_VERSION="24.05.3"
|
||||
SLURMRESTD="/tmp/slurmrestd.socket"
|
||||
# SLURM_JWT=daemon
|
||||
|
||||
uid_u="${1:-}"
|
||||
gid_g="${2:-}"
|
||||
|
||||
echo Your container args are: "$@"
|
||||
|
||||
# Change the uid
|
||||
# usermod -u "${uid_u}" slurm
|
||||
# Change the gid
|
||||
# groupmod -g "${gid_g}" slurm
|
||||
# SLURMRESTD="/tmp/slurmrestd.socket"
|
||||
SLURM_JWT=daemon
|
||||
|
||||
# start sshd server
|
||||
_sshd_host() {
|
||||
@ -50,14 +40,6 @@ _munge_start_using_key() {
|
||||
|
||||
_enable_slurmrestd() {
|
||||
|
||||
cd /tmp
|
||||
mkdir statesave
|
||||
dd if=/dev/random of=/tmp/statesave/jwt_hs256.key bs=32 count=1
|
||||
chown slurm:slurm /tmp/statesave/jwt_hs256.key
|
||||
chmod 0600 /tmp/statesave/jwt_hs256.key
|
||||
chown slurm:slurm /tmp/statesave
|
||||
chmod 0755 /tmp/statesave
|
||||
|
||||
cat >/usr/lib/systemd/system/slurmrestd.service <<EOF
|
||||
[Unit]
|
||||
Description=Slurm REST daemon
|
||||
@ -78,8 +60,7 @@ Restart=always
|
||||
RestartSec=5
|
||||
# Group=
|
||||
# Default to listen on both socket and slurmrestd port
|
||||
ExecStart=/usr/sbin/slurmrestd -f /etc/config/slurmrestd.conf -a rest_auth/jwt $SLURMRESTD_OPTIONS -vvvvvv -s dbv0.0.39,v0.0.39 unix:$SLURMRESTD 0.0.0.0:6820
|
||||
# /usr/sbin/slurmrestd -f /etc/config/slurmrestd.conf -vvvvvv -a rest_auth/jwt -s dbv0.0.39,v0.0.39 -u slurm unix:$SLURMRESTD 0.0.0.0:6820
|
||||
ExecStart=/usr/sbin/slurmrestd -f /etc/config/slurmrestd.conf -a rest_auth/jwt $SLURMRESTD_OPTIONS -vvvvvv -s dbv0.0.39,v0.0.39 0.0.0.0:6820
|
||||
# Enable auth/jwt be default, comment out the line to disable it for slurmrestd
|
||||
Environment="SLURM_JWT=daemon"
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
@ -113,8 +94,6 @@ _slurmrestd() {
|
||||
|
||||
touch /var/log/slurmrestd.log
|
||||
chown slurm: /var/log/slurmrestd.log
|
||||
chown worker: /tmp
|
||||
chmod 770 /tmp
|
||||
|
||||
if [[ ! -f /home/config/slurmrestd.conf ]]; then
|
||||
echo "### Missing slurm.conf ###"
|
||||
@ -126,7 +105,7 @@ _slurmrestd() {
|
||||
fi
|
||||
|
||||
echo "checking for jwt.key"
|
||||
while [ ! -f /.secret/jwt.key ]; do
|
||||
while [ ! -f /.secret/jwt_hs256.key ]; do
|
||||
echo "."
|
||||
sleep 1
|
||||
done
|
||||
@ -137,9 +116,12 @@ _slurmrestd() {
|
||||
sudo yum install -y lsof
|
||||
sudo yum install -y socat
|
||||
|
||||
cp /.secret/jwt.key /etc/config/jwt.key
|
||||
chown slurm: /etc/config/jwt.key
|
||||
chmod 0400 /etc/config/jwt.key
|
||||
mkdir -p /var/spool/slurm/statesave
|
||||
chown slurm:slurm /var/spool/slurm/statesave
|
||||
chmod 0755 /var/spool/slurm/statesave
|
||||
cp /.secret/jwt_hs256.key /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chown slurm: /var/spool/slurm/statesave/jwt_hs256.key
|
||||
chmod 0400 /var/spool/slurm/statesave/jwt_hs256.key
|
||||
|
||||
echo ""
|
||||
|
||||
@ -148,7 +130,7 @@ _slurmrestd() {
|
||||
# _enable_slurmrestd
|
||||
# sudo ln -s /usr/lib/systemd/system/slurmrestd.service /etc/systemd/system/multi-user.target.wants/slurmrestd.service
|
||||
|
||||
/usr/sbin/slurmrestd -f /etc/config/slurmrestd.conf -vvvvvv -s dbv0.0.39,v0.0.39 -u worker unix:$SLURMRESTD 0.0.0.0:6820
|
||||
SLURMRESTD_SECURITY=disable_user_check SLURMRESTD_DEBUG=9 /usr/sbin/slurmrestd -f /etc/config/slurmrestd.conf -a rest_auth/jwt -s dbv0.0.39,v0.0.39 -u slurm 0.0.0.0:6820
|
||||
echo "Started slurmrestd"
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user