feat(conf): support all Slurm-web JWT auth modes

rezib · rezib · commit 34f09141f189 · 2025-04-25T19:04:19.000+02:00
Add support for all Slurm-web to slurmrestd JWT authentication modes,
including auto and static.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -67,6 +67,7 @@ and this project adheres to
     `common_devs_priorities`.
   - Add `slurm_restd_port` variable in inventory to control slurmrestd TCP/IP
     listening port.
+  - Support all Slurm-web to slurmrestd JWT authentication modes.
 - docs:
   - Add sysctl `fs.inotify.max_user_instances` value increase recommendation in
     README.md to avoid weird issue when launching many containers.
diff --git a/conf/group_vars/all.yml b/conf/group_vars/all.yml
@@ -4,7 +4,11 @@ fhpc_local_ca_dir: "{{ fhpc_cluster_state_dir }}/ca"
 fhpc_ldap_server: "{{ groups['admin'][0] }}"
 fhpc_ldap_base: "dc=cluster,dc={{ fhpc_cluster }}"
 fhpc_primary_group: "{{ fhpc_groups[0].name }}"
+fhpc_slurm_with_jwt: false
+fhpc_slurmrestd_with_unix_socket: true
 fhpc_slurmrestd_socket: /run/slurmrestd/slurmrestd.socket
+fhpc_slurmrestd_port: 6820
+fhpc_local_slurm_jwt_key: "{{ fhpc_cluster_state_dir }}/slurm/jwt_hs256.key"
 
 # roles variables
 common_local_ca_dir: "{{ fhpc_local_ca_dir }}"
@@ -36,13 +40,19 @@ slurm_profiles:
 slurm_local_munge_key_file: "{{ fhpc_cluster_state_dir }}/munge/munge.key"
 slurm_local_slurm_key_file: "{{ fhpc_cluster_state_dir }}/slurm/slurm.key"
 slurm_local_mariadb_password_file: "{{ fhpc_cluster_state_dir }}/mariadb/mariadb.password"
-slurm_local_jwt_key_file: "{{ fhpc_cluster_state_dir }}/slurm/jwt_hs256.key"
+slurm_local_jwt_key_file: "{{ fhpc_local_slurm_jwt_key }}"
+slurm_with_jwt: "{{ fhpc_slurm_with_jwt }}"
 slurm_users: "{{ fhpc_users | map(attribute='login') | list }}"
+slurm_restd_with_unix_socket: "{{ fhpc_slurmrestd_with_unix_socket }}"
 slurm_restd_socket: "{{ fhpc_slurmrestd_socket }}"
+slurm_restd_port: "{{ fhpc_slurmrestd_port }}"
 slurm_accounts: "{{ fhpc_groups }}"
 slurm_compute_nodes: "{{ fhpc_nodes['compute'] }}"
 racksdb_database: "{{ fhpc_db }}"
 redis_local_password_file: "{{ fhpc_cluster_state_dir }}/redis/redis.password"
+slurmweb_local_slurmrestd_jwt_key_file: "{{ fhpc_local_slurm_jwt_key }}"
+slurmweb_slurmrestd_uri: "{{ fhpc_slurmrestd_with_unix_socket | ternary('unix:' ~ fhpc_slurmrestd_socket, 'http://localhost:' ~ fhpc_slurmrestd_port ) }}"
+slurmweb_slurmrestd_auth: "{{ fhpc_slurm_with_jwt | ternary('jwt', 'local') }}"
 slurmweb_slurmrestd_socket: "{{ fhpc_slurmrestd_socket }}"
 slurmweb_http_server_names:
 - "{{ slurmweb_hostname }}"
@@ -51,7 +61,11 @@ slurmweb_agent_settings_defaults:
   service:
     cluster: "{{ fhpc_cluster }}"
   slurmrestd:
-    socket: "{{ fhpc_slurmrestd_socket }}"
+    uri: "{{ slurmweb_slurmrestd_uri }}"
+    auth: "{{ slurmweb_slurmrestd_auth }}"
+    jwt_mode: "{{ slurmweb_slurmrestd_jwt_mode }}"
+    jwt_key: "{{ slurmweb_slurmrestd_jwt_key }}"
+    jwt_token: "{{ slurmweb_slurmrestd_jwt_token | default(omit) }}"
   cache:
     enabled: yes
     password: "{{ lookup('ansible.builtin.file', redis_local_password_file) }}"
diff --git a/conf/roles/slurmweb/defaults/main.yml b/conf/roles/slurmweb/defaults/main.yml
@@ -4,6 +4,12 @@ slurmweb_hostname: "{{ inventory_hostname }}"
 slurmweb_http_server_names:
 - "{{ slurmweb_hostname }}"
 slurmweb_jwt_key: /var/lib/slurm-web/jwt.key
+slurmweb_slurmrestd_uri: unix:/run/slurmrestd/slurmrestd.socket
+slurmweb_slurmrestd_auth: local
+slurmweb_slurmrestd_jwt_mode: auto
+slurmweb_slurmrestd_jwt_key: /var/lib/slurm-web/slurmrestd_jwt_hs256.key
+slurmweb_slurmrestd_jwt_token: null
+slurmweb_local_slurmrestd_jwt_key_file: jwt_hs256.key  # dummy
 slurmweb_agent_subdir: agent
 slurmweb_agent_settings_defaults: {}
 slurmweb_gateway_settings_defaults: {}
diff --git a/conf/roles/slurmweb/tasks/main.yml b/conf/roles/slurmweb/tasks/main.yml
@@ -8,6 +8,30 @@
     name: "{{ slurmweb_packages }}"
     state: latest
 
+- name: Obtain Slurm JWT
+  block:
+  - name: Generate JWT with Slurm scontrol
+    ansible.builtin.command: scontrol token lifespan=infinite username=slurm
+    register: slurmweb_slurm_scontrol_generate
+
+  - name: Setting slurmrestd JWT fact
+    ansible.builtin.set_fact:
+      slurmweb_slurmrestd_jwt_token: "{{ slurmweb_slurm_scontrol_generate.stdout | split('=') | last }}"
+  when:
+  - slurmweb_slurmrestd_auth == 'jwt'
+  - slurmweb_slurmrestd_jwt_mode == 'static'
+
+- name: Deploy slurm JWT signing key
+  ansible.builtin.copy:
+    src: "{{ slurmweb_local_slurmrestd_jwt_key_file }}"
+    dest: "{{ slurmweb_slurmrestd_jwt_key }}"
+    owner: slurm  # FIXME: agent and key must run as slurm-web when uri is http
+    group: slurm
+    mode: 0400
+  when:
+  - slurmweb_slurmrestd_auth == 'jwt'
+  - slurmweb_slurmrestd_jwt_mode == 'auto'
+
 - name: Deploy Slurm-web configuration files
   ansible.builtin.template:
     src: "{{ item }}.ini.j2"
@@ -21,6 +45,9 @@
   notify:
   - Restart slurm-web-{{ item }} uWSGI
 
+#
+# slurm-web-gen-jwt-key needs gateway configuration file.
+#
 - name: Create JWT signing key
   ansible.builtin.command:
     cmd: /usr/libexec/slurm-web/slurm-web-gen-jwt-key
