Slurmrestd Access

This page describes how-to setup Slurm slurmrestd service and Slurm-web agent with:

  • TCP/IP socket,

  • JWT authentication,

  • auto token management mode.

< back to all slurmrestd setups

slurmrestd access modes inet jwt auto

Setup Slurm

With jwt authentication method, the client must provide user and token in HTTP headers. Then, slurmrestd service forwards these credentials in RPCs to slurmctld and slurmdbd which are responsible to check expiration and signature of the token .

In this configuration, slurmrestd service and Slurm-web agent can run with unprivileged system users.

Create /etc/systemd/system/slurmrestd.service.d/slurm-web.conf drop-in configuration override for slurmrestd service:

[Service]
# Unset vendor unit ExecStart to avoid cumulative definition
ExecStart=
Environment=
ExecStart=/usr/sbin/slurmrestd $SLURMRESTD_OPTIONS -a rest_auth/jwt [::]:6820
RuntimeDirectory=slurmrestd
RuntimeDirectoryMode=0755
User=slurmrestd
Group=slurmrestd
DynamicUser=yes
With DynamicUser=yes, systemd creates a transient slurmrestd system user during the lifetime of the service and executes the daemon with this unprivileged user.

Reload systemd units and enable the service:

# systemctl daemon-reload && systemctl enable --now slurmrestd.service

Generate random Slurm JWT signing key with restrictive permissions:

# dd if=/dev/random of=/var/spool/slurm/jwt_hs256.key bs=32 count=1
# chown slurm:slurm /var/spool/slurm/jwt_hs256.key
# chmod 0600 /var/spool/slurm/jwt_hs256.key

Edit main Slurm and SlurmDBD configuration to enable JWT alternative authentication:

AuthAltTypes=auth/jwt
AuthAltParameters=jwt_key=/var/spool/slurm/jwt_hs256.key

Restart slurmctld and slurmdbd services to update configuration:

# systemctl restart slurmctld slurmdbd

Setup Agent

Copy Slurm JWT signing key and restrict permissions to this copy:

# cp /var/spool/slurm/jwt_hs256.key /var/lib/slurm-web/slurmrestd.key
# chown slurm-web:slurm-web /var/lib/slurm-web/slurmrestd.key
# chmod 0400 /var/lib/slurm-web/slurmrestd.key

Edit Slurm-web agent configuration file /etc/slurm-web/agent.ini to enable JWT authentication method:

[slurmrestd]
uri=http://localhost:6820
auth=jwt
You can optionally tune lifespan of token generated by Slurm-web with jwt_lifespan configuration parameter (default: 3600 seconds, ie. 1 hour).

To improve security, edit Slurm-web agent service to run as unprivileged slurm-web system user:

  • With native services, edit agent service settings:

    # systemctl edit slurm-web-agent.service

    Add the following lines:

    [Service]
User=slurm-web

    Restart the service:

    # systemctl restart slurm-web-agent.service

  • With production HTTP server, edit agent uWSGI service settings /etc/systemd/system/slurm-web-agent-uwsgi.service:

    --- a/etc/systemd/system/slurm-web-agent-uwsgi.service
+++ b/etc/systemd/system/slurm-web-agent-uwsgi.service
@@ -6,7 +6,7 @@
 # By default, this service runs with slurm admin user for local authentication
 # on slurmrestd. When slurmrestd is setup with JWT authentication, it is
 # recommended to change this value to more restricted slurm-web system user.
-User=slurm
+User=slurm-web
 RuntimeDirectory=slurm-web-agent
 ExecStart=/usr/sbin/uwsgi --ini /usr/share/slurm-web/wsgi/agent/slurm-web-agent.ini

    Reload service units:

    # systemctl daemon-reload

    Restart Slurm-web agent:

    # systemctl restart slurm-web-agent.service

Test Access

To test Slurm-web agent and slurmrestd service configuration parameters, you can run slurm-web-connect-check utility. It tries to send HTTP request to slurmrestd with Slurm-web agent configuration parameters and reports the status. For example:

# /usr/libexec/slurm-web/slurm-web-connect-check
✅ connection successful (slurm: 24.11.0, cluster: hpc)