flux-config-security-sign(5)¶
DESCRIPTION¶
Flux jobs are signed by job submission tools like flux-mini(1).
The signature is verified upon receipt by the Flux job-ingest service,
and at launch time by flux-imp(8). A signing library provided by the
flux-security project performs the cryptographic signing and verification.
The library is configured by the security configuration hierarchy, as
described in flux-config-security(5). One of three signing mechanisms
may be configured:
- munge
The job request is enclosed in a MUNGE credential whose originating UID can be verified at any location within the MUNGE domain. This is the preferred mechanism as it has undergone the most extensive auditing.
- curve
The job request is signed and verified using public key signatures as implemented by libsodium. This mechanism was implemented as a proof of concept during design and has not yet received adequate review to be considered secure on a real system.
- none
No-op mechanism. This mechanism is used when the submitting user and Flux instance owner are the same, as in a single user instance where signature verification is not required. DO NOT list it in the
allowed-typeskey described below.
This page describes the keys that may be listed in the [sign] table:
KEYS¶
- max-ttl
An integer value that defines the length of time, in seconds, that a signature should remain valid. In effect, it limits the amount of time a job can be pending in the queue. Recommended value: 1209600 (2 weeks).
- default-type
A string value that defines the default mechanism used to sign jobs if the submitting user is not the instance owner. Recommended value:
"munge".- allowed-types
A list of mechanisms that may be considered for signature verification. Recommended value:
[ "munge" ].
The following keys apply only to the munge mechanism:
- munge.socket-path
A string value that overrides the default MUNGE socket path. This is needed only if the MUNGE daemon used to sign Flux jobs is running on a socket path other than the one compiled into
libmunge.
The following keys apply only to the curve mechanism:
- curve.require-ca
A boolean value that determines whether the signing certificate should be validated against a certificate authority before use.
- curve.cert-path
A string value that overrides the signing certificate path, normally
.flux/curve/sigin the user's home directory.
EXAMPLE¶
[sign]
max-ttl = 1209600 # 2 weeks
default-type = "munge"
allowed-types = [ "munge" ]
RESOURCES¶
Flux: http://flux-framework.org
RFC 15: Independent Minister of Privilege for Flux: The Security IMP: https://flux-framework.readthedocs.io/projects/flux-rfc/en/latest/spec_15.html
MUNGE (MUNGE Uid 'N' Gid Emporium) https://dun.github.io/munge/
libsodium https://doc.libsodium.org/