flux-config-security(5)¶
DESCRIPTION¶
The flux-security
project concentrates the security sensitive portions
of Flux. To maintain isolation, it implements two independent TOML
configuration hierarchies, separate from the rest of Flux. Their paths are
set when flux-security
is built and cannot be altered at runtime:
${sysconfdir}/flux/imp/conf.d/*.toml
Configuration file(s) for flux-imp(8), described in flux-config-security-imp(5).
${sysconfdir}/flux/security/conf.d/*.toml
Configuration file(s) for the signing library, described in flux-config-security-sign(5).
As with flux-config(5), Flux security configuration files follow the
TOML file format, with configuration subdivided by function into separate TOML
tables. The tables for each hierarchy may all appear in a single .toml
file or be fragmented in multiple files that match the appropriate
glob(7) pattern. The configuration is assumed to be identical for
all Flux components across a given Flux instance.
Security configuration files, including the conf.d
directory and individual
.toml
files, must be appropriately locked down:
owner of
root
group of
root
must not be writable by others
must not be a symbolic link
.toml
files must be regular files
There is no mechanism to tell Flux components to reread the Flux security configurations when they change. Most Flux security users such as flux-mini(1) or flux-imp(8) are short lived and read the latest configuration on each invocation. There are two considerations to be aware of when updating the signing configuration, however:
The
job-ingest
service validates the signatures of job requests. As a flux-broker(1) plugin, it runs for the duration of the rank 0 broker and could reject job submissions if a mismatched signing configuration is picked up by the job submission tools.Pending jobs could fail to start if the signing configuration used when they were submitted no longer matches the signing configuration read by the IMP at job startup.
It is therefore recommended that the Flux instance be cleared of pending jobs and fully stopped when updating the signing configuration.
RESOURCES¶
Flux: http://flux-framework.org
Flux Administrator's Guide: https://flux-framework.readthedocs.io/en/latest/adminguide.html
TOML: Tom's Obvious Minimal Language: https://toml.io/en/
RFC 15: Independent Minister of Privilege for Flux: The Security IMP: https://flux-framework.readthedocs.io/projects/flux-rfc/en/latest/spec_15.html
SEE ALSO¶
flux-config(5), flux-config-security-imp(5), flux-config-security-sign(5)