libjob: need signing interface when not configured --with-flux-security #1715
Comments
I think credit goes to you for that idea. At the surface, it seems like a good idea. Unfortunately, I don't know enough about the two interfaces to really say. Sorry. |
|
Another thought - are the config/mech options even useful outside of flux-core (outside of testing really)? could we add a |
There is something that seems slightly off about the current interfaces. Ideally, flux-core could have a generic I think there may be some tricky corner cases, but the generic core APIs should be able to auto-configure themselves by reading a system config file, or perhaps via loading a set of implementations from well defined system paths. Optionally the default configuration could be overridden via a
Just my opinion, but that doesn't sound right to me. In fact, that |
Oh, yeah. That is kind of what I was trying to get at (though less eloquently) |
Problem: users of flux_job_submit() must know whether flux-core was built --with-flux-security or not. Add a FLUX_JOB_PRE_SIGNED flag that allows jobspec to be signed before submission, but change the default so flux_job_submit() signs the jobspec internally. If built --with-flux-security, configure a security context using default config file path and cache it in the flux_t handle. Each time flux_job_submit() is called, the context is reused, and the jobspec is signed with the default mechanism. If built without --with-flux-security, sign using the "sign_none" class. Update flux-job to use the FLUX_JOB_PRE_SIGNED flag if built --with-flux-security. Fixes flux-framework#1715
Problem: users of flux_job_submit() must know whether flux-core was built --with-flux-security or not. Add a FLUX_JOB_PRE_SIGNED flag that allows jobspec to be signed before submission, but change the default so flux_job_submit() signs the jobspec internally. If built --with-flux-security, configure a security context using default config file path and cache it in the flux_t handle. Each time flux_job_submit() is called, the context is reused, and the jobspec is signed with the default mechanism. If built without --with-flux-security, sign using the "sign_none" class. Update flux-job to use the FLUX_JOB_PRE_SIGNED flag if built --with-flux-security. Fixes flux-framework#1715
Problem: users of flux_job_submit() must know whether flux-core was built --with-flux-security or not. Add a FLUX_JOB_PRE_SIGNED flag that allows jobspec to be signed before submission, but change the default so flux_job_submit() signs the jobspec internally. If built --with-flux-security, configure a security context using default config file path and cache it in the flux_t handle. Each time flux_job_submit() is called, the context is reused, and the jobspec is signed with the default mechanism. If built without --with-flux-security, sign using the "sign_none" class. Update flux-job to use the FLUX_JOB_PRE_SIGNED flag if built --with-flux-security. Fixes flux-framework#1715
Problem: users of flux_job_submit() must know whether flux-core was built --with-flux-security or not. Add a FLUX_JOB_PRE_SIGNED flag that allows jobspec to be signed before submission, but change the default so flux_job_submit() signs the jobspec internally. If built --with-flux-security, configure a security context using default config file path and cache it in the flux_t handle. Each time flux_job_submit() is called, the context is reused, and the jobspec is signed with the default mechanism. If built without --with-flux-security, sign using the "sign_none" class. Update flux-job to use the FLUX_JOB_PRE_SIGNED flag if built --with-flux-security. Fixes flux-framework#1715
Problem: users of flux_job_submit() must know whether flux-core was built --with-flux-security or not. Add a FLUX_JOB_PRE_SIGNED flag that allows jobspec to be signed before submission, but change the default so flux_job_submit() signs the jobspec internally. If built --with-flux-security, configure a security context using default config file path and cache it in the flux_t handle. Each time flux_job_submit() is called, the context is reused, and the jobspec is signed with the default mechanism. If built without --with-flux-security, sign using the "sign_none" class. Update flux-job to use the FLUX_JOB_PRE_SIGNED flag if built --with-flux-security. Fixes flux-framework#1715
The current API for job submission requires that users know whether flux-core was built
--with-flux-securityor not. This will not work for external API users. In addition, it complicates the python bindings as discussed in #1709.If security is unavailable, currently jobspec is submitted (and stored) in the clear without post processing, e.g.
It would be trivial to create a signed jobspec using mech=none that could be parsed by flux security, without duplicating code. The format is
HEADER.PAYLOAD.SIGNATUREwhereHEADERis a base64 encoding of the header (see below)PAYLOADis a base64 encoding of the payloadSIGNATUREis the string "none"The header is a kv string (see
src/util/kv.h in flux-security)where
<uid>is the signing userid.The reverse (unwrap) would also be necessary in the ingest module.
I guess the more difficult question is what sort of API should be exported by flux-core for signing that works with and without
--with-flux-security. When built "with", command line tools need a way to override the default flux-security config file for testing, and to override the configured signing mechanism. Currently one must call something like:Maybe (as @SteVwonder was suggesting I think) a generic wrap/unwrap could be added to the
flux_sec_tcontext already in flux-core? That's sounding like a better idea now because it would provide a way to hold the flux-security context (optionally).The text was updated successfully, but these errors were encountered: