Cryptography and authentication

Charmed HPC uses and provides options for a couple of different cryptography and authentication methods: SACK (Slurm Auth and Cred Kiosk), which is Slurm’s internal authentication system, and JWT (JSON Web Tokens).

Slurm credentials and SACK

SACK (Slurm Auth and Cred Kiosk) is Slurm’s internal authentication subsystem that manages creating and validating credentials.

This subsystem is used by the following Charmed HPC Slurm charms:

SACK requires sharing a cryptographically secure key between all the Slurm nodes in a cluster. To generate this key, the charms use the secrets library from the Python Standard Library, which uses getrandom(2) if available and /dev/urandom otherwise.
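The following is an added example, not code from the Charmed HPC charms: it generates a shared key with the secrets module, stores it with owner-only permissions, and audits a key file for the problems that most often weaken a shared secret. The file name slurm.key, the 1024-byte key size, and the audit thresholds are assumptions made for this example.

```python
import os
import secrets
import stat
import tempfile

KEY_BYTES = 1024     # assumption: key size chosen for this example
MIN_KEY_BYTES = 32   # assumption: audit floor chosen for this example


def write_key(path, nbytes=KEY_BYTES):
    """Generate a key with the secrets module and store it owner-only."""
    key = secrets.token_bytes(nbytes)  # drawn from the OS CSPRNG
    # O_EXCL refuses to reuse an existing file; mode 0600 applies from
    # creation, so the key is never readable by group or others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def audit_key(path, min_bytes=MIN_KEY_BYTES):
    """Return a list of findings for a key file; empty means it passed."""
    st = os.lstat(path)  # lstat: do not follow a symlink to another file
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} grants group/other access")
    if st.st_size < min_bytes:
        findings.append(f"key is {st.st_size} bytes, below {min_bytes}")
    else:
        with open(path, "rb") as fh:
            # A random key of this size has many distinct byte values;
            # a typed passphrase or padded placeholder has few.
            if len(set(fh.read())) < 16:
                findings.append("key has very few distinct byte values")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample location
        good = os.path.join(tmp, "slurm.key")
        write_key(good)
        print("fresh key:", audit_key(good) or "ok")
        os.chmod(good, 0o644)  # simulate permission drift on one node
        print("after chmod 644:", audit_key(good))
```

Because every node holds the same key, running the audit on each node catches a copy whose permissions drifted during distribution.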

JSON Web Tokens (JWT)

Some Slurm charms support JSON Web Tokens as an alternative authentication method for a Slurm cluster.

This service is used by the Slurm charms:

A shared private encryption key is required to verify the signature of client tokens. The current method uses a 2048-bit RSA key, which is generated using the cryptography package for Python from PyPI.

The Slurm documentation contains more information about the topic.