This document describes SLURM authentication plugins and the API which defines them. It is intended as a resource to programmers wishing to write their own SLURM authentication plugins. This is version 0 of the API.
SLURM authentication plugins are SLURM plugins which implement the SLURM authentication API described herein. They must conform to the SLURM Plugin API with the following specifications:
const char plugin_type[] - The major type must be "auth". The minor type can be any recognizable abbreviation for the type of authentication. We recommend, for example:
· "none" - A plugin which implements the API without providing any actual authentication service.
· "authd" - Brett Chun's Linux authd.
· "munged" - LLNL's munge protocol.
· "krb5" - Kerberos 5
The plugin_name and plugin_version symbols required by the SLURM Plugin API require no specialization for authentication, but note carefully the versioning discussion below.
The programmer is urged to study src/plugins/auth/auth_none.c for an example implementation of a SLURM authentication plugin.
The implementation must support an opaque class, which it defines, to be used as an authentication credential. This class must encapsulate all user-specific information necessary for the operation of the API specification below. The credential is referred to in SLURM code by an anonymous pointer (void *).
The implementation must maintain (though not necessarily directly
export) an enumerated errno to allow SLURM to
discover as practically as possible the reason for any failed API call.
The following enumerated integer values (declared in src/common/slurm_auth.h) must be used when appropriate.
SLURM_AUTH_BADARG - an argument to an API function was invalid or malformed.
SLURM_AUTH_MEMORY - a request could not be satisfied because memory for it could not be allocated.
SLURM_AUTH_NOUSER - a credential is improper because it refers to an unknown user.
SLURM_AUTH_INVALID - a credential is improper because the validation of it has failed. This is specifically distinct from the expiration of a credential.
SLURM_AUTH_MISMATCH - a credential could not be properly unpacked because it is of an incompatible type or version.
These values must not be used as return values in integer-valued
functions in the API. The proper error return value from integer-valued
functions is SLURM_ERROR. While it is most practical to associate a
different errno with each instance of a credential,
this is not necessarily enforced by the API. The implementation should
endeavor to provide useful and pertinent information by whatever means is
practical. In most cases this means an errno
for each credential, since plugins must be
re-entrant. If a plugin maintains a global errno in place of or in addition to a per-credential
errno, it is not required to enforce mutual
exclusion on it. Successful API calls are not required to reset any errno to a known value. However, the initial
value of any errno, prior to any error
condition arising, should be SLURM_SUCCESS.
Plugins may assign implementation-specific values to errno so long as they do not conflict with the
values assigned above. This is done programmatically by assigning plugin-specific errno
values which are arithmetically greater than or equal to the symbol
SLURM_AUTH_FIRST_LOCAL_ERROR.
The following functions must appear. Functions which are not implemented should be stubbed.
void *slurm_auth_alloc (void);
Description
Allocates from the free store an anonymous credential
object and returns a pointer to it. The pointer should be valid until
passed to slurm_auth_free() for
disposal. The credential is not expected to be in a usable state until it
is activated by slurm_auth_activate().
SLURM will not pass credentials to the API which have
not been allocated by this function.
Arguments
None.
Returns
A pointer to a newly allocated credential if
successful. On failure the plugin should return
NULL and set its errno to an appropriate value
to indicate the reason for failure.
int slurm_auth_free (void *cr);
Description
Deallocates a credential that was
allocated with slurm_auth_alloc() and any
associated storage that has been allocated for it during its use.
Arguments
cr - (input) pointer to the credential which is to be deallocated. Cannot be NULL.
Returns
SLURM_SUCCESS if successful.
On failure the plugin should return
SLURM_ERROR and set the errno
to an appropriate value to indicate the reason for failure.
int slurm_auth_activate (void *cr);
Description
Prepares a credential for verification,
usually by some "signing" process. slurm_auth_activate() and slurm_auth_verify() are strictly sequential operations.
A credential which has been successfully activated should be
successfully verified without any further processing, provided it has not
expired. A credential must be activated before it can be
successfully verified. The return values of slurm_auth_get_uid() and slurm_auth_get_gid() may be meaningful after activation
(depending on plugin preference), but are not
considered trustworthy by SLURM until verification.
Arguments
cr - (input) pointer to the credential which is to be activated. Cannot be NULL.
Returns
SLURM_SUCCESS if successful. On failure the function should
return SLURM_ERROR and set its errno to an
appropriate value to indicate the reason for failure.
int slurm_auth_verify (void *cr);
Description
Verifies that a credential is in order and
correctly identifies the associated user. It also verifies that the credential
has not expired. If verification is successful, the return values of slurm_auth_get_uid() and slurm_auth_get_gid() in subsequent calls must correspond to
the actual verified system UID and GID of the user associated with the credential.
Verification must fail if the credential has not previously been
activated, even if a credential implementation cannot exist in an unactivated state. A credential's valid term
is defined at activation and verification must fail if the credential
has expired, even if it would otherwise be valid.
Arguments
cr - (input) pointer to the credential which is to be verified. Cannot be NULL.
Returns
SLURM_SUCCESS if the credential is verified to be in order and has
not expired. If the credential cannot be verified, or if the credential
has expired, the function should return SLURM_ERROR and set its errno to an appropriate value to indicate the reason
for failure.
uid_t slurm_auth_get_uid (void *cr);
gid_t slurm_auth_get_gid (void *cr);
Description
Extracts the numerical UID (GID) of the user
corresponding to the given credential. SLURM considers this value
trustworthy only if the credential has been successfully verified using slurm_auth_verify(). An unverified credential
does not immediately give rise to an error condition in these functions, since
this would require a plugin to distinguish between a
verified and an unverified credential, which may be computationally
expensive. A plugin may consider the lack of
verification as an error.
Arguments
cr - (input) pointer to the credential containing the desired identification. Cannot be NULL.
Returns
If successful, the Linux UID (GID) associated with
the credential. In case of error, SLURM_AUTH_NOBODY should be
returned and errno set appropriately to
indicate the cause of the failure.
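The activation, verification and identity rules above, shown as an added sketch that is not code from SLURM or from auth_none.c. The constant values, ex_cred_t, ex_errno, EX_TTL and EX_AUTH_EXPIRED are assumptions standing in for src/common/slurm_auth.h and for plugin internals, and no signing is performed; the sketch takes the option of treating an unverified credential as an error in slurm_auth_get_uid().

```c
#include <stdlib.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
/* Stand-in values; the real symbols are declared in src/common/slurm_auth.h. */
#define SLURM_SUCCESS 0
#define SLURM_ERROR (-1)
#define SLURM_AUTH_NOBODY ((uid_t)99)
enum { SLURM_AUTH_BADARG = 1, SLURM_AUTH_MEMORY, SLURM_AUTH_INVALID,
       SLURM_AUTH_FIRST_LOCAL_ERROR, EX_AUTH_EXPIRED = SLURM_AUTH_FIRST_LOCAL_ERROR };
#define EX_TTL 300                   /* hypothetical valid term, in seconds */
typedef struct {                     /* hypothetical opaque credential */
    uid_t uid; gid_t gid;
    time_t expires;                  /* valid term, fixed at activation */
    int activated, verified, cr_errno; /* cr_errno: per-credential errno */
} ex_cred_t;
static int ex_errno = SLURM_SUCCESS; /* plugin-wide errno for NULL credentials */

void *slurm_auth_alloc(void) {
    void *cr = calloc(1, sizeof(ex_cred_t)); /* zeroed: errno starts as SLURM_SUCCESS */
    if (!cr) ex_errno = SLURM_AUTH_MEMORY;
    return cr;
}
int slurm_auth_free(void *cr) { if (!cr) return SLURM_ERROR; free(cr); return SLURM_SUCCESS; }
int slurm_auth_errno(void *cr) { return cr ? ((ex_cred_t *)cr)->cr_errno : ex_errno; }

int slurm_auth_activate(void *cr) {
    ex_cred_t *c = cr;
    if (!c) { ex_errno = SLURM_AUTH_BADARG; return SLURM_ERROR; }
    c->uid = getuid(); c->gid = getgid();
    c->expires = time(NULL) + EX_TTL;
    c->activated = 1; c->verified = 0;   /* identity is set but not yet trusted */
    return SLURM_SUCCESS;
}
int slurm_auth_verify(void *cr) {
    ex_cred_t *c = cr;
    if (!c) { ex_errno = SLURM_AUTH_BADARG; return SLURM_ERROR; }
    c->verified = 0;
    if (!c->activated) { c->cr_errno = SLURM_AUTH_INVALID; return SLURM_ERROR; }
    /* Expiry gets its own plugin-local code: SLURM_AUTH_INVALID excludes it. */
    if (time(NULL) >= c->expires) { c->cr_errno = EX_AUTH_EXPIRED; return SLURM_ERROR; }
    c->verified = 1; /* a real plugin checks its signature before this point */
    return SLURM_SUCCESS;
}
uid_t slurm_auth_get_uid(void *cr) {
    ex_cred_t *c = cr;
    if (!c) { ex_errno = SLURM_AUTH_BADARG; return SLURM_AUTH_NOBODY; }
    if (!c->verified) { c->cr_errno = SLURM_AUTH_INVALID; return SLURM_AUTH_NOBODY; }
    return c->uid;
}
```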
int slurm_auth_pack (void *cr, Buf buf);
Description
Marshals a credential into a buffer for transmission according to
the SLURM packing protocol. All authentication plugins
must first pack the plugin_type
and then the plugin_version
data before any plugin-specific data elements are
packed. slurm_auth_pack() and slurm_auth_unpack() are strictly reciprocal. The result
of a packing followed by an unpacking must be a functionally equivalent credential.
A credential is deemed appropriate for marshalling at any time after its
allocation and before its destruction.
Arguments
cr - (input) pointer to the credential to pack.
buf - (input/output) the buffer into which the credential should be packed.
Returns
SLURM_SUCCESS if successful.
On failure the plugin should return
SLURM_ERROR and set the errno
to indicate the reason for the failure.
int slurm_auth_unpack (void *cr, Buf buf);
Description
Unmarshals a credential from a buffer
according to the SLURM packing protocol into a supplied (and presumed empty) credential
object. The unmarshalled credential is not
assumed to be activated or verified. The plugin_type and plugin_version data should first be
unpacked from the buffer and verified for applicability. The API does not
enforce that they must be equivalent, merely compatible. Compatibility is
implementation-dependent.
Arguments
cr - (output) pointer to the credential to unpack.
buf - (input/output) the buffer from which the credential should be unpacked.
Returns
SLURM_SUCCESS if the credential was successfully unpacked.
In case of failure, the function should return SLURM_ERROR and set errno appropriately to indicate the cause of the
failure. If the function fails, no assumptions are made about the state
of the credential except its suitability for destruction via slurm_auth_free().
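The header ordering and compatibility check described for slurm_auth_pack() and slurm_auth_unpack(), as an added sketch that is not SLURM code. ex_buf_t is a stand-in for Buf and the SLURM packing protocol (fields are copied in host byte order), and the "auth/example" type string, the version window, the ex_ names and the constant values are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define SLURM_SUCCESS 0
#define SLURM_ERROR (-1)
enum { SLURM_AUTH_BADARG = 1, SLURM_AUTH_MISMATCH = 5 };   /* stand-in values */

typedef struct { uint8_t data[128]; size_t len, pos; } ex_buf_t; /* stand-in for Buf */
typedef struct { uint32_t uid, gid; int cr_errno; } ex_cred_t;   /* hypothetical */

static const char plugin_type[] = "auth/example";  /* hypothetical minor type */
static const uint32_t plugin_version = 2;
#define EX_MIN_COMPAT_VERSION 1   /* oldest format this plugin still accepts */

static int put(ex_buf_t *b, const void *p, size_t n) {
    if (n > sizeof b->data - b->len) return SLURM_ERROR;
    memcpy(b->data + b->len, p, n); b->len += n;
    return SLURM_SUCCESS;
}
static int get(ex_buf_t *b, void *p, size_t n) {
    if (n > b->len - b->pos) return SLURM_ERROR;   /* never read past the input */
    memcpy(p, b->data + b->pos, n); b->pos += n;
    return SLURM_SUCCESS;
}

/* plugin_type first, then plugin_version, then plugin-specific fields. */
int ex_auth_pack(const ex_cred_t *c, ex_buf_t *b) {
    uint8_t tlen = sizeof plugin_type;             /* length includes the NUL */
    if (put(b, &tlen, 1) || put(b, plugin_type, tlen) || put(b, &plugin_version, 4)
        || put(b, &c->uid, 4) || put(b, &c->gid, 4)) return SLURM_ERROR;
    return SLURM_SUCCESS;
}

int ex_auth_unpack(ex_cred_t *c, ex_buf_t *b) {
    uint8_t tlen; char type[sizeof plugin_type]; uint32_t ver;
    c->cr_errno = SLURM_AUTH_MISMATCH;   /* holds until the header is accepted */
    if (get(b, &tlen, 1) || tlen != sizeof plugin_type || get(b, type, tlen)
        || memcmp(type, plugin_type, tlen) != 0) return SLURM_ERROR;
    if (get(b, &ver, 4) || ver < EX_MIN_COMPAT_VERSION || ver > plugin_version)
        return SLURM_ERROR;              /* compatible, not necessarily equal */
    c->cr_errno = SLURM_AUTH_BADARG;     /* header ok; a short body is malformed */
    if (get(b, &c->uid, 4) || get(b, &c->gid, 4)) return SLURM_ERROR;
    c->cr_errno = SLURM_SUCCESS;         /* result is unpacked, not verified */
    return SLURM_SUCCESS;
}
```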
int slurm_auth_print (void *cr, FILE *fp);
Description
Writes a human-readable representation of the
credential to a standard I/O stream. There are no strict API constraints
on the behavior of this function; however, it is
recommended that the information be as complete and as concise as
possible. For example, lengthy digital "signatures" need not be
printed bitwise, but may be represented by their checksum. The intent is
to provide a depiction of the credential for debugging purposes.
Arguments
None.
Returns
SLURM_SUCCESS if successful.
On failure the plugin should return
SLURM_ERROR and set the errno
appropriately to indicate the cause of failure.
int slurm_auth_errno (void *cr);
Description
Returns the current value of errno.
Whether the value is associated with the given credential or with the plugin as a whole is implementation-dependent.
Because this function can be used to discover the reason why a credential
allocation has failed, the argument is advisory.
Arguments
cr - (input) pointer to the credential, the status of whose most recently
executed API function is to be returned. This value may be NULL,
indicating that the most recent errno value
applicable to the plugin as a whole is to be
returned.
Returns
The current value of errno
or SLURM_SUCCESS if there is no error to report.
const char *slurm_auth_errstr (int errno);
Description
Provides a human-readable string associated with the given errno. The plugin
need only supply error strings for the errno
values it defines and not for errno values
listed above that are required by the API.
Arguments
errno - (input) the plugin-specific errno
for which a corresponding error message is desired.
Returns
A pointer to a static error message. This
function must always return a pointer to a string, even if the string is empty
or ambiguous such as "unknown error".
This document describes version 0 of the SLURM Authentication API. Future releases of SLURM may revise this API. An authentication plugin conveys its ability to implement a particular API version using the mechanism outlined for SLURM plugins. In addition, the credential is transmitted along with the version number of the plugin that transmitted it. It is at the discretion of the plugin author whether to maintain data format compatibility across different versions of the plugin.