docs: add SLURMRESTD_SECURITY=disable_user_check

Mention requirement of SLURMRESTD_SECURITY=disable_user_check environment variable definition in slurmrestd service drop-in configuration override. fix #320
rackslab · Aug 26, 2024 · 2c68070 · 2c68070
1 parent 4f1d5df
commit 2c68070
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,6 +40,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     reservations page (#336).
   - Hide users disclosure from jobs filters panel when authentication is
     disabled (#330).
+- docs: Mention requirement of `SLURMRESTD_SECURITY=disable_user_check`
+  environment variable definition in `slurmrestd` service drop-in configuration
+  override (#320).
 
 ## [3.1.0] - 2024-07-03
 

diff --git a/docs/modules/install/pages/quickstart.adoc b/docs/modules/install/pages/quickstart.adoc
@@ -97,6 +97,8 @@ drop-in configuration override for `slurmrestd` daemon:
 # Unset vendor unit ExecStart to avoid cumulative definition
 ExecStart=
 Environment=
+# Disable slurm user security check
+Environment=SLURMRESTD_SECURITY=disable_user_check
 ExecStart=/usr/sbin/slurmrestd $SLURMRESTD_OPTIONS unix:/run/slurmrestd/slurmrestd.socket
 RuntimeDirectory=slurmrestd
 RuntimeDirectoryMode=0755
@@ -105,7 +107,14 @@ Group=slurm
 ----
 
 NOTE: This configuration file makes `slurmrestd` listen for incoming connections
-on Unix socket accessible by Slurm-web.
+on Unix socket accessible by Slurm-web. In this configuration `slurmrestd` is
+executed with special `slurm` user to get more permissions on Slurm cluster.
+This is normally not permitted by `slurmrestd` unless
+`SLURMRESTD_SECURITY=disable_user_check` environment variable is defined. This
+is a security measure that is relevant in many use-cases but not for Slurm-web.
+Indeed, Slurm-web has its own internal security
+xref:conf:policy.adoc[autorization policy] to control users permissions and
+enforce security.
 
 Make `systemd` reload units changes on disk: