docs: fix protocols section in architecture page

Mention Slurm internal authentication mechanism (with sackd) and clarify that munge is not actually involved between Slurm-web agent and slurmrestd.
rackslab · Aug 30, 2024 · dcbe631 · dcbe631
1 parent 1c73965
commit dcbe631
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -58,9 +58,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     reservations page (#336).
   - Hide users disclosure from jobs filters panel when authentication is
     disabled (#330).
-- docs: Mention requirement of `SLURMRESTD_SECURITY=disable_user_check`
-  environment variable definition in `slurmrestd` service drop-in configuration
-  override (#320).
+- docs:
+  - Mention requirement of `SLURMRESTD_SECURITY=disable_user_check` environment
+    variable in `slurmrestd` service drop-in configuration override (#320).
+  - Fix protocols section in architecture page to mention Slurm internal
+    authentication mechanism (with `sackd`) and clarify that `munge` is not
+    involved between Slurm-web agent and `slurmrestd`.
 
 ## [3.1.0] - 2024-07-03
 

diff --git a/docs/modules/overview/images/arch/slurm-web_protocols.png b/docs/modules/overview/images/arch/slurm-web_protocols.png
diff --git a/docs/modules/overview/images/arch/slurm-web_protocols.svg b/docs/modules/overview/images/arch/slurm-web_protocols.svg
diff --git a/docs/modules/overview/pages/architecture.adoc b/docs/modules/overview/pages/architecture.adoc
@@ -67,16 +67,18 @@ initial authentication with LDAP directory, users are authenticated between
 these components with https://jwt.io/[JSON Web Token] (JWT).
 
 Communications between *agent* component and Slurm `slurmrestd` daemon are
-performed with HTTP protocol over a Unix socket.
+performed with HTTP protocol over a Unix socket. For security reasons
+`slurmrestd` checks the *agent* runs with the same UID/GID as itself with its
+`rest_auth/local` plugin.
 
-NOTE: Slurm `slurmrestd` supports incoming connections on TCP/IP sockets but
-this configuration is not yet supported by Slurm-web. This is currently a
-limitation in Slurm-web that might change in the future (see
+NOTE: Slurm `slurmrestd` supports incoming connections on TCP/IP sockets with
+`rest_auth/jwt` plugin but this configuration is not yet supported by Slurm-web.
+This is currently a limitation in Slurm-web that might change in the future (see
 https://github.com/rackslab/Slurm-web/issues/313[#313]).
 
 Slurm components communicates with specific binary RPC protocol over TCP/IP
-sockets. Communications between the *agent* and Slurm components are secured
-and user are authenticated with https://dun.github.io/munge/[Munge].
+sockets, secured by either https://dun.github.io/munge/[Munge] or
+https://slurm.schedmd.com/authentication.html#slurm[Slurm internal mechanism].
 
 [#multiclusters]
 == Multi-clusters Distribution