simple CA setup for initial single-cluster deployment #38

Open
garlick opened this issue Jan 10, 2018 · 1 comment

Comments

@garlick
Member

garlick commented Jan 10, 2018

We need a way for users to obtain CA-signed certs, used to submit jobs. This should be a secure operation that minimizes chances for disclosure of the CA private key. There are lots of ways that this could be set up. I wanted to open this issue to discuss possible practical ways to do it on a single cluster running Flux.

@garlick
Member Author

garlick commented Jan 10, 2018

@grondo reminded me that we had talked about a `flux imp ca` sub-command that would use the IMP's setuid privilege to access the CA private key.

For example, a keygen utility could generate an unsigned cert, then pass the public part to `flux imp ca sign`. The IMP sets the userid in the cert based on the real uid that ran it, and returns the signed public cert to the keygen utility, which then writes it out.

The site would control the distribution of the CA private key; on a single-cluster deployment, perhaps limiting it to a login node.

This scheme would require the IMP to be installed with o+x permissions.
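
The signing step described in the comment above, as an added sketch that is not part of the original issue or of the Flux code base: the privileged signer ignores any userid the caller supplies and stamps the real uid of the invoking process before signing. The names `ca_sign`, `verify` and `CA_KEY` and the dict-based cert layout are hypothetical, and HMAC-SHA256 stands in for the CA's public-key signature so that only the standard library is needed.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the CA private key. In the proposed scheme only the
# setuid helper can read it; HMAC-SHA256 replaces a real public-key signature.
CA_KEY = b"constructed-demo-ca-key"


def _digest(body):
    """MAC over a canonical encoding of the fields the CA vouches for."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def ca_sign(request):
    """Privileged side: sign the caller's public key, bound to the real uid."""
    pubkey = request.get("pubkey")
    if not isinstance(pubkey, str) or not pubkey:
        raise ValueError("request carries no public key")
    # Never copy a userid out of the request. A setuid helper takes it from
    # the real uid of the invoking process (getuid, not geteuid).
    body = {"pubkey": pubkey, "userid": os.getuid()}
    return {**body, "signature": _digest(body)}


def verify(cert):
    """Check that pubkey and userid are exactly what the CA signed."""
    try:
        body = {"pubkey": cert["pubkey"], "userid": cert["userid"]}
        sig = cert["signature"]
    except (KeyError, TypeError):
        return False
    if not isinstance(sig, str):
        return False
    return hmac.compare_digest(_digest(body).encode(), sig.encode())


if __name__ == "__main__":
    # Constructed request that tries to claim another user's identity.
    request = {"pubkey": "constructed-pubkey", "userid": os.getuid() + 1}
    cert = ca_sign(request)
    print("userid in cert:", cert["userid"], "valid:", verify(cert))
    print("tampered valid:", verify(dict(cert, userid=os.getuid() + 1)))
```
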
