From 98d6a589db5a07c694b99244a5261b066344aec5 Mon Sep 17 00:00:00 2001 From: Morris Jette <jette@schedmd.com> Date: Fri, 27 Feb 2015 13:00:32 -0800 Subject: [PATCH] Add AuthInfo option of "cred_expire=#" Use this to specify the lifetime of a job step credential. --- NEWS | 2 ++ RELEASE_NOTES | 2 ++ doc/man/man5/slurm.conf.5 | 24 ++++++++++++--- src/common/slurm_cred.c | 19 +++++++++++- src/common/slurm_protocol_api.c | 39 +++++++++++++------------ src/plugins/auth/munge/auth_munge.c | 25 ++++++---------- src/plugins/crypto/munge/crypto_munge.c | 26 +++++++---------- 7 files changed, 82 insertions(+), 55 deletions(-) diff --git a/NEWS b/NEWS index 2511b722f74..6204b38be0e 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,8 @@ documents those changes that are of interest to users and administrators. -- Set the delay time for job requeue to the job credential lifetime (600 seconds by default). This insures that prolog runs on every node when a job is requeued. (This change will slow down launch of re-queued jobs). + -- Add AuthInfo option of "cred_expire=#" to specify the lifetime of a job + step credential. * Changes in Slurm 15.08.0pre2 ============================== diff --git a/RELEASE_NOTES b/RELEASE_NOTES index a30bd99e564..97fcacbb061 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -89,6 +89,8 @@ CONFIGURATION FILE CHANGES (see man appropriate man page for details) -- Interpret a partition configuration of "Nodes=ALL" in slurm.conf as including all nodes defined in the cluster. -- Added new configuration parameters PowerParameters and PowerPlugin. + -- Add AuthInfo option of "cred_expire=#" to specify the lifetime of a job + step credential. DBD CONFIGURATION FILE CHANGES (see "man slurmdbd.conf" for details) ==================================================================== diff --git a/doc/man/man5/slurm.conf.5 b/doc/man/man5/slurm.conf.5 index b082c03d5fa..cddef2b175a 100644 --- a/doc/man/man5/slurm.conf.5 +++ b/doc/man/man5/slurm.conf.5 
@@ -267,12 +267,28 @@ Additional information to be used for authentication of communications between the Slurm daemons (slurmctld and slurmd) and the Slurm clients. The interpretation of this option is specific to the configured \fBAuthType\fR. -In the case of \fIauth/munge\fR and \fIcrypto/munge\fR, the value -of this parameter can specify the socket of a MUNGE daemon other than -the default MUNGE daemon (e.g. "socket=/var/run/munge/munge.socket.2") or -the credential time to live in seconds (e.g. "ttl=300"). Multiple options may be specified in a comma delimited list. If not specified, the default authentication information will be used. +.RS +.TP 14 +\fBcred_expire\fR +Default job step credential lifetime, in seconds (e.g. "cred_expire=1200"). +It must be sufficiently long enough to load user environment, run prolog, +deal with the slurmd getting paged out of memory, etc. +This also controls how long a requeued job must wait before starting again. +The default value is 1200 seconds. +.TP +\fBsocket\fR +Path name to a MUNGE daemon socket to use +(e.g. "socket=/var/run/munge/munge.socket.2"). +The default value is "/var/run/munge/munge.socket.2". +Used by \fIauth/munge\fR and \fIcrypto/munge\fR. +.TP +\fBttl\fR +Credential lifetime, in seconds (e.g. "ttl=300"). +The default value is dependent upon the Munge installation, but is typically +300 seconds. +.RE .TP \fBAuthType\fR diff --git a/src/common/slurm_cred.c b/src/common/slurm_cred.c index adeb95a0cec..38d8d015c48 100644 --- a/src/common/slurm_cred.c +++ b/src/common/slurm_cred.c 
@@ -3,6 +3,7 @@ ***************************************************************************** * Copyright (C) 2002-2007 The Regents of the University of California. * Copyright (C) 2008-2010 Lawrence Livermore National Security. + * Portions Copyright (C) 2015 SchedMD <http://www.schedmd.com>. * Produced at Lawrence Livermore National Laboratory (cf, DISCLAIMER). * Written by Morris Jette <jette1@llnl.gov>. * CODE-OCEC-09-009. All rights reserved. @@ -75,6 +76,8 @@ typedef struct sbcast_cred sbcast_cred_t; /* opaque data type */ * Default credential information expiration window. * Long enough for loading user environment, running prolog, * and dealing with the slurmd getting paged out of memory. + * The default value may be altered with the configuration option of this sort: + * "AuthInfo=cred_expire=600" */ #define DEFAULT_EXPIRATION_WINDOW 1200 @@ -234,6 +237,7 @@ static pthread_mutex_t g_context_lock = PTHREAD_MUTEX_INITIALIZER; static bool init_run = false; static time_t crypto_restart_time = (time_t) 0; static List sbcast_cache_list = NULL; +static int cred_expire = DEFAULT_EXPIRATION_WINDOW; /* * Static prototypes: @@ -292,6 +296,7 @@ static char * timestr (const time_t *tp, char *buf, size_t n); static int _slurm_crypto_init(void) { + char *auth_info, *tok; char *plugin_type = "crypto"; char *type = NULL; int retval = SLURM_SUCCESS; @@ -299,6 +304,18 @@ static int _slurm_crypto_init(void) if ( init_run && g_context ) /* mostly avoid locks for better speed */ return retval; + if ((auth_info = slurm_get_auth_info())) { + if ((tok = strstr(auth_info, "cred_expire="))) { + cred_expire = atoi(tok + 12); + if (cred_expire < 5) { + error("AuthInfo=cred_expire=%d invalid", + cred_expire); + cred_expire = DEFAULT_EXPIRATION_WINDOW; + } + xfree(auth_info); + } + } + slurm_mutex_lock( &g_context_lock ); if (crypto_restart_time == (time_t) 0) crypto_restart_time = time(NULL); 
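Review bot: `xfree(auth_info);` sits inside the `if ((tok = strstr(auth_info, "cred_expire=")))` branch of `_slurm_crypto_init()`, so an AuthInfo string that is set but carries no `cred_expire=` (only `socket=` or `ttl=`, say) is never freed. Now that `slurm_get_auth_info()` returns a fresh copy on each call, the free should move one brace out, to just before the outer `if` closes. The parsed value is only checked against a floor of 5: `atoi()` reports nothing for non-numeric or out-of-range text and there is no upper limit, so a mistyped value silently widens the window in which a job step credential is accepted. Parsing with `strtol()` plus an end-pointer check, and rejecting values above a documented maximum, would make that misconfiguration visible. The write to the static `cred_expire` also happens before `slurm_mutex_lock(&g_context_lock)`; the rest of the function lies outside the hunk, so whether that can race depends on how init is reached.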
@@ -1604,7 +1621,7 @@ _slurm_cred_ctx_alloc(void) slurm_mutex_init(&ctx->mutex); slurm_mutex_lock(&ctx->mutex); - ctx->expiry_window = DEFAULT_EXPIRATION_WINDOW; + ctx->expiry_window = cred_expire; ctx->exkey_exp = (time_t) -1; xassert(ctx->magic = CRED_CTX_MAGIC); diff --git a/src/common/slurm_protocol_api.c b/src/common/slurm_protocol_api.c index 00deb4acdb8..2a98061a04a 100644 --- a/src/common/slurm_protocol_api.c +++ b/src/common/slurm_protocol_api.c @@ -3,7 +3,7 @@ ***************************************************************************** * Copyright (C) 2002-2007 The Regents of the University of California. * Copyright (C) 2008-2010 Lawrence Livermore National Security. - * Copyright (C) 2010-2014 SchedMD LLC. + * Copyright (C) 2010-2015 SchedMD LLC. * Copyright (C) 2013 Intel, Inc. * Produced at Lawrence Livermore National Laboratory (cf, DISCLAIMER). * Written by Kevin Tew <tew1@llnl.gov>, et. al. @@ -1465,18 +1465,13 @@ char *slurm_get_accounting_storage_pass(void) */ extern char *slurm_get_auth_info(void) { - static bool loaded_auth_info = false; - static char *auth_info = NULL; + char *auth_info; slurm_ctl_conf_t *conf; - if (loaded_auth_info) - return auth_info; - conf = slurm_conf_lock(); auth_info = xstrdup(conf->authinfo); slurm_conf_unlock(); - loaded_auth_info = true; return auth_info; } @@ -1505,6 +1500,7 @@ extern int slurm_get_auth_ttl(void) } else { ttl = 0; } + xfree(auth_info); return ttl; } @@ -2808,8 +2804,9 @@ int slurm_receive_msg(slurm_fd_t fd, slurm_msg_t *msg, int timeout) rc = g_slurm_auth_verify( auth_cred, NULL, 2, _global_auth_key() ); } else { - rc = g_slurm_auth_verify( auth_cred, NULL, 2, - slurm_get_auth_info() ); + char *auth_info = slurm_get_auth_info(); + rc = g_slurm_auth_verify( auth_cred, NULL, 2, auth_info ); + xfree(auth_info); } if (rc != SLURM_SUCCESS) { 
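Review bot: `slurm_get_auth_info()` now returns a newly `xstrdup`'d string on every call instead of a cached pointer, but nothing visible in the hunk tells callers that they own it. The header comment, which starts above the hunk, should gain a line such as `NOTE: Caller must xfree return value`, matching the wording already used on `_auth_opts_to_socket()`. Any caller this patch does not touch will leak one copy of AuthInfo per call, so the remaining uses in the tree are worth auditing. The send and receive hunks that follow in this file (`slurm_receive_msg`, `slurm_receive_msgs`, `slurm_receive_msg_and_forward`, `slurm_send_node_msg`) now take the configuration lock and allocate once per message, which is a cost the old cached version did not have.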
@@ -2986,8 +2983,9 @@ List slurm_receive_msgs(slurm_fd_t fd, int steps, int timeout) rc = g_slurm_auth_verify( auth_cred, NULL, 2, _global_auth_key() ); } else { - rc = g_slurm_auth_verify( auth_cred, NULL, 2, - slurm_get_auth_info() ); + char *auth_info = slurm_get_auth_info(); + rc = g_slurm_auth_verify( auth_cred, NULL, 2, auth_info ); + xfree(auth_info); } if (rc != SLURM_SUCCESS) { @@ -3225,8 +3223,9 @@ int slurm_receive_msg_and_forward(slurm_fd_t fd, slurm_addr_t *orig_addr, rc = g_slurm_auth_verify( auth_cred, NULL, 2, _global_auth_key() ); } else { - rc = g_slurm_auth_verify( auth_cred, NULL, 2, - slurm_get_auth_info() ); + char *auth_info = slurm_get_auth_info(); + rc = g_slurm_auth_verify( auth_cred, NULL, 2, auth_info ); + xfree(auth_info); } if (rc != SLURM_SUCCESS) { @@ -3322,10 +3321,13 @@ int slurm_send_node_msg(slurm_fd_t fd, slurm_msg_t * msg) * but we may need to generate the credential again later if we * wait too long for the incoming message. */ - if (msg->flags & SLURM_GLOBAL_AUTH_KEY) + if (msg->flags & SLURM_GLOBAL_AUTH_KEY) { auth_cred = g_slurm_auth_create(NULL, 2, _global_auth_key()); - else - auth_cred = g_slurm_auth_create(NULL, 2, slurm_get_auth_info()); + } else { + char *auth_info = slurm_get_auth_info(); + auth_cred = g_slurm_auth_create(NULL, 2, auth_info); + xfree(auth_info); + } if (msg->forward.init != FORWARD_INIT) { forward_init(&msg->forward, NULL); @@ -3339,8 +3341,9 @@ int slurm_send_node_msg(slurm_fd_t fd, slurm_msg_t * msg) auth_cred = g_slurm_auth_create(NULL, 2, _global_auth_key()); } else { - auth_cred = g_slurm_auth_create(NULL, 2, - slurm_get_auth_info()); + char *auth_info = slurm_get_auth_info(); + auth_cred = g_slurm_auth_create(NULL, 2, auth_info); + xfree(auth_info); } } if (auth_cred == NULL) { diff --git a/src/plugins/auth/munge/auth_munge.c b/src/plugins/auth/munge/auth_munge.c index fe355070812..ae9f2f5a468 100644 --- a/src/plugins/auth/munge/auth_munge.c +++ b/src/plugins/auth/munge/auth_munge.c 
@@ -688,28 +688,21 @@ _print_cred(munge_ctx_t ctx) cred_info_destroy(mi); } -/* Convert AuthInfo to a socket path. Accepts two input formats: - * 1) <path> (Old format) - * 2) socket=<path>[,] (New format) +/* Convert AuthInfo to a socket path. Accepts "socket=<path>[,]" * NOTE: Caller must xfree return value */ static char *_auth_opts_to_socket(char *opts) { char *socket = NULL, *sep, *tmp; - if (!opts) - return NULL; - - tmp = strstr(opts, "socket="); - if (tmp) { /* New format */ - socket = xstrdup(tmp + 7); - sep = strchr(socket, ','); - if (sep) - sep[0] = '\0'; - } else if (strchr(opts, '=')) { - ; /* New format, but socket not specified */ - } else { - socket = xstrdup(opts); /* Old format */ + if (opts) { + tmp = strstr(opts, "socket="); + if (tmp) { /* New format */ + socket = xstrdup(tmp + 7); + sep = strchr(socket, ','); + if (sep) + sep[0] = '\0'; + } } return socket; diff --git a/src/plugins/crypto/munge/crypto_munge.c b/src/plugins/crypto/munge/crypto_munge.c index 3a0a436ca9b..38aeab1a6ae 100644 --- a/src/plugins/crypto/munge/crypto_munge.c +++ b/src/plugins/crypto/munge/crypto_munge.c @@ -113,9 +113,7 @@ enum local_error_code { static uid_t slurm_user = 0; -/* Convert AuthInfo to a socket path. Accepts two input formats: - * 1) <path> (Old format) - * 2) socket=<path>[,] (New format) +/* Convert AuthInfo to a socket path. Parses input format "socket=<path>[,]". * NOTE: Caller must xfree return value */ static char *_auth_opts_to_socket(void) 
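Review bot: A bare-path value such as `AuthInfo=/var/run/munge/munge.socket.2` used to select that socket and is now ignored without any message, because `_auth_opts_to_socket()` returns NULL for anything lacking `socket=`. A site that upgrades with the old syntax would presumably fall back to the default MUNGE daemon rather than the one the administrator configured. Since this decides which daemon validates credentials, the removal deserves a line in RELEASE_NOTES and a log message where the option is parsed, for instance `if (opts && opts[0] && !strchr(opts, '=')) error("AuthInfo=%s: bare socket path is no longer accepted, use socket=<path>", opts);` (assuming the plugin logs through the same `error()` seen in slurm_cred.c). The same applies to the `crypto/munge` copy of the function in the last hunk of the patch. The `/* New format */` comment kept on the `if (tmp)` line is stale now that only one format exists.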
@@ -123,19 +121,15 @@ static char *_auth_opts_to_socket(void) char *socket = NULL, *sep, *tmp; char *opts = slurm_get_auth_info(); - if (!opts) - return NULL; - - tmp = strstr(opts, "socket="); - if (tmp) { /* New format */ - socket = xstrdup(tmp + 7); - sep = strchr(socket, ','); - if (sep) - sep[0] = '\0'; - } else if (strchr(opts, '=')) { - ; /* New format, but socket not specified */ - } else { - socket = xstrdup(tmp); /* Old format */ + if (opts) { + tmp = strstr(opts, "socket="); + if (tmp) { /* New format */ + socket = xstrdup(tmp + 7); + sep = strchr(socket, ','); + if (sep) + sep[0] = '\0'; + } + xfree(opts); } return socket; -- GitLab