Yunikorn needs a more secure and robust user/group handling.
Currently, the YK handles users is by using a label on the pod. However, this label can contain anything and no verification is performed by Yunikorn to make sure that the users are what the label say they are. If the label is missing, the submitter is considered to be a "default" user.
The group support is also lacking. There is a lookup feature in the core, but that is very limited. It's an OS-based lookup similar to how Hadoop works, but YK runs inside a container. Determining which group a user belongs to is too late in the core.
Yunikorn needs to be able to lookup/detect the real user and group of the workload (be it a pod or a deployment, job, etc) plus provide backward compatibility because there are already solutions built on the existing label.