Uploaded image for project: 'Apache YuniKorn'
  1. Apache YuniKorn
  2. YUNIKORN-1306

[Umbrella] Enhanced user and group handling

    XMLWordPrintableJSON

Details

    Description

      Yunikorn needs a more secure and robust user/group handling.

      Currently, the YK handles users is by using a label on the pod. However, this label can contain anything and no verification is performed by Yunikorn to make sure that the users are what the label say they are. If the label is missing, the submitter is considered to be a "default" user.

      The group support is also lacking. There is a lookup feature in the core, but that is very limited. It's an OS-based lookup similar to how Hadoop works, but YK runs inside a container. Determining which group a user belongs to is too late in the core.

      Yunikorn needs to be able to lookup/detect the real user and group of the workload (be it a pod or a deployment, job, etc) plus provide backward compatibility because there are already solutions built on the existing label.

      Attachments

        Issue Links

          Activity

            People

              pbacsko Peter Bacsko
              pbacsko Peter Bacsko
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: