https://issues.apache.org/jira/browse/YUNIKORN-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331666#comment-17331666

Wilfred Spiegelenburg commented on YUNIKORN-656:
------------------------------------------------

For option 1 you do not need to change anything, that already works. The OS 
integrates the correct resolver and the group resolutions that are built into 
the OS will already pull the values as they should.

Option 2 is a separate and new integration which will require an LDAP client on 
the YuniKorn side. If you want to do that then that is a possibility. The 
resolver inside YuniKorn is pluggable. It is a far larger feature than 
leveraging the OS integration.

There are a lot of details that we should look at and think of before we go 
this way. The LDAP connection and search needs a lot of information. We 
currently do not have a proper way to get all that config into the core. This 
is a big missing piece of functionality. Connections to LDAP need to be 
authenticated. That requires user credentials which need to be communicated 
securely. That has an impact on how we can or should communicate the config. 
Insecure (non-TLS) connections would also cause lots of problems in deployment 
situations.

LDAP surely is an option but one that needs far more design and thought.

> LDAP resolver for group resolution
> ----------------------------------
>
>                 Key: YUNIKORN-656
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-656
>             Project: Apache YuniKorn
>          Issue Type: New Feature
>          Components: core - common, security
>            Reporter: Amit Sharma
>            Priority: Major
>
> LDAP resolution is a popular method to resolve group memberships. It allows 
> applications to use existing infrastructure of identity repositories to 
> determine the group membership of a particular user. 
> At the moment, Yunikorn provides 1 way of resolving groups (OS resolver)
> [https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69]
> To include LDAP resolver, there are 2 methods that can be followed. 
> 1) Modify the OS resolver to allow integration with the LDAP repository using 
> some OS level services like sssd or nsd. 
> 2) Add a new resolver called LDAP resolver that directly connects to the LDAP 
> identity repository and retrieves group information in the required format. 
> The 1st method is a common method used across environments that have other 
> applications running on the same set of machines. It allows the groups to be 
> cached on the physical machine so that all the apps running on those machines 
> can use them. 
> The 2nd method is usually the preferred choice in container environments as 
> all components inside a container are exclusively for the app itself and 
> adding another layer to retrieve the same set of groups that can be retrieved 
> directly from the LDAP repository adds no additional value. In addition to 
> that, apps like Yunikorn have their own caching mechanism. 
> Please suggest the preferred way forward on this. 
> Please note that Microsoft Active Directory (AD) is a popular identity 
> repository that is widely used and this resolver will cover that. However, it 
> won't be limited to just AD. Any repository that accepts 
> [OpenLDAP|https://www.openldap.org] protocol will function with this 
> resolver. 
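
The two options discussed above, sketched as an added example in Go that is not part of the comment, the issue, or YuniKorn's code base. `OSResolver` shows option 1 through the standard `os/user` package (NSS-backed, so an sssd-style setup feeds it transparently); `LDAPConfig` is a hypothetical option 2 configuration whose `Validate` enforces the two deployment requirements the comment raises: TLS on the connection and an authenticated bind whose credential comes from a mounted secret rather than the config itself. The type and field names are assumptions.

```go
package main

import (
	"errors"
	"os/user"
	"strings"
)

// OSResolver is option 1: ask the OS (NSS, e.g. backed by sssd) for group membership.
type OSResolver struct{}

func (OSResolver) Groups(userName string) ([]string, error) {
	u, err := user.Lookup(userName)
	if err != nil {
		return nil, err
	}
	ids, err := u.GroupIds()
	if err != nil {
		return nil, err
	}
	var groups []string
	for _, id := range ids {
		g, err := user.LookupGroupId(id)
		if err != nil {
			return nil, err
		}
		groups = append(groups, g.Name)
	}
	return groups, nil
}

// LDAPConfig is a hypothetical option-2 configuration, not YuniKorn's real config.
type LDAPConfig struct {
	URL              string // must be ldaps://host:636; plain ldap:// is rejected
	BindDN           string // service account used for the authenticated bind
	BindPasswordFile string // mounted secret; the password is never placed inline
}

// Validate rejects what the comment warns about: unencrypted (non-TLS)
// connections, anonymous binds and credentials embedded in the config itself.
func (c LDAPConfig) Validate() error {
	if !strings.HasPrefix(c.URL, "ldaps://") {
		return errors.New("ldap: TLS required, URL must start with ldaps://")
	}
	if c.BindDN == "" || c.BindPasswordFile == "" {
		return errors.New("ldap: authenticated bind required (BindDN and BindPasswordFile)")
	}
	return nil
}
```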



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
