[
https://issues.apache.org/jira/browse/YUNIKORN-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331734#comment-17331734
]
Amit Sharma commented on YUNIKORN-656:
--------------------------------------
[~wilfreds] Thanks for the response.
Keeping the conversation to Option 2 here:
You are absolutely right on the following fronts.
1) LDAP requires a lot of information (about 8-10 values) such as LDAP_HOST,
LDAP_PORT, etc. There is no good way of passing that to the core.
2) LDAP does require us to hold credentials and it should be used or
communicated securely in an ideal scenario.
I do have a crude version of LDAP resolver patched to Yunikorn internally. We
required it to be able to use Yunikorn effectively from an ACL standpoint. I
call it crude because it does cut some corners that have been highlighted in
this discussion. What simplified my task was that the resolver is pluggable so
as long as I am providing a list of groups in the required format, it does its
job.
Here is what we can do
1) Identify a method/way/setup to pass configs to the core (Helm chart -->
Deployment --> Env --> Core), or maybe a JSON/YAML formatted properties file
that can be mounted on the pod (using a ConfigMap) for the core to pick up, along
with a YUNIKORN_RESOLVER="LDAP" switch passed as an environment variable.
2) Provide an initial option to connect --insecure by default. It will bring
the functionality into the system, and then we can later add a --secure option.
This is from a credential-management standpoint. Connecting to LDAP using
LDAPS (secure) is primarily dependent on the environment one is using. In
general, applications leave the option to the user of the app to select
between a secure or an unprotected connection.
For the LDAP Client, we can use this one: [LDAP for
Go|https://github.com/go-ldap/ldap]
> LDAP resolver for group resolution
> ----------------------------------
>
> Key: YUNIKORN-656
> URL: https://issues.apache.org/jira/browse/YUNIKORN-656
> Project: Apache YuniKorn
> Issue Type: New Feature
> Components: core - common, security
> Reporter: Amit Sharma
> Priority: Major
>
> LDAP resolution is a popular method to resolve group memberships. It allows
> applications to use existing infrastructure of identity repositories to
> determine the group membership of a particular user.
> At the moment, Yunikorn provides 1 way of resolving groups (OS resolver)
> [https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69]
> To include LDAP resolver, there are 2 methods that can be followed.
> 1) Modify the OS resolver to allow integration with the LDAP repository using
> some OS level services like sssd or nsd.
> 2) Add a new resolver called LDAP resolver that directly connects to the LDAP
> identity repository and retrieves group information in the required format.
> The 1st method is a common method used across environments that have other
> applications running on the same set of machines. It allows the groups to be
> cached on the physical machine so that all the apps running on those machines
> can use them.
> The 2nd method is usually the preferred choice in container environments as
> all components inside a container are exclusively for the app itself and
> adding another layer to retrieve the same set of groups that can be retrieved
> directly from the LDAP repository adds no additional value. In addition to
> that, apps like Yunikorn have their own caching mechanism.
> Please suggest the preferred way forward on this.
> Please note that Microsoft Active Directory(AD) is a popular identity
> repository that is widely used and this resolver will cover that. However, it
> won't be limited to just AD. Any repository that accepts
> [OpenLDAP|https://www.openldap.org] protocol will function with this
> resolver.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
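The two pieces the thread proposes, passing the resolver configuration to the core through environment variables and a direct resolver that returns the group list in the required format, sketched as an added Go example. This is not YuniKorn code and not the go-ldap client: the variable names (LDAP_URL, LDAP_BASE_DN, LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_USER_FILTER, LDAP_GROUP_ATTR, LDAP_ALLOW_INSECURE), the LDAPConfig, LoadLDAPConfig, EscapeFilter, ResolveGroups and GroupNamesFromDNs names, and the shape of the injected search function are assumptions made for this example. In production the search function would wrap go-ldap's Search on a connection dialed with the configured URL; here an in-memory function stands in so the code runs offline. Two checks a practitioner would want are made concrete: the loader refuses a bind password over plain ldap:// unless the operator sets LDAP_ALLOW_INSECURE=true, and the user name is escaped per RFC 4515 before it is substituted into the search filter.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// LDAPConfig holds the values a direct LDAP resolver needs. The field and
// environment-variable names are assumptions made for this example.
type LDAPConfig struct {
	URL, BindDN, BindPassword, BaseDN string
	UserFilter                        string // e.g. "(uid=%s)"; %s is replaced by the escaped user name
	GroupAttr                         string // attribute listing group DNs, e.g. memberOf
	Secure                            bool   // true for ldaps://
}

// LoadLDAPConfig reads the YUNIKORN_RESOLVER=LDAP switch and the LDAP_* values.
// getenv is injected so the loader can be tested offline; pass os.Getenv in production.
func LoadLDAPConfig(getenv func(string) string) (LDAPConfig, error) {
	if getenv("YUNIKORN_RESOLVER") != "LDAP" {
		return LDAPConfig{}, errors.New("YUNIKORN_RESOLVER is not LDAP")
	}
	cfg := LDAPConfig{
		URL: getenv("LDAP_URL"), BaseDN: getenv("LDAP_BASE_DN"),
		BindDN: getenv("LDAP_BIND_DN"), BindPassword: getenv("LDAP_BIND_PASSWORD"),
		UserFilter: getenv("LDAP_USER_FILTER"), GroupAttr: getenv("LDAP_GROUP_ATTR"),
	}
	if cfg.BaseDN == "" || cfg.UserFilter == "" || cfg.GroupAttr == "" {
		return LDAPConfig{}, errors.New("LDAP_BASE_DN, LDAP_USER_FILTER and LDAP_GROUP_ATTR are required")
	}
	cfg.Secure = strings.HasPrefix(cfg.URL, "ldaps://")
	if !cfg.Secure && !strings.HasPrefix(cfg.URL, "ldap://") {
		return LDAPConfig{}, fmt.Errorf("LDAP_URL %q must start with ldap:// or ldaps://", cfg.URL)
	}
	// A simple bind over plain ldap:// sends the password in clear text, so it
	// is refused unless the operator opts in explicitly.
	allowInsecure, _ := strconv.ParseBool(getenv("LDAP_ALLOW_INSECURE"))
	if !cfg.Secure && cfg.BindPassword != "" && !allowInsecure {
		return LDAPConfig{}, errors.New("bind password over ldap://; use ldaps:// or set LDAP_ALLOW_INSECURE=true")
	}
	return cfg, nil
}

// EscapeFilter escapes a value before it is substituted into a search filter
// (RFC 4515), so a user named `x)(uid=*` cannot widen the query.
func EscapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; strings.IndexByte("\\*()\x00", c) >= 0 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ResolveGroups is the pluggable resolver entry point. search is the one directory
// operation it needs (in production a thin wrapper around go-ldap's Search).
func ResolveGroups(cfg LDAPConfig, search func(baseDN, filter, attr string) ([]string, error), user string) ([]string, error) {
	filter := strings.Replace(cfg.UserFilter, "%s", EscapeFilter(user), 1)
	dns, err := search(cfg.BaseDN, filter, cfg.GroupAttr)
	if err != nil {
		return nil, err
	}
	return GroupNamesFromDNs(dns), nil
}

// GroupNamesFromDNs turns "CN=admins,OU=groups,DC=example,DC=com" into "admins"
// (first RDN must be a CN; an escaped "\," in the name is kept), de-duplicated and sorted.
func GroupNamesFromDNs(dns []string) []string {
	seen := map[string]bool{}
	for _, dn := range dns {
		end := len(dn)
		for i := 0; i < len(dn); i++ { // find the first comma that is not escaped
			if dn[i] == '\\' {
				i++
			} else if dn[i] == ',' {
				end = i
				break
			}
		}
		kv := strings.SplitN(dn[:end], "=", 2)
		if len(kv) != 2 || !strings.EqualFold(strings.TrimSpace(kv[0]), "cn") {
			continue
		}
		if name := strings.ReplaceAll(strings.TrimSpace(kv[1]), `\,`, ","); name != "" {
			seen[name] = true
		}
	}
	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}
```

Deriving Secure from the URL scheme keeps the "secure or not" choice in one place, and an operator who does want the --insecure path the comment describes still gets it, but only by setting LDAP_ALLOW_INSECURE=true alongside the bind password, so the clear-text credential is never an accident of a missing flag.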