[jira] [Commented] (YUNIKORN-658) default user should not be nobody

Mon, 26 Apr 2021 22:29:07 -0700 


    [ 
https://issues.apache.org/jira/browse/YUNIKORN-658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17332936#comment-17332936
 ] 

Weiwei Yang commented on YUNIKORN-658:
--------------------------------------

hi [~wilfreds]

There is document JIRAs under this umbrella to make the related document 
changes. I think Amit is already looking at them.
However, I disagree to not set a value in the default case. The reason is based 
on usability:
With the current approach, we can document that if the user is not defined 
(when ACL is enabled, but not every pod has the label defined), YK defaults to 
nobody as the app user. Users may even see the app got denied with the error 
"user nobody has no access to the queue". It will be a little odd if we say the 
default user is "".  

> default user should not be nobody
> ---------------------------------
>
>                 Key: YUNIKORN-658
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-658
>             Project: Apache YuniKorn
>          Issue Type: Sub-task
>            Reporter: Wilfred Spiegelenburg
>            Priority: Blocker
>
> In YUNIKORN-650 the possibility to read a label from a pod was introduced to 
> specify a user for the pod. Allowing a label to specify the user is in itself 
> not an issue. The side effects of doing this could be an issue:
>  # default behaviour has been changed without documenting it has, this change 
> breaks existing deployments which rely on the old behaviour
>  # the current behaviour is to default to the ServiceAccountName for the pod. 
> This value is always set. The new default is the user nobody as the label is 
> not set.
>  # ACLs cannot be relied on anymore in any current deployment due to the 
> default change.
>  # ACLs can always be bypassed as there is nothing that limits what can be 
> set in the labels, this should be at least announced and documented clearly.
> We should default to the old behaviour and only override with the label if 
> the \{{userLabelKey}} parameter is explicitly set on startup. The default 
> config should *not* set the value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to