[https://issues.apache.org/jira/browse/YUNIKORN-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342944#comment-17342944]
Wilfred Spiegelenburg commented on YUNIKORN-656:
------------------------------------------------
The LDAP for Go client uses an acceptable license so we can use that in our
project. That is a good step forward.
This Jira should be the start of getting a scheduler config defined and removing
the need for all the command line switches. Lots of projects I have seen use
"github.com/spf13/viper" and "github.com/spf13/cobra" to do the heavy lifting
for them. The use of cobra might be limited for us but viper gives us all we
need from a config perspective.
For now I think we can settle on a simple file that can be mounted as a config
map. That can be easily changed to be monitored by viper later on and rolled
into a generic config for the scheduler.
For secrets we should leverage the standard K8s way of distributing secrets and
weave that into the deployment:
[https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/]
Like you said we do not need that in the first iteration. We can figure that
out after adding the basic LDAP setup.
> LDAP resolver for group resolution
> ----------------------------------
>
> Key: YUNIKORN-656
> URL: https://issues.apache.org/jira/browse/YUNIKORN-656
> Project: Apache YuniKorn
> Issue Type: New Feature
> Components: core - common, security
> Reporter: Amit Sharma
> Priority: Major
>
> LDAP resolution is a popular method to resolve group memberships. It allows
> applications to use existing infrastructure of identity repositories to
> determine the group membership of a particular user.
> At the moment, Yunikorn provides 1 way of resolving groups (OS resolver)
> [https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69]
> To include LDAP resolver, there are 2 methods that can be followed.
> 1) Modify the OS resolver to allow integration with the LDAP repository using
> some OS level services like sssd or nsd.
> 2) Add a new resolver called LDAP resolver that directly connects to the LDAP
> identity repository and retrieves group information in the required format.
> The 1st method is a common method used across environments that have other
> applications running on the same set of machines. It allows the groups to be
> cached on the physical machine so that all the apps running on those machines
> can use them.
> The 2nd method is usually the preferred choice in container environments as
> all components inside a container are exclusively for the app itself and
> adding another layer to retrieve the same set of groups that can be retrieved
> directly from the LDAP repository adds no additional value. In addition to
> that, apps like Yunikorn have their own caching mechanism.
> Please suggest the preferred way forward on this.
> Please note that Microsoft Active Directory (AD) is a popular identity
> repository that is widely used and this resolver will cover that. However, it
> won't be limited to just AD. Any repository that accepts
> [OpenLDAP|https://www.openldap.org] protocol will function with this
> resolver.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
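A worked version of the issue's second option, added here as an example that is neither YuniKorn's code nor code from the comment's author: the resolver talks to the directory itself, escapes the user name before it goes into the search filter (RFC 4515), refuses anything but exactly one matching user entry, and resolves groups with a member=<userDN> search, which works for both Active Directory and OpenLDAP groupOfNames without relying on AD's memberOf attribute. It also keeps the configurable part (a struct meant to come from a ConfigMap-mounted file, as the comment suggests) separate from the bind password, which only appears as the path of a Secret-mounted file. Everything named below is an assumption for illustration: the UserGroup field names, LDAPConfig and its fields, the /etc/yunikorn/secrets/bind-password path, the constructed dc=example,dc=org directory data, and the in-memory memSearch fake that stands in for a real LDAP client so the code runs offline.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

type UserGroup struct { // resolver result; field names are assumed, not copied from YuniKorn
	User   string
	Groups []string
}

type Entry map[string][]string // one directory object: attribute -> values, DN under "dn"

// LDAPConfig is the LDAP section of a ConfigMap-mounted file; the bind password stays in a Secret.
type LDAPConfig struct {
	BaseDN           string
	UserFilter       string // one %s, replaced by the escaped user name
	GroupFilter      string // one %s, replaced by the escaped user DN
	BindPasswordFile string // assumed Secret mount path, e.g. /etc/yunikorn/secrets/bind-password
}

// LDAPResolver is the issue's second option: it asks the directory directly, no sssd/nscd in between.
type LDAPResolver struct {
	Cfg    LDAPConfig
	Search func(baseDN, filter string, attrs []string) ([]Entry, error) // a real LDAP client in production
}

// EscapeFilter escapes a value for use inside an LDAP filter (RFC 4515) so a
// user name such as `*)(uid=*` cannot change the shape of the query.
func EscapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Lookup finds the single entry for user, then returns the cn of every group whose
// member attribute lists the user's DN (works on AD and OpenLDAP groupOfNames alike).
func (r *LDAPResolver) Lookup(user string) (*UserGroup, error) {
	filter := strings.Replace(r.Cfg.UserFilter, "%s", EscapeFilter(user), 1)
	users, err := r.Search(r.Cfg.BaseDN, filter, []string{"dn"})
	if err != nil {
		return nil, err
	}
	if len(users) != 1 { // unknown or ambiguous user: refuse rather than guess
		return nil, fmt.Errorf("user %q: expected one entry, found %d", user, len(users))
	}
	filter = strings.Replace(r.Cfg.GroupFilter, "%s", EscapeFilter(users[0]["dn"][0]), 1)
	groups, err := r.Search(r.Cfg.BaseDN, filter, []string{"cn"})
	if err != nil {
		return nil, err
	}
	ug := &UserGroup{User: user}
	for _, g := range groups {
		ug.Groups = append(ug.Groups, g["cn"]...)
	}
	return ug, nil
}

// memSearch is a constructed in-memory directory; it understands only AND-ed exact-equality
// terms like "(&(objectClass=person)(uid=alice))", enough to show an escaped name never matches.
func memSearch(dir []Entry) func(string, string, []string) ([]Entry, error) {
	return func(_, filter string, _ []string) (out []Entry, _ error) {
		for _, e := range dir {
			ok := true
			for _, t := range strings.FieldsFunc(filter, func(c rune) bool { return c == '(' || c == ')' }) {
				kv := strings.SplitN(t, "=", 2)
				ok = ok && (t == "&" || len(kv) == 2 && slices.Contains(e[kv[0]], kv[1]))
			}
			if ok {
				out = append(out, e)
			}
		}
		return out, nil
	}
}

func NewSampleResolver() *LDAPResolver { // constructed data: alice is in devs and oncall, nobody else exists
	p, g := "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
	dir := []Entry{
		{"dn": {"uid=alice," + p}, "objectClass": {"person"}, "uid": {"alice"}},
		{"dn": {"cn=devs," + g}, "objectClass": {"groupOfNames"}, "cn": {"devs"}, "member": {"uid=alice," + p}},
		{"dn": {"cn=oncall," + g}, "objectClass": {"groupOfNames"}, "cn": {"oncall"}, "member": {"uid=alice," + p}},
	}
	return &LDAPResolver{Search: memSearch(dir), Cfg: LDAPConfig{BaseDN: "dc=example,dc=org",
		UserFilter: "(&(objectClass=person)(uid=%s))", GroupFilter: "(&(objectClass=groupOfNames)(member=%s))"}}
}

func main() {
	ug, err := NewSampleResolver().Lookup("alice")
	fmt.Println(ug, err)
}
```

Running it prints alice's two groups; the production wiring left out here is swapping Search for a real client's search call and reading the bind password from BindPasswordFile at start-up. The escaping is the part worth keeping even if the rest changes: without it, a "user name" like alice)(uid=* becomes the perfectly valid filter (&(objectClass=person)(uid=alice)(uid=*)) on a real server and resolves to alice's entry and groups, whereas the escaped form uid=alice\29\28uid=\2a is compared literally and matches nothing. The exactly-one-entry check is the second guard: a filter that matches several people is treated as an error, never as "first hit wins".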