[ https://issues.apache.org/jira/browse/YUNIKORN-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17343464#comment-17343464 ]

Amit Sharma commented on YUNIKORN-656:
--------------------------------------

Thanks [~wilfreds]. Based on the comments, I will convert this into an Umbrella
JIRA.

Following will be the sub-tasks (not necessarily in the same order):
1) LDAP Client
Glad that the LDAP for Go client suggestion is acceptable. Will go ahead.
2) Viper framework introduction
For the config, I will start using Viper and restrict it to the resolver & LDAP
config for now. If the framework fits in, we can extend that later.
3) Provide config file via configmap using Helm

> LDAP resolver for group resolution
> ----------------------------------
>
>                 Key: YUNIKORN-656
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-656
>             Project: Apache YuniKorn
>          Issue Type: New Feature
>          Components: core - common, security
>            Reporter: Amit Sharma
>            Priority: Major
>
> LDAP resolution is a popular method to resolve group memberships. It allows 
> applications to use existing infrastructure of identity repositories to 
> determine the group membership of a particular user. 
> At the moment, Yunikorn provides 1 way of resolving groups (OS resolver)
> [https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69]
> To include LDAP resolver, there are 2 methods that can be followed. 
> 1) Modify the OS resolver to allow integration with the LDAP repository using 
> some OS level services like sssd or nsd. 
> 2) Add a new resolver called LDAP resolver that directly connects to the LDAP 
> identity repository and retrieves group information in the required format. 
> The 1st method is a common method used across environments that have other 
> applications running on the same set of machines. It allows the groups to be 
> cached on the physical machine so that all the apps running on those machines 
> can use them. 
> The 2nd method is usually the preferred choice in container environments as 
> all components inside a container are exclusively for the app itself and 
> adding another layer to retrieve the same set of groups that can be retrieved 
> directly from the LDAP repository adds no additional value. In addition to 
> that, apps like Yunikorn have their own caching mechanism. 
> Please suggest the preferred way forward on this. 
> Please note that Microsoft Active Directory (AD) is a popular identity
> repository that is widely used and this resolver will cover that. However, it
> won't be limited to just AD. Any repository that accepts the
> [OpenLDAP|https://www.openldap.org] protocol will function with this
> resolver.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
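One shape the second method (a resolver that queries the directory itself, as described in the issue above) could take, as an added Go example that is not YuniKorn's code: `LDAPConfig`, `Searcher`, `fakeDir` and the function names are assumptions, the directory search is abstracted behind an interface so the block runs offline against a constructed in-memory directory, and the username is escaped per RFC 4515 before it is placed in the search filter so a caller-supplied name cannot reshape the query.

```go
package main

import (
	"fmt"
	"strings"
)

// LDAPConfig: settings a direct LDAP resolver needs (hypothetical, not YuniKorn's real config).
type LDAPConfig struct{ BaseDN, UserAttr, GroupAttr string }

// Searcher abstracts the directory search; production code would wrap a go-ldap connection.
type Searcher interface {
	Search(baseDN, filter string, attrs []string) ([]map[string][]string, error)
}

// escapeFilter escapes the characters RFC 4515 reserves in filter values, so a
// caller-supplied username cannot change the shape of the query (no "*" wildcards, no injected clauses).
var escapeFilter = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`).Replace

// ResolveGroups finds the user's entry and returns the CN of each group DN in its
// membership attribute ("cn=admins,ou=groups,dc=example,dc=com" -> "admins").
func ResolveGroups(cfg LDAPConfig, s Searcher, user string) ([]string, error) {
	filter := fmt.Sprintf("(%s=%s)", cfg.UserAttr, escapeFilter(user))
	entries, err := s.Search(cfg.BaseDN, filter, []string{cfg.GroupAttr})
	if err != nil {
		return nil, err
	} else if len(entries) != 1 { // refuse missing or ambiguous users rather than guessing
		return nil, fmt.Errorf("expected one entry for %q, got %d", user, len(entries))
	}
	groups := []string{}
	for _, dn := range entries[0][cfg.GroupAttr] {
		if kv := strings.SplitN(strings.SplitN(dn, ",", 2)[0], "=", 2); len(kv) == 2 {
			groups = append(groups, kv[1])
		}
	}
	return groups, nil
}

// fakeDir is a constructed in-memory directory keyed by the exact filter string (test double, not real LDAP).
type fakeDir map[string][]map[string][]string

func (d fakeDir) Search(_, f string, _ []string) ([]map[string][]string, error) { return d[f], nil }

func main() {
	dir := fakeDir{"(uid=alice)": {{"memberOf": {"cn=admins,ou=groups,dc=example,dc=com"}}}}
	fmt.Println(ResolveGroups(LDAPConfig{"dc=example,dc=com", "uid", "memberOf"}, dir, "alice"))
}
```

A real `Searcher` would also need to apply the directory's caching and timeout policy; the issue notes that YuniKorn already has its own cache layer for resolved groups.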
