[ 
https://issues.apache.org/jira/browse/YUNIKORN-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Peter Bacsko updated YUNIKORN-1306:
-----------------------------------
    Description: 
Yunikorn needs a more secure and robust user/group handling.

Currently, the way YK handles users is by using a label on the pod. However, this 
label can contain anything and no verification is performed by Yunikorn to make 
sure that the users are what the label says they are. If the label is missing, 
the submitter is considered to be a "default" user.

The group support is also lacking. There is a lookup feature in the core, but 
that is very limited. It's an OS-based lookup similar to how Hadoop works, but 
YK runs inside a container. Determining which group a user belongs to is too 
late in the core.

Yunikorn needs to be able to look up/detect the real user and group of the 
workload (be it a pod or a deployment, job, etc.) plus provide backward 
compatibility because there are already solutions built on the existing label.

  was:
Yunikorn needs a more secure and robust user/group handling.

Currently, the way YK handles users is by using a label on the pod. However, this 
label can contain anything and no verification is performed by Yunikorn to make 
sure that the users are what the label says they are. 

The group support is also lacking. There is a lookup feature in the core, but 
that is very limited. It's an OS-based lookup similar to how Hadoop works, but 
YK runs inside a container. Determining which group a user belongs to is too 
late in the core.

Yunikorn needs to be able to look up/detect the real user and group of the 
workload (be it a pod or a deployment, job, etc.) plus provide backward 
compatibility because there are already solutions built on the existing label.


> [Umbrella] Enhanced user and group handling
> -------------------------------------------
>
>                 Key: YUNIKORN-1306
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1306
>             Project: Apache YuniKorn
>          Issue Type: New Feature
>          Components: shim - kubernetes
>            Reporter: Peter Bacsko
>            Priority: Major
>
> Yunikorn needs a more secure and robust user/group handling.
> Currently, the way YK handles users is by using a label on the pod. However, this 
> label can contain anything and no verification is performed by Yunikorn to 
> make sure that the users are what the label says they are. If the label is 
> missing, the submitter is considered to be a "default" user.
> The group support is also lacking. There is a lookup feature in the core, but 
> that is very limited. It's an OS-based lookup similar to how Hadoop works, 
> but YK runs inside a container. Determining which group a user belongs to is 
> too late in the core.
> Yunikorn needs to be able to look up/detect the real user and group of the 
> workload (be it a pod or a deployment, job, etc.) plus provide backward 
> compatibility because there are already solutions built on the existing label.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)