[ 
https://issues.apache.org/jira/browse/YUNIKORN-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815517#comment-17815517
 ] 

Wilfred Spiegelenburg edited comment on YUNIKORN-2281 at 3/13/24 12:23 AM:
---------------------------------------------------------------------------

As a current workaround, could you use the config for the OIDC tokens? The 
default prefix for a {{--oidc-username-claim}} is a full URL if anything other 
than the email is used. The OpenID authenticator in K8s is configurable and 
could use a simple text string and not the full URL. This can be configured via 
the {{--oidc-username-prefix}}.

See [https://kubernetes.io/docs/reference/access-authn-authz/authentication/]

Supporting a full URL as the username could have all kinds of side effects when 
we start rendering them in the web UI or when the service moves around.
Updating Jira as something to look at for the next release.

edit: fix up the rendering of the options.


was (Author: wifreds):
As a current workaround, could you use the config for the OIDC tokens? The 
default prefix for a {{--oidc-username-claim}} is a full URL if anything other 
than the email is used. The OpenID authenticator in K8s is configurable and 
could use a simple text string and not the full URL. This can be configured via 
the {{--oidc-username-prefix}}.

See https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Supporting a full URL as the username could have all kinds of side effects when 
we start rendering them in the web UI.
Updating jira as something to look at for the next release.

> Can't use OIDC username in config
> ---------------------------------
>
>                 Key: YUNIKORN-2281
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-2281
>             Project: Apache YuniKorn
>          Issue Type: New Feature
>            Reporter: Dmitry
>            Priority: Major
>
> Currently only alphanumeric chars are allowed in usernames. We're using 
> CiLogon OIDC users, in the form of "http://cilogon.org/serverA/users/123456", 
> which is denied in configuration by the admission controller:
> > error: configmaps "yunikorn-configs" could not be patched: admission 
> > webhook "admission-webhook.yunikorn.validate-conf" denied the request: 
> > invalid limit user name 'http://cilogon.org/serverA/users/123456' in limit 
> > definition
>  
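
The prefix rule from the linked Kubernetes authentication docs, modelled as an added example (not code from YuniKorn, Kubernetes or this thread). The issuer, the claims and the `ALNUM_ONLY` pattern are assumptions made for illustration; the pattern only stands in for the "alphanumeric chars" rule quoted in the issue.

```python
import re

# Assumption: stand-in for the "only alphanumeric chars" rule quoted in the
# issue; this is not YuniKorn's actual validation pattern.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")

def k8s_oidc_username(claims, issuer_url, username_claim="sub", username_prefix=None):
    """Username kube-apiserver derives from ID token claims (per the linked docs)."""
    value = claims[username_claim]
    if username_prefix is None:
        # Flag unset: every claim except "email" gets "<issuer URL>#" prepended.
        prefix = "" if username_claim == "email" else issuer_url + "#"
    elif username_prefix == "-":
        prefix = ""  # "-" disables prefixing entirely
    else:
        prefix = username_prefix
    return prefix + value

def passes_alnum(username):
    return ALNUM_ONLY.fullmatch(username) is not None

# Constructed sample data: issuer and claims are made up for this example.
ISSUER = "https://idp.example.com"
CLAIMS = {"sub": "123456", "email": "jdoe@example.com"}
# Assumption: a provider whose claim value is itself URL-shaped, as in the issue.
URL_CLAIMS = {"sub": "http://cilogon.org/serverA/users/123456"}

def survey():
    """Return (label, username, passes_alnum) for each flag combination."""
    cases = [
        ("prefix flag unset", CLAIMS, {}),
        ("prefix 'oidc'", CLAIMS, {"username_prefix": "oidc"}),
        ("prefix '-'", CLAIMS, {"username_prefix": "-"}),
        ("email claim, prefix unset", CLAIMS, {"username_claim": "email"}),
        ("URL-shaped claim, prefix '-'", URL_CLAIMS, {"username_prefix": "-"}),
    ]
    rows = []
    for label, claims, opts in cases:
        name = k8s_oidc_username(claims, ISSUER, **opts)
        rows.append((label, name, passes_alnum(name)))
    return rows

if __name__ == "__main__":
    for label, name, ok in survey():
        print(f"{label:30} {name:45} alnum-only={ok}")
```

The prefix flag only controls what is prepended; the claim value itself is passed through unchanged.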


