[
https://issues.apache.org/jira/browse/YUNIKORN-656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Craig Condit updated YUNIKORN-656:
----------------------------------
Target Version: 1.8.0
> LDAP resolver for group resolution
> ----------------------------------
>
> Key: YUNIKORN-656
> URL: https://issues.apache.org/jira/browse/YUNIKORN-656
> Project: Apache YuniKorn
> Issue Type: New Feature
> Components: core - common, security
> Reporter: Amit Sharma
> Assignee: Mit Desai
> Priority: Major
>
> LDAP resolution is a popular method to resolve group memberships. It allows
> applications to use existing infrastructure of identity repositories to
> determine the group membership of a particular user.
> At the moment, YuniKorn provides 1 way of resolving groups (OS resolver)
> [https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69]
> To include LDAP resolver, there are 2 methods that can be followed.
> 1) Modify the OS resolver to allow integration with the LDAP repository using
> some OS level services like sssd or nsd.
> 2) Add a new resolver called LDAP resolver that directly connects to the LDAP
> identity repository and retrieves group information in the required format.
> The 1st method is a common method used across environments that have other
> applications running on the same set of machines. It allows the groups to be
> cached on the physical machine so that all the apps running on those machines
> can use them.
> The 2nd method is usually the preferred choice in container environments as
> all components inside a container are exclusively for the app itself and
> adding another layer to retrieve the same set of groups that can be retrieved
> directly from the LDAP repository adds no additional value. In addition to
> that, apps like YuniKorn have their own caching mechanism.
> Please suggest the preferred way forward on this.
> Please note that Microsoft Active Directory (AD) is a popular identity
> repository that is widely used and this resolver will cover that. However, it
> won't be limited to just AD. Any repository that accepts the
> [OpenLDAP|https://www.openldap.org] protocol will function with this
> resolver.