Amit Sharma created YUNIKORN-656:
------------------------------------

             Summary: LDAP resolver for group resolution
                 Key: YUNIKORN-656
                 URL: https://issues.apache.org/jira/browse/YUNIKORN-656
             Project: Apache YuniKorn
          Issue Type: New Feature
          Components: core - common, security
            Reporter: Amit Sharma


LDAP resolution is a popular method to resolve group memberships. It allows 
applications to use existing infrastructure of identity repositories to 
determine the group membership of a particular user. 

At the moment, YuniKorn provides 1 way of resolving groups (OS resolver):

https://github.com/apache/incubator-yunikorn-core/blob/4cef5d9ed3bb56909ffd97853dd1c62cbb5d649c/pkg/common/security/usergroup.go#L69

To include an LDAP resolver, there are 2 methods that can be followed.

1) Modify the OS resolver to allow integration with the LDAP repository using 
some OS level services like sssd or nsd. 

2) Add a new resolver called LDAP resolver that directly connects to the LDAP 
identity repository and retrieves group information in the required format. 


The 1st method is a common method used across environments that have other 
applications running on the same set of machines. It allows the groups to be 
cached on the physical machine so that all the apps running on those machines 
can use them. 


The 2nd method is usually the preferred choice in container environments as all 
components inside a container are exclusively for the app itself and adding 
another layer to retrieve the same set of groups that can be retrieved directly 
from the LDAP repository adds no additional value. In addition to that, apps 
like YuniKorn have their own caching mechanism.

Please suggest the preferred way forward on this. 
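
A sketch of the 2nd method, added here as an illustration and not taken from the issue or from YuniKorn's code: a resolver that builds the group lookup filter with the user name escaped per RFC 4515 (so a crafted name cannot change the query) and caches results with a TTL. `LDAPResolver`, `groupFilter` and the `Search` hook are hypothetical names, and the RFC 2307 `posixGroup`/`memberUid` schema is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// RFC 4515 escaping for a value placed inside a search filter.
var filterEscaper = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

// groupFilter builds the lookup filter; the RFC 2307 posixGroup/memberUid schema is an assumption.
func groupFilter(user string) string {
	return "(&(objectClass=posixGroup)(memberUid=" + filterEscaper.Replace(user) + "))"
}

// LDAPResolver is hypothetical; Search stands in for the real directory query.
type LDAPResolver struct {
	TTL    time.Duration
	Now    func() time.Time
	Search func(filter string) ([]string, error)
	mu     sync.Mutex
	groups map[string][]string
	expiry map[string]time.Time
}

// Groups serves fresh cache entries and otherwise queries the directory.
func (r *LDAPResolver) Groups(user string) ([]string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if exp, ok := r.expiry[user]; ok && r.Now().Before(exp) {
		return r.groups[user], nil
	}
	found, err := r.Search(groupFilter(user))
	if err != nil {
		return nil, err // fail closed: never fall back to stale membership
	}
	if r.groups == nil {
		r.groups, r.expiry = map[string][]string{}, map[string]time.Time{}
	}
	r.groups[user], r.expiry[user] = found, r.Now().Add(r.TTL)
	return found, nil
}

func main() {
	r := &LDAPResolver{TTL: time.Minute, Now: time.Now, Search: func(string) ([]string, error) { return []string{"dev"}, nil }} // constructed directory stub
	fmt.Println(groupFilter("a*)(uid=*"))
	fmt.Println(r.Groups("alice"))
}
```

In a real deployment `Search` would wrap an LDAP client bound over TLS with a read-only service account; the TTL bounds how long a removed group membership stays effective.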


