[jira] [Comment Edited] (YUNIKORN-649) [Umbrella] Improvements for user identity retrieval and ACLs

Tue, 11 May 2021 16:02:07 -0700 


    [ 
https://issues.apache.org/jira/browse/YUNIKORN-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342910#comment-17342910
 ] 

Amit Sharma edited comment on YUNIKORN-649 at 5/11/21, 11:01 PM:
-----------------------------------------------------------------

Thanks [~wwei] for approval. Considering this closed. 


was (Author: avsamit6600):
Thanks [~wwei] for approval this. Considering this closed. 

> [Umbrella] Improvements for user identity retrieval and ACLs
> ------------------------------------------------------------
>
>                 Key: YUNIKORN-649
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-649
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>          Components: shim - kubernetes
>            Reporter: Amit Sharma
>            Assignee: Amit Sharma
>            Priority: Critical
>             Fix For: 0.11
>
>
> The Kubernetes metadata does not carry user information by design. This can 
> be referred here. 
>  [https://kubernetes.io/docs/reference/access-authn-authz/authentication/]
> Here is how Yunikorn determines the user from k8s metadata (Service Account)
> [https://github.com/apache/incubator-yunikorn-k8shim/blob/7648f29e50692fbb760480c586f8e3a1110eb15b/pkg/appmgmt/general/general.go#L126]
> The only thing close to any identity is a ServiceAccount. However, this is 
> not the ideal way of looking at identities as there is no authentication 
> mechanism for the service account directly. It relies on the authentication 
> mechanism deployed on the cluster. The cluster authentication mechanism 
> varies from deployment to deployment. 
> There are 2 possible ways of doing this. 
>  1) One generic solution can be to modify the source of the user from 
> ServiceAccount to a Label/Annotation. 
>  2) Extending point 1, instead of changing from service account to 
> label/annotation, it can be a configurable field which defaults to 
> Label/Annotation. 
> While point 2 provides more user flexibility, it also reduces the structure 
> or clear path that Yunikorn can follow in determining a user.
> Since Yunikorn is expected to be primarily deployed by owners of a Kubernetes 
> platform rather than individual applications, we can share a structure using 
> point 1 as a solution. 
> Please share your thoughts. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: issues-h...@yunikorn.apache.org

Reply via email to