[ https://issues.apache.org/jira/browse/YUNIKORN-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342910#comment-17342910 ]
Amit Sharma commented on YUNIKORN-649: -------------------------------------- Thanks [~wwei] for approval this. Considering this closed. > [Umbrella] Improvements for user identity retrieval and ACLs > ------------------------------------------------------------ > > Key: YUNIKORN-649 > URL: https://issues.apache.org/jira/browse/YUNIKORN-649 > Project: Apache YuniKorn > Issue Type: Improvement > Components: shim - kubernetes > Reporter: Amit Sharma > Assignee: Amit Sharma > Priority: Critical > Fix For: 0.11 > > > The Kubernetes metadata does not carry user information by design. This can > be referred here. > [https://kubernetes.io/docs/reference/access-authn-authz/authentication/] > Here is how Yunikorn determines the user from k8s metadata (Service Account) > [https://github.com/apache/incubator-yunikorn-k8shim/blob/7648f29e50692fbb760480c586f8e3a1110eb15b/pkg/appmgmt/general/general.go#L126] > The only thing close to any identity is a ServiceAccount. However, this is > not the ideal way of looking at identities as there is no authentication > mechanism for the service account directly. It relies on the authentication > mechanism deployed on the cluster. The cluster authentication mechanism > varies from deployment to deployment. > There are 2 possible ways of doing this. > 1) One generic solution can be to modify the source of the user from > ServiceAccount to a Label/Annotation. > 2) Extending point 1, instead of changing from service account to > label/annotation, it can be a configurable field which defaults to > Label/Annotation. > While point 2 provides more user flexibility, it also reduces the structure > or clear path that Yunikorn can follow in determining a user. > Since Yunikorn is expected to be primarily deployed by owners of a Kubernetes > platform rather than individual applications, we can share a structure using > point 1 as a solution. > Please share your thoughts. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@yunikorn.apache.org For additional commands, e-mail: issues-h...@yunikorn.apache.org