You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@yunikorn.apache.org by "Peter Bacsko (Jira)" <ji...@apache.org> on 2022/09/06 11:26:00 UTC

[jira] [Updated] (YUNIKORN-1306) [Umbrella] Enhanced user and group handling

     [ https://issues.apache.org/jira/browse/YUNIKORN-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Bacsko updated YUNIKORN-1306:
-----------------------------------
    Description: 
Yunikorn needs a more secure and robust user/group handling.

Currently, the YK handles users is by using a label on the pod. However, this label can contain anything and no verification is performed by Yunikorn to make sure that the users are what the label say they are. If the label is missing, the submitter is considered to be a "default" user.

The group support is also lacking. There is a lookup feature in the core, but that is very limited. It's an OS-based lookup similar to how Hadoop works, but YK runs inside a container. Determining which group a user belongs to is too late in the core.

Yunikorn needs to be able to lookup/detect the real user and group of the workload (be it a pod or a deployment, job, etc) plus provide backward compatibility because there are already solutions built on the existing label.

  was:
Yunikorn needs a more secure and robust user/group handling.

Currently, the YK handles users is by using a label on the pod. However, this label can contain anything and no verification is performed by Yunikorn to make sure that the users are what the label say they are. 

The group support is also lacking. There is a lookup feature in the core, but that is very limited. It's an OS-based lookup similar to how Hadoop works, but YK runs inside a container. Determining which group a user belongs to is too late in the core.

Yunikorn needs to be able to lookup/detect the real user and group of the workload (be it a pod or a deployment, job, etc) plus provide backward compatibility because there are already solutions built on the existing label.


> [Umbrella] Enhanced user and group handling
> -------------------------------------------
>
>                 Key: YUNIKORN-1306
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1306
>             Project: Apache YuniKorn
>          Issue Type: New Feature
>          Components: shim - kubernetes
>            Reporter: Peter Bacsko
>            Priority: Major
>
> Yunikorn needs a more secure and robust user/group handling.
> Currently, the YK handles users is by using a label on the pod. However, this label can contain anything and no verification is performed by Yunikorn to make sure that the users are what the label say they are. If the label is missing, the submitter is considered to be a "default" user.
> The group support is also lacking. There is a lookup feature in the core, but that is very limited. It's an OS-based lookup similar to how Hadoop works, but YK runs inside a container. Determining which group a user belongs to is too late in the core.
> Yunikorn needs to be able to lookup/detect the real user and group of the workload (be it a pod or a deployment, job, etc) plus provide backward compatibility because there are already solutions built on the existing label.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: issues-help@yunikorn.apache.org