As it is, anyone who has access to Singularity can deploy anything to be executed as the root user. Basically, this is almost the same as if they had SSH access to the root account. Singularity does not have any concept of user/group authentication and authorization.
How can we allow certain teams or team members to deploy jobs to Singularity, but with some constraints? For example, a task can be executed only as a user from a specific list, or a command cannot match some regex. These are all important use cases if you have multiple teams with clearly defined privileges. Right now, Singularity makes that privilege separation completely useless.
Singularity already has a concept of authorization; however, it is not well exposed or easy to use as of yet. Currently, there is an LDAP-backed authorization method you can use. The user in question is passed in as a header, and the groups for that user are compared against the group/readWriteGroups/readOnlyGroups for the request they are trying to access. There isn't any authentication in Singularity yet, however.
We are already working on #1635, which adds a more flexible way to set this up and provide user details to Singularity. With that PR I plan on adding documentation on how to set it up and take advantage of these features.
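A simplified model of the group check described in the comment above, added here as an illustration and not taken from Singularity's code. The `DIRECTORY` dict stands in for LDAP, the sample request is constructed, and the rule that `group` and `readWriteGroups` grant write access while `readOnlyGroups` grants read access is an assumption.

```python
# Simplified model of a header + group authorization check (not Singularity's code).
from enum import Enum


class Access(Enum):
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed stand-in for the LDAP directory: user name -> group memberships.
DIRECTORY = {
    "alice": {"payments"},
    "bob": {"sre-readonly"},
    "carol": {"search"},
}

# Constructed request record using the three fields named in the comment.
REQUEST = {
    "id": "payments-api",
    "group": "payments",
    "readWriteGroups": ["platform"],
    "readOnlyGroups": ["sre-readonly"],
}


def access_for(user_header, request, directory=DIRECTORY):
    """Return the highest access the header-supplied user has on a request."""
    # The user name is taken from the header as given; nothing here authenticates it.
    if not user_header:
        return Access.NONE
    groups = directory.get(user_header.strip(), set())
    # Assumption: the owning group and readWriteGroups may modify the request.
    writers = {request.get("group")} | set(request.get("readWriteGroups", []))
    writers.discard(None)
    if groups & writers:
        return Access.WRITE
    # Assumption: readOnlyGroups may view the request but not change it.
    if groups & set(request.get("readOnlyGroups", [])):
        return Access.READ
    return Access.NONE


def authorize(user_header, request, needed, directory=DIRECTORY):
    """True if the user may perform an action that needs `needed` access."""
    return access_for(user_header, request, directory).value >= needed.value
```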