user_credentials problems #140
Comments
|
For problem 2 above, a better solution would be to rename:
For problem 1, a kink with the proposed solution is that |
|
Hi @saad-ali,
Do you mean in the |
|
Hi @saad-ali, I understand your concerns, but I do wonder if you're unintentionally overcomplicating things? Issue 1
This proposal complicates the relationship between the CO and the SP. The Controller SP is responsible for providing credentials to be used by the CO for calls to Node SPs? I thought the purpose of defining credentials as part of the spec was to avoid having to pre-configure credentials for the SP process/container? This seems to take things back to the way they were before . Issue 2
I wonder if there is value in renaming the fields since credentials sent along with an RPC automatically become associated with that RPC's purpose IMO. For example: message CreateVolume {
// These are implied to be credentials used to
// create a volume.
map<string, string> user_credentialsmessage ControllerPublishVolume {
// These are implied to be credentials used by a
// controller to publish a volume.
map<string, string> user_credentialsAnd so on and so forth. Is there value in renaming those fields to basically contain an RPC-eponymous prefix? Besides, didn't we all agree you had to work on the error PR before touching anything else? :) |
|
Hi @saad-ali, @clintkitson explained what you were trying to convey, and it makes more sense now. I believe he'll follow up here in case anyone else is as easily confused as me :) |
|
@akutz I belive the confusion here relates to how Storage system/API level creds are relevant and used for most platforms. But some platforms are have volume-level authorization that happen in many forms. I see the usefulness in either a) enabling the plugin to pass auth for the volume back on a create response or b) enabling the plugin to create auth, pass it to the storage platform in some way, and then pass this auth back. It sounds like Saad's suggestion would enable this. |
|
Hi @clintkitson, Thanks! Yeah, I think what confused me was the notion of the SP returning credentials. When you referred to the SP returning a token it made more sense. There are:
I suppose the latter are credentials in the purest sense, but as I was already thinking about concrete implementations I was considering EBS roles and how there can be discrete roles for creation, publication, etc. In EBS the volume authorization key isn't really referred to as one of those roles, so I didn't consider it as a credential. |
The CSI calls
CreateVolumeRequest,DeleteVolumeRequest,ControllerPublishVolumeRequest,ControllerUnpublishVolume,NodePublishVolume, andNodeUnpublishVolumeall allowuser_credentialsto be passed in.A few problems with this:
user_credentialson Publish calls, and the volume is dynamically provisioned with aCreateVolumeRequest, how does the user or CO decide what credentials to pass into the Publish calls?CreateVolumeRequest.user_credentialsin ControllerPublish/Unpublish calls tovolume_credentialsand clarify in the comment that it should not (can not) be used to auth a workload or user). We would have to do the same thing for "MountDevice" proposed in Consider a "MountDevice" equivalent step #119.The text was updated successfully, but these errors were encountered: