Simplify credentials from 8 to 3 #199

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
245 changes: 155 additions & 90 deletions csi.proto
Expand Up @@ -196,18 +196,21 @@ message CreateVolumeRequest {
// validating these parameters. COs will treat these as opaque.
map<string, string> parameters = 5;

// Credentials used by Controller plugin to authenticate/authorize
// volume creation request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to complete volume creation request.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "username" or "password"), and the value
// contains the secret data (e.g. "bob" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> controller_create_credentials = 6;
map<string, string> create_delete_volume_secrets = 6;
}

message CreateVolumeResponse {
Expand Down Expand Up @@ -326,18 +329,21 @@ message DeleteVolumeRequest {
// This field is REQUIRED.
string volume_id = 2;

// Credentials used by Controller plugin to authenticate/authorize
// volume deletion request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to complete volume deletion request.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "username" or "password"), and the value
// contains the secret data (e.g. "bob" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> controller_delete_credentials = 3;
map<string, string> create_delete_volume_secrets = 3;
}

message DeleteVolumeResponse {}
Expand All @@ -363,18 +369,22 @@ message ControllerPublishVolumeRequest {
// REQUIRED.
bool readonly = 5;

// Credentials used by Controller plugin to authenticate/authorize
// controller publish request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> controller_publish_credentials = 6;
map<string, string> volume_secrets = 6;

// Attributes of the volume to be used on a node. This field is
// OPTIONAL and MUST match the attributes of the Volume identified
Expand Down Expand Up @@ -405,18 +415,22 @@ message ControllerUnpublishVolumeRequest {
// the volume from all nodes it is published to.
string node_id = 3;

// Credentials used by Controller plugin to authenticate/authorize
// controller unpublish request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> controller_unpublish_credentials = 4;
map<string, string> volume_secrets = 4;
}

message ControllerUnpublishVolumeResponse {}
Expand Down Expand Up @@ -575,18 +589,22 @@ message NodeStageVolumeRequest {
// This is a REQUIRED field.
VolumeCapability volume_capability = 5;

// Credentials used by Node plugin to authenticate/authorize node
// stage request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> node_stage_credentials = 6;
map<string, string> volume_secrets = 6;

// Attributes of the volume to publish. This field is OPTIONAL and
// MUST match the attributes of the VolumeInfo identified by
Expand All @@ -609,18 +627,22 @@ message NodeUnstageVolumeRequest {
// This is a REQUIRED field.
string staging_target_path = 3;

// Credentials used by Node plugin to authenticate/authorize node
// unstage request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> node_unstage_credentials = 4;
map<string, string> volume_secrets = 4;
}

message NodeUnstageVolumeResponse {}
Expand Down Expand Up @@ -664,24 +686,45 @@ message NodePublishVolumeRequest {
// REQUIRED.
bool readonly = 7;

// Credentials used by Node plugin to authenticate/authorize node
// publish request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> node_publish_credentials = 8;

map<string, string> volume_secrets = 8;

// Secrets required by plugin to complete a node publish request.
// This maybe, for example, user credentials for a volume that that
// permits multiple user access and requires per consumer auth.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "username" or "password"), and the value
// contains the secret data (e.g. "bob" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> workload_secrets = 9;

// Attributes of the volume to publish. This field is OPTIONAL and
// MUST match the attributes of the Volume identified by
// `volume_id`.
map<string,string> volume_attributes = 9;
map<string,string> volume_attributes = 10;
}

message NodePublishVolumeResponse {}
Expand All @@ -699,18 +742,40 @@ message NodeUnpublishVolumeRequest {
// This is a REQUIRED field.
string target_path = 3;

// Credentials used by Node plugin to authenticate/authorize node
// unpublish request.
// This field contains credential data, for example username and
// password. Each key must consist of alphanumeric characters, '-',
// '_' or '.'. Each value MUST contain a valid string. An SP MAY
// choose to accept binary (non-string) data by using a binary-to-text
// encoding scheme, like base64. An SP SHALL advertise the
// requirements for credentials in documentation. COs SHALL permit
// passing through the required credentials. This information is
// sensitive and MUST be treated as such (not logged, etc.) by the CO.
// Secrets required by plugin to access the specified volume.
// This maybe, for example, a volume decryption key.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "encryptionKey" or "volumePassword"), and
// the value contains the secret data (e.g. "bob232" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> volume_secrets = 4;

// Secrets required by plugin to complete a node publish request.
// This maybe, for example, user credentials for a volume that that
// permits multiple user access and requires per consumer auth.
// A secret is a string to string map where the key identifies the
// name of the secret (e.g. "username" or "password"), and the value
// contains the secret data (e.g. "bob" or "abc123").
// Each key must consist of alphanumeric characters, '-', '_' or '.'.
// Each value MUST contain a valid string. An SP MAY choose to accept
// binary (non-string) data by using a binary-to-text encoding scheme,
// like base64.
// An SP SHALL advertise the requirements for required secret keys and
// values in documentation.
// COs SHALL permit passing through the required secrets.
// This information is sensitive and MUST be treated as such (not
// logged, etc.) by the CO.
// This field is OPTIONAL.
map<string, string> node_unpublish_credentials = 4;
map<string, string> workload_secrets = 5;
}

message NodeUnpublishVolumeResponse {}
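Review bot: In the NodePublishVolumeRequest hunk, `volume_attributes` moves from field number 9 to 10 and the new `workload_secrets` takes 9, so a live wire tag changes meaning between two `map<string, string>` fields of different sensitivity: a CO and plugin built from different revisions decode one as the other without error, and secrets sent under tag 9 land in a field the other side's documentation treats as non-sensitive attributes, which may then be logged. Either keep `map<string,string> volume_attributes = 9;` and declare `map<string, string> workload_secrets = 10;`, or, if this pre-1.0 break is intended, state it in the PR description so CO and SP implementers know to update both sides together. NodeUnpublishVolumeRequest has the same reuse under one number, `volume_secrets = 4` replacing `node_unpublish_credentials = 4`, though there both fields are secrets and the type is unchanged. Separately, the `workload_secrets` comment in NodeUnpublishVolumeRequest still reads `// Secrets required by plugin to complete a node publish request.` and should say unpublish, and `This maybe, for example` and `a volume that that permits` are typos repeated across the volume_secrets and workload_secrets hunks.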