Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify credentials from 8 to 3 #199

Closed
wants to merge 1 commit into from
Closed

Simplify credentials from 8 to 3 #199

wants to merge 1 commit into from

Conversation

saad-ali
Copy link
Member

@saad-ali saad-ali commented Feb 22, 2018
edited
Loading

Fixes #198

Simplify secrets by specifying a secret per use case instead of per operation (reducing 8 possibilities to 3):

  1. create_delete_volume_secrets
    • Grants ability to create and delete volume requests.
    • Passed to CreateVolume() and DeleteVolume().
  2. volume_secrets
    • Secrets required to access a volume, independent of any consumer.
    • Example: an encryption key for volume.
    • Passed to ControllerPublishVolume(), ControllerUnpublishVolume(), NodeStageVolume(), NodeUnstageVolume(), NodePublishVolume(), NodeUnpublishVolume().
  3. workload_secrets
    • Secrets required to auth a specific consumer of a volume.
    • Example: A single NFS share that permits multiple users access via different credentials.
    • Passed to NodePublishVolume(), NodeUnpublishVolume()

Why? Exposing 8 credentials to end users is confusing for end users (it requires them to understand the inner workings of CO to SP communications), and difficult for COs to do.

@saad-ali saad-ali requested review from jieyu and jdef February 22, 2018 03:17
@sbezverk
Copy link
Contributor

@saad-ali Would it be a bit more precise to use secret instead of secrets in the proposed new names? I suspect this will be mapped to a single object by CO, like k8s' Secret. Having secrets in the name might lead to confusion.

@saad-ali
Copy link
Member Author

@saad-ali Would it be a bit more precise to use secret instead of secrets in the proposed new names? I suspect this will be mapped to a single object by CO, like k8s' Secret. Having secrets in the name might lead to confusion.

I was thinking about that, and it is accurate from the Kubernetes perspective that a single secret can contain the entire map, but from the CSI/Plugin perspective, there is no concept of a Kubernetes secret object, and as far CSI and the Plugin are concerned these are maps containing one or more secrets. So I'd prefer secrets instead of secret.

@saad-ali
Copy link
Member Author

saad-ali commented Feb 22, 2018
edited
Loading

Slept on this, and realized it might be too extreme, and block out the ability for plugins to choose which calls to accept which secrets on (the same secret may not be required in all calls and requiring it everywhere may mean giving access to secret in components the plugin may not want to). Closing this, will comment on alternative on the original issue.

@saad-ali saad-ali closed this Feb 22, 2018
@saad-ali saad-ali deleted the simplifyCreds branch February 22, 2018 18:12
@saad-ali saad-ali restored the simplifyCreds branch February 23, 2018 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jieyu jieyu Awaiting requested review from jieyu

@jdef jdef Awaiting requested review from jdef

Assignees

@jieyu jieyu

@jdef jdef

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@saad-ali @sbezverk @jieyu @jdef