Adds FilesystemUser Object for NodePublishVolumeRequests #99
Conversation
|
Mmh, I have an issue with the go lang build and the corresponding checks but please feel free to comment & review. |
If you use the same version of golang and protoc that the CI is using, and you're rebuilding the bindings upon making changes to spec.md then it should all work out fine. |
spec.md
Outdated
|
|
||
| // Credentials to authenticate this mapping request. | ||
| // This field is OPTIONAL. | ||
| Credentials mapping_credentials = 4; |
There was a problem hiding this comment.
I'm struggling to understand the need for this field. Are these the credentials of the user? There's already a credentials field for the RPC itself, why do we need even more here? Furthermore, a FilesystemUser object isn't a
"mapping request", as I understand it. To me, FilesystemUser is an identity declaration.
Can you provide a short workflow/illustration that explains how this new credentials field would be used by a plugin?
There was a problem hiding this comment.
Adding this was a request from the last CIS sync conf call. People requested this to be added in order to authenticate the mapping request, personally I also think this could be covered by the existing credentials map but I wanted to follow up on the request.
The FilesystemUser object, if set, defines which identity all file system access requests through this mount is mapped to. This prevents e.g. using the user identity "root:root" inside the container to access files on the mounted file system as user root. The ID "root:root" is mapped to the given FilesystemUser in the backend during rwx access.
The idea of the new credentials field is to provide credentials for the authentication of the mapping setup with the backend. Currently I'm not aware of CO / backend supporting this specific authentication.
|
This is better handled by the identity management system in the CO. |
|
@chakri-nelluri I'm happy to remove the additional credential field, as written in the code comment I added it because it was requested. I don't really think it is required here as the request itself already supports the Credentials map which can contain authorization credentials if the mapping has to be authorized separately. The user/group ID for the mapping however is required as described above. As inside the Container arbitrary user/group identities can be set, this FilesystemUser object allows the CO admins to pin a specific containers access to a filesystem to a fixed defined identity. For example, three containers on the same host may mount the same filesystem mount with:
More detailed motivation for this can be read at https://www.quobyte.com/blog/2017/03/17/the-state-of-secure-storage-access-in-container-infrastructures/ (I think it was already referenced in these discussions, apologies if it has already been read). |
|
I removed the additional credentials field as proposed by @jdef . |
|
Are there any more open issues with this pr (as there have been no further comments)? |
|
In CloudFoundry, user information will flow to the CSI plugins via the open service broker API So, it appears that for CF, we can meet the minimal requirements of this PR without a lot of effort. We would not have group information however. |
|
@julian-hj Can you provide the username (deduct from the X-Broker-API-Originating-Identity header)? from the pointed page it is unclear (to me) whether you can provide information which then can be used by the SP to identify the user for IO operation. |
|
@oritnm I infer from the link that any service request that was initiated by an end user will have the username included as |
|
Note: This is waiting for the action item from 2017-11-01 [1] to see if COs can agree on a simple common FilesystemUser spec. [1] https://docs.google.com/document/d/1-oiNg5V_GtS_JBAEViVBhZ3BYVFlbSz70hreyaD7c5Y/edit# |
|
CO discussion resulted in postponing this till after 0.1 spec release. |
|
@jieyu Hi! Have there been any updates regarding the CO group discussions regarding a common filesystem user field? Perhaps we can discuss this in tomorrows CSI Community sync? |
This adds the Message type FilesystemUser. If a volume in a NodePublishVolumeRequest has volume_capability.access_type set to MountVolume, the filesystem user can optionally be set to a fixed FileSystemUser object. This is done in order to enforce all file access requests through this mount instance to be mapped to the given user and group information. As this mapping is optional, if the user is not set in this volume publication the user and group values are taken as is from the incoming filesystem access request created in the container. If block storage instead of a file system is used this field is ignored.
|
This is pretty stale. We're talking about releasing CSI v1.0 soon and I'm not sure this will be completed by then. Re-labeling as post-1.0 |
saad-ali
added
lifecycle/rotten
|
Any progress here @casusbelli? BTW why the "namespace" is needed in the struct? without this fix in the API, is there other standard why to identify the mount options of the filesystem? |
|
Per https://github.com/container-storage-interface/community/blob/master/governance.md#pull-request-rot closing PR marked as rotten. |
Now that per Node volume publication has been added we can
introduce the user mapping for filesystems discussed about earlier
in PR #30 .
This adds the Message type FilesystemUser. If a volume in a
NodePublishVolumeRequest has volume_capability.access_type set to
MountVolume, the filesystem user can optionally be set to a fixed
FileSystemUser object. This is done in order to enforce all file access
requests through this mount instance to be mapped to the herein given
user and group information.
As this mapping is optional, if the user is not set in this volume
publication the user and group values are taken as is from the
incoming filesystem access requests created in the container.