
Re: [atomic-devel] We are working on Roles Based Access Control for docker.



Concrete use cases from OpenShift and Kubernetes:

1. Kubernetes needs "root level" access to the Docker API
2. OpenShift docker builders need to be able to run "build" with certain arguments (cgroup is set to whatever the caller's cgroup is set to)
3. OpenShift STI builders need to be able to call "run" on a specific base image (same parent_cgroup case as before), "commit", "tag", and "push" only on the image that was just created

We had been originally thinking of doing this as a proxy and enforcing those roles.  I suspect the needs of 2 and 3 are too complex for a simple RBAC policy, but they do reflect an actual use case.

----- Original Message -----
> I have thrown up some of my original ideas on RBAC separation on
> GitHub, described in the readme.md.
> 
> https://github.com/rhatdan/docker-rbac
> 
> Please review and tell me if you have other ideas.  I guess we can carry
> the conversation via issues, this email or pull requests.
> 
> 
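
Added example (not part of this thread or of the docker-rbac repository): a sketch of why use case 3 does not fit a static role-to-verb table, beside a per-build session check that a proxy could apply instead. The types, function names, role name and image names are all hypothetical, and the Docker API is reduced to a verb and a target image.

```go
package main

import "fmt"

// Request is a simplified Docker API call as seen by a hypothetical proxy.
type Request struct {
	Verb   string // "run", "commit", "tag" or "push"
	Target string // image the call acts on (for commit: the image it creates)
}

// staticAllow is a plain role -> verb table; it cannot tell images apart.
var staticAllow = map[string]map[string]bool{
	"sti-builder": {"run": true, "commit": true, "tag": true, "push": true},
}

// StaticAllows is the simple RBAC decision: role and verb only.
func StaticAllows(role string, r Request) bool { return staticAllow[role][r.Verb] }

// STISession carries the per-build state that use case 3 needs.
type STISession struct {
	BaseImage string // the only image "run" may start
	ran       bool   // a permitted "run" has happened
	created   string // image produced by "commit" in this session
}

// Authorize returns nil only when the call fits use case 3.
func (s *STISession) Authorize(r Request) error {
	switch {
	case r.Verb == "run" && r.Target == s.BaseImage:
		s.ran = true
	case r.Verb == "commit" && s.ran && s.created == "" && r.Target != "":
		s.created = r.Target
	case (r.Verb == "tag" || r.Verb == "push") && s.created != "" && r.Target == s.created:
		// allowed: acts on the image this build just created
	default:
		return fmt.Errorf("denied: %s %q", r.Verb, r.Target)
	}
	return nil
}

func main() {
	s := &STISession{BaseImage: "example/base"} // constructed image names
	for _, r := range []Request{{"run", "example/base"}, {"push", "example/other"},
		{"commit", "example/app"}, {"push", "example/app"}} {
		fmt.Println(r.Verb, r.Target, "static:", StaticAllows("sti-builder", r), "session:", s.Authorize(r))
	}
}
```

The static table allows the push of example/other because it sees only the verb; the session check denies it because that image was not created by this build.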

