Multiple users can share a CAS instance. Since policy names must be unique per CAS instance, there might be conflicts when creating sessions: another user might have already created a session with that name. The standard solution to address such name collisions is to introduce namespaces.
Sessions can be organized hierarchically by creating them within the namespace of another session. Organizations and large teams can benefit from namespaces to structure their sessions and restrict the creation and management of nested sessions to a set of authorized users. If one uses SCONE in the context of Kubernetes, one might want to create a corresponding CAS namespace for each Kubernetes namespace in which one executes confidential services.
Namespace Access Policy
SCONE CAS supports namespaces, i.e., a scope for session names, since version 5.1. To create a new namespace, one creates a session with the name of the namespace. By creating a namespace, one automatically controls who can create sessions in this namespace. To control access to namespaces, we added a new access policy option:
name: my-namespace access_policy: create_sessions: - CREATOR - 3s1pm8W6Be6cxvAQRbRP5YXd9YuERAr7KswN97uGtoPkRW87x1 - ...
To create a new sessions in the namespace
my-namespace, one has to provide one of the credentials provided of list
create_sessions. If omitted, all entities listed under
update will be able to create sessions.
Creating a namespace
To create a new namespace
my-namespace, we first create a session description.
The session description might be stored in a file
policy.yml and look like this
name: my-namespace access_policy: read: - CREATOR update: - CREATOR create_sessions: - CREATOR
We can upload this session with the SCONE CLI as follows:
scone session create policy.yml
In order to create session
hello-world in the namespace
my-namespace, set the new session's name to:
You must have permission to create the session in this namespace.
Namespaces can be nested. You can use
hello-world itself as a namespace.