
CAS Namespaces

Multiple users can share a CAS instance. Since session (policy) names must be unique per CAS instance, creating a session can fail with a name conflict: another user might already have created a session with that name. The standard solution to such name collisions is to introduce namespaces.

Sessions can be organized hierarchically by creating them within the namespace of another session. Organizations and large teams can use namespaces to structure their sessions and to restrict the creation and management of nested sessions to a set of authorized users. If SCONE is used with Kubernetes, one might create a corresponding CAS namespace for each Kubernetes namespace in which confidential services run.

Namespace Access Policy

SCONE CAS supports namespaces, i.e., scopes for session names, since version 5.1. To create a namespace, one creates a session with the name of the namespace. Whoever creates the namespace thereby controls who can create sessions in it. For this purpose, the access policy has a create_sessions option:

name: my-namespace

access_policy:
  create_sessions:
    - CREATOR
    - 3s1pm8W6Be6cxvAQRbRP5YXd9YuERAr7KswN97uGtoPkRW87x1
    - ...

To create a new session in the namespace my-namespace, one has to authenticate with one of the credentials listed under create_sessions (CREATOR denotes the creator of the namespace session). If create_sessions is omitted, all entities listed under update are permitted to create sessions in the namespace.

Creating a namespace

To create a new namespace my-namespace, we first write a session description. Stored in a file policy.yml, it might look like this:

name: my-namespace

access_policy:
  read:
    - CREATOR
  update:
    - CREATOR
  create_sessions:
    - CREATOR

We can upload this session with the SCONE CLI as follows:

scone session create policy.yml

In order to create session hello-world in the namespace my-namespace, set the new session's name to:

name: my-namespace/hello-world

You must be permitted to create sessions in this namespace, i.e., your credential must be listed under create_sessions of session my-namespace (or under update, if create_sessions is omitted there).

Namespaces can be nested: hello-world can itself serve as a namespace, so a session created within it is named, for example:

name: my-namespace/hello-world/project-1
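The following is an added example, not SCONE's or CAS's own code: a small in-memory model of the namespace rules described above (unique names, create_sessions governing nested session creation, the fallback to update when create_sessions is omitted, CREATOR resolving to the namespace's creator), which can be used to sanity-check a set of policies before uploading them. The credential strings and the session store are constructed; two rules the page does not spell out are assumptions and marked as such in the code: a top-level name only needs to be unique, and a nested session requires its enclosing namespace session to exist.

```python
from dataclasses import dataclass, field

# Constructed credential identifiers standing in for the certificate-derived
# identifiers CAS lists in access_policy entries (not real CAS credentials).
ALICE = "alice-cred"
BOB = "bob-cred"
EVE = "eve-cred"


@dataclass
class Session:
    name: str
    creator: str                      # credential that uploaded the session
    access_policy: dict = field(default_factory=dict)


class CasNamespaceModel:
    """In-memory model of the namespace rules described on this page."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}

    @staticmethod
    def principals(session: Session, key: str) -> set[str]:
        # CREATOR resolves to whoever created the namespace session.
        return {session.creator if e == "CREATOR" else e
                for e in session.access_policy.get(key, [])}

    def may_create(self, name: str, credential: str) -> tuple[bool, str]:
        # Rule from the page: names are unique per CAS instance.
        if name in self.sessions:
            return False, f"{name}: name already taken"
        # Assumption: a top-level name only needs to be unique.
        if "/" not in name:
            return True, f"{name}: top-level session"
        namespace = name.rsplit("/", 1)[0]
        parent = self.sessions.get(namespace)
        # Assumption: the enclosing namespace session must already exist.
        if parent is None:
            return False, f"{name}: namespace {namespace} does not exist"
        # Rule from the page: create_sessions governs; if omitted, update does.
        key = "create_sessions" if "create_sessions" in parent.access_policy else "update"
        if credential in self.principals(parent, key):
            return True, f"{name}: {credential} listed under {key} of {namespace}"
        return False, f"{name}: {credential} not listed under {key} of {namespace}"

    def create(self, name: str, credential: str, access_policy=None) -> str:
        ok, reason = self.may_create(name, credential)
        if not ok:
            raise PermissionError(reason)
        self.sessions[name] = Session(name, credential, dict(access_policy or {}))
        return reason


# The page's policy.yml for my-namespace, transcribed as a dict.
MY_NAMESPACE_POLICY = {
    "read": ["CREATOR"],
    "update": ["CREATOR"],
    "create_sessions": ["CREATOR"],
}


def run_scenario() -> dict[str, bool]:
    """Replays the page's walkthrough plus the edge cases; True means allowed."""
    cas = CasNamespaceModel()
    cas.create("my-namespace", ALICE, MY_NAMESPACE_POLICY)
    # hello-world doubles as a namespace that additionally admits Bob.
    cas.create("my-namespace/hello-world", ALICE,
               {"update": ["CREATOR"], "create_sessions": ["CREATOR", BOB]})
    # A namespace without create_sessions: the update entries apply instead.
    cas.create("team", ALICE, {"update": ["CREATOR", BOB]})
    return {
        "alice_nested": cas.may_create("my-namespace/hello-world/project-1", ALICE)[0],
        "bob_nested": cas.may_create("my-namespace/hello-world/project-1", BOB)[0],
        "eve_nested": cas.may_create("my-namespace/hello-world/project-1", EVE)[0],
        "bob_in_my_namespace": cas.may_create("my-namespace/other", BOB)[0],
        "bob_via_update_fallback": cas.may_create("team/svc", BOB)[0],
        "eve_via_update_fallback": cas.may_create("team/svc", EVE)[0],
        "duplicate_name": cas.may_create("my-namespace", ALICE)[0],
        "missing_namespace": cas.may_create("nope/svc", ALICE)[0],
    }


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:26s} {'allowed' if allowed else 'denied'}")
```

Note that the fallback to update makes a namespace session without create_sessions grant creation rights to everyone who may update it; listing create_sessions explicitly, as the page's policy.yml does, keeps the two rights separate.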