Docker Community Forums

UCP support for network and volume labels


(James Bennett) #1

Hello,

I was wondering if you could share any details on the plans for supporting labels on networks and volumes in the UCP? My current use case is that I would like to have users who have “view only” or “none” for their default permission but they would still be able to view/maintain networks and labels which have a “com.docker.ucp.access.label” for their group with the appropriate permissions. Ideally this would allow us to have fine-grained control of subsets of the objects in the UCP so certain teams can only access objects they are allowed to use.

It seems I have to grant a default permission of “restricted control” for any user to be able to run Docker Compose from the command line against the UCP cluster right now. I found that I would have to create networks and probably volumes ahead of time because Compose doesn’t support labels on those yet. To work around this I created a network with the UCP access label to try things out and configured Compose to use this external network. I then ran this with an unprivileged user with a few different default permissions:

  • No Access - This immediately fails with “access denied”. This wasn’t super surprising since I cannot see any networks in the UCP at all with this setting, but I was hopeful the network label would have allowed this to work.
  • View Only - At this point Compose can create the container but later gets an “access denied” which I’m assuming is happening when it attempts to attach the container to the network.
  • Restricted Control - Compose works like I’d expect with this level of default permission, but this is more access than I was hoping I’d have to grant to most users since they would be able to work with most objects in the UCP at this point.

If there’s another way to work around this issue or any other details I can provide please let me know.

UCP details (if they help):
6-node cluster (3 controllers, 3 nodes) running UCP 1.1.2
Docker Engine 1.11.2-cs4

Thanks,
James
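
One way to lay out the workaround described in the post above, as an added example that is not part of the original post: a UCP admin creates the network out of band with the `com.docker.ucp.access.label` label, and the Compose file only references it as an external network. The network name `team-net`, the image and the label value `dev-team` are placeholders, and tagging the service with the same access label is an assumption, not something the post confirms is required.

```yaml
# Constructed example. The network is created ahead of time by someone with
# sufficient UCP permissions, carrying the team's access label, because the
# Compose version in the post cannot set labels on networks itself:
#
#   docker network create -d overlay \
#     --label com.docker.ucp.access.label=dev-team team-net
#
# "dev-team" stands in for the access label defined for the team in UCP.
version: '2'

services:
  web:
    image: nginx:alpine
    labels:
      # Assumed: give the container the same access label so that the team's
      # permissions on the container match those on the network it joins.
      com.docker.ucp.access.label: dev-team
    networks:
      - team-net

networks:
  team-net:
    # Reference the pre-created, labelled network instead of letting Compose
    # create an unlabelled one; Compose fails if the network does not exist.
    external:
      name: team-net
```

With this layout the only objects Compose creates are the containers, so the default permission a user needs is determined by container access plus whatever UCP grants on the labelled network.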


(Vivek Saraswat) #2

Hi James,

Yes, UCP support for networks and volumes is on the roadmap. Look out for label-based network RBAC support in the next major version of UCP. Volume support is a bit more complicated because of the possible use of implied volumes when running a container, but it is something we are working out as well. Thanks for your patience.

In the recent UCP 1.1.3 patch release, we did make some changes that prevent non-admins from editing or deleting UCP/DTR system networks and volumes. That might make it easier for you to give Restricted Control access in the meantime to your users.