

Subject: RE: [tosca] comment on WD02, Rev04: Eliminated the credential keyname from the repository definition


You're right, but we should debate whether it's appropriate to represent credentials in the models (in the ConnectsTo relationship to the Endpoint capability specifically). Without additional grammar support, those credentials would have to be supplied somehow just like any other properties, and presumably reflected in an instance model, and potentially logged in log files. Orchestrators may need to treat credentials/secrets/etc differently from other properties.

 

Chris

 

From: adam souzis <adam@souzis.com>
Sent: Thursday, October 29, 2020 1:47 PM
To: Chris Lauwers <lauwers@ubicity.com>
Cc: tosca@lists.oasis-open.org
Subject: Re: [tosca] comment on WD02, Rev04: Eliminated the credential keyname from the repository definition

 

Hi Chris, 

 

I think in general TOSCA is doing alright here because concretely you provide credentials to a particular endpoint and TOSCA endpoints already support credentials. In the case of a repository, it itself is essentially an endpoint, in that it is basically a URI -- so it needs credentials too. I think the bigger picture is what I mentioned on the other thread about repositories: That they should be first class entities similar to artifacts and then each profile can define their own types of repositories with their own properties -- including a credential property. This would solve the issue that led to their removal.

 

-- Adam


 

On Thu, Oct 29, 2020 at 1:26 PM Chris Lauwers <lauwers@ubicity.com> wrote:

Hi Adam,

 

Yes, we should revisit that decision. The motivation for removing the key was as follows:

 

  • The "type" for the credential value provided using the "credential" keyword was "tosca.datatypes.Credential", which is defined in the Simple Profile. Since the Simple Profile types are no longer part of the TOSCA standard, we could no longer use that type. There were proposals made to use some sort of opaque type, but those proposals have not yet been agreed on.
  • Repository definitions are the only TOSCA abstractions that require credentials. However, in real-world deployments, all entities that one communicates with require credentials. Should we look at security/privacy/admission control in a broader context first, before deciding on a specific solution for repositories?

 

In any event, you're correct that this is something that needs to be addressed.

 

Thanks,

 

Chris

 

From: tosca@lists.oasis-open.org <tosca@lists.oasis-open.org> On Behalf Of adam souzis
Sent: Thursday, October 29, 2020 12:54 PM
To: tosca@lists.oasis-open.org
Subject: [tosca] comment on WD02, Rev04: Eliminated the credential keyname from the repository definition

 

One thing I noticed reviewing WD02 on the call today was the removal of the credentials key from repository definitions. In order to support container image artifacts, Unfurl lets you define container registries as repositories and it needs those credentials to be able to access a private registry (which are quite common). So are we sure we want to remove this?

 

Thanks,

Adam

 



