[Dev] [Multiuser] Multi-user support and containers.

Jacek Pielaszkiewicz j.pielaszkie at samsung.com
Wed Apr 16 11:42:52 GMT 2014


Hi,


      Together with my team I'm working on containers in TIZEN. Regarding 
to open discussion about multi-user support I would like share our proposal 
and show how we imagine multi-user support in containers.

      Our assumptions are:

1. We assumed that any application/services located in containers will be
able 
   access services located on host or on other containers. 

   It implicate that must exists in system a global service (Cynara) that
will 
   control security policy for whole system.
 
2. The Cynara will control security policies for both services located
directly 
   on the host as well as in containers. 

   Containers will not have own Cyrana instance. We don't see any benefits
for that.
   It will only complicate the solution because and so some security rules
will have 
   to be applied on host (a container must have access to some services
located directly 
   on host or in other containers).
   
   All containers must share common IPC to allow containers services
communicate 
   with global Cyrana instance.

3. We assumed that new user can be created on host and in containers as
well. 
   Containers and host will have dedicated service to mage user (for example
gumd).
   
   A user creation/update in the container will trigger the creation/update 
   of the corresponding user on the host.

   User management services on host and in containers will have to populate 
   security politics into Cynara (in case of user creation/update). 
 
4. Installer (responsible for setup new and removal existing application) 
   will have to populate required by application security politics into
Cyrana. 

5. The Cynara identify security policy by user id. Therefore all users on 
   the system (on host and in containers) will have to have unique ids. It
cause that:

  - any user created in any container and on the host must be registered in
Cynara

  - any user in system (on the host and in any container) must have unique
id. 

  - In case if "user namespaces" is not available or is not use, any
service/application 
    running in the container that interact with external services should not
be run as root 
    user (UID = 0) - problem how to distinguish "container root" from "host
root".

  - In case if "user namespaces" is available all container users/groups ids

    must be mapped into unique range.

      The enclosed files show as example two typical usage scenarios -
service usage 
authorization and user creation. Examples show cases from a container
perspective.

      I will be grateful for your opinions and comments.

Best regards


Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielaszkie at samsung.com



-------------- next part --------------
A non-text attachment was scrubbed...
Name: service-authorization.jpg
Type: image/jpeg
Size: 63704 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20140416/488d12b8/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: users-managment.jpg
Type: image/jpeg
Size: 100427 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20140416/488d12b8/attachment-0003.jpg>


More information about the Dev mailing list