@@ -196,18 +196,21 @@ message CreateVolumeRequest {
196196 // validating these parameters. COs will treat these as opaque.
197197 map <string , string > parameters = 5 ;
198198
199- // Credentials used by Controller plugin to authenticate/authorize
200- // volume creation request.
201- // This field contains credential data, for example username and
202- // password. Each key must consist of alphanumeric characters, '-',
203- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
204- // choose to accept binary (non-string) data by using a binary-to-text
205- // encoding scheme, like base64. An SP SHALL advertise the
206- // requirements for credentials in documentation. COs SHALL permit
207- // passing through the required credentials. This information is
208- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
199+ // Secrets required by plugin to complete volume creation request.
200+ // A secret is a string to string map where the key identifies the
201+ // name of the secret (e.g. "username" or "password"), and the value
202+ // contains the secret data (e.g. "bob" or "abc123").
203+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
204+ // Each value MUST contain a valid string. An SP MAY choose to accept
205+ // binary (non-string) data by using a binary-to-text encoding scheme,
206+ // like base64.
207+ // An SP SHALL advertise the requirements for required secret keys and
208+ // values in documentation.
209+ // COs SHALL permit passing through the required secrets.
210+ // This information is sensitive and MUST be treated as such (not
211+ // logged, etc.) by the CO.
209212 // This field is OPTIONAL.
210- map <string , string > controller_create_credentials = 6 ;
213+ map <string , string > create_delete_volume_secrets = 6 ;
211214}
212215
213216message CreateVolumeResponse {
@@ -326,18 +329,21 @@ message DeleteVolumeRequest {
326329 // This field is REQUIRED.
327330 string volume_id = 2 ;
328331
329- // Credentials used by Controller plugin to authenticate/authorize
330- // volume deletion request.
331- // This field contains credential data, for example username and
332- // password. Each key must consist of alphanumeric characters, '-',
333- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
334- // choose to accept binary (non-string) data by using a binary-to-text
335- // encoding scheme, like base64. An SP SHALL advertise the
336- // requirements for credentials in documentation. COs SHALL permit
337- // passing through the required credentials. This information is
338- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
332+ // Secrets required by plugin to complete volume deletion request.
333+ // A secret is a string to string map where the key identifies the
334+ // name of the secret (e.g. "username" or "password"), and the value
335+ // contains the secret data (e.g. "bob" or "abc123").
336+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
337+ // Each value MUST contain a valid string. An SP MAY choose to accept
338+ // binary (non-string) data by using a binary-to-text encoding scheme,
339+ // like base64.
340+ // An SP SHALL advertise the requirements for required secret keys and
341+ // values in documentation.
342+ // COs SHALL permit passing through the required secrets.
343+ // This information is sensitive and MUST be treated as such (not
344+ // logged, etc.) by the CO.
339345 // This field is OPTIONAL.
340- map <string , string > controller_delete_credentials = 3 ;
346+ map <string , string > create_delete_volume_secrets = 3 ;
341347}
342348
343349message DeleteVolumeResponse {}
@@ -363,18 +369,22 @@ message ControllerPublishVolumeRequest {
363369 // REQUIRED.
364370 bool readonly = 5 ;
365371
366- // Credentials used by Controller plugin to authenticate/authorize
367- // controller publish request.
368- // This field contains credential data, for example username and
369- // password. Each key must consist of alphanumeric characters, '-',
370- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
371- // choose to accept binary (non-string) data by using a binary-to-text
372- // encoding scheme, like base64. An SP SHALL advertise the
373- // requirements for credentials in documentation. COs SHALL permit
374- // passing through the required credentials. This information is
375- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
372+ // Secrets required by plugin to to access the specified volume.
373+ // This maybe, for example, a volume decryption key.
374+ // A secret is a string to string map where the key identifies the
375+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
376+ // the value contains the secret data (e.g. "bob232" or "abc123").
377+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
378+ // Each value MUST contain a valid string. An SP MAY choose to accept
379+ // binary (non-string) data by using a binary-to-text encoding scheme,
380+ // like base64.
381+ // An SP SHALL advertise the requirements for required secret keys and
382+ // values in documentation.
383+ // COs SHALL permit passing through the required secrets.
384+ // This information is sensitive and MUST be treated as such (not
385+ // logged, etc.) by the CO.
376386 // This field is OPTIONAL.
377- map <string , string > controller_publish_credentials = 6 ;
387+ map <string , string > volume_secrets = 6 ;
378388
379389 // Attributes of the volume to be used on a node. This field is
380390 // OPTIONAL and MUST match the attributes of the Volume identified
@@ -405,18 +415,22 @@ message ControllerUnpublishVolumeRequest {
405415 // the volume from all nodes it is published to.
406416 string node_id = 3 ;
407417
408- // Credentials used by Controller plugin to authenticate/authorize
409- // controller unpublish request.
410- // This field contains credential data, for example username and
411- // password. Each key must consist of alphanumeric characters, '-',
412- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
413- // choose to accept binary (non-string) data by using a binary-to-text
414- // encoding scheme, like base64. An SP SHALL advertise the
415- // requirements for credentials in documentation. COs SHALL permit
416- // passing through the required credentials. This information is
417- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
418+ // Secrets required by plugin to to access the specified volume.
419+ // This maybe, for example, a volume decryption key.
420+ // A secret is a string to string map where the key identifies the
421+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
422+ // the value contains the secret data (e.g. "bob232" or "abc123").
423+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
424+ // Each value MUST contain a valid string. An SP MAY choose to accept
425+ // binary (non-string) data by using a binary-to-text encoding scheme,
426+ // like base64.
427+ // An SP SHALL advertise the requirements for required secret keys and
428+ // values in documentation.
429+ // COs SHALL permit passing through the required secrets.
430+ // This information is sensitive and MUST be treated as such (not
431+ // logged, etc.) by the CO.
418432 // This field is OPTIONAL.
419- map <string , string > controller_unpublish_credentials = 4 ;
433+ map <string , string > volume_secrets = 4 ;
420434}
421435
422436message ControllerUnpublishVolumeResponse {}
@@ -575,18 +589,22 @@ message NodeStageVolumeRequest {
575589 // This is a REQUIRED field.
576590 VolumeCapability volume_capability = 5 ;
577591
578- // Credentials used by Node plugin to authenticate/authorize node
579- // stage request.
580- // This field contains credential data, for example username and
581- // password. Each key must consist of alphanumeric characters, '-',
582- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
583- // choose to accept binary (non-string) data by using a binary-to-text
584- // encoding scheme, like base64. An SP SHALL advertise the
585- // requirements for credentials in documentation. COs SHALL permit
586- // passing through the required credentials. This information is
587- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
592+ // Secrets required by plugin to to access the specified volume.
593+ // This maybe, for example, a volume decryption key.
594+ // A secret is a string to string map where the key identifies the
595+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
596+ // the value contains the secret data (e.g. "bob232" or "abc123").
597+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
598+ // Each value MUST contain a valid string. An SP MAY choose to accept
599+ // binary (non-string) data by using a binary-to-text encoding scheme,
600+ // like base64.
601+ // An SP SHALL advertise the requirements for required secret keys and
602+ // values in documentation.
603+ // COs SHALL permit passing through the required secrets.
604+ // This information is sensitive and MUST be treated as such (not
605+ // logged, etc.) by the CO.
588606 // This field is OPTIONAL.
589- map <string , string > node_stage_credentials = 6 ;
607+ map <string , string > volume_secrets = 6 ;
590608
591609 // Attributes of the volume to publish. This field is OPTIONAL and
592610 // MUST match the attributes of the VolumeInfo identified by
@@ -609,18 +627,22 @@ message NodeUnstageVolumeRequest {
609627 // This is a REQUIRED field.
610628 string staging_target_path = 3 ;
611629
612- // Credentials used by Node plugin to authenticate/authorize node
613- // unstage request.
614- // This field contains credential data, for example username and
615- // password. Each key must consist of alphanumeric characters, '-',
616- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
617- // choose to accept binary (non-string) data by using a binary-to-text
618- // encoding scheme, like base64. An SP SHALL advertise the
619- // requirements for credentials in documentation. COs SHALL permit
620- // passing through the required credentials. This information is
621- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
630+ // Secrets required by plugin to to access the specified volume.
631+ // This maybe, for example, a volume decryption key.
632+ // A secret is a string to string map where the key identifies the
633+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
634+ // the value contains the secret data (e.g. "bob232" or "abc123").
635+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
636+ // Each value MUST contain a valid string. An SP MAY choose to accept
637+ // binary (non-string) data by using a binary-to-text encoding scheme,
638+ // like base64.
639+ // An SP SHALL advertise the requirements for required secret keys and
640+ // values in documentation.
641+ // COs SHALL permit passing through the required secrets.
642+ // This information is sensitive and MUST be treated as such (not
643+ // logged, etc.) by the CO.
622644 // This field is OPTIONAL.
623- map <string , string > node_unstage_credentials = 4 ;
645+ map <string , string > volume_secrets = 4 ;
624646}
625647
626648message NodeUnstageVolumeResponse {}
@@ -664,24 +686,45 @@ message NodePublishVolumeRequest {
664686 // REQUIRED.
665687 bool readonly = 7 ;
666688
667- // Credentials used by Node plugin to authenticate/authorize node
668- // publish request.
669- // This field contains credential data, for example username and
670- // password. Each key must consist of alphanumeric characters, '-',
671- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
672- // choose to accept binary (non-string) data by using a binary-to-text
673- // encoding scheme, like base64. An SP SHALL advertise the
674- // requirements for credentials in documentation. COs SHALL permit
675- // passing through the required credentials. This information is
676- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
689+ // Secrets required by plugin to to access the specified volume.
690+ // This maybe, for example, a volume decryption key.
691+ // A secret is a string to string map where the key identifies the
692+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
693+ // the value contains the secret data (e.g. "bob232" or "abc123").
694+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
695+ // Each value MUST contain a valid string. An SP MAY choose to accept
696+ // binary (non-string) data by using a binary-to-text encoding scheme,
697+ // like base64.
698+ // An SP SHALL advertise the requirements for required secret keys and
699+ // values in documentation.
700+ // COs SHALL permit passing through the required secrets.
701+ // This information is sensitive and MUST be treated as such (not
702+ // logged, etc.) by the CO.
677703 // This field is OPTIONAL.
678- map <string , string > node_publish_credentials = 8 ;
679-
704+ map <string , string > volume_secrets = 8 ;
705+
706+ // Secrets required by plugin to complete a node publish request.
707+ // This maybe, for example, user credentials for a volume that that
708+ // permits multiple user access and requires per consumer auth.
709+ // A secret is a string to string map where the key identifies the
710+ // name of the secret (e.g. "username" or "password"), and the value
711+ // contains the secret data (e.g. "bob" or "abc123").
712+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
713+ // Each value MUST contain a valid string. An SP MAY choose to accept
714+ // binary (non-string) data by using a binary-to-text encoding scheme,
715+ // like base64.
716+ // An SP SHALL advertise the requirements for required secret keys and
717+ // values in documentation.
718+ // COs SHALL permit passing through the required secrets.
719+ // This information is sensitive and MUST be treated as such (not
720+ // logged, etc.) by the CO.
721+ // This field is OPTIONAL.
722+ map <string , string > workload_secrets = 9 ;
680723
681724 // Attributes of the volume to publish. This field is OPTIONAL and
682725 // MUST match the attributes of the Volume identified by
683726 // `volume_id`.
684- map <string ,string > volume_attributes = 9 ;
727+ map <string ,string > volume_attributes = 10 ;
685728}
686729
687730message NodePublishVolumeResponse {}
@@ -699,18 +742,40 @@ message NodeUnpublishVolumeRequest {
699742 // This is a REQUIRED field.
700743 string target_path = 3 ;
701744
702- // Credentials used by Node plugin to authenticate/authorize node
703- // unpublish request.
704- // This field contains credential data, for example username and
705- // password. Each key must consist of alphanumeric characters, '-',
706- // '_' or '.'. Each value MUST contain a valid string. An SP MAY
707- // choose to accept binary (non-string) data by using a binary-to-text
708- // encoding scheme, like base64. An SP SHALL advertise the
709- // requirements for credentials in documentation. COs SHALL permit
710- // passing through the required credentials. This information is
711- // sensitive and MUST be treated as such (not logged, etc.) by the CO.
745+ // Secrets required by plugin to to access the specified volume.
746+ // This maybe, for example, a volume decryption key.
747+ // A secret is a string to string map where the key identifies the
748+ // name of the secret (e.g. "encryptionKey" or "volumePassword"), and
749+ // the value contains the secret data (e.g. "bob232" or "abc123").
750+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
751+ // Each value MUST contain a valid string. An SP MAY choose to accept
752+ // binary (non-string) data by using a binary-to-text encoding scheme,
753+ // like base64.
754+ // An SP SHALL advertise the requirements for required secret keys and
755+ // values in documentation.
756+ // COs SHALL permit passing through the required secrets.
757+ // This information is sensitive and MUST be treated as such (not
758+ // logged, etc.) by the CO.
759+ // This field is OPTIONAL.
760+ map <string , string > volume_secrets = 4 ;
761+
762+ // Secrets required by plugin to complete a node publish request.
763+ // This maybe, for example, user credentials for a volume that that
764+ // permits multiple user access and requires per consumer auth.
765+ // A secret is a string to string map where the key identifies the
766+ // name of the secret (e.g. "username" or "password"), and the value
767+ // contains the secret data (e.g. "bob" or "abc123").
768+ // Each key must consist of alphanumeric characters, '-', '_' or '.'.
769+ // Each value MUST contain a valid string. An SP MAY choose to accept
770+ // binary (non-string) data by using a binary-to-text encoding scheme,
771+ // like base64.
772+ // An SP SHALL advertise the requirements for required secret keys and
773+ // values in documentation.
774+ // COs SHALL permit passing through the required secrets.
775+ // This information is sensitive and MUST be treated as such (not
776+ // logged, etc.) by the CO.
712777 // This field is OPTIONAL.
713- map <string , string > node_unpublish_credentials = 4 ;
778+ map <string , string > workload_secrets = 5 ;
714779}
715780
716781message NodeUnpublishVolumeResponse {}
0 commit comments