Segregate logically Portainer resources using projects

[ricardona]

I am looking for a way to declare access privileges in the compose file or from docker CLI. Because, when you recreate a container, it removes the privileges so you have to redefine every time the restriction.

I would like to define a new concept project.

Teams --has--> Users
   |             |----has-->projects
   |----has-->projects

The resource (container, network, volume, etc.) will have one project. The resource project will be defined with the label io.portainer.project. Example: if the resource has label io.portainer.project=dev, then, each team or user will have the access privileges if it belongs to the dev project.

Related #1257

[deviantony]

Sounds like what UCP is doing with collections, thoughts @ncresswell ? We might go further than simply managing UAC with projects, we could also give the ability to remove all the resources associated to a project via the UI, for example.

[ncresswell]

UCP’s collections are somewhat similar, but they go one step further and can restrict the execution of a collection to a specified node or nodes in the cluster. This is how they achieve their multi-tenancy. I want to do something similar, but not through the assignment to a host, but with the creation of resource pools. We already know the total capacity of the cluster (CPU/RAM) so we should be able to define a model whereby when a resource pool is defined, we can set the maximum resources able to be consumed by all containers running within that pool (which means we force the use of CPU/Memory constraints). This is a little different from what you are asking though; it seems you are after a way to logically group/visualise all created stacks/services/containers/networks/volumes/secrets/configs for a particular team into a “project”. Given this is primarily a visualisation / human aid, it shouldn’t be too hard to add. We do need to ensure that access control can be set at the project level and it automatically propagate through. From: Anthony Lapenna [mailto:[email protected]] Sent: Tuesday, 21 August 2018 3:13 AM To: portainer/portainer <[email protected]> Cc: Neil Cresswell <[email protected]>; Mention <[email protected]> Subject: Re: [portainer/portainer] Segregate logically Portainer resources using projects (#2190) Sounds like what UCP is doing with collections, thoughts @ncresswell<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ncresswell&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=A78sjh5vpYB9-pewAN-vDsbn5Ln8Z9P1bbVOULcDY3s&s=ts7BF1GZzWJQBG0ag_8JpPvVQmx8Z2dMebv8M5GAvNg&e=> ? We might go further than simply managing UAC with projects, we could also give the ability to remove all the resources associated to a project via the UI, for example. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_portainer_portainer_issues_2190-23issuecomment-2D414352353&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=A78sjh5vpYB9-pewAN-vDsbn5Ln8Z9P1bbVOULcDY3s&s=MYdTva9tQW4bmn0mwXelD3L07hHi-sRLCiLnAdkK4YA&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AWGrlWQRqCA14XrdInqhrCLqrh36oLP5ks5uStHjgaJpZM4WEMO1&d=DwMCaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=A78sjh5vpYB9-pewAN-vDsbn5Ln8Z9P1bbVOULcDY3s&s=WKCCNigy7b1Q5-QD6qTqLdpEqDmj-NRYfQAOL-740xo&e=>.

[deviantony]

Link to the resource pool issue: #1664