Isolate volumes to a specific team

Estimated reading time: 3 minutes

This topic applies to Docker Enterprise.

The Docker Enterprise platform business, including products, customers, and employees, has been acquired by Mirantis, inc., effective 13-November-2019. For more information on the acquisition and how it may affect you and your business, refer to the Docker Enterprise Customer FAQ.

In this example, two teams are granted access to volumes in two different resource collections. UCP access control prevents the teams from viewing and accessing each other’s volumes, even though they may be located in the same nodes.

  1. Create two teams.
  2. Create two collections, one for either team.
  3. Create grants to manage access to the collections.
  4. Team members create volumes that are specific to their team.

Create two teams

Navigate to the Organizations & Teams page to create two teams in the “engineering” organization, named “Dev” and “Prod”. Add a user who’s not a UCP administrator to the Dev team, and add another non-admin user to the Prod team. Learn how to create and manage teams.

Create resource collections

In this example, the Dev and Prod teams use two different volumes, which they access through two corresponding resource collections. The collections are placed under the /Shared collection.

  1. In the left pane, click Collections to show all of the resource collections in the swarm.
  2. Find the /Shared collection and click View children.
  3. Click Create collection and name the new collection “dev-volumes”.
  4. Click Create to create the collection.
  5. Click Create collection again, name the new collection “prod-volumes”, and click Create.

Create grants for controlling access to the new volumes

In this example, the Dev team gets access to its volumes from a grant that associates the team with the /Shared/dev-volumes collection, and the Prod team gets access to its volumes from another grant that associates the team with the /Shared/prod-volumes collection.

  1. Navigate to the Grants page and click Create Grant.
  2. In the left pane, click Collections, and in the Swarm collection, click View Children.
  3. In the Shared collection, click View Children.
  4. In the list, find /Shared/dev-volumes and click Select Collection.
  5. Click Roles, and in the dropdown, select Restricted Control.
  6. Click Subjects, and under Select subject type, click Organizations. In the dropdown, pick the engineering organization, and in the Team dropdown, select Dev.
  7. Click Create to grant permissions to the Dev team.
  8. Click Create Grant and repeat the previous steps for the /Shared/prod-volumes collection and the Prod team.

With the collections and grants in place, users can sign in and create volumes in their assigned collections.

Create a volume as a team member

Team members have permission to create volumes in their assigned collection.

  1. Log in as one of the users on the Dev team.
  2. Navigate to the Volumes page to view all of the volumes in the swarm that the user can access.
  3. Click Create volume and name the new volume “dev-data”.
  4. In the left pane, click Collections. The default collection appears. At the top of the page, click Shared, find the dev-volumes collection in the list, and click Select Collection.
  5. Click Create to add the “dev-data” volume to the collection.
  6. Log in as one of the users on the Prod team, and repeat the previous steps to create a “prod-data” volume assigned to the /Shared/prod-volumes collection.

Now you can see role-based access control in action for volumes. The user on the Prod team can’t see the Dev team’s volumes, and if you log in again as a user on the Dev team, you won’t see the Prod team’s volumes.

Sign in with a UCP administrator account, and you see all of the volumes created by the Dev and Prod users.

Where to go next

ucp, grant, role, permission, authentication