From c39dff3ecd5512cd8ab55318d58734ebf86650af Mon Sep 17 00:00:00 2001 From: Dima Stopel Date: Tue, 8 Dec 2015 14:54:33 +0200 Subject: [PATCH] Fixing documentation according to comments by @moxiegirl and @thaJeztah Signed-off-by: Dima Stopel --- authorization/api.md | 83 -------------------------------------------- 1 file changed, 83 deletions(-) delete mode 100644 authorization/api.md diff --git a/authorization/api.md b/authorization/api.md deleted file mode 100644 index 4cf16bc..0000000 --- a/authorization/api.md +++ /dev/null @@ -1,83 +0,0 @@ -# Docker Authorization Plug-in API - -## Introduction - -Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted. - -Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client. - -The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697]. - -This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674 - -(Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker. - -## Docker daemon configuration - -In order to add a single authentication plug-in or a set of such, please use the following command line argument: - -``` docker -d authz-plugin=authZPlugin1,authZPlugin2 ``` - -## API - -The skeleton code for a typical plug-in can be found here [ADD LINK]. The plug-in must implement two AP methods: - -1. */AuthzPlugin.AuthZReq* - this is the _authorize request_ method that is called before executing the Docker operation. -1. */AuthzPlugin.AuthZRes* - this is the _authorize response_ method that is called before returning the response to the client. - -#### /AuthzPlugin.AuthZReq - -**Request**: - -``` -{ - "User": "The user identification" - "UserAuthNMethod": "The authentication method used" - "RequestMethod": "The HTTP method" - "RequestUri": "The HTTP request URI" - "RequestBody": "Byte array containing the raw HTTP request body" - "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string " - "RequestStatusCode": "Request status code" -} -``` - -**Response**: - -``` -{ - "Allow" : "Determined whether the user is allowed or not" - "Msg": "The authorization message" -} -``` - -#### /AuthzPlugin.AuthZRes - -**Request**: -``` -{ - "User": "The user identification" - "UserAuthNMethod": "The authentication method used" - "RequestMethod": "The HTTP method" - "RequestUri": "The HTTP request URI" - "RequestBody": "Byte array containing the raw HTTP request body" - "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string" - "RequestStatusCode": "Request status code" - "ResponseBody": "Byte array containing the raw HTTP response body" - "ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string" - "ResponseStatusCode":"Response status code" -} -``` - -**Response**: -``` -{ - "Allow" : "Determined whether the user is allowed or not" - "Msg": "The authorization message" - "ModifiedBody": "Byte array containing a modified body of the raw HTTP body (or nil if no changes required)" - "ModifiedHeader": "Byte array containing a modified header of the HTTP response (or nil if no changes required)" - "ModifiedStatusCode": "int containing the modified version of the status code (or 0 if not change is required)" -} -``` - -The modified response enables the authorization plug-in to manipulate the content of the HTTP response. -In case of more than one plug-in, each subsequent plug-in will received a response (optionally) modified by a previous plug-in. \ No newline at end of file