vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

Fixing documentation according to comments by @moxiegirl and @thaJeztah

Browse source 
Signed-off-by: Dima Stopel <dima@twistlock.com>
This commit is contained in:
Dima Stopel 2015-12-08 14:54:33 +02:00 committed by Liron Levin
parent ccdb366aa5
commit c39dff3ecd
1 changed files with 0 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
authorization/api.md
View file

@ -1,83 +0,0 @@
# Docker Authorization Plug-in API
## Introduction
Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.
Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client.
The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697].
This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674
(Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker.
## Docker daemon configuration
In order to add a single authentication plug-in or a set of such, please use the following command line argument:
``` docker -d authz-plugin=authZPlugin1,authZPlugin2 ```
## API
The skeleton code for a typical plug-in can be found here [ADD LINK]. The plug-in must implement two AP methods:
1. */AuthzPlugin.AuthZReq* - this is the _authorize request_ method that is called before executing the Docker operation.
1. */AuthzPlugin.AuthZRes* - this is the _authorize response_ method that is called before returning the response to the client.
#### /AuthzPlugin.AuthZReq
**Request**:
```
{
"User": "The user identification"
"UserAuthNMethod": "The authentication method used"
"RequestMethod": "The HTTP method"
"RequestUri": "The HTTP request URI"
"RequestBody": "Byte array containing the raw HTTP request body"
"RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string "
"RequestStatusCode": "Request status code"
}
```
**Response**:
```
{
"Allow" : "Determined whether the user is allowed or not"
"Msg": "The authorization message"
}
```
#### /AuthzPlugin.AuthZRes
**Request**:
```
{
"User": "The user identification"
"UserAuthNMethod": "The authentication method used"
"RequestMethod": "The HTTP method"
"RequestUri": "The HTTP request URI"
"RequestBody": "Byte array containing the raw HTTP request body"
"RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string"
"RequestStatusCode": "Request status code"
"ResponseBody": "Byte array containing the raw HTTP response body"
"ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string"
"ResponseStatusCode":"Response status code"
}
```
**Response**:
```
{
"Allow" : "Determined whether the user is allowed or not"
"Msg": "The authorization message"
"ModifiedBody": "Byte array containing a modified body of the raw HTTP body (or nil if no changes required)"
"ModifiedHeader": "Byte array containing a modified header of the HTTP response (or nil if no changes required)"
"ModifiedStatusCode": "int containing the modified version of the status code (or 0 if not change is required)"
}
```
The modified response enables the authorization plug-in to manipulate the content of the HTTP response.
In case of more than one plug-in, each subsequent plug-in will received a response (optionally) modified by a previous plug-in.