Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.

Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client. The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697]. This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674 (Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker. Signed-off-by: Liron Levin <liron@twistlock.com> Added container create flow test and extended the verification for ps
2015-11-12 13:06:47 +02:00 · 2015-11-12 13:06:47 +02:00 · ccdb366aa5
commit ccdb366aa5
parent cd655d8b48
6 changed files with 741 additions and 0 deletions
--- a/authorization/plugin.go
+++ b/authorization/plugin.go
@ -0,0 +1,87 @@
+package authorization
+
+import (
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/pkg/plugins"
+)
+
+// Plugin allows third party plugins to authorize requests and responses
+// in the context of docker API
+type Plugin interface {
+
+	// AuthZRequest authorize the request from the client to the daemon
+	AuthZRequest(authReq *Request) (authRes *Response, err error)
+
+	// AuthZResponse authorize the response from the daemon to the client
+	AuthZResponse(authReq *Request) (authRes *Response, err error)
+}
+
+// NewPlugins constructs and initialize the authorization plugins based on plugin names
+func NewPlugins(names []string) []Plugin {
+	plugins := make([]Plugin, len(names))
+	for i, name := range names {
+		plugins[i] = newAuthorizationPlugin(name)
+	}
+	return plugins
+}
+
+// authorizationPlugin is an internal adapter to docker plugin system
+type authorizationPlugin struct {
+	plugin *plugins.Plugin
+	name   string
+}
+
+func newAuthorizationPlugin(name string) Plugin {
+	return &authorizationPlugin{name: name}
+}
+
+func (a *authorizationPlugin) AuthZRequest(authReq *Request) (authRes *Response, err error) {
+
+	logrus.Debugf("AuthZ requset using plugins %s", a.name)
+
+	err = a.initPlugin()
+	if err != nil {
+		return nil, err
+	}
+
+	authRes = &Response{}
+	err = a.plugin.Client.Call(AuthZApiRequest, authReq, authRes)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return authRes, nil
+}
+
+func (a *authorizationPlugin) AuthZResponse(authReq *Request) (authRes *Response, err error) {
+
+	logrus.Debugf("AuthZ response using plugins %s", a.name)
+
+	err = a.initPlugin()
+	if err != nil {
+		return nil, err
+	}
+
+	authRes = &Response{}
+	err = a.plugin.Client.Call(AuthZApiResponse, authReq, authRes)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return authRes, nil
+}
+
+// initPlugin initialize the authorization plugin if needed
+func (a *authorizationPlugin) initPlugin() (err error) {
+
+	// Lazy loading of plugins
+	if a.plugin == nil {
+		a.plugin, err = plugins.Get(a.name, AuthZApiImplements)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}