vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity
pkg/authorization/plugin.go
Liron Levin ccdb366aa5 Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted. 
Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort:
https://github.com/docker/docker/issues/14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
2015-12-08 17:34:15 +02:00

87 lines
2 KiB
Go
Raw Blame History

package authorization
import (
"github.com/Sirupsen/logrus"
"github.com/docker/docker/pkg/plugins"
)
// Plugin allows third party plugins to authorize requests and responses
// in the context of docker API
type Plugin interface {
// AuthZRequest authorize the request from the client to the daemon
AuthZRequest(authReq *Request) (authRes *Response, err error)
// AuthZResponse authorize the response from the daemon to the client
AuthZResponse(authReq *Request) (authRes *Response, err error)
}
// NewPlugins constructs and initialize the authorization plugins based on plugin names
func NewPlugins(names []string) []Plugin {
plugins := make([]Plugin, len(names))
for i, name := range names {
plugins[i] = newAuthorizationPlugin(name)
}
return plugins
}
// authorizationPlugin is an internal adapter to docker plugin system
type authorizationPlugin struct {
plugin *plugins.Plugin
name string
}
func newAuthorizationPlugin(name string) Plugin {
return &authorizationPlugin{name: name}
}
func (a *authorizationPlugin) AuthZRequest(authReq *Request) (authRes *Response, err error) {
logrus.Debugf("AuthZ requset using plugins %s", a.name)
err = a.initPlugin()
if err != nil {
return nil, err
}
authRes = &Response{}
err = a.plugin.Client.Call(AuthZApiRequest, authReq, authRes)
if err != nil {
return nil, err
}
return authRes, nil
}
func (a *authorizationPlugin) AuthZResponse(authReq *Request) (authRes *Response, err error) {
logrus.Debugf("AuthZ response using plugins %s", a.name)
err = a.initPlugin()
if err != nil {
return nil, err
}
authRes = &Response{}
err = a.plugin.Client.Call(AuthZApiResponse, authReq, authRes)
if err != nil {
return nil, err
}
return authRes, nil
}
// initPlugin initialize the authorization plugin if needed
func (a *authorizationPlugin) initPlugin() (err error) {
// Lazy loading of plugins
if a.plugin == nil {
a.plugin, err = plugins.Get(a.name, AuthZApiImplements)
if err != nil {
return err
}
}
return nil
}
View git blame Copy permalink