Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.

Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client. The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697]. This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674 (Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker. Signed-off-by: Liron Levin <liron@twistlock.com> Added container create flow test and extended the verification for ps Upstream-commit: 75c353f0ad73bd83ed18e92857dd99a103bb47e3 Component: engine
2015-11-12 13:06:47 +02:00
parent db09b58def
commit 2491643ccf
13 changed files with 1023 additions and 12 deletions
--- a/components/engine/api/server/server.go
+++ b/components/engine/api/server/server.go
@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/api/server/router/system"
 	"github.com/docker/docker/api/server/router/volume"
 	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/pkg/authorization"
 	"github.com/docker/docker/pkg/sockets"
 	"github.com/docker/docker/utils"
 	"github.com/gorilla/mux"
@ -28,13 +29,14 @@ const versionMatcher = "/v{version:[0-9.]+}"

 // Config provides the configuration for the API server
 type Config struct {
-	Logging     bool
-	EnableCors  bool
-	CorsHeaders string
-	Version     string
-	SocketGroup string
-	TLSConfig   *tls.Config
-	Addrs       []Addr
+	Logging          bool
+	EnableCors       bool
+	CorsHeaders      string
+	AuthZPluginNames []string
+	Version          string
+	SocketGroup      string
+	TLSConfig        *tls.Config
+	Addrs            []Addr
 }

 // Server contains instance details for the server
@ -42,6 +44,7 @@ type Server struct {
 	cfg     *Config
 	servers []*HTTPServer
 	routers []router.Router
+	authZPlugins []authorization.Plugin
 }

 // Addr contains string representation of address and its protocol (tcp, unix...).