Your plugin must support calling the `deny` command to report on the outcome of a plugin interaction. This call returns messages to Docker's command line informing the user of the outcome of each call.
```
$ docker pull centos
…
Authorization failed. Pull command for user 'john_doe' is denied by authorization plugin 'ACME' with message ‘[ACME] User 'john_doe' is not allowed to perform the pull command’
```
Where multiple authorization plugins are installed, multiple messages are expected.
## API schema and implementation
Sample code for a typical plugin can be found here [ADD LINK]. In addition to Docker's standard plugin registration method, each plugin should implement the following two methods:
* `/AuthzPlugin.AuthZReq` This authorize request method is called before the Docker daemon processes the client request.
* `/AuthzPlugin.AuthZRes` This authorize response method is called before the response is returned from Docker daemon to the client.
#### /AuthzPlugin.AuthZReq
**Request**:
```
{
"User": "The user identification",
"UserAuthNMethod": "The authentication method used",
"RequestMethod": "The HTTP method",
"RequestUri": "The HTTP request URI",
"RequestBody": "Byte array containing the raw HTTP request body",
"RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string",
"RequestStatusCode": "Request status code"
}
```
**Response**:
```
{
"Allow": "Determined whether the user is allowed or not",
"Msg": "The authorization message"
}
```
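A minimal handler for the `/AuthzPlugin.AuthZReq` message described above, as an added example that is not Docker's or this page's own code. The Go field types (`Allow` as a boolean, byte arrays carried as base64 strings), the read-only policy for `john_doe`, and the listening address are assumptions; the handler denies anything it cannot parse or attribute to a user.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// AuthZRequest holds the documented AuthZReq fields this policy reads (Go types are assumed).
type AuthZRequest struct {
	User, UserAuthNMethod, RequestMethod, RequestUri string
	RequestBody []byte // encoding/json decodes a base64 string into []byte
}

// AuthZResponse mirrors the documented response; Allow is assumed to be a boolean.
type AuthZResponse struct {
	Allow bool
	Msg   string
}

// readOnlyUsers is a hypothetical policy: these users may only issue GET requests.
var readOnlyUsers = map[string]bool{"john_doe": true}

// authorize parses the daemon's message and fails closed on bad or anonymous input.
func authorize(raw []byte) AuthZResponse {
	var req AuthZRequest
	if err := json.Unmarshal(raw, &req); err != nil || req.User == "" {
		return AuthZResponse{Msg: "[ACME] malformed or unauthenticated request"}
	}
	if readOnlyUsers[req.User] && req.RequestMethod != http.MethodGet {
		return AuthZResponse{Msg: fmt.Sprintf("[ACME] User '%s' is not allowed to perform %s %s", req.User, req.RequestMethod, req.RequestUri)}
	}
	return AuthZResponse{Allow: true, Msg: "[ACME] allowed"}
}

// handleAuthZReq caps the body size and treats an unreadable or oversized body as a deny.
func handleAuthZReq(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		raw = nil // authorize(nil) cannot parse this and returns Allow=false
	}
	json.NewEncoder(w).Encode(authorize(raw))
}

func main() {
	http.HandleFunc("/AuthzPlugin.AuthZReq", handleAuthZReq)
	http.ListenAndServe("127.0.0.1:8080", nil) // placeholder address; plugin registration is not shown
}
```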
#### /AuthzPlugin.AuthZRes
**Request**:
```
{
"User": "The user identification",
"UserAuthNMethod": "The authentication method used",
"RequestMethod": "The HTTP method",
"RequestUri": "The HTTP request URI",
"RequestBody": "Byte array containing the raw HTTP request body",
"RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string",
"RequestStatusCode": "Request status code",
"ResponseBody": "Byte array containing the raw HTTP response body",
"ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string",
"ResponseStatusCode": "Response status code"
}
```
**Response**:
```
{
"Allow": "Determined whether the user is allowed or not",
"Msg": "The authorization message",
"ModifiedBody": "Byte array containing a modified body of the raw HTTP body (or nil if no changes required)",
"ModifiedHeader": "Byte array containing a modified header of the HTTP response (or nil if no changes required)",
"ModifiedStatusCode": "int containing the modified version of the status code (or 0 if no change is required)"
}
```
The modified response enables the authorization plugin to manipulate the content
of the HTTP response. In case of more than one plugin, each subsequent plugin
receives a response (optionally) modified by a previous plugin.
### Request authorization
Each plugin must support two request authorization message formats: one from the daemon to the plugin, and one from the plugin to the daemon. The tables below detail the content expected in each message.