From 67d3265c4bd6413434cff3614b0f5339e3b05024 Mon Sep 17 00:00:00 2001
From: Liron Levin
Date: Thu, 12 Nov 2015 13:06:47 +0200
Subject: [PATCH] Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization.

The infrastructure enables registering a set of external authorization plug-ins. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only if all plug-ins allow access to the resource is access granted.

Each plug-in operates as a separate service and registers with Docker through the general plug-ins API [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in.

Each plug-in is notified twice for each operation: 1) before the operation is performed and 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client.

The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674

[Here](https://github.com/rhatdan/docker-rbac) you can find an open document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin

Added container create flow test and extended the verification for ps
---
 docs/extend/authorization.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/extend/authorization.md b/docs/extend/authorization.md
index 2f722e6fa2..7b599b28c7 100644
--- a/docs/extend/authorization.md
+++ b/docs/extend/authorization.md
@@ -91,9 +91,10 @@ Message | string | Authorization message (will be returned to the client in case ### Setting up docker daemon -Authorization plugins are enabled with a dedicated command line argument. The argument contains a comma separated list of the plugin names, which should be the same as the plugin’s socket or spec file. +Authorization plugins are enabled with a dedicated command line argument. The argument contains the plugin name, which should be the same as the plugin’s socket or spec file. +Multiple authz-plugin parameters are supported. ``` -$ docker -d authz-plugins=plugin1,plugin2,... +$ docker daemon --authz-plugins=plugin1 --auth-plugins=plugin2,... ``` ### Calling authorized command (allow)
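Review bot: The new example command line contradicts the prose added just above it and is internally inconsistent. The added sentence says each argument "contains the plugin name" (singular) and that "Multiple authz-plugin parameters are supported", yet the example still ends with a comma list (`plugin2,...`), and the two occurrences of the flag are spelled differently (`--authz-plugins=plugin1 --auth-plugins=plugin2,...`). Since the commit message states that access is granted only when every registered plug-in allows it, an operator who copies a mistyped flag name or the comma form from the docs risks running the daemon with fewer plug-ins enforcing than intended, so the example should be exact. Suggest `$ docker daemon --authz-plugins=plugin1 --authz-plugins=plugin2 ...` (repeating the same flag once per plug-in, no comma list) and aligning the prose wording with the actual flag name (`authz-plugins`). A short sentence stating what happens when one plug-in named here is not reachable at startup would also help readers of this section.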