q3k
/
docker-cli-openbsd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted. 

Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort:
https://github.com/docker/docker/issues/14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
master
Liron Levin 2015-11-12 13:06:47 +02:00 committed by Tibor Vass
parent 87f1223216
commit 67d3265c4b
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/extend/authorization.md
View File

@ -91,9 +91,10 @@ Message | string | Authorization message (will be returned to the client in case
### Setting up docker daemon
Authorization plugins are enabled with a dedicated command line argument. The argument contains a comma separated list of the plugin names, which should be the same as the plugins socket or spec file.
Authorization plugins are enabled with a dedicated command line argument. The argument contains the plugin name, which should be the same as the plugins socket or spec file.
Multiple authz-plugin parameters are supported.
```
$ docker -d authz-plugins=plugin1,plugin2,...
$ docker daemon --authz-plugins=plugin1 --auth-plugins=plugin2,...
```
### Calling authorized command (allow)