Basic extendable Docker [authorization plugin](https://github.com/docker/docker/blob/master/docs/extend/authorization.md) that runs on bare-metal or inside a container. The framework depends on docker authentication plugin support (moby/moby#18514). Provided by [Twistlock](https://www.twistlock.com).
The authorization broker ships with a reference implementation of a basic authorization mechanism, which consists of a simple evaluation of per-user policies. In the basic authorization flow, the plugin's behavior is determined entirely by the policy object:
```go
// BasicPolicy represents a single policy object that is evaluated in the authorization flow.
// Each policy object consists of multiple users and Docker actions, where each user belongs to a single policy.
//
// The policies are evaluated according to the following flow:
//   For each policy object:
//     If the user belongs to the policy:
//       If the requested action is in the policy, allow; otherwise deny.
//   If no appropriate policy is found, return deny.
//
// Remark: in the basic flow, each user must have a unique policy.
// If a user appears in more than one policy, the results may be inconsistent.
type BasicPolicy struct {
	Actions  []string `json:"actions"`  // Actions are the Docker actions (mapped to authz terminology) that are allowed according to this policy.
	                                    // Actions are specified as regular expressions.
	Users    []string `json:"users"`    // Users are the users to which this policy applies.
	Name     string   `json:"name"`     // Name is the policy name.
	Readonly bool     `json:"readonly"` // Readonly indicates this policy only allows GET commands.
}
```
In the basic authorization flow, all policies reside in a single policy file at /var/lib/twistlock/policy.json. The file is continuously monitored, so no restart is required after changes.

The file format is one policy JSON object per line. There should be no enclosing list or map, just one object per line.
The conversion of a [Docker remote API](https://docs.docker.com/engine/reference/api/docker_remote_api_v1.21/) request (the URI and method that the Docker daemon passes to the AuthZ plugin) into the internal action parameters is defined by the [route parser](https://github.com/twistlock/authz/blob/master/core/route_parser.go).
Below are some examples of basic policy scenarios:

- Alice can run all Docker commands:

  ```json
  {"name":"policy_1","users":["alice"],"actions":["*"]}
  ```

- All users can run all Docker commands:

  ```json
  {"name":"policy_2","users":["*"],"actions":["*"]}
  ```

- Alice and Bob can create new containers:

  ```json
  {"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}
  ```

- A service account can read logs and run container top:

  ```json
  {"name":"policy_4","users":["service_account"],"actions":["container_logs","container_top"]}
  ```

- Alice can perform anything on containers:

  ```json
  {"name":"policy_5","users":["alice"],"actions":["container"]}
  ```

- Alice can only perform GET operations on containers:

  ```json
  {"name":"policy_6","users":["alice"],"actions":["container"],"readonly":true}
  ```
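The flow described above, implemented end to end over the one-object-per-line policy file, as an added example that is not the project's own code: it parses a constructed policy file, applies the first policy that names the user, enforces `readonly` by HTTP method, and denies when no policy applies. Two assumptions are labelled in the code: `"*"` in `users` or `actions` is treated as a match-everything wildcard (as the examples above imply), and other actions are compiled as Go regular expressions and matched unanchored, so the pattern `container` also covers `container_create`. Action names are assumed to arrive already mapped by the route parser; the policy names and users are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// BasicPolicy mirrors the policy object documented above.
type BasicPolicy struct {
	Actions  []string `json:"actions"`
	Users    []string `json:"users"`
	Name     string   `json:"name"`
	Readonly bool     `json:"readonly"`
}

// Decision is the outcome of evaluating one request; Policy is empty when none applied.
type Decision struct {
	Allow          bool
	Policy, Reason string
}

// ParsePolicies reads the one-JSON-object-per-line format, skipping blank lines and
// rejecting any action pattern that is not a valid regular expression ("*" excepted),
// so a bad policy file fails at load time rather than at request time.
func ParsePolicies(text string) ([]BasicPolicy, error) {
	var out []BasicPolicy
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var p BasicPolicy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("policy file line %d: %w", n+1, err)
		}
		for _, a := range p.Actions {
			if _, err := regexp.Compile(a); a != "*" && err != nil {
				return nil, fmt.Errorf("policy %q: bad action pattern %q: %w", p.Name, a, err)
			}
		}
		out = append(out, p)
	}
	return out, nil
}

// hasUser reports whether the policy names the user; "*" is assumed to mean every user.
func hasUser(p BasicPolicy, user string) bool {
	for _, u := range p.Users {
		if u == "*" || u == user {
			return true
		}
	}
	return false
}

// allowsAction treats "*" as every action (assumed, as the examples imply) and matches the
// other patterns unanchored, so "container" also covers "container_create".
func allowsAction(p BasicPolicy, action string) bool {
	for _, a := range p.Actions {
		if ok, _ := regexp.MatchString(a, action); a == "*" || ok {
			return true
		}
	}
	return false
}

// Authorize applies the documented flow: the first policy containing the user decides,
// a read-only policy permits only GET requests, and no applicable policy means deny.
func Authorize(policies []BasicPolicy, user, method, action string) Decision {
	for _, p := range policies {
		if !hasUser(p, user) {
			continue
		}
		if !allowsAction(p, action) {
			return Decision{false, p.Name, "action not permitted by policy"}
		}
		if p.Readonly && method != "GET" {
			return Decision{false, p.Name, "read-only policy, only GET is allowed"}
		}
		return Decision{true, p.Name, "allowed"}
	}
	return Decision{false, "", "no policy applies to user"}
}

// samplePolicyFile is a constructed policy file in the format described above.
const samplePolicyFile = `{"name":"ops_ro","users":["alice"],"actions":["container"],"readonly":true}
{"name":"builders","users":["bob"],"actions":["container_create"]}
{"name":"monitoring","users":["service_account"],"actions":["container_logs","container_top"]}
`

func main() {
	policies, err := ParsePolicies(samplePolicyFile)
	if err != nil {
		panic(err)
	}
	for _, c := range [][3]string{{"alice", "GET", "container_top"}, {"alice", "POST", "container_create"},
		{"bob", "POST", "container_create"}, {"service_account", "POST", "container_create"}, {"carol", "GET", "container_logs"}} {
		fmt.Printf("%-16s %-4s %-17s %+v\n", c[0], c[1], c[2], Authorize(policies, c[0], c[1], c[2]))
	}
}
```

Because only the first policy naming a user is ever consulted, a user listed in two policies gets whatever the earlier line says, which is the inconsistency the remark in the struct comment warns about; a load-time check for users shared between policies is a cheap addition.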
The authorization plugin can run as a container application or as a host service.

Run as a container:

- Install the containerized version of the Twistlock authorization plugin:

  ```sh
  $ docker run -d --restart=always -v /var/lib/twistlock/policy.json:/var/lib/twistlock/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz
  ```

- Update the Docker daemon to run with authorization enabled. For example, if Docker is installed as a systemd service:

  ```sh
  $ sudo systemctl edit --full docker.service
  ```

- Add the authz-plugin parameter to the ExecStart line:

  ```
  ExecStart=/usr/bin/docker daemon -H fd:// --authz-plugin=twistlock
  ```

Run as a host service:

- Download the Twistlock authz binary (todo:link)
- Install Twistlock as a service:

  ```sh
  $ wget xxx | sudo sh
  ```

- Update the Docker daemon to run with authorization enabled. For example, if Docker is installed as a systemd service:

  ```sh
  $ sudo systemctl edit --full docker.service
  ```

- Add the authz-plugin parameter to the ExecStart line:

  ```
  ExecStart=/usr/bin/docker daemon -H fd:// --authz-plugin=twistlock
  ```

Build from source:

- Restore the Go dependencies:

  ```sh
  $ godep restore
  ```

- Build the binary and image:

  ```sh
  $ make all
  ```
The framework consists of two extensibility interfaces: the Authorizer, which handles the authorization flow, and the Auditor, which audits the request and response in the authorization flow.

```go
// Authorizer handles the authorization of Docker requests and responses.
type Authorizer interface {
	Init() error                                                 // Init initializes the handler.
	AuthZReq(req *authorization.Request) *authorization.Response // AuthZReq handles the request from the Docker client to the Docker daemon.
	AuthZRes(req *authorization.Request) *authorization.Response // AuthZRes handles the response from the Docker daemon to the Docker client.
}

// Auditor audits the requests and responses sent to and from the Docker daemon.
type Auditor interface {
	// AuditRequest audits the request sent from the Docker client and the associated authorization response.
	// Docker client -> authorization -> audit -> Docker daemon
	AuditRequest(req *authorization.Request, pluginRes *authorization.Response)
	// AuditResponse audits the response sent from the Docker daemon and the associated authorization response.
	// Docker daemon -> authorization -> audit -> Docker client
	AuditResponse(req *authorization.Request, pluginRes *authorization.Response)
}
```
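The two interfaces wired together in the order the comments above describe, as an added example that is not the project's code: a hypothetical read-only `Authorizer` that lets every user issue GET requests and only listed admins change state, a JSON-lines `Auditor` that records each decision beside the request it belongs to, and a small broker that calls them in sequence and forwards to the daemon only when the request was allowed. The `Request` and `Response` types here are local stand-ins (an assumption of the example) for the fields of `github.com/docker/docker/pkg/authorization` that the interfaces use; a real plugin imports that package. The request URIs and users are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"time"
)

// Request and Response are local stand-ins (an assumption of this example) for the fields of
// github.com/docker/docker/pkg/authorization used below; a real plugin imports that package.
type Request struct {
	User, RequestMethod, RequestURI string
	ResponseStatusCode              int
}

type Response struct {
	Allow bool
	Msg   string
}

// Authorizer and Auditor restate the README's two interfaces over the stand-in types.
type Authorizer interface {
	Init() error
	AuthZReq(req *Request) *Response
	AuthZRes(req *Request) *Response
}

type Auditor interface {
	AuditRequest(req *Request, pluginRes *Response)
	AuditResponse(req *Request, pluginRes *Response)
}

// readOnlyAuthorizer is a hypothetical Authorizer: any user may issue GET requests,
// only listed admins may change state, and daemon responses are never blocked.
type readOnlyAuthorizer struct{ admins map[string]bool }

func (a *readOnlyAuthorizer) Init() error                     { return nil }
func (a *readOnlyAuthorizer) AuthZRes(req *Request) *Response { return &Response{Allow: true} }

func (a *readOnlyAuthorizer) AuthZReq(req *Request) *Response {
	if req.RequestMethod == "GET" || a.admins[req.User] {
		return &Response{Allow: true}
	}
	return &Response{Allow: false, Msg: fmt.Sprintf("user %q may only read", req.User)}
}

// AuditRecord is one JSON line per audited phase; keeping the decision beside the request
// lets a log pipeline answer "which requests were denied, for whom" without correlation.
type AuditRecord struct {
	Time   time.Time `json:"time"`
	Phase  string    `json:"phase"` // "request" or "response"
	User   string    `json:"user"`
	Method string    `json:"method"`
	URI    string    `json:"uri"`
	Status int       `json:"status,omitempty"` // daemon HTTP status, response phase only
	Allow  bool      `json:"allow"`
	Msg    string    `json:"msg,omitempty"`
}

// jsonAuditor writes records to w and keeps them in memory so callers can inspect them.
type jsonAuditor struct {
	w       io.Writer
	Records []AuditRecord
}

func (j *jsonAuditor) log(phase string, req *Request, res *Response) {
	rec := AuditRecord{time.Now().UTC(), phase, req.User, req.RequestMethod, req.RequestURI,
		req.ResponseStatusCode, res.Allow, res.Msg}
	j.Records = append(j.Records, rec)
	_ = json.NewEncoder(j.w).Encode(rec)
}

func (j *jsonAuditor) AuditRequest(req *Request, res *Response)  { j.log("request", req, res) }
func (j *jsonAuditor) AuditResponse(req *Request, res *Response) { j.log("response", req, res) }

// Broker runs the sequence from the interface comments:
// client -> AuthZReq -> AuditRequest -> daemon -> AuthZRes -> AuditResponse -> client.
type Broker struct {
	authz  Authorizer
	audit  Auditor
	daemon func(*Request) int // stand-in for forwarding to the Docker daemon; returns the HTTP status
}

// Handle reports the final decision and whether the daemon was reached at all.
func (b *Broker) Handle(req *Request) (allowed, reachedDaemon bool) {
	res := b.authz.AuthZReq(req)
	b.audit.AuditRequest(req, res)
	if !res.Allow {
		return false, false // denied requests never reach the daemon
	}
	req.ResponseStatusCode = b.daemon(req)
	res = b.authz.AuthZRes(req)
	b.audit.AuditResponse(req, res)
	return res.Allow, true
}

func main() {
	b := &Broker{authz: &readOnlyAuthorizer{admins: map[string]bool{"alice": true}},
		audit: &jsonAuditor{w: os.Stdout}, daemon: func(*Request) int { return 200 }}
	b.Handle(&Request{User: "bob", RequestMethod: "POST", RequestURI: "/v1.21/containers/create"})
	b.Handle(&Request{User: "alice", RequestMethod: "POST", RequestURI: "/v1.21/containers/create"})
}
```

The audit call sits after the authorization decision on both paths so that denials are recorded with the reason the authorizer gave; an auditor placed before `AuthZReq` would have to guess the outcome.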
Twistlock authorization plugin is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.