github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/cli/docs/extend/plugins_authorization.md (about) 1 --- 2 description: "How to create authorization plugins to manage access control to your Docker daemon." 3 keywords: "security, authorization, authentication, docker, documentation, plugin, extend" 4 redirect_from: 5 - "/engine/extend/authorization/" 6 --- 7 8 <!-- This file is maintained within the docker/cli GitHub 9 repository at https://github.com/docker/cli/. Make all 10 pull requests against that repo. If you see this file in 11 another repository, consider it read-only there, as it will 12 periodically be overwritten by the definitive file. Pull 13 requests which include edits to this file in other repositories 14 will be rejected. 15 --> 16 17 # Access authorization plugin 18 19 This document describes the Docker Engine plugins generally available in Docker 20 Engine. To view information on plugins managed by Docker Engine, 21 refer to [Docker Engine plugin system](index.md). 22 23 Docker's out-of-the-box authorization model is all or nothing. Any user with 24 permission to access the Docker daemon can run any Docker client command. The 25 same is true for callers using Docker's Engine API to contact the daemon. If you 26 require greater access control, you can create authorization plugins and add 27 them to your Docker daemon configuration. Using an authorization plugin, a 28 Docker administrator can configure granular access policies for managing access 29 to the Docker daemon. 30 31 Anyone with the appropriate skills can develop an authorization plugin. These 32 skills, at their most basic, are knowledge of Docker, understanding of REST, and 33 sound programming knowledge. This document describes the architecture, state, 34 and methods information available to an authorization plugin developer. 35 36 ## Basic principles 37 38 Docker's [plugin infrastructure](plugin_api.md) enables 39 extending Docker by loading, removing and communicating with 40 third-party components using a generic API. The access authorization subsystem 41 was built using this mechanism. 42 43 Using this subsystem, you don't need to rebuild the Docker daemon to add an 44 authorization plugin. You can add a plugin to an installed Docker daemon. You do 45 need to restart the Docker daemon to add a new plugin. 46 47 An authorization plugin approves or denies requests to the Docker daemon based 48 on both the current authentication context and the command context. The 49 authentication context contains all user details and the authentication method. 50 The command context contains all the relevant request data. 51 52 Authorization plugins must follow the rules described in [Docker Plugin API](plugin_api.md). 53 Each plugin must reside within directories described under the 54 [Plugin discovery](plugin_api.md#plugin-discovery) section. 55 56 > **Note** 57 > 58 > The abbreviations `AuthZ` and `AuthN` mean authorization and authentication 59 > respectively. 60 61 ## Default user authorization mechanism 62 63 If TLS is enabled in the [Docker daemon](https://docs.docker.com/engine/security/https/), the default user authorization flow extracts the user details from the certificate subject name. 64 That is, the `User` field is set to the client certificate subject common name, and the `AuthenticationMethod` field is set to `TLS`. 65 66 ## Basic architecture 67 68 You are responsible for registering your plugin as part of the Docker daemon 69 startup. You can install multiple plugins and chain them together. This chain 70 can be ordered. Each request to the daemon passes in order through the chain. 71 Only when all the plugins grant access to the resource, is the access granted. 72 73 When an HTTP request is made to the Docker daemon through the CLI or via the 74 Engine API, the authentication subsystem passes the request to the installed 75 authentication plugin(s). The request contains the user (caller) and command 76 context. The plugin is responsible for deciding whether to allow or deny the 77 request. 78 79 The sequence diagrams below depict an allow and deny authorization flow: 80 81 ![Authorization Allow flow](images/authz_allow.png) 82 83 ![Authorization Deny flow](images/authz_deny.png) 84 85 Each request sent to the plugin includes the authenticated user, the HTTP 86 headers, and the request/response body. Only the user name and the 87 authentication method used are passed to the plugin. Most importantly, no user 88 credentials or tokens are passed. Finally, not all request/response bodies 89 are sent to the authorization plugin. Only those request/response bodies where 90 the `Content-Type` is either `text/*` or `application/json` are sent. 91 92 For commands that can potentially hijack the HTTP connection (`HTTP 93 Upgrade`), such as `exec`, the authorization plugin is only called for the 94 initial HTTP requests. Once the plugin approves the command, authorization is 95 not applied to the rest of the flow. Specifically, the streaming data is not 96 passed to the authorization plugins. For commands that return chunked HTTP 97 response, such as `logs` and `events`, only the HTTP request is sent to the 98 authorization plugins. 99 100 During request/response processing, some authorization flows might 101 need to do additional queries to the Docker daemon. To complete such flows, 102 plugins can call the daemon API similar to a regular user. To enable these 103 additional queries, the plugin must provide the means for an administrator to 104 configure proper authentication and security policies. 105 106 ## Docker client flows 107 108 To enable and configure the authorization plugin, the plugin developer must 109 support the Docker client interactions detailed in this section. 110 111 ### Setting up Docker daemon 112 113 Enable the authorization plugin with a dedicated command line flag in the 114 `--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` 115 value. This value can be the plugin’s socket or a path to a specification file. 116 Authorization plugins can be loaded without restarting the daemon. Refer 117 to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reload-behavior) for more information. 118 119 ```console 120 $ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,... 121 ``` 122 123 Docker's authorization subsystem supports multiple `--authorization-plugin` parameters. 124 125 ### Calling authorized command (allow) 126 127 ```console 128 $ docker pull centos 129 <...> 130 f1b10cd84249: Pull complete 131 <...> 132 ``` 133 134 ### Calling unauthorized command (deny) 135 136 ```console 137 $ docker pull centos 138 <...> 139 docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed. 140 ``` 141 142 ### Error from plugins 143 144 ```console 145 $ docker pull centos 146 <...> 147 docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?. 148 ``` 149 150 ## API schema and implementation 151 152 In addition to Docker's standard plugin registration method, each plugin 153 should implement the following two methods: 154 155 * `/AuthZPlugin.AuthZReq` This authorize request method is called before the Docker daemon processes the client request. 156 157 * `/AuthZPlugin.AuthZRes` This authorize response method is called before the response is returned from Docker daemon to the client. 158 159 #### /AuthZPlugin.AuthZReq 160 161 **Request**: 162 163 ```json 164 { 165 "User": "The user identification", 166 "UserAuthNMethod": "The authentication method used", 167 "RequestMethod": "The HTTP method", 168 "RequestURI": "The HTTP request URI", 169 "RequestBody": "Byte array containing the raw HTTP request body", 170 "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string " 171 } 172 ``` 173 174 **Response**: 175 176 ```json 177 { 178 "Allow": "Determined whether the user is allowed or not", 179 "Msg": "The authorization message", 180 "Err": "The error message if things go wrong" 181 } 182 ``` 183 184 #### /AuthZPlugin.AuthZRes 185 186 **Request**: 187 188 ```json 189 { 190 "User": "The user identification", 191 "UserAuthNMethod": "The authentication method used", 192 "RequestMethod": "The HTTP method", 193 "RequestURI": "The HTTP request URI", 194 "RequestBody": "Byte array containing the raw HTTP request body", 195 "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string", 196 "ResponseBody": "Byte array containing the raw HTTP response body", 197 "ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string", 198 "ResponseStatusCode":"Response status code" 199 } 200 ``` 201 202 **Response**: 203 204 ```json 205 { 206 "Allow": "Determined whether the user is allowed or not", 207 "Msg": "The authorization message", 208 "Err": "The error message if things go wrong" 209 } 210 ``` 211 212 ### Request authorization 213 214 Each plugin must support two request authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message. 215 216 #### Daemon -> Plugin 217 218 Name | Type | Description 219 -----------------------|-------------------|------------------------------------------------------- 220 User | string | The user identification 221 Authentication method | string | The authentication method used 222 Request method | enum | The HTTP method (GET/DELETE/POST) 223 Request URI | string | The HTTP request URI including API version (e.g., v.1.17/containers/json) 224 Request headers | map[string]string | Request headers as key value pairs (without the authorization header) 225 Request body | []byte | Raw request body 226 227 228 #### Plugin -> Daemon 229 230 Name | Type | Description 231 --------|--------|---------------------------------------------------------------------------------- 232 Allow | bool | Boolean value indicating whether the request is allowed or denied 233 Msg | string | Authorization message (will be returned to the client in case the access is denied) 234 Err | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information) 235 236 ### Response authorization 237 238 The plugin must support two authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message. 239 240 #### Daemon -> Plugin 241 242 243 Name | Type | Description 244 ----------------------- |------------------ |---------------------------------------------------- 245 User | string | The user identification 246 Authentication method | string | The authentication method used 247 Request method | string | The HTTP method (GET/DELETE/POST) 248 Request URI | string | The HTTP request URI including API version (e.g., v.1.17/containers/json) 249 Request headers | map[string]string | Request headers as key value pairs (without the authorization header) 250 Request body | []byte | Raw request body 251 Response status code | int | Status code from the docker daemon 252 Response headers | map[string]string | Response headers as key value pairs 253 Response body | []byte | Raw docker daemon response body 254 255 256 #### Plugin -> Daemon 257 258 Name | Type | Description 259 --------|--------|---------------------------------------------------------------------------------- 260 Allow | bool | Boolean value indicating whether the response is allowed or denied 261 Msg | string | Authorization message (will be returned to the client in case the access is denied) 262 Err | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information)