github.com/uppal0016/docker_new@v0.0.0-20240123060250-1c98be13ac2c/docs/extend/plugins_authorization.md (about) 1 <!--[metadata]> 2 +++ 3 title = "Access authorization plugin" 4 description = "How to create authorization plugins to manage access control to your Docker daemon." 5 keywords = ["security, authorization, authentication, docker, documentation, plugin, extend"] 6 aliases = ["/engine/extend/authorization/"] 7 [menu.main] 8 parent = "engine_extend" 9 weight = -1 10 +++ 11 <![end-metadata]--> 12 13 14 # Create an authorization plugin 15 16 Docker's out-of-the-box authorization model is all or nothing. Any user with 17 permission to access the Docker daemon can run any Docker client command. The 18 same is true for callers using Docker's remote API to contact the daemon. If you 19 require greater access control, you can create authorization plugins and add 20 them to your Docker daemon configuration. Using an authorization plugin, a 21 Docker administrator can configure granular access policies for managing access 22 to Docker daemon. 23 24 Anyone with the appropriate skills can develop an authorization plugin. These 25 skills, at their most basic, are knowledge of Docker, understanding of REST, and 26 sound programming knowledge. This document describes the architecture, state, 27 and methods information available to an authorization plugin developer. 28 29 ## Basic principles 30 31 Docker's [plugin infrastructure](plugin_api.md) enables 32 extending Docker by loading, removing and communicating with 33 third-party components using a generic API. The access authorization subsystem 34 was built using this mechanism. 35 36 Using this subsystem, you don't need to rebuild the Docker daemon to add an 37 authorization plugin. You can add a plugin to an installed Docker daemon. You do 38 need to restart the Docker daemon to add a new plugin. 39 40 An authorization plugin approves or denies requests to the Docker daemon based 41 on both the current authentication context and the command context. The 42 authentication context contains all user details and the authentication method. 43 The command context contains all the relevant request data. 44 45 Authorization plugins must follow the rules described in [Docker Plugin API](plugin_api.md). 46 Each plugin must reside within directories described under the 47 [Plugin discovery](plugin_api.md#plugin-discovery) section. 48 49 **Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication 50 respectively. 51 52 ## Default user authorization mechanism 53 54 If TLS is enabled in the [Docker daemon](https://docs.docker.com/engine/security/https/), the default user authorization flow extracts the user details from the certificate subject name. 55 That is, the `User` field is set to the client certificate subject common name, and the `AuthenticationMethod` field is set to `TLS`. 56 57 ## Basic architecture 58 59 You are responsible for registering your plugin as part of the Docker daemon 60 startup. You can install multiple plugins and chain them together. This chain 61 can be ordered. Each request to the daemon passes in order through the chain. 62 Only when all the plugins grant access to the resource, is the access granted. 63 64 When an HTTP request is made to the Docker daemon through the CLI or via the 65 remote API, the authentication subsystem passes the request to the installed 66 authentication plugin(s). The request contains the user (caller) and command 67 context. The plugin is responsible for deciding whether to allow or deny the 68 request. 69 70 The sequence diagrams below depict an allow and deny authorization flow: 71 72  73 74  75 76 Each request sent to the plugin includes the authenticated user, the HTTP 77 headers, and the request/response body. Only the user name and the 78 authentication method used are passed to the plugin. Most importantly, no user 79 credentials or tokens are passed. Finally, not all request/response bodies 80 are sent to the authorization plugin. Only those request/response bodies where 81 the `Content-Type` is either `text/*` or `application/json` are sent. 82 83 For commands that can potentially hijack the HTTP connection (`HTTP 84 Upgrade`), such as `exec`, the authorization plugin is only called for the 85 initial HTTP requests. Once the plugin approves the command, authorization is 86 not applied to the rest of the flow. Specifically, the streaming data is not 87 passed to the authorization plugins. For commands that return chunked HTTP 88 response, such as `logs` and `events`, only the HTTP request is sent to the 89 authorization plugins. 90 91 During request/response processing, some authorization flows might 92 need to do additional queries to the Docker daemon. To complete such flows, 93 plugins can call the daemon API similar to a regular user. To enable these 94 additional queries, the plugin must provide the means for an administrator to 95 configure proper authentication and security policies. 96 97 ## Docker client flows 98 99 To enable and configure the authorization plugin, the plugin developer must 100 support the Docker client interactions detailed in this section. 101 102 ### Setting up Docker daemon 103 104 Enable the authorization plugin with a dedicated command line flag in the 105 `--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` 106 value. This value can be the plugin’s socket or a path to a specification file. 107 108 ```bash 109 $ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,... 110 ``` 111 112 Docker's authorization subsystem supports multiple `--authorization-plugin` parameters. 113 114 ### Calling authorized command (allow) 115 116 ```bash 117 $ docker pull centos 118 ... 119 f1b10cd84249: Pull complete 120 ... 121 ``` 122 123 ### Calling unauthorized command (deny) 124 125 ```bash 126 $ docker pull centos 127 ... 128 docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed. 129 ``` 130 131 ### Error from plugins 132 133 ```bash 134 $ docker pull centos 135 ... 136 docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?. 137 ``` 138 139 ## API schema and implementation 140 141 In addition to Docker's standard plugin registration method, each plugin 142 should implement the following two methods: 143 144 * `/AuthzPlugin.AuthZReq` This authorize request method is called before the Docker daemon processes the client request. 145 146 * `/AuthzPlugin.AuthZRes` This authorize response method is called before the response is returned from Docker daemon to the client. 147 148 #### /AuthzPlugin.AuthZReq 149 150 **Request**: 151 152 ```json 153 { 154 "User": "The user identification", 155 "UserAuthNMethod": "The authentication method used", 156 "RequestMethod": "The HTTP method", 157 "RequestURI": "The HTTP request URI", 158 "RequestBody": "Byte array containing the raw HTTP request body", 159 "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string ", 160 "RequestStatusCode": "Request status code" 161 } 162 ``` 163 164 **Response**: 165 166 ```json 167 { 168 "Allow": "Determined whether the user is allowed or not", 169 "Msg": "The authorization message", 170 "Err": "The error message if things go wrong" 171 } 172 ``` 173 #### /AuthzPlugin.AuthZRes 174 175 **Request**: 176 177 ```json 178 { 179 "User": "The user identification", 180 "UserAuthNMethod": "The authentication method used", 181 "RequestMethod": "The HTTP method", 182 "RequestURI": "The HTTP request URI", 183 "RequestBody": "Byte array containing the raw HTTP request body", 184 "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string", 185 "RequestStatusCode": "Request status code", 186 "ResponseBody": "Byte array containing the raw HTTP response body", 187 "ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string", 188 "ResponseStatusCode":"Response status code" 189 } 190 ``` 191 192 **Response**: 193 194 ```json 195 { 196 "Allow": "Determined whether the user is allowed or not", 197 "Msg": "The authorization message", 198 "Err": "The error message if things go wrong", 199 "ModifiedBody": "Byte array containing a modified body of the raw HTTP body (or null if no changes required)", 200 "ModifiedHeader": "Byte array containing a modified header of the HTTP response (or null if no changes required)", 201 "ModifiedStatusCode": "int containing the modified version of the status code (or 0 if not change is required)" 202 } 203 ``` 204 205 The modified response enables the authorization plugin to manipulate the content 206 of the HTTP response. In case of more than one plugin, each subsequent plugin 207 receives a response (optionally) modified by a previous plugin. 208 209 ### Request authorization 210 211 Each plugin must support two request authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message. 212 213 #### Daemon -> Plugin 214 215 Name | Type | Description 216 -----------------------|-------------------|------------------------------------------------------- 217 User | string | The user identification 218 Authentication method | string | The authentication method used 219 Request method | enum | The HTTP method (GET/DELETE/POST) 220 Request URI | string | The HTTP request URI including API version (e.g., v.1.17/containers/json) 221 Request headers | map[string]string | Request headers as key value pairs (without the authorization header) 222 Request body | []byte | Raw request body 223 224 225 #### Plugin -> Daemon 226 227 Name | Type | Description 228 --------|--------|---------------------------------------------------------------------------------- 229 Allow | bool | Boolean value indicating whether the request is allowed or denied 230 Msg | string | Authorization message (will be returned to the client in case the access is denied) 231 Err | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information) 232 233 ### Response authorization 234 235 The plugin must support two authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message. 236 237 #### Daemon -> Plugin 238 239 240 Name | Type | Description 241 ----------------------- |------------------ |---------------------------------------------------- 242 User | string | The user identification 243 Authentication method | string | The authentication method used 244 Request method | string | The HTTP method (GET/DELETE/POST) 245 Request URI | string | The HTTP request URI including API version (e.g., v.1.17/containers/json) 246 Request headers | map[string]string | Request headers as key value pairs (without the authorization header) 247 Request body | []byte | Raw request body 248 Response status code | int | Status code from the docker daemon 249 Response headers | map[string]string | Response headers as key value pairs 250 Response body | []byte | Raw docker daemon response body 251 252 253 #### Plugin -> Daemon 254 255 Name | Type | Description 256 --------|--------|---------------------------------------------------------------------------------- 257 Allow | bool | Boolean value indicating whether the response is allowed or denied 258 Msg | string | Authorization message (will be returned to the client in case the access is denied) 259 Err | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information)