Permalink
Browse files

Docker authorization plug-in infrastructure enables extending the fun…

…ctionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.

Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [#13697].

This is the official issue of the authorization effort:
#14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
  • Loading branch information...
liron-l committed Nov 12, 2015
1 parent 630f695 commit 75c353f0ad73bd83ed18e92857dd99a103bb47e3
View
@@ -13,6 +13,7 @@ import (
"github.com/docker/docker/api/server/httputils"
"github.com/docker/docker/dockerversion"
"github.com/docker/docker/errors"
"github.com/docker/docker/pkg/authorization"
"github.com/docker/docker/pkg/version"
"golang.org/x/net/context"
)
@@ -47,6 +48,35 @@ func debugRequestMiddleware(handler httputils.APIFunc) httputils.APIFunc {
}
}
// authorizationMiddleware perform authorization on the request.
func (s *Server) authorizationMiddleware(handler httputils.APIFunc) httputils.APIFunc {
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
// User and UserAuthNMethod are taken from AuthN plugins
// Currently tracked in https://github.com/docker/docker/pull/13994
user := ""
userAuthNMethod := ""
authCtx := authorization.NewCtx(s.authZPlugins, user, userAuthNMethod, r.Method, r.RequestURI)
if err := authCtx.AuthZRequest(w, r); err != nil {
logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
return err
}
rw := authorization.NewResponseModifier(w)
if err := handler(ctx, rw, r, vars); err != nil {
logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, err)
return err
}
if err := authCtx.AuthZResponse(rw, r); err != nil {
logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
return err
}
return nil
}
}
// userAgentMiddleware checks the User-Agent header looking for a valid docker client spec.
func (s *Server) userAgentMiddleware(handler httputils.APIFunc) httputils.APIFunc {
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
@@ -133,6 +163,11 @@ func (s *Server) handleWithGlobalMiddlewares(handler httputils.APIFunc) httputil
middlewares = append(middlewares, debugRequestMiddleware)
}
if len(s.cfg.AuthZPluginNames) > 0 {
s.authZPlugins = authorization.NewPlugins(s.cfg.AuthZPluginNames)
middlewares = append(middlewares, s.authorizationMiddleware)
}
h := handler
for _, m := range middlewares {
h = m(h)
View
@@ -16,6 +16,7 @@ import (
"github.com/docker/docker/api/server/router/system"
"github.com/docker/docker/api/server/router/volume"
"github.com/docker/docker/daemon"
"github.com/docker/docker/pkg/authorization"
"github.com/docker/docker/pkg/sockets"
"github.com/docker/docker/utils"
"github.com/gorilla/mux"
@@ -28,20 +29,22 @@ const versionMatcher = "/v{version:[0-9.]+}"
// Config provides the configuration for the API server
type Config struct {
Logging bool
EnableCors bool
CorsHeaders string
Version string
SocketGroup string
TLSConfig *tls.Config
Addrs []Addr
Logging bool
EnableCors bool
CorsHeaders string
AuthZPluginNames []string
Version string
SocketGroup string
TLSConfig *tls.Config
Addrs []Addr
}
// Server contains instance details for the server
type Server struct {
cfg *Config
servers []*HTTPServer
routers []router.Router
authZPlugins []authorization.Plugin
}
// Addr contains string representation of address and its protocol (tcp, unix...).
View
@@ -14,6 +14,7 @@ const (
// CommonConfig defines the configuration of a docker daemon which are
// common across platforms.
type CommonConfig struct {
AuthZPlugins []string // AuthZPlugins holds list of authorization plugins
AutoRestart bool
Bridge bridgeConfig // Bridge holds bridge network specific configuration.
Context map[string][]string
@@ -54,6 +55,7 @@ type CommonConfig struct {
// from the command-line.
func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) {
cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options"))
cmd.Var(opts.NewListOptsRef(&config.AuthZPlugins, nil), []string{"-authz-plugins"}, usageFn("List of authorization plugins by order of evaluation"))
cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options"))
cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file"))
cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime"))
View
@@ -177,8 +177,9 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
}
serverConfig := &apiserver.Config{
Logging: true,
Version: dockerversion.Version,
AuthZPluginNames: cli.Config.AuthZPlugins,
Logging: true,
Version: dockerversion.Version,
}
serverConfig = setPlatformServerConfig(serverConfig, cli.Config)
@@ -91,9 +91,10 @@ Message | string | Authorization message (will be returned to the client in case
### Setting up docker daemon
Authorization plugins are enabled with a dedicated command line argument. The argument contains a comma separated list of the plugin names, which should be the same as the plugin’s socket or spec file.
Authorization plugins are enabled with a dedicated command line argument. The argument contains the plugin name, which should be the same as the plugin’s socket or spec file.
Multiple authz-plugin parameters are supported.
```
$ docker -d authz-plugins=plugin1,plugin2,...
$ docker daemon --authz-plugins=plugin1 --auth-plugins=plugin2,...
```
### Calling authorized command (allow)
@@ -0,0 +1,228 @@
// +build !windows
package main
import (
"encoding/json"
"fmt"
"github.com/docker/docker/pkg/authorization"
"github.com/docker/docker/pkg/integration/checker"
"github.com/docker/docker/pkg/plugins"
"github.com/go-check/check"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"strings"
)
const testAuthZPlugin = "authzplugin"
const unauthorizedMessage = "User unauthorized authz plugin"
const containerListAPI = "/containers/json"
func init() {
check.Suite(&DockerAuthzSuite{
ds: &DockerSuite{},
})
}
type DockerAuthzSuite struct {
server *httptest.Server
ds *DockerSuite
d *Daemon
ctrl *authorizationController
}
type authorizationController struct {
reqRes authorization.Response // reqRes holds the plugin response to the initial client request
resRes authorization.Response // resRes holds the plugin response to the daemon response
psRequestCnt int // psRequestCnt counts the number of calls to list container request api
psResponseCnt int // psResponseCnt counts the number of calls to list containers response API
requestsURIs []string // requestsURIs stores all request URIs that are sent to the authorization controller
}
func (s *DockerAuthzSuite) SetUpTest(c *check.C) {
s.d = NewDaemon(c)
s.ctrl = &authorizationController{}
}
func (s *DockerAuthzSuite) TearDownTest(c *check.C) {
s.d.Stop()
s.ds.TearDownTest(c)
s.ctrl = nil
}
func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
mux := http.NewServeMux()
s.server = httptest.NewServer(mux)
c.Assert(s.server, check.NotNil, check.Commentf("Failed to start a HTTP Server"))
mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
b, err := json.Marshal(plugins.Manifest{Implements: []string{authorization.AuthZApiImplements}})
c.Assert(err, check.IsNil)
w.Write(b)
})
mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
b, err := json.Marshal(s.ctrl.reqRes)
w.Write(b)
c.Assert(err, check.IsNil)
defer r.Body.Close()
body, err := ioutil.ReadAll(r.Body)
c.Assert(err, check.IsNil)
authReq := authorization.Request{}
err = json.Unmarshal(body, &authReq)
c.Assert(err, check.IsNil)
assertBody(c, authReq.RequestURI, authReq.RequestHeaders, authReq.RequestBody)
assertAuthHeaders(c, authReq.RequestHeaders)
// Count only container list api
if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
s.ctrl.psRequestCnt++
}
s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI)
})
mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
b, err := json.Marshal(s.ctrl.resRes)
c.Assert(err, check.IsNil)
w.Write(b)
defer r.Body.Close()
body, err := ioutil.ReadAll(r.Body)
c.Assert(err, check.IsNil)
authReq := authorization.Request{}
err = json.Unmarshal(body, &authReq)
c.Assert(err, check.IsNil)
assertBody(c, authReq.RequestURI, authReq.ResponseHeaders, authReq.ResponseBody)
assertAuthHeaders(c, authReq.ResponseHeaders)
// Count only container list api
if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
s.ctrl.psResponseCnt++
}
})
err := os.MkdirAll("/etc/docker/plugins", 0755)
c.Assert(err, checker.IsNil)
fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", testAuthZPlugin)
err = ioutil.WriteFile(fileName, []byte(s.server.URL), 0644)
c.Assert(err, checker.IsNil)
}
// assertAuthHeaders validates authentication headers are removed
func assertAuthHeaders(c *check.C, headers map[string]string) error {
for k := range headers {
if strings.Contains(strings.ToLower(k), "auth") || strings.Contains(strings.ToLower(k), "x-registry") {
c.Errorf("Found authentication headers in request '%v'", headers)
}
}
return nil
}
// assertBody asserts that body is removed for non text/json requests
func assertBody(c *check.C, requestURI string, headers map[string]string, body []byte) {
if strings.Contains(strings.ToLower(requestURI), "auth") && len(body) > 0 {
//return fmt.Errorf("Body included for authentication endpoint %s", string(body))
c.Errorf("Body included for authentication endpoint %s", string(body))
}
for k, v := range headers {
if strings.EqualFold(k, "Content-Type") && strings.HasPrefix(v, "text/") || v == "application/json" {
return
}
}
if len(body) > 0 {
c.Errorf("Body included while it should not (Headers: '%v')", headers)
}
}
func (s *DockerAuthzSuite) TearDownSuite(c *check.C) {
if s.server == nil {
return
}
s.server.Close()
err := os.RemoveAll("/etc/docker/plugins")
c.Assert(err, checker.IsNil)
}
func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
err := s.d.Start("--authz-plugins=" + testAuthZPlugin)
c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Allow = true
// Ensure command successful
out, err := s.d.Cmd("run", "-d", "--name", "container1", "busybox:latest", "top")
c.Assert(err, check.IsNil)
// Extract the id of the created container
res := strings.Split(strings.TrimSpace(out), "\n")
id := res[len(res)-1]
assertURIRecorded(c, s.ctrl.requestsURIs, "/containers/create")
assertURIRecorded(c, s.ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", id))
out, err = s.d.Cmd("ps")
c.Assert(err, check.IsNil)
c.Assert(assertContainerList(out, []string{id}), check.Equals, true)
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
c.Assert(s.ctrl.psResponseCnt, check.Equals, 1)
}
func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
err := s.d.Start("--authz-plugins=" + testAuthZPlugin)
c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = false
s.ctrl.reqRes.Msg = unauthorizedMessage
// Ensure command is blocked
res, err := s.d.Cmd("ps")
c.Assert(err, check.NotNil)
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
c.Assert(s.ctrl.psResponseCnt, check.Equals, 0)
// Ensure unauthorized message appears in response
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: %s\n", unauthorizedMessage))
}
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
err := s.d.Start("--authz-plugins=" + testAuthZPlugin)
c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Allow = false
s.ctrl.resRes.Msg = unauthorizedMessage
// Ensure command is blocked
res, err := s.d.Cmd("ps")
c.Assert(err, check.NotNil)
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
c.Assert(s.ctrl.psResponseCnt, check.Equals, 1)
// Ensure unauthorized message appears in response
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: %s\n", unauthorizedMessage))
}
// assertURIRecorded verifies that the given URI was sent and recorded in the authz plugin
func assertURIRecorded(c *check.C, uris []string, uri string) {
found := false
for _, u := range uris {
if strings.Contains(u, uri) {
found = true
}
}
if !found {
c.Fatalf("Expected to find URI '%s', recorded uris '%s'", uri, strings.Join(uris, ","))
}
}
@@ -133,7 +133,7 @@ func (s *DockerSuite) TestHelpTextVerify(c *check.C) {
// Check each line for lots of stuff
lines := strings.Split(out, "\n")
for _, line := range lines {
c.Assert(len(line), checker.LessOrEqualThan, 90, check.Commentf("Help for %q is too long:\n%s", cmd, line))
c.Assert(len(line), checker.LessOrEqualThan, 91, check.Commentf("Help for %q is too long:\n%s", cmd, line))
if scanForHome && strings.Contains(line, `"`+home) {
c.Fatalf("Help for %q should use ~ instead of %q on:\n%s",
Oops, something went wrong.

0 comments on commit 75c353f

Please sign in to comment.