This plugin controls access to Docker commands based on an authorization policy. The authorization functionality is provided by Casbin. Since Docker does not yet perform authentication, there is no user information available when a Docker command is executed. What the Casbin plugin can actually control is which HTTP method may be performed on which URL path of the Docker Engine API.
For example, when you run the docker images command, the underlying request is:
/v1.27/images/json, GET
So the Casbin plugin decides whether GET may be performed on /v1.27/images/json based on the policy rules you write. The policy file is basic_policy.csv, co-located with the plugin binary by default. Its content is:
p, /v1.27/images/json, GET
The above policy allows anyone to perform GET on /v1.27/images/json and denies all other requests. The response should look like this:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 48b5124b2768 3 months ago 1.84 kB
$ docker info
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin
The built-in Casbin model is:
[request_definition]
r = obj, act
[policy_definition]
p = obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.obj == p.obj && r.act == p.act
The built-in Casbin policy is:
p, /_ping, GET
p, /v1.27/images/json, GET
For more information about the Casbin model and policy usage like RBAC, ABAC, please refer to: https://github.com/casbin/casbin
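To make the decision concrete, here is a small added example (not the plugin's own code) that parses a policy in the format above and applies the built-in matcher r.obj == p.obj && r.act == p.act with effect some(allow). The Decide function returns a Docker authorization response (Allow, Msg) for a request method and path; the policy text and request values below are constructed for the demonstration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// BuiltinPolicy is the built-in policy from the README, embedded here as sample input.
const BuiltinPolicy = "p, /_ping, GET\np, /v1.27/images/json, GET\n"

// Policy holds the (obj, act) pairs read from "p" rules.
type Policy struct{ rules map[[2]string]bool }

// LoadPolicy parses lines of the form "p, <path>, <method>" (comments start with #).
func LoadPolicy(csvText string) (*Policy, error) {
	r := csv.NewReader(strings.NewReader(csvText))
	r.TrimLeadingSpace = true
	r.FieldsPerRecord = -1
	r.Comment = '#'
	recs, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	p := &Policy{rules: map[[2]string]bool{}}
	for _, rec := range recs {
		if len(rec) != 3 || rec[0] != "p" {
			return nil, fmt.Errorf("malformed policy rule: %v", rec)
		}
		p.rules[[2]string{rec[1], rec[2]}] = true
	}
	return p, nil
}

// Enforce implements the matcher "r.obj == p.obj && r.act == p.act" with
// effect some(where (p.eft == allow)): a request is allowed only when an
// identical (path, method) rule exists; everything else is denied by default.
func (p *Policy) Enforce(obj, act string) bool { return p.rules[[2]string{obj, act}] }

// AuthZResponse mirrors the Allow/Msg fields a Docker authorization plugin returns.
type AuthZResponse struct {
	Allow bool
	Msg   string
}

// Decide maps a Docker API request (method, path) to an authorization response.
func Decide(p *Policy, method, path string) AuthZResponse {
	if p.Enforce(path, method) {
		return AuthZResponse{Allow: true}
	}
	return AuthZResponse{Allow: false, Msg: "Access denied by casbin plugin"}
}
```

Note that matching is exact: a different API version prefix (for example /v1.28/images/json) or a different method on the same path is denied unless a rule for it is added.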
Build
$ go get github.com/casbin/casbin-authz-plugin
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make
$ sudo make install
Run
Run the plugin directly in a shell
$ cd /usr/lib/docker
$ ./casbin-authz-plugin
Run the plugin as a systemd service
$ systemctl daemon-reload
$ systemctl enable casbin-authz-plugin
$ systemctl start casbin-authz-plugin
See whether the plugin starts correctly:
$ journalctl -xe -u casbin-authz-plugin -f
Enable the authorization plugin on docker engine
Step-1: Add authorization plugin to the docker engine configuration
Add the following command-line flag to your docker engine (e.g. the ExecStart line in /lib/systemd/system/docker.service):
--authorization-plugin casbin-authz-plugin
Step-2: Restart docker engine
$ systemctl daemon-reload
$ systemctl restart docker
Stop and uninstall the plugin as a systemd service
NOTE: Before doing the steps below, remove the --authorization-plugin configuration added above and restart the docker daemon; otherwise the daemon will reject requests once the plugin is no longer running.
Stop the plugin service:
$ systemctl stop casbin-authz-plugin
$ systemctl disable casbin-authz-plugin
Uninstall the plugin service:
$ make uninstall
Contact
If you have any issues or feature requests, please feel free to contact me at:
License
Apache 2.0