twistlock / authz

Docker Authorization Plugin


twistlock/authz-broker policy failure

lvic4594 opened this issue · comments

I am trying on Container Linux by CoreOS 1353.7.0 (Ladybug)
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
From the default account ("core") I've created user "user1" as a member of group docker:
sudo useradd -p "*" -U -m user1 -G docker
I added a "readonly" policy for "user1" in /var/lib/authz-broker/policy.json
{"name":"policy_1","users":["user1"],"actions":["container"],"readonly":true}
and launched broker container:
docker run -d --restart=always -v /var/lib/authz-broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
After I ssh into the CoreOS system as "user1", I can do pretty much anything with docker, like pulling and removing docker images

Hi @lvic4594, did you configure dockerd to use the authz plugin?
--authorization-plugin list Authorization plugins to load
Also, consider installing the authz code as a v2 authorization plugin; this will require some changes in the code.

Got it for "user1": (Error response from daemon: authorization denied by plugin authz-broker: no policy applied (user: '' action: 'docker_info')). Using system default: https://index.docker.io/v1/
Error response from daemon: authorization denied by plugin authz-broker: no policy applied (user: '' action: 'image_create'). That looks like expected behavior.

Sorry, don't see anything about "v2 authorization plugin" in the link you've provided... Why should I consider doing that?
Thank you

I am trying to allow default user "core" to perform any docker operations:
policy.json:
{"name":"policy_1","users":["core"],"actions":["*"]}
{"name":"policy_2","users":["user1"],"actions":["container"],"readonly":true}

but when I run "docker ps" as "core" I have the following error:
Error response from daemon: authorization denied by plugin authz-broker: no policy applied (user: '' action: 'container_list')

@lvic4594 currently only TLS authorization is supported, so you need to configure docker with TLS certificates and provide a client certificate. See instructions

After I followed directions, I have the following error:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

systemctl list-units | grep docker
docker-tcp.socket loaded active listening Docker Socket for the API
docker.socket loaded active listening Docker Socket for the API

I've configured dockerd and docker for TLS authorization using your link. It doesn't seem to help: on any policy like
{"name":"policy_1","users":[""],"actions":[""]}
or
{"name":"policy_1","users":[""],"actions":[""]}
I see the same error:
Error response from daemon: authorization denied by plugin authz-broker: no policy applied (user: 'client' action: 'container_list')

You need to set the name of the user: client, and the action, in the allow list.

like: {"name":"policy_1","users":["client"],"actions":["*"]} in policy.json?
What's the "allow list"?
Sorry, I tried to use the example from the readme; I don't have any other resource. Can I have some example?

The action you want to apply, as written in the plugin log: container_list. But ensure first that the plugin is actually loading the policy you specified and not another file. You should see a log like loaded z policy. Also note that we use regex matching, so empty strings for action should also work (so I assume your policy was not loaded).

You should see a log like loaded z policy. Should see it where?

More specifically: where's plugin log container_list? I don't see it with "find"

The plugin logs when the policy is loaded; if you did not put it in the correct place, nothing will work.

According to the "readme", the place is /var/lib/authz-broker/policy.json; that's where I put it...

I have created the file /var/lib/authz-broker/policy.json

I suggest that you check inside the container that the policy is mounted and updated.

Seems like a chicken-and-egg problem: I start dockerd with --authorization-plugin=authz-broker; then I cannot "docker run", e.g. load the plugin. Is there a default policy file?

I see the "loaded" message when I start the plugin:
time="2017-05-24T20:49:41Z" level=info msg="Loaded '1' policies"

Hi, since I don't understand exactly what you did, I suggest you debug the plugin using the source code.
Specifically,

# From the root repository
$ make
# run the binary 
$ ./authz-broker --debug --policy-file /var/lib/authz-broker/policy.json
# This is the policy.json file
# {"name":"policy_1","users":["","*"],"actions":[""]}
# from **another** terminal stop docker and run it with the plugin
$ sudo service docker stop
$ sudo dockerd --authorization-plugin authz-broker
# from **another** terminal, check the plugin
$ docker ps

Shouldn't I also run "authz-broker" as root?
Shouldn't I also set env vars from the Dockerfile, like AUTHORIZER=basic?
Anyway, here's the output from "authz-broker":
INFO[0128] Loaded '1' policies
DEBU[0145] Received AuthZ request, method: 'GET', url: '/v1.24/containers/json'
DEBU[0145] no policy applied (user: 'client' action: 'container_list')
{"allow":false,"err":"","fields.msg":"no policy applied (user: 'client' action: 'container_list')","level":"info","method":"GET","msg":"Request","time":"2017-05-25T14:33:02Z","uri":"/v1.24/containers/json","user":"client"}
And "docker ps" results in
Error response from daemon: authorization denied by plugin authz-broker: no policy applied (user: 'client' action: 'container_list')
So it looks as if the policy is loaded but not parsed.

Does selinux=enabled make any difference?
Here's my dockerd line:
dockerd --authorization-plugin=authz-broker --tlsverify --tlscacert=/home/core/ca.pem --tlscert=/home/core/server-cert.pem --tlskey=/home/core/server-key.pem -H=0.0.0.0:2378 --insecure-registry=0.0.0.0/0 --selinux-enabled

It looks like something is wrong with your policy. I suggest you add prints in the code and debug it.
You need to have

{"name":"policy_1","users":["client"],"actions":[""]}

or

{"name":"policy_1","users":["client"],"actions":["container_list"]}

{"name":"policy_1","users":["client"],"actions":["*"]} - this works. It looks as if something is wrong not with my policy but with your matching in AuthZReq:
for _, user := range policy.Users {
if user == authZReq.User {
...
e.g. regexp is not used to match the user vs. the policy user
Where's "client" in AuthZReq coming from?

In authorization, you can't match a user name against a regular expression, only against the full name (otherwise, people might impersonate you).
client is the CN (common name) in the certificate you generated. This is propagated via docker, not authz.
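A minimal re-creation of the matching rules the maintainer describes (users compared by exact string equality, actions by regular expression), added here as an example; it is not authz-broker's own code. The Policy struct, the treatment of "*" as "any action" and the rule that readonly permits only GET requests are assumptions, and the policy lines used to exercise it are constructed from this thread.

```go
// Added example, not the authz-broker source. Users match by exact string
// equality, actions by regexp ("*" assumed = any), readonly assumed = GET only.
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Policy mirrors one line of the newline-delimited policy.json shown above.
type Policy struct {
	Name     string   `json:"name"`
	Users    []string `json:"users"`
	Actions  []string `json:"actions"`
	Readonly bool     `json:"readonly"`
}

// LoadPolicies parses one JSON object per line, as in policy.json.
func LoadPolicies(text string) ([]Policy, error) {
	var out []Policy
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var p Policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// Authorize returns the first matching policy name, or "" for "no policy applied".
func Authorize(policies []Policy, user, action, method string) string {
	for _, p := range policies {
		if p.Readonly && method != "GET" {
			continue
		}
		for _, u := range p.Users {
			if u != user { // exact comparison: a regexp here would permit impersonation
				continue
			}
			for _, pat := range p.Actions {
				if ok, err := regexp.MatchString(pat, action); pat == "*" || (err == nil && ok) {
					return p.Name
				}
			}
		}
	}
	return ""
}
```

With the two policy lines from this thread loaded, a request from TLS user "client" is denied because no policy names that exact user, which is the "no policy applied" message seen above.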

I'm going to close the issue, since it appears there is no problem with the code. As said, feel free to contribute with pull requests to improve the documentation or code.

The policy examples in "readme" could certainly be improved from this experience

Thanks for your feedback, feel free to contribute a pull request.

Thanks for your help. One more question: suppose I want authorization policies per shell user, not certificates. Can this plugin work without SSL certificates?

Hi @lvic4594, no.
The docker daemon only supports TLS authentication.
Twistlock offers local (unix) and LDAP authentication in our dev/enterprise edition.

No, this scenario is not supported. I suggest you read docker documentation.