Docker Authorization Plugin based on Casbin
This plugin controls access to Docker commands based on an authorization policy. The authorization functionality is provided by Casbin. Since Docker does not perform authentication at present, there is no user information available when a Docker command is executed. What the Casbin plugin can actually control is which HTTP method may be performed on which URL path of the Docker API.
For example, when you run the `docker images` command, the underlying request is really:

```
/v1.27/images/json, GET
```
So the Casbin plugin helps you decide whether `GET` can be performed on `/v1.27/images/json`, based on the policy rules you write. The policy file is `basic_policy.csv`, co-located with the plugin binary by default. Its content is:

```
p, /v1.27/images/json, GET
```
The above policy allows anyone to perform `GET` on `/v1.27/images/json` and denies all other requests. The response should look like this:

```
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              48b5124b2768        3 months ago        1.84 kB
$ docker info
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin
```
The built-in Casbin model is:

```
[request_definition]
r = obj, act

[policy_definition]
p = obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act
```
The built-in Casbin policy is:

```
p, /_ping, GET
p, /v1.27/images/json, GET
```
For more information about the Casbin model and policy usage like RBAC, ABAC, please refer to: https://github.com/casbin/casbin
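As an added illustration (not the plugin's own code, which delegates to the Casbin library), the following self-contained Go program evaluates the built-in model's semantics: the matcher is an exact string comparison on `obj` and `act`, and the effect `some(where (p.eft == allow))` means one matching rule allows and no match denies. It runs the built-in policy against the requests this README mentions, including the versioned path a newer Docker client sends.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "p, obj, act" line of basic_policy.csv.
type Rule struct{ Obj, Act string }

// ParsePolicy reads policy text in the CSV form shown in the README,
// skipping blank lines, '#' comments and lines that are not of type "p".
func ParsePolicy(policy string) []Rule {
	var rules []Rule
	for _, line := range strings.Split(policy, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 3 || strings.TrimSpace(f[0]) != "p" {
			continue
		}
		rules = append(rules, Rule{Obj: strings.TrimSpace(f[1]), Act: strings.TrimSpace(f[2])})
	}
	return rules
}

// Enforce applies the built-in model: the matcher r.obj == p.obj && r.act == p.act
// is an exact string comparison, and some(where (p.eft == allow)) means one
// matching rule allows while no match denies. There is no wildcard, so a client
// speaking API v1.29 does not match a rule written for v1.27 (the Step-8 case).
func Enforce(rules []Rule, obj, act string) bool {
	for _, p := range rules {
		if obj == p.Obj && act == p.Act {
			return true
		}
	}
	return false
}

// builtInPolicy is the policy shipped with the plugin, as given in the README.
const builtInPolicy = "p, /_ping, GET\np, /v1.27/images/json, GET\n"

func main() {
	rules := ParsePolicy(builtInPolicy)
	for _, r := range [][2]string{{"/v1.27/images/json", "GET"}, {"/v1.27/info", "GET"}, {"/v1.29/images/json", "GET"}} {
		fmt.Printf("obj: %s, act: %s res: %v\n", r[0], r[1], Enforce(rules, r[0], r[1]))
	}
}
```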
```
$ apt install golang-go    # install go language
$ mkdir /usr/local/go
$ export GOPATH=/usr/local/go
```
```
$ go get github.com/casbin/casbin-authz-plugin
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make
$ sudo make install
```
```
$ cd /usr/lib/docker
$ mkdir examples
$ cp basic_model.conf examples/.
$ cp basic_policy.csv examples/.
$ ./casbin-authz-plugin
```
The output of the command above should look like this:

```
2017/10/21 03:47:39 Current directory: /usr/lib/docker
2017/10/21 03:47:39 Casbin model: examples/basic_model.conf
2017/10/21 03:47:39 Casbin policy: examples/basic_policy.csv
2017/10/21 03:47:39 [Model:]
2017/10/21 03:47:39 p.p: obj, act
2017/10/21 03:47:39 e.e: some(where (p_eft == allow))
2017/10/21 03:47:39 m.m: r_obj == p_obj && r_act == p_act
2017/10/21 03:47:39 r.r: obj, act
2017/10/21 03:47:39 [Policy:]
2017/10/21 03:47:39 [p : obj, act : [[/_ping GET] [/v1.27/images/json GET]]]
```
```
$ systemctl status casbin-authz-plugin
● casbin-authz-plugin.service - Docker RBAC & ABAC Authorization Plugin based on Casbin
   Loaded: loaded (/lib/systemd/system/casbin-authz-plugin.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
```
```
$ vi /lib/systemd/system/casbin-authz-plugin.service
[Service]
WorkingDirectory=/usr/lib/docker
```
`systemctl status casbin-authz-plugin`, please use the latter.
The `WorkingDirectory` may not be the one given above, depending on where you put the plugin.
```
$ systemctl daemon-reload
$ systemctl enable casbin-authz-plugin
$ systemctl start casbin-authz-plugin
```
```
$ systemctl edit docker
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin
```
`systemctl status docker`, please use the latter.
Append `--authorization-plugin=casbin-authz-plugin`; if there are more options on the pre-defined `ExecStart`, please retain them.
```
$ systemctl daemon-reload
$ systemctl restart docker
```
```
$ journalctl -xe -u casbin-authz-plugin -f
```
```
$ docker images
```
If `docker images` is denied, simply proceed to Step-8 for the solution.
```
$ vi /usr/lib/docker/examples/basic_policy.csv
p, /v1.29/images/json, GET
```
```
$ systemctl restart casbin-authz-plugin
```
Add to `examples/basic_policy.csv` the request that the docker client is sending, which is shown in `journalctl` like:

```
obj: /v1.29/images/json, act: GET res: denied
```
`$GOPATH` refers to the directory where you put the plugin obtained from `go get`.
```
$ docker images
$ docker ps
$ docker info
```
If `docker images` is still denied, please check Step-8 more carefully.
NOTE: Before doing the steps below, remove the authorization-plugin configuration added above and restart the docker daemon.
Removing the authorization plugin on docker
```
$ systemctl edit docker
#[Service]
#ExecStart=
#ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin
$ systemctl restart docker
```
Stop the plugin service:
```
$ systemctl stop casbin-authz-plugin
$ systemctl disable casbin-authz-plugin
```
Uninstall the plugin service:
```
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make uninstall
```
If you have any issues or feature requests, please feel free to contact me at:
- https://github.com/casbin/casbin/issues
- [email protected]
Apache 2.0