/casbin-authz-plugin

Docker RBAC & ABAC Authorization Plug-in based on Casbin

Primary LanguageGoApache License 2.0Apache-2.0

Docker RBAC & ABAC Authorization Plugin based on Casbin Go Report Card Build Status GoDoc

This plugin controls the access to Docker commands based on authorization policy. The functionality of authorization is provided by Casbin. Since Docker doesn't perform authentication by now, there's no user information when executing Docker commands. The access that Casbin plugin can control is actually what HTTP method can be performed on what URL path.

For example, when you run docker images command, the underlying request is really like:

/v1.27/images/json, GET

So Casbin plugin helps you decide whether GET can be performed on /v1.27/images/json base on the policy rules you write. The policy file is basic_policy.csv co-located with the plugin binary by default. And its content is:

p, /v1.27/images/json, GET

The above policy grants anyone to perform GET on /v1.27/images/json, and deny all other requests. The response should be like below:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              48b5124b2768        3 months ago        1.84 kB

$ docker info
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin

The built-in Casbin model is:

[request_definition]
r = obj, act

[policy_definition]
p = obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act

The built-in Casbin policy is:

p, /_ping, GET
p, /v1.27/images/json, GET

For more information about the Casbin model and policy usage like RBAC, ABAC, please refer to: https://github.com/casbin/casbin

Build

$ go get github.com/casbin/casbin-authz-plugin
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make
$ sudo make install

Run

Run the plugin directly in a shell

$ cd /usr/lib/docker
$ ./casbin-authz-plugin

Run the plugin as a systemd service

$ systemctl daemon-reload
$ systemctl enable casbin-authz-plugin
$ systemctl start casbin-authz-plugin

See whether the plugin starts correctly:

$ journalctl -xe -u casbin-authz-plugin -f

Enable the authorization plugin on docker engine

Step-1: Add authorization plugin to the docker engine configuration

Please add the following cmdline flag to your docker engine (e.g. ExecStart line /lib/systemd/system/docker.service)

--authorization-plugin casbin-authz-plugin

Step-2: Restart docker engine

$ systemctl daemon-reload
$ systemctl restart docker

Stop and uninstall the plugin as a systemd service

NOTE: Before doing below, remove the authorization-plugin configuration created above and restart the docker daemon.

Stop the plugin service:

$ systemctl stop img-authz-plugin
$ systemctl disable img-authz-plugin

Uninstall the plugin service:

$ make uninstall

Contact

If you have any issues or feature requests, please feel free to contact me at:

License

Apache 2.0