twistlock / authz
Docker Authorization Plugin
License: Apache License 2.0
Seen only on CoreOS 1122.3.0 / docker 1.10.3: the user name in the authz callback always comes back empty regardless of the /CN in the client certificate. Works as described on CoreOS 1409.7.0 / docker 1.12.6.
Not a plugin issue obviously, but I didn't see docker version requirements in the README...
Could you tell me how to install this plugin on the host, please?
Because I don't understand what "wget xxx" means. I need the full command instead of "xxx", please.
Many thanks
Ibrahim
Hi, I could not copy authz/policy.json to /var/lib/authz-broker/policy.json:
I got this error:
/var/lib/authz-broker/policy.json': No such file or directory
but I could copy the file authz/policy.json to /usr/lib/docker/policy.json,
so how can I run it, please, or how can I solve this problem?
Thank you
Regular expressions used by Authz are relatively simple and may be bypassed.
For example, we allow only docker start in the policy, and docker pause is not allowed.
Normal access to https://127.0.0.1:2376/v1.23/containers/aa/pause will be rejected,
but we can access the URL
Https://127.0.0.1:2376/v1.23/containers/aa/pause?aaa=\/start
to bypass Authz's policy restrictions.
The above regular expression can bypass the Authz limit and run docker pause successfully.
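The matching weakness this report describes and the parse-then-match mitigation, as an added Go example that is not code from twistlock/authz (the route patterns, action names and the policy map are assumptions): the query string can only influence a rule that is tested against the raw URI, so the classifier parses the URI, matches anchored patterns against the path alone and fails closed on unknown routes.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)
// Added example, not code from twistlock/authz: parse the request URI and match
// anchored patterns against the path only, beside a naive matcher reproducing
// the weakness reported above. Patterns, action names, policy map: assumptions.
// '^'/'$' anchor the whole path and '[^/]+' keeps the id to one segment.
var routes = map[string]*regexp.Regexp{
	"container_start": regexp.MustCompile(`^/v[0-9]+\.[0-9]+/containers/[^/]+/start$`),
	"container_pause": regexp.MustCompile(`^/v[0-9]+\.[0-9]+/containers/[^/]+/pause$`),
}

// naiveAction tests unanchored patterns against the raw URI, query string
// included, so "?aaa=/start" makes a pause request look like a start.
func naiveAction(rawURI string) string {
	if regexp.MustCompile(`containers/.*/start`).MatchString(rawURI) {
		return "container_start"
	}
	if regexp.MustCompile(`containers/.*/pause`).MatchString(rawURI) {
		return "container_pause"
	}
	return "unknown"
}

// classifyAction parses first and matches only the decoded path component;
// the query string is discarded and an unknown route is an error.
func classifyAction(rawURI string) (string, error) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return "", err
	}
	for action, re := range routes {
		if re.MatchString(u.Path) {
			return action, nil
		}
	}
	return "", fmt.Errorf("unrecognised route %q", u.Path)
}

// decide is fail-closed: allow only a known route whose action the policy lists.
func decide(rawURI string, allowed map[string]bool) bool {
	action, err := classifyAction(rawURI)
	return err == nil && allowed[action]
}

func main() {
	policy := map[string]bool{"container_start": true} // pause deliberately absent
	req := `/v1.23/containers/aa/pause?aaa=\/start`    // URI from the report above
	fmt.Println("naive:", naiveAction(req), "| parsed allowed:", decide(req, policy))
}
```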
Hi,
After compiling the project, connecting the plugin to the docker daemon and trying the README policies, I saw in the logs that there was no user object
processed by the plugin. This means that no policy could be applied :(
Any clues?
Log:
Jul 13 17:31:03 localhost authz-broker: {"allow":false,"err":"","fields.msg":"no policy applied (user: '' action: 'image_list')","level":"info","method":"GET","msg":"Request","time":"2016-07-13T17:31:03+02:00","uri":"/v1.22/images/json","user":""}
Thanks :)
Looking for the ability to block specific command options. For example, I want users to be able to create containers using ‘docker run’ but block users from applying the --privileged option. It does not appear that this capability exists. Looks like all or nothing. Can this please be confirmed one way or the other?
Hi,
I was trying to follow these instructions to build the plugin:
Install go 1.5 and docker.
Install godep.
Clone the project.
Restore go dependencies:
$ godep restore
Build the binary and image:
$ make all
I get the following error in the "make all" step:
CGO_ENABLED=0 go build -o authz-broker -a -installsuffix cgo ./broker/main.go
broker/main.go:8:2: cannot find package "github.com/twistlock/authz/authz" in any of:
/usr/local/go/src/github.com/twistlock/authz/authz (from $GOROOT)
/home/sreeni/authz/src/github.com/twistlock/authz/authz (from $GOPATH)
broker/main.go:9:2: cannot find package "github.com/twistlock/authz/core" in any of:
/usr/local/go/src/github.com/twistlock/authz/core (from $GOROOT)
/home/sreeni/authz/src/github.com/twistlock/authz/core (from $GOPATH)
make: *** [binary] Error 1
Any ideas?
I don't see a "twistlock" directory under github.com.
thanks
Sreenivas
How should the daemon be setup in a swarm?
Docker swarm / swarm mode is not mentioned in the documentation, which makes me believe that it doesn't work. The documentation should specify how and if it works in docker swarm mode.
Hi,
could you tell me the full command to install Twistlock as a service? Because I do not understand "wget xxx".
Many thanks.
I am trying on Container Linux by CoreOS 1353.7.0 (Ladybug)
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
From the default account ("core") I've created user "user1" as a member of group docker:
sudo useradd -p "*" -U -m user1 -G docker
I added a "readonly" policy for "user1" in /var/lib/authz-broker/policy.json:
{"name":"policy_1","users":["user1"],"actions":["container"],"readonly":true}
and launched the broker container:
docker run -d --restart=always -v /var/lib/authz-broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
After I ssh into the CoreOS system as "user1" I can do pretty much anything with docker, like pulling and removing docker images.
Hello,
In the blog post (https://www.twistlock.com/2016/02/18/docker-authz-plugins-twistlocks-contribution-to-the-docker-community/), there was a sample using RBAC authorization.
The "ContainerOps" group can perform "docker run" and "docker rm":
{"name":"policy_1","users":["ContainerOps"],"actions":["container_run", "container_rm"]}
The audit team can only perform "docker list", but nothing else:
{"name":"policy_2","users":["AuditGroup"],"actions":["container"], "readonly":true}
Alice can run all Docker commands: {"name":"policy_3","users":["alice"],"actions":["*"]}
Thanks :)
It looks like the install.sh script should copy the twistlock_authz_broker directory into /usr/bin/ but for some reason that directory doesn't exist in the repo:
[root@docker04 authz]# pwd
/var/tmp/authz
[root@docker04 authz]# ls -l
total 32
drwxr-xr-x 2 root root 72 Jul 11 07:21 authz
drwxr-xr-x 2 root root 20 Jul 11 07:21 broker
drwxr-xr-x 2 root root 119 Jul 11 07:21 core
-rwxr-xr-x 1 root root 409 Jul 11 07:21 Dockerfile
drwxr-xr-x 3 root root 54 Jul 11 07:21 Godeps
-rwxr-xr-x 1 root root 389 Jul 11 07:21 install.sh
-rwxr-xr-x 1 root root 11358 Jul 11 07:21 LICENSE
-rwxr-xr-x 1 root root 607 Jul 11 07:21 Makefile
-rwxr-xr-x 1 root root 7489 Jul 11 07:21 README.md
[root@docker04 authz]# cat install.sh
#
#!/usr/bin/env bash
name=twistlock_authz_broker
cp ./twistlock_authz_broker /usr/bin/
cat <<SERVICE > "/lib/systemd/system/twistlock-authz.service"
[Unit]
Description=Twistlock docker authorization plugin
After=syslog.target
[Service]
Type=simple
ExecStart=/usr/bin/authz-broker
[Install]
WantedBy=multi-user.target
SERVICE
# sudo systemctl enable my-app
# sudo systemctl start my-app[root@docker04 authz]#
[root@docker04 authz]# ./install.sh
cp: cannot stat ‘./twistlock_authz_broker’: No such file or directory
[root@docker04 authz]#
When I receive a request asking whether a container can be started, I would like to go back to the docker host and get the sha256 of the image that is being started. However, I am getting errors indicating the plugin cannot talk to /var/run/docker.sock.
I have the following code, just trying to list the containers at present:
package main

import (
	"context"
	"fmt"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/client"
)

// getContainers lists containers through the Docker client library, taking
// connection settings (DOCKER_HOST etc.) from the environment.
func getContainers() {
	fmt.Printf("***** Container List\n")
	cli, err := client.NewClientWithOpts(client.FromEnv)
	if err != nil {
		panic(err)
	}
	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
	if err != nil {
		panic(err)
	}
	for _, container := range containers {
		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
	}
}
When running my container before creating the plugin, I can achieve the desired behaviour by running the container as follows:
docker run -v /var/run/docker.sock:/var/run/docker.sock ${TEMPLATE}:${VERSION}
I believe there is some config somewhere in config.json to achieve the same thing, but I cannot seem to do it. I have tried:
"PropagatedMount": "/var/run/docker.sock",
"Mounts": [
  {
    "Type": "bind",
    "Source": "/var/run/docker.sock",
    "Destination": "/var/run/docker.sock",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  }
]
Any thoughts?
I am new to this, so my question might be stupid. :-)
Nevertheless, is this plugin the right place to integrate with corporate LDAP groups to lay out who can create/run containers, down to specific stacks?
Here is what I did:
$ cd authz
$ go get -u
$ cd ..
$ make
golint authz/basic.go || exit; golint authz/basic_test.go || exit; golint authz/doc.go || exit; golint broker/main.go || exit; golint core/doc.go || exit; golint core/interfaces.go || exit; golint core/route_parser.go || exit; golint core/route_parser_test.go || exit; golint core/server.go || exit; golint core/types.go || exit;
gofmt -w authz/basic.go authz/basic_test.go authz/doc.go broker/main.go core/doc.go core/interfaces.go core/route_parser.go core/route_parser_test.go core/server.go core/types.go
go vet ./core/.; go vet ./broker/.; go vet ./authz/.;
CGO_ENABLED=0 go build -o authz-broker -a -installsuffix cgo ./broker/main.go
package main
imports github.com/docker/docker/vendor/src/github.com/Sirupsen/logrus: use of vendored package not allowed
Makefile:26: recipe for target 'binary' failed
make: *** [binary] Error 1
My go version is 1.6:
$ go version
go version go1.6 linux/amd64
It would be interesting to write more examples about policies.
I want to create a policy that allows all users to
Hi,
Here is my environment:
Go 1.8.1
My GOPATH is ~/go and I clone the project in ~/go/src/twistlock-authz
$ make all
vendor/gopkg.in/yaml.v2/decode_test.go:248: struct field tag a
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:448: struct field tag -
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:694: struct field tag _
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:698: struct field tag _
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:147: struct field tag a
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:158: struct field tag a,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:159: struct field tag b,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:164: struct field tag a,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:165: struct field tag b,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:170: struct field tag a,omitempty,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:175: struct field tag a,omitempty,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:180: struct field tag a,omitempty,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:185: struct field tag a,omitempty,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:190: struct field tag a,omitempty,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:195: struct field tag a,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:196: struct field tag b,omitempty
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:204: struct field tag a,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:209: struct field tag a,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:214: struct field tag a,flow
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:234: struct field tag -
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:344: struct field tag ,inline
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:350: struct field tag ,inline
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:406: struct field tag _
not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
Creating the following policy allows all users to run all commands: {"name":"policy_1","users":[""],"actions":[""]}, which is what was expected. However, running the following policy blocks all users from running any commands (even the root user): {"name":"policy_1","users":["root"],"actions":[""]}. I am running an older docker version (intentionally), which may be the reason the second policy fails. Are there any authz-broker docker version dependencies which would prevent this policy from working?
When running the docker container: Error connecting to docker daemon (does docker ps work?)
DEBU[0002] [hijack] End of stdout
DEBU[0003] End of CmdRun(), Waiting for hijack to finish.
Hi,
I do not see much merging of PRs, so I just want to check whether this is likely to be merged. I would like to use this plugin for some CI systems.
I would like to make the following updates:
I will need to do this anyway; I just want to get an indication of whether a PR would be accepted. I don't plan to change how the plugin works, as it looks perfect for my needs, so those changes would be minimal.
Thanks
Pat
Hi
I am using Debian. I installed go1.10.2 and the godep tools.
How can I clone the project? I got an error when I ran gith clone https://github.com/twistlock/authz
So could you help me, please?
Godeps is not found on branch master, and tag 0.1 tips
"Package (golang.org/x/sys/unix) not found"
I can't build it; please help, thanks!
godep: open Godeps/Godeps.json: no such file or directory
I don't see any work being done on this plugin, or whether it is being supported. Has anyone successfully used this plugin yet?
Issue: I have docker version 18.06.1-ce. I followed all 3 steps mentioned for "Running inside container". I downloaded and ran the image successfully; however, policy.json under /var/lib/authz-broker/ is getting created as a directory and not a file. Same thing with the /var/log/authz.log file: authz.log is getting created as a directory. The major problem: when I applied the --authorization-plugin=authz-broker flag, the daemon is unable to start because authz-broker doesn't exist in /var/run/docker/plugins.
Are the instructions accurate? Why are files getting created as directories? Am I missing something?
Hi,
could you tell me how I can compile the project, please?
I am working on a Raspberry Pi (Raspbian OS),
because I have installed go1.10, docker and godep and cloned the project, but I got an error message when I run godep restore.
best,
Ibrahim
I would like to create different users as roles in RBAC. For example, user1 can access container1 while user2 in docker groups like Bob cannot access container1.
As far as I know, the Docker daemon only sees network requests sent from sockets and no username on the request.
Therefore, does Twistlock provide that technique or not?
Many thanks
Ibrahim
I'd like to see some documentation for this.
I'm curious where do I set things like this:
{"name":"policy_1","users":["alice"],"actions":["*"]}
Also, here's my Docker daemon ExecStart:
ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store consul://0.0.0.0:8500 --label node=server1 --exec-opt native.cgroupdriver=cgroupfs
Do you have any example code on how to filter the response from the daemon to the client? For example, docker ps should not show the same content for all users.
Hi Team,
Many thanks for this nice plugin !
However, it would be nice to have the capability to run it in a client-server mode (like openpolicyagent does).
Indeed, in a Swarm cluster it makes sense not to have to redeploy the policies on each host and to have them on a "central" policy server.
I didn't see any documentation regarding such a kind of deployment.
Is it possible, or is it a new feature to be developed (and if so, is it on your roadmap)?
Thank you in advance for your feedback.
Regards,
Gilles
Hi there.
It looks like the README's build instructions are out of date. The instructions to use godep are now redundant as of ac5bea8.
I'm a complete go noob, but I managed to get the project to build once I moved my git clone to $HOME/go/src/twistlock-authz - only then did it pick up the vendor directory. Is this something that all golangers know?
Hi,
what are the differences between running the authorization plugin directly on the host and running it inside a container?
Many thanks.
Ibrahim
Is there documentation for which authz terms map to which docker commands?
Are there any plans to push the image on Docker hub? The only image listed on the hub is not pullable (i.e. empty)