
authz's Issues

user name always comes empty on docker 1.10

See this only on CoreOS 1122.3.0/docker 1.10.3: user name in authz callback always comes empty regardless of /CN in client certificate. Works as described on CoreOS 1409.7.0/docker 1.12.6.
Not a plugin issue obviously, but I didn't see docker version requirements in the "readme"...

./bin/authz-broker

Hi, when I run the plugin through ./bin/authz-broker

I got an error:
(image attachment)

I have copied the policy file. What is the next step after copying the policy file?

Many thanks

Installation

Could you tell me how install this plugin in the host please ?
Because I don’t understand what does wget xxx means. I need full command instead of xxx please.

Many thanks
Ibrahim

No user object passed to authZ plugin

Hi,

After compiling the project, connecting the plugin to the docker daemon and trying the README policies, I saw in the logs that there was no user object processed by the plugin. This means that no policy could be applied :(

Any clues ?

log :

Jul 13 17:31:03 localhost authz-broker: {"allow":false,"err":"","fields.msg":"no policy applied (user: '' action: 'image_list')","level":"info","method":"GET","msg":"Request","time":"2016-07-13T17:31:03+02:00","uri":"/v1.22/images/json","user":""}

Thanks :)

Ability to Block Command Options

Looking for the ability to block specific command options. For example, I want users to be able to create containers using ‘docker run’ but block users from applying the --privileged option. It does not appear that this capability exists. Looks like all or nothing. Can this please be confirmed one way or the other?
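A worked illustration of how an authorization plugin could implement the option-level check this issue asks for, written from the defender's side. This is an added example, not code from the twistlock/authz project: it only assumes the request shape the Docker daemon sends to any authorization plugin (User, UserAuthNMethod, RequestMethod, RequestUri, RequestHeaders and a base64-encoded RequestBody) and inspects HostConfig.Privileged in a container-create body. The user name "alice", the API version path and the request bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AuthZReq mirrors the JSON body the Docker daemon POSTs to an authorization
// plugin's /AuthZPlugin.AuthZReq endpoint. RequestBody is base64 in the wire
// JSON; encoding/json decodes it into []byte for us.
type AuthZReq struct {
	User            string            `json:"User"`
	UserAuthNMethod string            `json:"UserAuthNMethod"`
	RequestMethod   string            `json:"RequestMethod"`
	RequestURI      string            `json:"RequestUri"`
	RequestHeaders  map[string]string `json:"RequestHeaders,omitempty"`
	RequestBody     []byte            `json:"RequestBody,omitempty"`
}

// AuthZRes is the plugin's reply: Allow decides, Msg is shown to the client.
type AuthZRes struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// containerCreate is the slice of the container-create body we care about.
type containerCreate struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

// createPath matches POST /containers/create with or without an API version prefix.
var createPath = regexp.MustCompile(`^/(v[0-9.]+/)?containers/create`)

// DenyPrivileged allows every request except a container-create whose
// HostConfig asks for --privileged. An unparseable create body is denied
// (fail closed) rather than waved through.
func DenyPrivileged(req AuthZReq) AuthZRes {
	if req.RequestMethod != "POST" || !createPath.MatchString(req.RequestURI) {
		return AuthZRes{Allow: true}
	}
	var body containerCreate
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return AuthZRes{Allow: false, Err: "cannot parse container create body: " + err.Error()}
	}
	if body.HostConfig.Privileged {
		return AuthZRes{Allow: false, Msg: fmt.Sprintf("user %q may not create privileged containers", req.User)}
	}
	return AuthZRes{Allow: true}
}

// Decode parses the raw JSON exactly as the daemon would deliver it.
func Decode(raw []byte) (AuthZReq, error) {
	var req AuthZReq
	err := json.Unmarshal(raw, &req)
	return req, err
}

// SampleRequest builds a constructed daemon request (hypothetical user and
// API version) wrapping the given container-create body.
func SampleRequest(user, createBody string) []byte {
	r := AuthZReq{
		User:            user,
		UserAuthNMethod: "TLS",
		RequestMethod:   "POST",
		RequestURI:      "/v1.24/containers/create?name=web",
		RequestBody:     []byte(createBody),
	}
	raw, _ := json.Marshal(r)
	return raw
}

func main() {
	for _, body := range []string{
		`{"Image":"alpine","HostConfig":{"Privileged":true}}`,
		`{"Image":"alpine","HostConfig":{"Privileged":false}}`,
	} {
		req, err := Decode(SampleRequest("alice", body))
		if err != nil {
			panic(err)
		}
		res := DenyPrivileged(req)
		fmt.Printf("%s -> allow=%v %s%s\n", body, res.Allow, res.Msg, res.Err)
	}
}
```

The same pattern extends to any other HostConfig field (bind mounts, capabilities, network mode): decode only the fields the policy cares about, decide on them, and fail closed when the body cannot be parsed.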

Error building the plugin

hi
I was trying to follow these instructions to build plugin:
Install go 1.5 and docker.
Install godep.
Clone the project.
Restore go dependencies:
$ godep restore
Build the binary and image:
$ make all

I get following error in "make all" step:
CGO_ENABLED=0 go build -o authz-broker -a -installsuffix cgo ./broker/main.go
broker/main.go:8:2: cannot find package "github.com/twistlock/authz/authz" in any of:
/usr/local/go/src/github.com/twistlock/authz/authz (from $GOROOT)
/home/sreeni/authz/src/github.com/twistlock/authz/authz (from $GOPATH)
broker/main.go:9:2: cannot find package "github.com/twistlock/authz/core" in any of:
/usr/local/go/src/github.com/twistlock/authz/core (from $GOROOT)
/home/sreeni/authz/src/github.com/twistlock/authz/core (from $GOPATH)
make: *** [binary] Error 1

Any ideas?
I dont see "twistlock" directory under github.com.

thanks
Sreenivas

Document how this module relates to swarm mode

How should the daemon be setup in a swarm?

Docker swarm / swarm mode is not mentioned in the documentation, which makes me believe that it doesn't work. The documentation should specify how and if it works in docker swarm mode.

Install Twistlock as a service

Hi,

could you tell me the full command to install Twistlock as a service? Because I do not understand wget xxx.

Many thanks.

twistlock/authz-broker policy failure

I am trying on Container Linux by CoreOS 1353.7.0 (Ladybug)
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Wed Apr 26 21:47:57 2017
OS/Arch: linux/amd64
From the default account ("core") I've created user "user1" as a member of group docker:
sudo useradd -p "*" -U -m user1 -G docker
I added a "readonly" policy for "user1" in /var/lib/authz-broker/policy.json:
{"name":"policy_1","users":["user1"],"actions":["container"],"readonly":true}
and launched the broker container:
docker run -d --restart=always -v /var/lib/authz-broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
After I ssh into the CoreOS system as "user1" I can do pretty much anything with docker, like pulling and removing docker images.

Apply group policy

Hello,

In the blog post (https://www.twistlock.com/2016/02/18/docker-authz-plugins-twistlocks-contribution-to-the-docker-community/), there was a sample using RBAC authorization.

The "ContainerOps" group can perform "docker run" and "docker rm":
{"name":"policy_1","users":["ContainerOps"],"actions":["container_run", "container_rm"]}
The audit team can only perform "docker list", but nothing else:
{"name":"policy_2","users":["AuditGroup"],"actions":["container"], "readonly":true}
Alice can run all Docker commands: {"name":"policy_3","users":["alice"],"actions":["*"]}
  • Is it possible to extend the current project to do so ?

Thanks :)

install.sh doesn't work

It looks like the install.sh script should copy the twistlock_authz_broker directory into /usr/bin/ but for some reason that directory doesn't exist in the repo:

[root@docker04 authz]# pwd
/var/tmp/authz
[root@docker04 authz]# ls -l
total 32
drwxr-xr-x 2 root root    72 Jul 11 07:21 authz
drwxr-xr-x 2 root root    20 Jul 11 07:21 broker
drwxr-xr-x 2 root root   119 Jul 11 07:21 core
-rwxr-xr-x 1 root root   409 Jul 11 07:21 Dockerfile
drwxr-xr-x 3 root root    54 Jul 11 07:21 Godeps
-rwxr-xr-x 1 root root   389 Jul 11 07:21 install.sh
-rwxr-xr-x 1 root root 11358 Jul 11 07:21 LICENSE
-rwxr-xr-x 1 root root   607 Jul 11 07:21 Makefile
-rwxr-xr-x 1 root root  7489 Jul 11 07:21 README.md
[root@docker04 authz]# cat install.sh
#
#!/usr/bin/env bash

name=twistlock_authz_broker
cp ./twistlock_authz_broker /usr/bin/

cat <<SERVICE > "/lib/systemd/system/twistlock-authz.service"
[Unit]
Description=Twistlock docker authorization plugin
After=syslog.target
[Service]
Type=simple
ExecStart=/usr/bin/authz-broker
[Install]
WantedBy=multi-user.target
SERVICE

# sudo systemctl enable my-app
# sudo systemctl start my-app
[root@docker04 authz]# ./install.sh
cp: cannot stat ‘./twistlock_authz_broker’: No such file or directory
[root@docker04 authz]#

Connecting back to the docker host

When I receive a request to ask if a container can be started I would like to go back to the docker host and get the sha256 of the image that's being started. However, I am getting errors indicating the plugin cannot talk to /var/run/docker.sock.

I have the following code just trying to list the containers at present

package main

import (
	"context"
	"fmt"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/client"
)

// getContainers lists running containers through the Docker API client.
// client.FromEnv reads DOCKER_HOST etc.; with no DOCKER_HOST set it falls
// back to the local unix socket /var/run/docker.sock.
func getContainers() {
	fmt.Printf("***** Container List\n")
	cli, err := client.NewClientWithOpts(client.FromEnv)
	if err != nil {
		panic(err)
	}

	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
	if err != nil {
		panic(err)
	}

	for _, container := range containers {
		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
	}
}

func main() {
	getContainers()
}

When running my container before creating the plugin I can achieve the desired behaviour by running the container as follows

docker run -v /var/run/docker.sock:/var/run/docker.sock ${TEMPLATE}:${VERSION}

I believe there is some config somewhere in the config.json to achieve the same thing but I cannot seem to do it I have tried

    "PropagatedMount": "/var/run/docker.sock",
    "Mounts": [
      {
          "Type": "bind",
          "Source": "/var/run/docker.sock",
          "Destination": "/var/run/docker.sock",
          "Mode": "",
          "RW": true,
          "Propagation": "rprivate"
      }
  ]

Any thoughts?

corporate LDAP integration?

I am new to this, so my question might be stupid. :-)

Nevertheless - is this plugin the right place to integrate with corporate LDAP groups to layout who can create/run containers, down to specific stacks?

Build failure: logrus: use of vendored package not allowed (go 1.6)

Here is what I did:

$ cd authz
$ go get -u
$ cd ..
$ make
golint authz/basic.go || exit; golint authz/basic_test.go || exit; golint authz/doc.go || exit; golint broker/main.go || exit; golint core/doc.go || exit; golint core/interfaces.go || exit; golint core/route_parser.go || exit; golint core/route_parser_test.go || exit; golint core/server.go || exit; golint core/types.go || exit;
gofmt -w authz/basic.go authz/basic_test.go authz/doc.go broker/main.go core/doc.go core/interfaces.go core/route_parser.go core/route_parser_test.go core/server.go core/types.go
go vet ./core/.; go vet ./broker/.; go vet ./authz/.;
CGO_ENABLED=0 go build  -o authz-broker -a -installsuffix cgo ./broker/main.go
package main
    imports github.com/docker/docker/vendor/src/github.com/Sirupsen/logrus: use of vendored package not allowed
Makefile:26: recipe for target 'binary' failed
make: *** [binary] Error 1

My go version is 1.6:

$ go version
go version go1.6 linux/amd64

Examples!

It would be interesting to write more examples about policies.

I want to create a policy that allows all users to:

  1. pull and run any images but without volume options, name, etc.
  2. stop and rm images created by the users

can't compile the project

Hi,
Here is my environment:

Go 1.8.1
My GOPATH is ~/go and I clone the project in ~/go/src/twistlock-authz

$ make all
vendor/gopkg.in/yaml.v2/decode_test.go:248: struct field tag a not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:448: struct field tag - not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:694: struct field tag _ not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/decode_test.go:698: struct field tag _ not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:147: struct field tag a not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:158: struct field tag a,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:159: struct field tag b,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:164: struct field tag a,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:165: struct field tag b,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:170: struct field tag a,omitempty,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:175: struct field tag a,omitempty,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:180: struct field tag a,omitempty,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:185: struct field tag a,omitempty,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:190: struct field tag a,omitempty,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:195: struct field tag a,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:196: struct field tag b,omitempty not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:204: struct field tag a,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:209: struct field tag a,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:214: struct field tag a,flow not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:234: struct field tag - not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:344: struct field tag ,inline not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:350: struct field tag ,inline not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
vendor/gopkg.in/yaml.v2/encode_test.go:406: struct field tag _ not compatible with reflect.StructTag.Get: bad syntax for struct tag pair

Version Dependencies

Creating the following policy allows all users to run all commands: {"name":"policy_1","users":[""],"actions":[""]} which is what was expected. However, running the following policy blocks all users from running any commands (even the root user): {"name":"policy_1","users":["root"],"actions":[""]}. I am running an older docker version (intentionally) which may be the reason the second policy fails. Are there any authz-broker docker version dependencies which would prevent this policy from working?

Waiting for hijack to finish

When running the docker container: Error connecting to docker daemon (does docker ps work?)
DEBU[0002] [hijack] End of stdout
DEBU[0003] End of CmdRun(), Waiting for hijack to finish.

Update this to use a golang vendor directory and use the docker plugin helper package

Hi,
I do not see much merging of PRs so just want to check to see if this is likely to be merged, I would like to use this plugin for some CI systems.

I would like to make the following updates

Will need to this anyway, just want to get an indication if a PR would be accepted, I don't plan to change how the plugin works, as looks perfect for my needs, so those changes would be minimal

Thanks
Pat

Anyone successfully using this plugin ???

I don't see any work is being done on this plugin and if it is being supported. Anyone successfully used this plugin yet??
issue - I have docker version 18.06.1-ce. I followed all the 3 steps mentioned for "Running inside container". Downloaded and ran image successfully however policy.json under /var/lib/authz-broker/ is getting created as directory and not file. Same thing with /var/log/authz.log file. authz.log is getting created as directory. The major problem, when I applied --authorization-plugin=authz-broker flag, the daemon is unable to start because authz-broker doesn't exist in /var/run/docker/plugins.

Docker daemon output
INFO[2018-10-18T08:00:57.112840870-04:00] Docker daemon commit=e68fc7a graphdriver(s)=overlay2 version=18.06.1-ce
WARN[2018-10-18T08:00:57.113232274-04:00] Unable to locate plugin: authz-broker, retrying in 1s
WARN[2018-10-18T08:00:58.114458823-04:00] Unable to locate plugin: authz-broker, retrying in 2s
WARN[2018-10-18T08:01:0.115289904-04:00] Unable to locate plugin: authz-broker, retrying in 4s
WARN[2018-10-18T08:01:04.116593397-04:00] Unable to locate plugin: authz-broker, retrying in 8s
Error validating authorization plugin: plugin "authz-broker" not found

Are the instructions accurate? Why are files getting created as directories? Am I missing something?

run twistlock

Hi,

could you tell me how i can compile the project please ?
i am working on raspberry pi (raspian OS).

because I have installed go1.10 and docker and godep and cloned the project but I got an error message when I run godep restore.

best,
Ibrahim

different users

I would like to create different users as roles in RBAC. For example, user1 can access container1 while user2 in docker groups like Bob cannot access container1.

As far as I know, the Docker daemon only sees network requests sent from sockets, with no username on the request.

Therefore, does Twistlock provide that technique or not?

Many thanks
Ibrahim

Documentation

I'd like to see some documentation for this.

I'm curious where do I set things like this:

{"name":"policy_1","users":["alice"],"actions":["*"]}

Also, here's my Docker daemon ExecStart:

ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store consul://0.0.0.0:8500 --label node=server1 --exec-opt native.cgroupdriver=cgroupfs

Override response from daemon

Do you have any example code on how to filter the response from the daemon to the client ? For example docker ps should not show the same content for all the users.

Authz client-server deployment

Hi Team,

Many thanks for this nice plugin !
However, would be nice to have capabilities to run it in a client-server mode (like openpolicyagent does).
Indeed, in a Swarm cluster it makes sense not to have to redeploy the policies on each host and have them on a "central" policy server.
I didn't see any documentation regarding such a kind of deployment.
Is it possible or is it a new feature to be developed (and if so is it in your roadmap) ?

Thank you in advance for your feedback

Regards,

Gilles

build instructions in README out of date - Missing godeps?

Hi there.

It looks like the README's build instructions are out of date. The instructions to use godep are now redundant as of ac5bea8.

I'm a complete go noob, but I managed to get the project to build once I moved my git clone to $HOME/go/src/twistlock-authz - only then did it pick up the vendor directory. Is this something that all golangers know?

run the authorization plugin

Hi,

what are the differences between running the authorization plugin directly on the host or inside a container?

Many thanks.

Ibrahim

Publishing on Docker hub

Are there any plans to push the image on Docker hub? The only image listed on the hub is not pullable (i.e. empty)
