Rename authz to authorization for greater clarity
Signed-off-by: Tibor Vass <tibor@docker.com>
This commit is contained in:
parent
1e1a3c9508
commit
5c630ea7c3
11 changed files with 58 additions and 55 deletions
|
@ -169,8 +169,8 @@ func (s *Server) handleWithGlobalMiddlewares(handler httputils.APIFunc) httputil
|
|||
middlewares = append(middlewares, debugRequestMiddleware)
|
||||
}
|
||||
|
||||
if len(s.cfg.AuthZPluginNames) > 0 {
|
||||
s.authZPlugins = authorization.NewPlugins(s.cfg.AuthZPluginNames)
|
||||
if len(s.cfg.AuthorizationPluginNames) > 0 {
|
||||
s.authZPlugins = authorization.NewPlugins(s.cfg.AuthorizationPluginNames)
|
||||
middlewares = append(middlewares, s.authorizationMiddleware)
|
||||
}
|
||||
|
||||
|
|
|
@ -30,14 +30,14 @@ const versionMatcher = "/v{version:[0-9.]+}"
|
|||
|
||||
// Config provides the configuration for the API server
|
||||
type Config struct {
|
||||
Logging bool
|
||||
EnableCors bool
|
||||
CorsHeaders string
|
||||
AuthZPluginNames []string
|
||||
Version string
|
||||
SocketGroup string
|
||||
TLSConfig *tls.Config
|
||||
Addrs []Addr
|
||||
Logging bool
|
||||
EnableCors bool
|
||||
CorsHeaders string
|
||||
AuthorizationPluginNames []string
|
||||
Version string
|
||||
SocketGroup string
|
||||
TLSConfig *tls.Config
|
||||
Addrs []Addr
|
||||
}
|
||||
|
||||
// Server contains instance details for the server
|
||||
|
|
|
@ -685,7 +685,7 @@ _docker_daemon() {
|
|||
local options_with_args="
|
||||
$global_options_with_args
|
||||
--api-cors-header
|
||||
--authz-plugin
|
||||
--authorization-plugin
|
||||
--bip
|
||||
--bridge -b
|
||||
--cgroup-parent
|
||||
|
@ -717,7 +717,7 @@ _docker_daemon() {
|
|||
"
|
||||
|
||||
case "$prev" in
|
||||
--authz-plugin)
|
||||
--authorization-plugin)
|
||||
__docker_complete_plugins Authorization
|
||||
return
|
||||
;;
|
||||
|
|
|
@ -590,7 +590,7 @@ __docker_subcommand() {
|
|||
_arguments $(__docker_arguments) \
|
||||
$opts_help \
|
||||
"($help)--api-cors-header=[Set CORS headers in the remote API]:CORS headers: " \
|
||||
"($help)*--authz-plugin=[Set authorization plugins to load]" \
|
||||
"($help)*--authorization-plugin=[Set authorization plugins to load]" \
|
||||
"($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \
|
||||
"($help)--bip=[Specify network bridge IP]" \
|
||||
"($help)--cgroup-parent=[Set parent cgroup for all containers]:cgroup: " \
|
||||
|
|
|
@ -14,25 +14,25 @@ const (
|
|||
// CommonConfig defines the configuration of a docker daemon which are
|
||||
// common across platforms.
|
||||
type CommonConfig struct {
|
||||
AuthZPlugins []string // AuthZPlugins holds list of authorization plugins
|
||||
AutoRestart bool
|
||||
Bridge bridgeConfig // Bridge holds bridge network specific configuration.
|
||||
Context map[string][]string
|
||||
DisableBridge bool
|
||||
DNS []string
|
||||
DNSOptions []string
|
||||
DNSSearch []string
|
||||
ExecOptions []string
|
||||
ExecRoot string
|
||||
GraphDriver string
|
||||
GraphOptions []string
|
||||
Labels []string
|
||||
LogConfig container.LogConfig
|
||||
Mtu int
|
||||
Pidfile string
|
||||
RemappedRoot string
|
||||
Root string
|
||||
TrustKeyPath string
|
||||
AuthorizationPlugins []string // AuthorizationPlugins holds list of authorization plugins
|
||||
AutoRestart bool
|
||||
Bridge bridgeConfig // Bridge holds bridge network specific configuration.
|
||||
Context map[string][]string
|
||||
DisableBridge bool
|
||||
DNS []string
|
||||
DNSOptions []string
|
||||
DNSSearch []string
|
||||
ExecOptions []string
|
||||
ExecRoot string
|
||||
GraphDriver string
|
||||
GraphOptions []string
|
||||
Labels []string
|
||||
LogConfig container.LogConfig
|
||||
Mtu int
|
||||
Pidfile string
|
||||
RemappedRoot string
|
||||
Root string
|
||||
TrustKeyPath string
|
||||
|
||||
// ClusterStore is the storage backend used for the cluster information. It is used by both
|
||||
// multihost networking (to store networks and endpoints information) and by the node discovery
|
||||
|
@ -55,7 +55,7 @@ type CommonConfig struct {
|
|||
// from the command-line.
|
||||
func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) {
|
||||
cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options"))
|
||||
cmd.Var(opts.NewListOptsRef(&config.AuthZPlugins, nil), []string{"-authz-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))
|
||||
cmd.Var(opts.NewListOptsRef(&config.AuthorizationPlugins, nil), []string{"-authorization-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))
|
||||
cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options"))
|
||||
cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file"))
|
||||
cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime"))
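Review bot: The `cmd.Var(opts.NewListOptsRef(&config.AuthorizationPlugins, nil), []string{"-authorization-plugin"}, ...)` line drops `-authz-plugin` without keeping it as an alias, so a unit file or wrapper script that still passes `--authz-plugin` will presumably stop the daemon at flag parsing. Failing closed is the right outcome for an authorization control (a silently ignored flag and a daemon running with no authorization plugins would be far worse), but it should be a deliberate choice: if the deprecated-name convention of the flag package is wanted here, `[]string{"#-authz-plugin", "-authorization-plugin"}` would keep the old spelling accepted with a warning for a transition release. Either way the removal of the old flag name deserves an entry in the deprecation or changelog notes, which this commit does not touch. InstallCommonFlags continues outside the hunk.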
|
||||
|
|
|
@ -142,7 +142,7 @@ func (daemon *Daemon) showPluginsInfo() types.PluginsInfo {
|
|||
pluginsInfo.Network = append(pluginsInfo.Network, nd)
|
||||
}
|
||||
|
||||
pluginsInfo.Authorization = daemon.configStore.AuthZPlugins
|
||||
pluginsInfo.Authorization = daemon.configStore.AuthorizationPlugins
|
||||
|
||||
return pluginsInfo
|
||||
}
|
||||
|
|
|
@ -177,9 +177,9 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
|
|||
}
|
||||
|
||||
serverConfig := &apiserver.Config{
|
||||
AuthZPluginNames: cli.Config.AuthZPlugins,
|
||||
Logging: true,
|
||||
Version: dockerversion.Version,
|
||||
AuthorizationPluginNames: cli.Config.AuthorizationPlugins,
|
||||
Logging: true,
|
||||
Version: dockerversion.Version,
|
||||
}
|
||||
serverConfig = setPlatformServerConfig(serverConfig, cli.Config)
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ weight = -1
|
|||
|
||||
# Create an authorization plugin
|
||||
|
||||
Docker’s out-of-the-box authorization model is all or nothing. Any user with
|
||||
Docker's out-of-the-box authorization model is all or nothing. Any user with
|
||||
permission to access the Docker daemon can run any Docker client command. The
|
||||
same is true for callers using Docker's remote API to contact the daemon. If you
|
||||
require greater access control, you can create authorization plugins and add
|
||||
|
@ -45,6 +45,9 @@ Authorization plugins must follow the rules described in [Docker Plugin API](plu
|
|||
Each plugin must reside within directories described under the
|
||||
[Plugin discovery](plugin_api.md#plugin-discovery) section.
|
||||
|
||||
**Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication
|
||||
respectively.
|
||||
|
||||
## Basic architecture
|
||||
|
||||
You are responsible for registering your plugin as part of the Docker daemon
|
||||
|
@ -93,14 +96,14 @@ support the Docker client interactions detailed in this section.
|
|||
### Setting up Docker daemon
|
||||
|
||||
Enable the authorization plugin with a dedicated command line flag in the
|
||||
`--authz-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` value.
|
||||
This value can be the plugin’s socket or a path to a specification file.
|
||||
`--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`
|
||||
value. This value can be the plugin’s socket or a path to a specification file.
|
||||
|
||||
```bash
|
||||
$ docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
|
||||
$ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
|
||||
```
|
||||
|
||||
Docker's authorization subsystem supports multiple `--authz-plugin` parameters.
|
||||
Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.
|
||||
|
||||
### Calling authorized command (allow)
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ weight = -1
|
|||
|
||||
Options:
|
||||
--api-cors-header="" Set CORS headers in the remote API
|
||||
--authz-plugin=[] Set authorization plugins to load
|
||||
--authorization-plugin=[] Set authorization plugins to load
|
||||
-b, --bridge="" Attach containers to a network bridge
|
||||
--bip="" Specify network bridge IP
|
||||
--cgroup-parent= Set parent cgroup for all containers
|
||||
|
@ -613,10 +613,10 @@ The currently supported cluster store options are:
|
|||
Docker's access authorization can be extended by authorization plugins that your
|
||||
organization can purchase or build themselves. You can install one or more
|
||||
authorization plugins when you start the Docker `daemon` using the
|
||||
`--authz-plugin=PLUGIN_ID` option.
|
||||
`--authorization-plugin=PLUGIN_ID` option.
|
||||
|
||||
```bash
|
||||
docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
|
||||
docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
|
||||
```
|
||||
|
||||
The `PLUGIN_ID` value is either the plugin's name or a path to its specification
|
||||
|
|
|
@ -168,7 +168,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
|
|||
c.Assert(s.d.StartWithBusybox(), check.IsNil)
|
||||
// restart the daemon and enable the plugin, otherwise busybox loading
|
||||
// is blocked by the plugin itself
|
||||
c.Assert(s.d.Restart("--authz-plugin="+testAuthZPlugin), check.IsNil)
|
||||
c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)
|
||||
|
||||
s.ctrl.reqRes.Allow = true
|
||||
s.ctrl.resRes.Allow = true
|
||||
|
@ -189,7 +189,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
|
|||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
|
||||
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
s.ctrl.reqRes.Allow = false
|
||||
s.ctrl.reqRes.Msg = unauthorizedMessage
|
||||
|
@ -205,7 +205,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
|
|||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
|
||||
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
s.ctrl.reqRes.Allow = true
|
||||
s.ctrl.resRes.Allow = false
|
||||
|
@ -222,7 +222,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
|
|||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
|
||||
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
s.ctrl.reqRes.Allow = true
|
||||
s.ctrl.resRes.Err = errorMessage
|
||||
|
@ -235,7 +235,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
|
|||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
|
||||
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
s.ctrl.reqRes.Err = errorMessage
|
||||
|
||||
|
@ -247,7 +247,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
|
|||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) {
|
||||
c.Assert(s.d.Start("--authz-plugin="+testAuthZPlugin, "--authz-plugin="+testAuthZPlugin), check.IsNil)
|
||||
c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin), check.IsNil)
|
||||
|
||||
s.ctrl.reqRes.Allow = true
|
||||
s.ctrl.resRes.Allow = true
|
||||
|
|
|
@ -7,7 +7,7 @@ docker-daemon - Enable daemon mode
|
|||
# SYNOPSIS
|
||||
**docker daemon**
|
||||
[**--api-cors-header**=[=*API-CORS-HEADER*]]
|
||||
[**--authz-plugin**[=*[]*]]
|
||||
[**--authorization-plugin**[=*[]*]]
|
||||
[**-b**|**--bridge**[=*BRIDGE*]]
|
||||
[**--bip**[=*BIP*]]
|
||||
[**--cgroup-parent**[=*[]*]]
|
||||
|
@ -73,7 +73,7 @@ format.
|
|||
**--api-cors-header**=""
|
||||
Set CORS headers in the remote API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all.
|
||||
|
||||
**--authz-plugin**=""
|
||||
**--authorization-plugin**=""
|
||||
Set authorization plugins to load
|
||||
|
||||
**-b**, **--bridge**=""
|
||||
|
@ -473,10 +473,10 @@ Key/Value store.
|
|||
Docker's access authorization can be extended by authorization plugins that your
|
||||
organization can purchase or build themselves. You can install one or more
|
||||
authorization plugins when you start the Docker `daemon` using the
|
||||
`--authz-plugin=PLUGIN_ID` option.
|
||||
`--authorization-plugin=PLUGIN_ID` option.
|
||||
|
||||
```bash
|
||||
docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
|
||||
docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
|
||||
```
|
||||
|
||||
The `PLUGIN_ID` value is either the plugin's name or a path to its specification
|
||||
|
|