mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Rename authz to authorization for greater clarity

Signed-off-by: Tibor Vass <tibor@docker.com>
Tibor Vass 2016-01-12 19:38:18 -05:00
parent 1e1a3c9508
commit 5c630ea7c3
11 changed files with 58 additions and 55 deletions


@ -169,8 +169,8 @@ func (s *Server) handleWithGlobalMiddlewares(handler httputils.APIFunc) httputil
middlewares = append(middlewares, debugRequestMiddleware) middlewares = append(middlewares, debugRequestMiddleware)
} }
if len(s.cfg.AuthZPluginNames) > 0 { if len(s.cfg.AuthorizationPluginNames) > 0 {
s.authZPlugins = authorization.NewPlugins(s.cfg.AuthZPluginNames) s.authZPlugins = authorization.NewPlugins(s.cfg.AuthorizationPluginNames)
middlewares = append(middlewares, s.authorizationMiddleware) middlewares = append(middlewares, s.authorizationMiddleware)
} }
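Review bot: The field `s.authZPlugins` keeps the abbreviation while the config field it is filled from becomes `AuthorizationPluginNames`, so the assignment line now mixes both spellings. Renaming it, for example to `s.authorizationPlugins`, would finish the rename in this file. Test identifiers such as `testAuthZPlugin` in the integration test section have the same leftover. `handleWithGlobalMiddlewares` starts and ends outside the hunk, so other uses of the field are not visible here.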


@ -30,14 +30,14 @@ const versionMatcher = "/v{version:[0-9.]+}"
// Config provides the configuration for the API server // Config provides the configuration for the API server
type Config struct { type Config struct {
Logging bool Logging bool
EnableCors bool EnableCors bool
CorsHeaders string CorsHeaders string
AuthZPluginNames []string AuthorizationPluginNames []string
Version string Version string
SocketGroup string SocketGroup string
TLSConfig *tls.Config TLSConfig *tls.Config
Addrs []Addr Addrs []Addr
} }
// Server contains instance details for the server // Server contains instance details for the server


@ -685,7 +685,7 @@ _docker_daemon() {
local options_with_args=" local options_with_args="
$global_options_with_args $global_options_with_args
--api-cors-header --api-cors-header
--authz-plugin --authorization-plugin
--bip --bip
--bridge -b --bridge -b
--cgroup-parent --cgroup-parent
@ -717,7 +717,7 @@ _docker_daemon() {
" "
case "$prev" in case "$prev" in
--authz-plugin) --authorization-plugin)
__docker_complete_plugins Authorization __docker_complete_plugins Authorization
return return
;; ;;


@ -590,7 +590,7 @@ __docker_subcommand() {
_arguments $(__docker_arguments) \ _arguments $(__docker_arguments) \
$opts_help \ $opts_help \
"($help)--api-cors-header=[Set CORS headers in the remote API]:CORS headers: " \ "($help)--api-cors-header=[Set CORS headers in the remote API]:CORS headers: " \
"($help)*--authz-plugin=[Set authorization plugins to load]" \ "($help)*--authorization-plugin=[Set authorization plugins to load]" \
"($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \ "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \
"($help)--bip=[Specify network bridge IP]" \ "($help)--bip=[Specify network bridge IP]" \
"($help)--cgroup-parent=[Set parent cgroup for all containers]:cgroup: " \ "($help)--cgroup-parent=[Set parent cgroup for all containers]:cgroup: " \


@ -14,25 +14,25 @@ const (
// CommonConfig defines the configuration of a docker daemon which are // CommonConfig defines the configuration of a docker daemon which are
// common across platforms. // common across platforms.
type CommonConfig struct { type CommonConfig struct {
AuthZPlugins []string // AuthZPlugins holds list of authorization plugins AuthorizationPlugins []string // AuthorizationPlugins holds list of authorization plugins
AutoRestart bool AutoRestart bool
Bridge bridgeConfig // Bridge holds bridge network specific configuration. Bridge bridgeConfig // Bridge holds bridge network specific configuration.
Context map[string][]string Context map[string][]string
DisableBridge bool DisableBridge bool
DNS []string DNS []string
DNSOptions []string DNSOptions []string
DNSSearch []string DNSSearch []string
ExecOptions []string ExecOptions []string
ExecRoot string ExecRoot string
GraphDriver string GraphDriver string
GraphOptions []string GraphOptions []string
Labels []string Labels []string
LogConfig container.LogConfig LogConfig container.LogConfig
Mtu int Mtu int
Pidfile string Pidfile string
RemappedRoot string RemappedRoot string
Root string Root string
TrustKeyPath string TrustKeyPath string
// ClusterStore is the storage backend used for the cluster information. It is used by both // ClusterStore is the storage backend used for the cluster information. It is used by both
// multihost networking (to store networks and endpoints information) and by the node discovery // multihost networking (to store networks and endpoints information) and by the node discovery
@ -55,7 +55,7 @@ type CommonConfig struct {
// from the command-line. // from the command-line.
func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) { func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) {
cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options")) cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options"))
cmd.Var(opts.NewListOptsRef(&config.AuthZPlugins, nil), []string{"-authz-plugin"}, usageFn("List authorization plugins in order from first evaluator to last")) cmd.Var(opts.NewListOptsRef(&config.AuthorizationPlugins, nil), []string{"-authorization-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))
cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options")) cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options"))
cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file")) cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file"))
cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime")) cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime"))
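Review bot: The `cmd.Var` line in `InstallCommonFlags` registers only `-authorization-plugin`, so the old `--authz-plugin` spelling is dropped with no alias. If the old flag ever shipped in a release, a daemon started from an existing unit file or script would presumably refuse to start on the unknown flag. That is the safe failure, but it is worth confirming that no startup path tolerates the unknown flag and brings the API up without its authorization plugins. If compatibility is wanted, the name list could keep the old spelling as a deprecated alias, e.g. `[]string{"#-authz-plugin", "-authorization-plugin"}`, assuming the flag package's `#` deprecation prefix applies here. The function body continues outside the hunk.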


@ -142,7 +142,7 @@ func (daemon *Daemon) showPluginsInfo() types.PluginsInfo {
pluginsInfo.Network = append(pluginsInfo.Network, nd) pluginsInfo.Network = append(pluginsInfo.Network, nd)
} }
pluginsInfo.Authorization = daemon.configStore.AuthZPlugins pluginsInfo.Authorization = daemon.configStore.AuthorizationPlugins
return pluginsInfo return pluginsInfo
} }


@ -177,9 +177,9 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
} }
serverConfig := &apiserver.Config{ serverConfig := &apiserver.Config{
AuthZPluginNames: cli.Config.AuthZPlugins, AuthorizationPluginNames: cli.Config.AuthorizationPlugins,
Logging: true, Logging: true,
Version: dockerversion.Version, Version: dockerversion.Version,
} }
serverConfig = setPlatformServerConfig(serverConfig, cli.Config) serverConfig = setPlatformServerConfig(serverConfig, cli.Config)


@ -12,7 +12,7 @@ weight = -1
# Create an authorization plugin # Create an authorization plugin
Dockers out-of-the-box authorization model is all or nothing. Any user with Docker's out-of-the-box authorization model is all or nothing. Any user with
permission to access the Docker daemon can run any Docker client command. The permission to access the Docker daemon can run any Docker client command. The
same is true for callers using Docker's remote API to contact the daemon. If you same is true for callers using Docker's remote API to contact the daemon. If you
require greater access control, you can create authorization plugins and add require greater access control, you can create authorization plugins and add
@ -45,6 +45,9 @@ Authorization plugins must follow the rules described in [Docker Plugin API](plu
Each plugin must reside within directories described under the Each plugin must reside within directories described under the
[Plugin discovery](plugin_api.md#plugin-discovery) section. [Plugin discovery](plugin_api.md#plugin-discovery) section.
**Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication
respectively.
## Basic architecture ## Basic architecture
You are responsible for registering your plugin as part of the Docker daemon You are responsible for registering your plugin as part of the Docker daemon
@ -93,14 +96,14 @@ support the Docker client interactions detailed in this section.
### Setting up Docker daemon ### Setting up Docker daemon
Enable the authorization plugin with a dedicated command line flag in the Enable the authorization plugin with a dedicated command line flag in the
`--authz-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` value. `--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`
This value can be the plugins socket or a path to a specification file. value. This value can be the plugins socket or a path to a specification file.
```bash ```bash
$ docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,... $ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
``` ```
Docker's authorization subsystem supports multiple `--authz-plugin` parameters. Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.
### Calling authorized command (allow) ### Calling authorized command (allow)


@ -17,7 +17,7 @@ weight = -1
Options: Options:
--api-cors-header="" Set CORS headers in the remote API --api-cors-header="" Set CORS headers in the remote API
--authz-plugin=[] Set authorization plugins to load --authorization-plugin=[] Set authorization plugins to load
-b, --bridge="" Attach containers to a network bridge -b, --bridge="" Attach containers to a network bridge
--bip="" Specify network bridge IP --bip="" Specify network bridge IP
--cgroup-parent= Set parent cgroup for all containers --cgroup-parent= Set parent cgroup for all containers
@ -613,10 +613,10 @@ The currently supported cluster store options are:
Docker's access authorization can be extended by authorization plugins that your Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the authorization plugins when you start the Docker `daemon` using the
`--authz-plugin=PLUGIN_ID` option. `--authorization-plugin=PLUGIN_ID` option.
```bash ```bash
docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,... docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
``` ```
The `PLUGIN_ID` value is either the plugin's name or a path to its specification The `PLUGIN_ID` value is either the plugin's name or a path to its specification


@ -168,7 +168,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
c.Assert(s.d.StartWithBusybox(), check.IsNil) c.Assert(s.d.StartWithBusybox(), check.IsNil)
// restart the daemon and enable the plugin, otherwise busybox loading // restart the daemon and enable the plugin, otherwise busybox loading
// is blocked by the plugin itself // is blocked by the plugin itself
c.Assert(s.d.Restart("--authz-plugin="+testAuthZPlugin), check.IsNil) c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)
s.ctrl.reqRes.Allow = true s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Allow = true s.ctrl.resRes.Allow = true
@ -189,7 +189,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
} }
func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
err := s.d.Start("--authz-plugin=" + testAuthZPlugin) err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = false s.ctrl.reqRes.Allow = false
s.ctrl.reqRes.Msg = unauthorizedMessage s.ctrl.reqRes.Msg = unauthorizedMessage
@ -205,7 +205,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
} }
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
err := s.d.Start("--authz-plugin=" + testAuthZPlugin) err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = true s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Allow = false s.ctrl.resRes.Allow = false
@ -222,7 +222,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
} }
func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
err := s.d.Start("--authz-plugin=" + testAuthZPlugin) err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = true s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Err = errorMessage s.ctrl.resRes.Err = errorMessage
@ -235,7 +235,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
} }
func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
err := s.d.Start("--authz-plugin=" + testAuthZPlugin) err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
s.ctrl.reqRes.Err = errorMessage s.ctrl.reqRes.Err = errorMessage
@ -247,7 +247,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
} }
func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) {
c.Assert(s.d.Start("--authz-plugin="+testAuthZPlugin, "--authz-plugin="+testAuthZPlugin), check.IsNil) c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin), check.IsNil)
s.ctrl.reqRes.Allow = true s.ctrl.reqRes.Allow = true
s.ctrl.resRes.Allow = true s.ctrl.resRes.Allow = true


@ -7,7 +7,7 @@ docker-daemon - Enable daemon mode
# SYNOPSIS # SYNOPSIS
**docker daemon** **docker daemon**
[**--api-cors-header**=[=*API-CORS-HEADER*]] [**--api-cors-header**=[=*API-CORS-HEADER*]]
[**--authz-plugin**[=*[]*]] [**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]] [**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]] [**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]] [**--cgroup-parent**[=*[]*]]
@ -73,7 +73,7 @@ format.
**--api-cors-header**="" **--api-cors-header**=""
Set CORS headers in the remote API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all. Set CORS headers in the remote API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all.
**--authz-plugin**="" **--authorization-plugin**=""
Set authorization plugins to load Set authorization plugins to load
**-b**, **--bridge**="" **-b**, **--bridge**=""
@ -473,10 +473,10 @@ Key/Value store.
Docker's access authorization can be extended by authorization plugins that your Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the authorization plugins when you start the Docker `daemon` using the
`--authz-plugin=PLUGIN_ID` option. `--authorization-plugin=PLUGIN_ID` option.
```bash ```bash
docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,... docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
``` ```
The `PLUGIN_ID` value is either the plugin's name or a path to its specification The `PLUGIN_ID` value is either the plugin's name or a path to its specification