diff --git a/api/server/middleware.go b/api/server/middleware.go
index 77a4e55d85..79f8666460 100644
--- a/api/server/middleware.go
+++ b/api/server/middleware.go
@@ -169,8 +169,8 @@ func (s *Server) handleWithGlobalMiddlewares(handler httputils.APIFunc) httputil
 		middlewares = append(middlewares, debugRequestMiddleware)
 	}
 
-	if len(s.cfg.AuthZPluginNames) > 0 {
-		s.authZPlugins = authorization.NewPlugins(s.cfg.AuthZPluginNames)
+	if len(s.cfg.AuthorizationPluginNames) > 0 {
+		s.authZPlugins = authorization.NewPlugins(s.cfg.AuthorizationPluginNames)
 		middlewares = append(middlewares, s.authorizationMiddleware)
 	}
 
diff --git a/api/server/server.go b/api/server/server.go
index 8b3c41a9ae..03200c414f 100644
--- a/api/server/server.go
+++ b/api/server/server.go
@@ -30,14 +30,14 @@ const versionMatcher = "/v{version:[0-9.]+}"
 
 // Config provides the configuration for the API server
 type Config struct {
-	Logging          bool
-	EnableCors       bool
-	CorsHeaders      string
-	AuthZPluginNames []string
-	Version          string
-	SocketGroup      string
-	TLSConfig        *tls.Config
-	Addrs            []Addr
+	Logging                  bool
+	EnableCors               bool
+	CorsHeaders              string
+	AuthorizationPluginNames []string
+	Version                  string
+	SocketGroup              string
+	TLSConfig                *tls.Config
+	Addrs                    []Addr
 }
 
 // Server contains instance details for the server
diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index c119b5eb93..53c58a9cf7 100644
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -685,7 +685,7 @@ _docker_daemon() {
 	local options_with_args="
 		$global_options_with_args
 		--api-cors-header
-		--authz-plugin
+		--authorization-plugin
 		--bip
 		--bridge -b
 		--cgroup-parent
@@ -717,7 +717,7 @@ _docker_daemon() {
 	"
 
 	case "$prev" in
-		--authz-plugin)
+		--authorization-plugin)
 			__docker_complete_plugins Authorization
 			return
 			;;
diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker
index fff050c2df..df344a069f 100644
--- a/contrib/completion/zsh/_docker
+++ b/contrib/completion/zsh/_docker
@@ -590,7 +590,7 @@ __docker_subcommand() {
             _arguments $(__docker_arguments) \
                 $opts_help \
                 "($help)--api-cors-header=[Set CORS headers in the remote API]:CORS headers: " \
-                "($help)*--authz-plugin=[Set authorization plugins to load]" \
+                "($help)*--authorization-plugin=[Set authorization plugins to load]" \
                 "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \
                 "($help)--bip=[Specify network bridge IP]" \
                 "($help)--cgroup-parent=[Set parent cgroup for all containers]:cgroup: " \
diff --git a/daemon/config.go b/daemon/config.go
index 8e46713bc9..8356df846f 100644
--- a/daemon/config.go
+++ b/daemon/config.go
@@ -14,25 +14,25 @@ const (
 // CommonConfig defines the configuration of a docker daemon which are
 // common across platforms.
 type CommonConfig struct {
-	AuthZPlugins  []string // AuthZPlugins holds list of authorization plugins
-	AutoRestart   bool
-	Bridge        bridgeConfig // Bridge holds bridge network specific configuration.
-	Context       map[string][]string
-	DisableBridge bool
-	DNS           []string
-	DNSOptions    []string
-	DNSSearch     []string
-	ExecOptions   []string
-	ExecRoot      string
-	GraphDriver   string
-	GraphOptions  []string
-	Labels        []string
-	LogConfig     container.LogConfig
-	Mtu           int
-	Pidfile       string
-	RemappedRoot  string
-	Root          string
-	TrustKeyPath  string
+	AuthorizationPlugins []string // AuthorizationPlugins holds list of authorization plugins
+	AutoRestart          bool
+	Bridge               bridgeConfig // Bridge holds bridge network specific configuration.
+	Context              map[string][]string
+	DisableBridge        bool
+	DNS                  []string
+	DNSOptions           []string
+	DNSSearch            []string
+	ExecOptions          []string
+	ExecRoot             string
+	GraphDriver          string
+	GraphOptions         []string
+	Labels               []string
+	LogConfig            container.LogConfig
+	Mtu                  int
+	Pidfile              string
+	RemappedRoot         string
+	Root                 string
+	TrustKeyPath         string
 
 	// ClusterStore is the storage backend used for the cluster information. It is used by both
 	// multihost networking (to store networks and endpoints information) and by the node discovery
@@ -55,7 +55,7 @@ type CommonConfig struct {
 // from the command-line.
 func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) {
 	cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options"))
-	cmd.Var(opts.NewListOptsRef(&config.AuthZPlugins, nil), []string{"-authz-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))
+	cmd.Var(opts.NewListOptsRef(&config.AuthorizationPlugins, nil), []string{"-authorization-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))
 	cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options"))
 	cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file"))
 	cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime"))
diff --git a/daemon/info.go b/daemon/info.go
index 5678d767ef..f5f6f96c89 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -157,7 +157,7 @@ func (daemon *Daemon) showPluginsInfo() types.PluginsInfo {
 		pluginsInfo.Network = append(pluginsInfo.Network, nd)
 	}
 
-	pluginsInfo.Authorization = daemon.configStore.AuthZPlugins
+	pluginsInfo.Authorization = daemon.configStore.AuthorizationPlugins
 
 	return pluginsInfo
 }
diff --git a/docker/daemon.go b/docker/daemon.go
index e74609041a..e65cb77713 100644
--- a/docker/daemon.go
+++ b/docker/daemon.go
@@ -177,9 +177,9 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
 	}
 
 	serverConfig := &apiserver.Config{
-		AuthZPluginNames: cli.Config.AuthZPlugins,
-		Logging:          true,
-		Version:          dockerversion.Version,
+		AuthorizationPluginNames: cli.Config.AuthorizationPlugins,
+		Logging:                  true,
+		Version:                  dockerversion.Version,
 	}
 
 	serverConfig = setPlatformServerConfig(serverConfig, cli.Config)
diff --git a/docs/extend/authorization.md b/docs/extend/authorization.md
index 80fa6c94b1..48790833cf 100644
--- a/docs/extend/authorization.md
+++ b/docs/extend/authorization.md
@@ -12,7 +12,7 @@ weight = -1
 
 # Create an authorization plugin
 
-Docker’s out-of-the-box authorization model is all or nothing. Any user with
+Docker's out-of-the-box authorization model is all or nothing. Any user with
 permission to access the Docker daemon can run any Docker client command. The
 same is true for callers using Docker's remote API to contact the daemon. If you
 require greater access control, you can create authorization plugins and add
@@ -45,6 +45,9 @@ Authorization plugins must follow the rules described in [Docker Plugin API](plu
 Each plugin must reside within directories described under the
 [Plugin discovery](plugin_api.md#plugin-discovery) section.
 
+**Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication
+respectively.
+
 ## Basic architecture
 
 You are responsible for registering your plugin as part of the Docker daemon
@@ -93,14 +96,14 @@ support the Docker client interactions detailed in this section.
 ### Setting up Docker daemon
 
 Enable the authorization plugin with a dedicated command line flag in the
-`--authz-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` value.
-This value can be the plugin’s socket or a path to a specification file.
+`--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`
+value. This value can be the plugin’s socket or a path to a specification file.
 
 ```bash
-$ docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
+$ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
-Docker's authorization subsystem supports multiple `--authz-plugin` parameters.
+Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.
 
 ### Calling authorized command (allow)
 
diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
index 8bc30a8eca..11bc223dc8 100644
--- a/docs/reference/commandline/daemon.md
+++ b/docs/reference/commandline/daemon.md
@@ -17,7 +17,7 @@ weight = -1
 
     Options:
       --api-cors-header=""                   Set CORS headers in the remote API
-      --authz-plugin=[]                      Set authorization plugins to load
+      --authorization-plugin=[]              Set authorization plugins to load
       -b, --bridge=""                        Attach containers to a network bridge
       --bip=""                               Specify network bridge IP
       --cgroup-parent=                       Set parent cgroup for all containers
@@ -613,10 +613,10 @@ The currently supported cluster store options are:
 Docker's access authorization can be extended by authorization plugins that your
 organization can purchase or build themselves. You can install one or more
 authorization plugins when you start the Docker `daemon` using the
-`--authz-plugin=PLUGIN_ID` option.
+`--authorization-plugin=PLUGIN_ID` option.
 
 ```bash
-docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
+docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
 The `PLUGIN_ID` value is either the plugin's name or a path to its specification
diff --git a/integration-cli/docker_cli_authz_unix_test.go b/integration-cli/docker_cli_authz_unix_test.go
index 92b4a19b63..71a64f3af2 100644
--- a/integration-cli/docker_cli_authz_unix_test.go
+++ b/integration-cli/docker_cli_authz_unix_test.go
@@ -168,7 +168,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
 	c.Assert(s.d.StartWithBusybox(), check.IsNil)
 	// restart the daemon and enable the plugin, otherwise busybox loading
 	// is blocked by the plugin itself
-	c.Assert(s.d.Restart("--authz-plugin="+testAuthZPlugin), check.IsNil)
+	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Allow = true
 
@@ -189,7 +189,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
 }
 
 func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
 	c.Assert(err, check.IsNil)
 	s.ctrl.reqRes.Allow = false
 	s.ctrl.reqRes.Msg = unauthorizedMessage
@@ -205,7 +205,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
 }
 
 func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
 	c.Assert(err, check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Allow = false
@@ -222,7 +222,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
 }
 
 func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
 	c.Assert(err, check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Err = errorMessage
@@ -235,7 +235,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
 }
 
 func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
 	c.Assert(err, check.IsNil)
 	s.ctrl.reqRes.Err = errorMessage
 
@@ -247,7 +247,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
 }
 
 func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) {
-	c.Assert(s.d.Start("--authz-plugin="+testAuthZPlugin, "--authz-plugin="+testAuthZPlugin), check.IsNil)
+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin), check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Allow = true
 
diff --git a/man/docker-daemon.8.md b/man/docker-daemon.8.md
index 8e4a3acc0b..233a6c8433 100644
--- a/man/docker-daemon.8.md
+++ b/man/docker-daemon.8.md
@@ -7,7 +7,7 @@ docker-daemon - Enable daemon mode
 
 # SYNOPSIS
 **docker daemon** [**--api-cors-header**=[=*API-CORS-HEADER*]]
-[**--authz-plugin**[=*[]*]]
+[**--authorization-plugin**[=*[]*]]
 [**-b**|**--bridge**[=*BRIDGE*]]
 [**--bip**[=*BIP*]]
 [**--cgroup-parent**[=*[]*]]
@@ -73,7 +73,7 @@ format.
 **--api-cors-header**=""
   Set CORS headers in the remote API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all.
 
-**--authz-plugin**=""
+**--authorization-plugin**=""
   Set authorization plugins to load
 
 **-b**, **--bridge**=""
@@ -473,10 +473,10 @@ Key/Value store.
 Docker's access authorization can be extended by authorization plugins that your
 organization can purchase or build themselves. You can install one or more
 authorization plugins when you start the Docker `daemon` using the
-`--authz-plugin=PLUGIN_ID` option.
+`--authorization-plugin=PLUGIN_ID` option.
 
 ```bash
-docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...
+docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
 The `PLUGIN_ID` value is either the plugin's name or a path to its specification