Merge pull request #27293 from anusha-ragunathan/use-pluginv2-authz

Make authz use pluginv2

cmd/dockerd/daemon.go

@@ -275,10 +275,12 @@ func (cli *DaemonCli) start(opts daemonOptions) (err error) {
 		"graphdriver": d.GraphDriverName(),
 	}).Info("Docker daemon")
 
+	cli.d = d
+
+	// initMiddlewares needs cli.d to be populated. Dont change this init order.
 	cli.initMiddlewares(api, serverConfig)
 	initRouter(api, d, c)
 
-	cli.d = d
 	cli.setupConfigReloadTrap()
 
 	// The serve API routine never exits unless an error occurs
@@ -438,6 +440,6 @@ func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config
 	u := middleware.NewUserAgentMiddleware(v)
 	s.UseMiddleware(u)
 
-	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins)
+	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, cli.d.PluginStore)
 	s.UseMiddleware(cli.authzMiddleware)
 }

daemon/daemon.go

@@ -40,6 +40,7 @@ import (
 	"github.com/docker/docker/pkg/fileutils"
 	"github.com/docker/docker/pkg/graphdb"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/registrar"
 	"github.com/docker/docker/pkg/signal"
@@ -47,7 +48,6 @@ import (
 	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/truncindex"
-	plugingetter "github.com/docker/docker/plugin/getter"
 	pluginstore "github.com/docker/docker/plugin/store"
 	"github.com/docker/docker/reference"
 	"github.com/docker/docker/registry"
@@ -96,7 +96,7 @@ type Daemon struct {
 	gidMaps                   []idtools.IDMap
 	layerStore                layer.Store
 	imageStore                image.Store
-	pluginStore               *pluginstore.Store
+	PluginStore               *pluginstore.Store
 	nameIndex                 *registrar.Registrar
 	linkIndex                 *linkIndex
 	containerd                libcontainerd.Client
@@ -559,7 +559,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot
 		driverName = config.GraphDriver
 	}
 
-	d.pluginStore = pluginstore.NewStore(config.Root)
+	d.PluginStore = pluginstore.NewStore(config.Root)
 
 	d.layerStore, err = layer.NewStoreFromOptions(layer.StoreOptions{
 		StorePath:                 config.Root,
@@ -568,7 +568,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot
 		GraphDriverOptions:        config.GraphOptions,
 		UIDMaps:                   uidMaps,
 		GIDMaps:                   gidMaps,
-		PluginGetter:              d.pluginStore,
+		PluginGetter:              d.PluginStore,
 	})
 	if err != nil {
 		return nil, err
@@ -926,7 +926,7 @@ func (daemon *Daemon) configureVolumes(rootUID, rootGID int) (*store.VolumeStore
 		return nil, err
 	}
 
-	volumedrivers.RegisterPluginGetter(daemon.pluginStore)
+	volumedrivers.RegisterPluginGetter(daemon.PluginStore)
 
 	if !volumedrivers.Register(volumesDriver, volumesDriver.Name()) {
 		return nil, fmt.Errorf("local volume driver could not be registered")
@@ -1102,7 +1102,7 @@ func (daemon *Daemon) reloadClusterDiscovery(config *Config) error {
 	if daemon.netController == nil {
 		return nil
 	}
-	netOptions, err := daemon.networkOptions(daemon.configStore, daemon.pluginStore, nil)
+	netOptions, err := daemon.networkOptions(daemon.configStore, daemon.PluginStore, nil)
 	if err != nil {
 		logrus.WithError(err).Warnf("failed to get options with network controller")
 		return nil

daemon/daemon_experimental.go

@@ -13,7 +13,7 @@ func (daemon *Daemon) verifyExperimentalContainerSettings(hostConfig *container.
 }
 
 func pluginInit(d *Daemon, cfg *Config, remote libcontainerd.Remote) error {
-	return plugin.Init(cfg.Root, d.pluginStore, remote, d.RegistryService, cfg.LiveRestoreEnabled, d.LogPluginEvent)
+	return plugin.Init(cfg.Root, d.PluginStore, remote, d.RegistryService, cfg.LiveRestoreEnabled, d.LogPluginEvent)
 }
 
 func pluginShutdown() {

daemon/daemon_unix.go

@@ -613,7 +613,7 @@ func configureKernelSecuritySupport(config *Config, driverName string) error {
 }
 
 func (daemon *Daemon) initNetworkController(config *Config, activeSandboxes map[string]interface{}) (libnetwork.NetworkController, error) {
-	netOptions, err := daemon.networkOptions(config, daemon.pluginStore, activeSandboxes)
+	netOptions, err := daemon.networkOptions(config, daemon.PluginStore, activeSandboxes)
 	if err != nil {
 		return nil, err
 	}

daemon/graphdriver/driver.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 )
 
 // FsMagic unsigned id of the filesystem in use.
@@ -135,11 +135,11 @@ func Register(name string, initFunc InitFunc) error {
 }
 
 // GetDriver initializes and returns the registered driver
-func GetDriver(name, home string, options []string, uidMaps, gidMaps []idtools.IDMap, plugingetter getter.PluginGetter) (Driver, error) {
+func GetDriver(name, home string, options []string, uidMaps, gidMaps []idtools.IDMap, pg plugingetter.PluginGetter) (Driver, error) {
 	if initFunc, exists := drivers[name]; exists {
 		return initFunc(filepath.Join(home, name), options, uidMaps, gidMaps)
 	}
-	if pluginDriver, err := lookupPlugin(name, home, options, plugingetter); err == nil {
+	if pluginDriver, err := lookupPlugin(name, home, options, pg); err == nil {
 		return pluginDriver, nil
 	}
 	logrus.Errorf("Failed to GetDriver graph %s %s", name, home)
@@ -156,10 +156,10 @@ func getBuiltinDriver(name, home string, options []string, uidMaps, gidMaps []id
 }
 
 // New creates the driver and initializes it at the specified root.
-func New(root string, name string, options []string, uidMaps, gidMaps []idtools.IDMap, plugingetter getter.PluginGetter) (Driver, error) {
+func New(root string, name string, options []string, uidMaps, gidMaps []idtools.IDMap, pg plugingetter.PluginGetter) (Driver, error) {
 	if name != "" {
 		logrus.Debugf("[graphdriver] trying provided driver: %s", name) // so the logs show specified driver
-		return GetDriver(name, root, options, uidMaps, gidMaps, plugingetter)
+		return GetDriver(name, root, options, uidMaps, gidMaps, pg)
 	}
 
 	// Guess for prior driver

daemon/graphdriver/plugin.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 )
 
 type pluginClient interface {
@@ -18,8 +18,8 @@ type pluginClient interface {
 	SendFile(string, io.Reader, interface{}) error
 }
 
-func lookupPlugin(name, home string, opts []string, pluginGetter getter.PluginGetter) (Driver, error) {
-	pl, err := pluginGetter.Get(name, "GraphDriver", getter.LOOKUP)
+func lookupPlugin(name, home string, opts []string, pg plugingetter.PluginGetter) (Driver, error) {
+	pl, err := pg.Get(name, "GraphDriver", plugingetter.LOOKUP)
 	if err != nil {
 		return nil, fmt.Errorf("Error looking up graphdriver plugin %s: %v", name, err)
 	}

daemon/graphdriver/plugin_unsupported.go

@@ -2,8 +2,8 @@
 
 package graphdriver
 
-import "github.com/docker/docker/plugin/getter"
+import "github.com/docker/docker/pkg/plugingetter"
 
-func lookupPlugin(name, home string, opts []string, plugingetter getter.PluginGetter) (Driver, error) {
+func lookupPlugin(name, home string, opts []string, pg plugingetter.PluginGetter) (Driver, error) {
 	return nil, ErrNotSupported
 }

hack/vendor.sh

@@ -70,7 +70,7 @@ clone git github.com/RackSec/srslog 365bf33cd9acc21ae1c355209865f17228ca534e
 clone git github.com/imdario/mergo 0.2.1
 
 #get libnetwork packages
-clone git github.com/docker/libnetwork 7b74403be4241aea5b01b56adab5eab82a80698b
+clone git github.com/docker/libnetwork 848cd92ec23e3ab15a36412030ed61e3844b40e1
 clone git github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
 clone git github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 clone git github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

layer/layer_store.go

@@ -13,8 +13,8 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/stringid"
-	"github.com/docker/docker/plugin/getter"
 	"github.com/vbatts/tar-split/tar/asm"
 	"github.com/vbatts/tar-split/tar/storage"
 )
@@ -45,7 +45,7 @@ type StoreOptions struct {
 	GraphDriverOptions        []string
 	UIDMaps                   []idtools.IDMap
 	GIDMaps                   []idtools.IDMap
-	PluginGetter              getter.PluginGetter
+	PluginGetter              plugingetter.PluginGetter
 }
 
 // NewStoreFromOptions creates a new Store instance

pkg/authorization/middleware.go

@@ -5,6 +5,7 @@ import (
 	"sync"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/pkg/plugingetter"
 	"golang.org/x/net/context"
 )
 
@@ -17,7 +18,8 @@ type Middleware struct {
 
 // NewMiddleware creates a new Middleware
 // with a slice of plugins names.
-func NewMiddleware(names []string) *Middleware {
+func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware {
+	SetPluginGetter(pg)
 	return &Middleware{
 		plugins: newPlugins(names),
 	}

pkg/authorization/plugin.go

@@ -3,6 +3,7 @@ package authorization
 import (
 	"sync"
 
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
 )
 
@@ -33,6 +34,18 @@ func newPlugins(names []string) []Plugin {
 	return plugins
 }
 
+var getter plugingetter.PluginGetter
+
+// SetPluginGetter sets the plugingetter
+func SetPluginGetter(pg plugingetter.PluginGetter) {
+	getter = pg
+}
+
+// GetPluginGetter gets the plugingetter
+func GetPluginGetter() plugingetter.PluginGetter {
+	return getter
+}
+
 // authorizationPlugin is an internal adapter to docker plugin system
 type authorizationPlugin struct {
 	plugin *plugins.Client
@@ -80,7 +93,14 @@ func (a *authorizationPlugin) initPlugin() error {
 	var err error
 	a.once.Do(func() {
 		if a.plugin == nil {
-			plugin, e := plugins.Get(a.name, AuthZApiImplements)
+			var plugin plugingetter.CompatPlugin
+			var e error
+
+			if pg := GetPluginGetter(); pg != nil {
+				plugin, e = pg.Get(a.name, AuthZApiImplements, plugingetter.LOOKUP)
+			} else {
+				plugin, e = plugins.Get(a.name, AuthZApiImplements)
+			}
 			if e != nil {
 				err = e
 				return

plugin/getter/interface.go

@@ -1,26 +0,0 @@
-package getter
-
-import "github.com/docker/docker/pkg/plugins"
-
-const (
-	// LOOKUP doesn't update RefCount
-	LOOKUP = 0
-	// CREATE increments RefCount
-	CREATE = 1
-	// REMOVE decrements RefCount
-	REMOVE = -1
-)
-
-// CompatPlugin is a abstraction to handle both v2(new) and v1(legacy) plugins.
-type CompatPlugin interface {
-	Client() *plugins.Client
-	Name() string
-	IsV1() bool
-}
-
-// PluginGetter is the interface implemented by Store
-type PluginGetter interface {
-	Get(name, capability string, mode int) (CompatPlugin, error)
-	GetAllByCap(capability string) ([]CompatPlugin, error)
-	Handle(capability string, callback func(string, *plugins.Client))
-}

plugin/store/store.go

@@ -3,17 +3,17 @@
 package store
 
 import (
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
-	"github.com/docker/docker/plugin/getter"
 )
 
 // GetAllByCap returns a list of plugins matching the given capability.
-func (ps Store) GetAllByCap(capability string) ([]getter.CompatPlugin, error) {
+func (ps Store) GetAllByCap(capability string) ([]plugingetter.CompatPlugin, error) {
 	pl, err := plugins.GetAll(capability)
 	if err != nil {
 		return nil, err
 	}
-	result := make([]getter.CompatPlugin, len(pl))
+	result := make([]plugingetter.CompatPlugin, len(pl))
 	for i, p := range pl {
 		result[i] = p
 	}
@@ -21,7 +21,7 @@ func (ps Store) GetAllByCap(capability string) ([]getter.CompatPlugin, error) {
 }
 
 // Get returns a plugin matching the given name and capability.
-func (ps Store) Get(name, capability string, _ int) (getter.CompatPlugin, error) {
+func (ps Store) Get(name, capability string, _ int) (plugingetter.CompatPlugin, error) {
 	return plugins.Get(name, capability)
 }
 

plugin/store/store_experimental.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
-	"github.com/docker/docker/plugin/getter"
 	"github.com/docker/docker/plugin/v2"
 	"github.com/docker/docker/reference"
 )
@@ -80,11 +80,11 @@ func (ps *Store) getByCap(name string, capability string) (*v2.Plugin, error) {
 	return p.FilterByCap(capability)
 }
 
-func (ps *Store) getAllByCap(capability string) []getter.CompatPlugin {
+func (ps *Store) getAllByCap(capability string) []plugingetter.CompatPlugin {
 	ps.RLock()
 	defer ps.RUnlock()
 
-	result := make([]getter.CompatPlugin, 0, 1)
+	result := make([]plugingetter.CompatPlugin, 0, 1)
 	for _, p := range ps.plugins {
 		if _, err := p.FilterByCap(capability); err == nil {
 			result = append(result, p)
@@ -132,7 +132,7 @@ func (ps *Store) updatePluginDB() error {
 }
 
 // Get returns a plugin matching the given name and capability.
-func (ps *Store) Get(name, capability string, mode int) (getter.CompatPlugin, error) {
+func (ps *Store) Get(name, capability string, mode int) (plugingetter.CompatPlugin, error) {
 	var (
 		p   *v2.Plugin
 		err error
@@ -176,8 +176,8 @@ func (ps *Store) Get(name, capability string, mode int) (getter.CompatPlugin, er
 }
 
 // GetAllByCap returns a list of plugins matching the given capability.
-func (ps *Store) GetAllByCap(capability string) ([]getter.CompatPlugin, error) {
-	result := make([]getter.CompatPlugin, 0, 1)
+func (ps *Store) GetAllByCap(capability string) ([]plugingetter.CompatPlugin, error) {
+	result := make([]plugingetter.CompatPlugin, 0, 1)
 
 	/* Daemon start always calls plugin.Init thereby initializing a store.
 	 * So store on experimental builds can never be nil, even while

vendor/src/github.com/docker/libnetwork/config/config.go

@@ -6,7 +6,7 @@ import (
 	"github.com/BurntSushi/toml"
 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/pkg/discovery"
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libnetwork/cluster"
@@ -21,7 +21,7 @@ type Config struct {
 	Cluster         ClusterCfg
 	Scopes          map[string]*datastore.ScopeCfg
 	ActiveSandboxes map[string]interface{}
-	PluginGetter    getter.PluginGetter
+	PluginGetter    plugingetter.PluginGetter
 }
 
 // DaemonCfg represents libnetwork core configuration
@@ -208,7 +208,7 @@ func OptionExecRoot(execRoot string) Option {
 }
 
 // OptionPluginGetter returns a plugingetter for remote drivers.
-func OptionPluginGetter(pg getter.PluginGetter) Option {
+func OptionPluginGetter(pg plugingetter.PluginGetter) Option {
 	return func(c *Config) {
 		c.PluginGetter = pg
 	}

vendor/src/github.com/docker/libnetwork/controller.go

@@ -53,9 +53,9 @@ import (
 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/pkg/discovery"
 	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
 	"github.com/docker/docker/pkg/stringid"
-	"github.com/docker/docker/plugin/getter"
 	"github.com/docker/libnetwork/cluster"
 	"github.com/docker/libnetwork/config"
 	"github.com/docker/libnetwork/datastore"
@@ -596,7 +596,7 @@ func (c *controller) isDistributedControl() bool {
 	return !c.isManager() && !c.isAgent()
 }
 
-func (c *controller) GetPluginGetter() getter.PluginGetter {
+func (c *controller) GetPluginGetter() plugingetter.PluginGetter {
 	return c.drvRegistry.GetPluginGetter()
 }
 
@@ -1073,7 +1073,7 @@ func (c *controller) loadDriver(networkType string) error {
 }
 
 func (c *controller) loadIPAMDriver(name string) error {
-	if _, err := c.GetPluginGetter().Get(name, ipamapi.PluginEndpointType, getter.LOOKUP); err != nil {
+	if _, err := c.GetPluginGetter().Get(name, ipamapi.PluginEndpointType, plugingetter.LOOKUP); err != nil {
 		if err == plugins.ErrNotFound {
 			return types.NotFoundErrorf(err.Error())
 		}

vendor/src/github.com/docker/libnetwork/driverapi/driverapi.go

@@ -3,7 +3,7 @@ package driverapi
 import (
 	"net"
 
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/libnetwork/discoverapi"
 )
 
@@ -141,7 +141,7 @@ type JoinInfo interface {
 // DriverCallback provides a Callback interface for Drivers into LibNetwork
 type DriverCallback interface {
 	// GetPluginGetter returns the pluginv2 getter.
-	GetPluginGetter() getter.PluginGetter
+	GetPluginGetter() plugingetter.PluginGetter
 	// RegisterDriver provides a way for Remote drivers to dynamically register new NetworkType and associate with a driver instance
 	RegisterDriver(name string, driver Driver, capability Capability) error
 }

vendor/src/github.com/docker/libnetwork/drvregistry/drvregistry.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/libnetwork/driverapi"
 	"github.com/docker/libnetwork/ipamapi"
 	"github.com/docker/libnetwork/types"
@@ -33,7 +33,7 @@ type DrvRegistry struct {
 	ipamDrivers  ipamTable
 	dfn          DriverNotifyFunc
 	ifn          IPAMNotifyFunc
-	pluginGetter getter.PluginGetter
+	pluginGetter plugingetter.PluginGetter
 }
 
 // Functors definition
@@ -54,7 +54,7 @@ type IPAMNotifyFunc func(name string, driver ipamapi.Ipam, cap *ipamapi.Capabili
 type DriverNotifyFunc func(name string, driver driverapi.Driver, capability driverapi.Capability) error
 
 // New retruns a new driver registry handle.
-func New(lDs, gDs interface{}, dfn DriverNotifyFunc, ifn IPAMNotifyFunc, pg getter.PluginGetter) (*DrvRegistry, error) {
+func New(lDs, gDs interface{}, dfn DriverNotifyFunc, ifn IPAMNotifyFunc, pg plugingetter.PluginGetter) (*DrvRegistry, error) {
 	r := &DrvRegistry{
 		drivers:      make(driverTable),
 		ipamDrivers:  make(ipamTable),
@@ -153,7 +153,7 @@ func (r *DrvRegistry) IPAMDefaultAddressSpaces(name string) (string, string, err
 }
 
 // GetPluginGetter returns the plugingetter
-func (r *DrvRegistry) GetPluginGetter() getter.PluginGetter {
+func (r *DrvRegistry) GetPluginGetter() plugingetter.PluginGetter {
 	return r.pluginGetter
 }
 

vendor/src/github.com/docker/libnetwork/ipamapi/contract.go

@@ -4,7 +4,7 @@ package ipamapi
 import (
 	"net"
 
-	"github.com/docker/docker/plugin/getter"
+	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/libnetwork/discoverapi"
 	"github.com/docker/libnetwork/types"
 )
@@ -27,7 +27,7 @@ const (
 // Callback provides a Callback interface for registering an IPAM instance into LibNetwork
 type Callback interface {
 	// GetPluginGetter returns the pluginv2 getter.
-	GetPluginGetter() getter.PluginGetter
+	GetPluginGetter() plugingetter.PluginGetter
 	// RegisterIpamDriver provides a way for Remote drivers to dynamically register with libnetwork
 	RegisterIpamDriver(name string, driver Ipam) error
 	// RegisterIpamDriverWithCapabilities provides a way for Remote drivers to dynamically register with libnetwork and specify capabilities

volume/drivers/extpoint.go

@@ -7,7 +7,7 @@ import (
 	"sync"
 
 	"github.com/docker/docker/pkg/locker"
-	"github.com/docker/docker/plugin/getter"
+	getter "github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/volume"
 )