Showing content from https://github.com/casbin/casbin-authz-plugin below:

casbin/docker-casbin-plugin: Docker RBAC and ABAC Authorization Plugin Based on Casbin: https://github.com/casbin/casbin

Docker Authorization Plugin Based on Casbin

This plugin controls access to Docker commands based on an authorization policy. The authorization functionality is provided by Casbin. Because Docker does not currently perform authentication, no user information is available when Docker commands are executed. What the Casbin plugin can actually control is which HTTP method may be performed on which URL path.

For example, when you run the docker images command, the underlying request looks like:

So the Casbin plugin decides whether GET can be performed on /v1.27/images/json based on the policy rules you write. By default, the policy file is basic_policy.csv, co-located with the plugin binary. Its content is:

p, /v1.27/images/json, GET

The above policy allows anyone to perform GET on /v1.27/images/json and denies all other requests. The responses should look like this:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              48b5124b2768        3 months ago        1.84 kB

$ docker info
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin

The built-in Casbin model is:

[request_definition]
r = obj, act

[policy_definition]
p = obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act

The built-in Casbin policy is:

p, /_ping, GET
p, /v1.27/images/json, GET

For more information about the Casbin model and policy usage like RBAC, ABAC, please refer to: https://github.com/casbin/casbin
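
The built-in model and policy above, re-implemented in plain Go as an added example (this is not the plugin's code and does not use the Casbin library; `loadPolicy`, `enforce` and the sample requests are constructed for illustration). It shows that the matcher is exact string equality with deny as the default, so a rule for /v1.27/images/json does not cover a client that talks API v1.29:

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one "p, obj, act" line from the policy CSV.
type rule struct{ obj, act string }

// loadPolicy parses the page's CSV policy format, skipping blank lines and
// anything that is not a three-field "p" rule.
func loadPolicy(csv string) []rule {
	var rules []rule
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(line, ",")
		if len(f) != 3 || strings.TrimSpace(f[0]) != "p" {
			continue
		}
		rules = append(rules, rule{strings.TrimSpace(f[1]), strings.TrimSpace(f[2])})
	}
	return rules
}

// enforce mirrors the built-in model: m = r.obj == p.obj && r.act == p.act
// with e = some(where (p.eft == allow)). No matching rule means deny.
func enforce(rules []rule, obj, act string) bool {
	for _, p := range rules {
		if obj == p.obj && act == p.act {
			return true
		}
	}
	return false
}

// builtinPolicy is the built-in policy quoted above.
const builtinPolicy = "p, /_ping, GET\np, /v1.27/images/json, GET\n"

func main() {
	rules := loadPolicy(builtinPolicy)
	// Constructed sample requests (path, method), not captured traffic.
	for _, r := range [][2]string{
		{"/v1.27/images/json", "GET"},  // docker images, API v1.27
		{"/v1.29/images/json", "GET"},  // same command, API v1.29 client
		{"/v1.27/images/json", "POST"}, // same path, different method
	} {
		fmt.Printf("%-4s %-20s allowed=%v\n", r[1], r[0], enforce(rules, r[0], r[1]))
	}
}
```
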

For "non-golang developer" users
$ apt install golang-go  # install go language
$ mkdir /usr/local/go
$ export GOPATH=/usr/local/go
$ go get github.com/casbin/casbin-authz-plugin
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make
$ sudo make install
Run the plugin directly in a shell
$ cd /usr/lib/docker
$ mkdir examples
$ cp basic_model.conf examples/.
$ cp basic_policy.csv examples/.
$ ./casbin-authz-plugin

Running the command above should produce output like this:

2017/10/21 03:47:39 Current directory: /usr/lib/docker
2017/10/21 03:47:39 Casbin model: examples/basic_model.conf
2017/10/21 03:47:39 Casbin policy: examples/basic_policy.csv
2017/10/21 03:47:39 [Model:]
2017/10/21 03:47:39 p.p: obj, act
2017/10/21 03:47:39 e.e: some(where (p_eft == allow))
2017/10/21 03:47:39 m.m: r_obj == p_obj && r_act == p_act
2017/10/21 03:47:39 r.r: obj, act
2017/10/21 03:47:39 [Policy:]
2017/10/21 03:47:39 [p :  obj, act :  [[/_ping GET] [/v1.27/images/json GET]]]
Enable the authorization plugin on docker engine
Step-1: Determine where the systemd service of the plugin is located
$ systemctl status casbin-authz-plugin

● casbin-authz-plugin.service - Docker RBAC & ABAC Authorization Plugin based on Casbin
   Loaded: loaded (/lib/systemd/system/casbin-authz-plugin.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
Step-2: Add the WorkingDirectory of the plugin's systemd service
$ vi /lib/systemd/system/casbin-authz-plugin.service

[Service]
WorkingDirectory=/usr/lib/docker
Step-3: Run the plugin as a systemd service
$ systemctl daemon-reload
$ systemctl enable casbin-authz-plugin
$ systemctl start casbin-authz-plugin
Step-4: Edit the ExecStart of the plugin's systemd service
$ systemctl edit docker

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin
Step-5: Restart docker engine
$ systemctl daemon-reload
$ systemctl restart docker
Step-6: Activate the plugin logs
$ journalctl -xe -u casbin-authz-plugin -f
Step-8: Changing the policy
$ vi /usr/lib/docker/examples/basic_policy.csv

p, /v1.29/images/json, GET

$ systemctl restart casbin-authz-plugin
$ docker images
$ docker ps
$ docker info
Stop and uninstall the plugin as a systemd service

NOTE: Before doing the steps below, remove the authorization-plugin configuration added above and restart the docker daemon.

Removing the authorization plugin on docker

$ systemctl edit docker

#[Service]
#ExecStart=
#ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin

$ systemctl restart docker

Stop the plugin service:

$ systemctl stop casbin-authz-plugin
$ systemctl disable casbin-authz-plugin

Uninstall the plugin service:

$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make uninstall

If you have any issues or feature requests, please feel free to contact me at:

Apache 2.0

