Extend Docker authorization with TLS user information #21556
Currently the Docker authorization framework does not use any user information, which is already available in the Docker context for a TLS connection. The purpose of this CR is to complete the existing authz work by adding the basic client certificate details (SUBJECT_NAME) and authentication method (TLS) to the authz request. We think this should be the default behavior when no extended authorization module is specified (currently WIP under moby#20883). Signed-off-by: Liron Levin <liron@twistlock.com>
@jfrazelle, @thaJeztah, @NathanMcCauley, @diogomonica, @nalind
LGTM
LGTM
Does this need changes in the authorization-plugin docs? https://github.com/docker/docker/blob/master/docs/extend/plugins_authorization.md
@liron-l what about adding the whole SubjectDN from the cert? CN feels unnecessarily restrictive.
Thanks all, @thaJeztah I will update the authorization documentation in another PR.
@liron-l I mean taking the whole Subject
@diogomonica you mean running
…ation docs Following the discussion in moby#21556, adding a short description of the default user authentication mechanism (without requiring authentication plugins) Signed-off-by: Liron Levin <liron@twistlock.com>
@liron-l I guess I would like to have a user that is just more than a string.
I agree @diogomonica, I think it is covered by the authentication plugin suggested in #20883 (which passes the full client certificate to the plugin).
Is it possible to make this feature work with swarm? Currently it seems that the CN of the swarm manager, instead of the CN of the docker client, goes to each swarm node. Should I wait for docker-archive/classicswarm#1366?
@npcode Yes, and in general I plan to align Swarm support in AuthZ+AuthN with Docker's. When and what is merged does not depend solely on me though.
Thank you for your effort, @doronp. I seriously need swarm authz+authn.
- What I did
For TLS connections, add client subject name to authorization request
- How to verify it
Add integration test, validated manually
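To show what a plugin can do with the two fields this PR populates, here is an added example (not code from this PR or from the Docker project): a minimal authorization plugin in Go that reads `User` and `UserAuthNMethod` from the authz request and applies a policy, plus the daemon-side step of deriving that identity from the verified client certificate. The JSON field names follow the authorization-plugin docs linked in the thread; the allowlist, the read-only rule for non-admins, the `identityFromTLS` helper and the sample certificate are assumptions made for the illustration. It uses the certificate CN as the user string, which is exactly the detail @diogomonica questioned above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"net/http"
)

// AuthZRequest carries the fields of the authorization-plugin request we use
// here (field names as in Docker's authorization-plugin docs). With this PR,
// User and UserAuthNMethod are filled in for TLS connections.
type AuthZRequest struct {
	User            string `json:"User"`
	UserAuthNMethod string `json:"UserAuthNMethod"`
	RequestMethod   string `json:"RequestMethod"`
	RequestURI      string `json:"RequestURI"`
}

// AuthZResponse is the plugin's verdict for one request.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// identityFromTLS illustrates the daemon-side step (assumed helper, not
// Docker's code): take the subject CN of the verified client certificate
// and record "TLS" as the authentication method. Without a client
// certificate there is no identity to pass on.
func identityFromTLS(r *http.Request) (user, method string) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", ""
	}
	return r.TLS.PeerCertificates[0].Subject.CommonName, "TLS"
}

// adminCNs is a hypothetical allowlist of certificate CNs permitted to
// perform mutating API calls; every TLS-authenticated client may read.
var adminCNs = map[string]bool{"alice": true}

// decide is the plugin's policy: reject anything not authenticated by a
// client certificate, and restrict non-GET calls to the admin allowlist.
func decide(req AuthZRequest) AuthZResponse {
	if req.UserAuthNMethod != "TLS" || req.User == "" {
		return AuthZResponse{Allow: false, Msg: "client certificate required"}
	}
	if req.RequestMethod != http.MethodGet && !adminCNs[req.User] {
		return AuthZResponse{Allow: false,
			Msg: fmt.Sprintf("%s may not %s %s", req.User, req.RequestMethod, req.RequestURI)}
	}
	return AuthZResponse{Allow: true}
}

// authZReqHandler serves the /AuthZPlugin.AuthZReq endpoint the daemon
// calls before forwarding each API request.
func authZReqHandler(w http.ResponseWriter, r *http.Request) {
	var req AuthZRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		json.NewEncoder(w).Encode(AuthZResponse{Allow: false, Err: err.Error()})
		return
	}
	json.NewEncoder(w).Encode(decide(req))
}

func main() {
	// Constructed sample: a POST arriving over TLS with a client cert CN=bob.
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: "bob"}}
	r := &http.Request{Method: http.MethodPost,
		TLS: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}}
	user, method := identityFromTLS(r)
	verdict := decide(AuthZRequest{User: user, UserAuthNMethod: method,
		RequestMethod: r.Method, RequestURI: "/containers/create"})
	fmt.Printf("%+v\n", verdict) // bob is not an admin: denied

	http.HandleFunc("/AuthZPlugin.AuthZReq", authZReqHandler)
	// A real plugin would now call http.ListenAndServe (or serve a unix
	// socket under /run/docker/plugins); omitted so the sample returns.
}
```

The point of the `UserAuthNMethod` check is that an empty `User` is indistinguishable from an anonymous caller: a plugin that only looks at the name would silently allow plain-socket requests, so the policy fails closed unless the daemon says the identity came from TLS.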