design flaw: authZ plugins

[jessfraz]

No other plugin do you have to set daemon arguments for it. This requires restarting a daemon with different args as each new plugin is added. This is not how any other plugin works. They are all discovered.

I propose making AuthZ work the same. There should have never been a --authorization-plugins flag on the daemon, that setting should be configurable through the docker API after the plugin has started. If there are no AuthZ plugins already loaded the endoint would be free to hit, otherwise it would obviously defer to AuthN/AuthZ plugin that was loaded with regard to ability to change that setting.

[thaJeztah]

IIRC the flag allows specifying the order in which the plugins are called. Not sure that's an important feature, and if that would get lost if this is changed?

ping @liron-l @tiborvass @anusha-ragunathan PTAL

[jessfraz]

so I think that could instead be a setting configuable on the fly by an API
endpoint so it doesnt need a daemon restart even if you want to change it

On Fri, May 13, 2016 at 12:31 PM, Sebastiaan van Stijn <
notifications@github.com> wrote:

IIRC the flag allows specifying the order in which the plugins are called.
Not sure that's an important feature, and if that would get lost if this is
changed?

ping @liron-l https://github.com/liron-l @tiborvass
https://github.com/tiborvass @anusha-ragunathan
https://github.com/anusha-ragunathan PTAL

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#22729 (comment)

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[thaJeztah]

That would be possible through the daemon.json configuration file https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file. if we add it to the list of items that can be reloaded on-the-fly.

Overall, I think this should be looked at, as part of the overall plugin improvements (as proposed in #20363)

[liron-l]

IMO, authentication and authorization methods should be defined in the daemon configuration since:

1. They define the daemon global security scope (as opposed to volume plugins for example, which are container specific).
2. It makes the system state deterministic (secure or insecure).

I agree that adding the authz/authn plugin configuration to the re-loadable settings is a great idea and will solve the daemon restart requirement.

Finally, the multiple plugins parameter is for defining the order of authz plugin execution (practically the order doesn't matter since request is allowed only if all authz plugins allows it).

[tiborvass]

👍 for reloading the setting in the config file

[liron-l]

Possible fix in #22770.

[jessfraz]

Whoa that was so fast!

On Mon, May 16, 2016 at 12:42 PM, Liron Levin notifications@github.com
wrote:

Possible fix in #22770 #22770.

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#22729 (comment)

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3