authz plugins: dynamically append authz plugins to middleware chain

[dsheets]

docker plugin install and docker plugin enable for authz plugins "enable" the plugin as listed in docker plugin ls but the plugin is non-functional as it hasn't been added to the authz middleware chain. This is confusing, unintuitive, and does not match the behavior of other plugins. Turning these operations into an error and forcing the plugin into 'disabled' state is not compatible with other design decisions like refusing to start the daemon if a plugin specified in CLI or JSON configuration is 'disabled' (see #33640 where this error condition was distinguished from a missing plugin).

Either:

1. A new plugin state besides 'disabled' and 'enabled' should be introduced like 'available' or 'partial' which becomes complicated for plugins with multiple plugin capabilities (e.g. a volume and authz plugin which can currently enter this strange half-way loaded state for its different capabilities) or...

2. The design decision to refuse to start the daemon with explicitly 'disabled' plugins needs to be revisited or...

3. authz plugins can be enabled and made fully functional dynamically (the simplest option and what this PR does)

This has been discussed previously in at least #22729, #32489, #31836, and #31930 (comment).

The current behavior simply seems broken so I think it would be best for those strongly against a functional docker plugin enable for authz plugins to make their case and suggest an alternative (more states besides 'enabled' and 'disabled'?).

/cc @anusha-ragunathan @riyazdf @jessfraz @liron-l @rogaha @cpuguy83

- What I did

Previously, authz plugins could be installed or enabled using docker plugin commands and they would show as enabled in various status reports like docker plugin ls but they would not actually be active. With this change, authz plugins are now appended to the authz plugin chain when they are dynamically enabled so that docker plugin ls and similar do not lie.

- How I did it

plugin's Manager.Enable now checks for the authz capability and appends the plugin to the authz middleware chain if found.

- How to verify it

287f14b tests that re-enabling an authz plugin behaves as expected.

- Description for the changelog

"authz plugins can now be enabled dynamically with 'docker plugin install' and 'docker plugin enable'"

- A picture of a cute animal (not mandatory but encouraged)

Cebuella pygmaea, or pygmy marmoset, is the smallest monkey in the world with an average weight of just over 100g. It primarily feeds on gums and saps of trees and lives between the ground and 20m in South American forests. It can turn its head 180 degrees and has elaborate communication behaviors.

[riyazdf]

thanks @dsheets for bringing this up! I agree that this is a much more intuitive UX.

My only concern is the failure mode if a docker daemon restarts. If the daemon was using a dynamically enabled authz plugin, I think we should also ensure that the plugin is enabled on restart - I'm not sure what the best way of accomplishing this would be, though.

[dsheets]

@riyazdf good catch! I've updated the patch to append an authz plugin to the middleware chain whenever it is enabled (both during startup and after docker plugin install or docker plugin enable). I used the Handle method of the plugin store for this (relied upon by ipam and network plugins for registration). The CLI and daemon.json remain the only ways to explicitly specify the order of authz plugins (if plugins modify content this is important). As such, using the CLI or daemon.json is still best practice and the preferred way to specify authz plugins.

I'm going to be offline until July 7 but @yallop should be able to answer questions or address concerns in the interim.

[riyazdf]

thanks @dsheets for the update and explaining how it works, this LGTM 👍

[riyazdf]

👍 thanks for adding this restart test

[cpuguy83]

A few tests failing.

[riyazdf]

looks like a failure on the v1 authz plugin teardown that affects followup tests, though I'm not sure how this change affects this directly. cc @yallop

18:31:37 ----------------------------------------------------------------------
18:31:37 FAIL: docker_cli_authz_unix_test.go:73: DockerAuthzSuite.TearDownTest
18:31:37 
18:31:37 docker_cli_authz_unix_test.go:76:
18:31:37     s.ds.TearDownTest(c)
18:31:37 environment/clean.go:143:
18:31:37     t.Fatalf("%v", err)
18:31:37 ... Error: json: cannot unmarshal object into Go value of type []types.NetworkResource
18:31:37 
18:31:37 
18:31:37 ----------------------------------------------------------------------
18:31:37 PANIC: docker_cli_authz_unix_test.go:282: DockerAuthzSuite.TestAuthZPluginAPIDenyResponse
18:31:37 
18:31:37 [d36ba59acdb28] waiting for daemon to start
18:31:37 [d36ba59acdb28] daemon started
18:31:37 
18:31:37 [d36ba59acdb28] exiting daemon
18:31:37 ... Panic: Fixture has panicked (see related PANIC)
18:31:37 
18:31:37 ----------------------------------------------------------------------

[thaJeztah]

ping @dsheets can you work on the failing tests?

[dsheets]

Yes, I'm looking at the failing test. It looks like the command-line-specified authz plugin is being retained as enabled. This causes the test teardown to fail as the authz plugin disallows access to endpoints like /networks and /plugins which are required for teardown.

[dsheets]

The test was failing because the global test daemon and the authz test suite daemon share the plugin spec directory and V1 plugins are activated during queries or retrieval (Get). V1 plugins have no means to disable an installed plugin and so the V1 model and global plugin kinds like authz don't work well together. Any subsystem that retrieved V1 plugins or requested their type would end up activating those plugins and, with global plugin kinds like authz, inserting the plugin into a global processing chain. This caused the available but not-enabled authz plugin under test in docker_cli_authz_unix_test.go to become enabled in the global test daemon during tear down where plugins get enumerated. The plugin would then block further resource enumerations during teardown as designed.

I've fixed this issue by factoring out plugin V2+ handler registration from all-plugin handler registration and only registering an authz V2+ plugin handler to inject middleware. As V1 authz plugins can only be enabled via the daemon command-line, config file, or daemon reload, the handler does not need to run for V1 plugins. V2 plugins have two states: enabled and disabled. If a V2 plugin is enabled, the handler will ensure that it is loaded into the authz middleware chain. If the plugin is disabled, the handler will not be triggered.

[thaJeztah]

ping @cpuguy83 PTAL

[dsheets]

Any review?

[dsheets]

This PR now depends on #34941. I've fixed a number of pre-existing and latent issues that testing state transitions revealed. There are still at least two additional test cases I would like to write before having this merged but I believe the work on names, v1/v2 collisions, and persistent chains can be reviewed now.

[cpuguy83]

Is this ready to go? Needs a rebase.

[djs55]

I don't think @dsheets wants to work on this any more (correct me if I'm wrong, @dsheets!)

I did a quick rebase https://github.com/djs55/docker/tree/authz-dynamic-enable

To my untrained eye the only place where there was an interesting conflict was in pkg/authorization/plugin.go where ddae20c added a field initErr error to the type authorizationPlugin struct . It seemed in this version to be unused so I removed it in the patch which also removed the once sync.Once from the struct ("authz plugins: use fixed, canonical names")

[dsheets]

I will not shepherd this PR any more. I recommend checking the osxfs handover document to see if there were remaining TODO items for this work.

[cpuguy83]

Closing this as this is now quite out of date and no one is actively working on it.