Docker Authorization Plugin Based on Casbin

This plugin controls access to Docker commands according to an authorization policy; the authorization logic itself is provided by Casbin. Since Docker does not perform authentication at present, there is no user information available when a Docker command is executed, so what the Casbin plugin can actually control is which HTTP method may be performed on which URL path of the Docker API.

For example, when you run the docker images command, the request the daemon actually sees is:

/v1.27/images/json, GET

So the Casbin plugin decides whether GET may be performed on /v1.27/images/json, based on the policy rules you write. By default the policy file is basic_policy.csv, located next to the plugin binary, and its content is:

p, /v1.27/images/json, GET

The above policy allows anyone to perform GET on /v1.27/images/json and denies every other request. The responses then look like this:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              48b5124b2768        3 months ago        1.84 kB

$ docker info
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin

The built-in Casbin model is:

[request_definition]
r = obj, act

[policy_definition]
p = obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act

The built-in Casbin policy is:

p, /_ping, GET
p, /v1.27/images/json, GET

For more information about Casbin models and policies, including RBAC and ABAC, please refer to: https://github.com/casbin/casbin
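As an added example (not the plugin's own code, and it does not use the Casbin library), the following stdlib-only Go program re-implements the decision this built-in model makes over the built-in policy: exact match on path and method, first matching allow rule wins, no match means deny. It also shows why a client that negotiates API version /v1.29 is denied by a rule written for /v1.27 (the situation Step-8 below handles) and, going one step beyond the page, a RegexMatch variant modelled on Casbin's built-in regexMatch matcher that covers every API version with one anchored rule. Names such as Rule, Enforce and the path-only treatment of the request URI are this example's assumptions.

```go
// Stand-alone re-implementation (stdlib only, it does not import Casbin) of the
// decision the built-in model above makes: effect some(where (p.eft == allow))
// over rules p = obj, act, so a request is allowed only if some rule matches it.
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule is one "p, obj, act" line of basic_policy.csv.
type Rule struct{ Obj, Act string }

// Matcher is the r.obj/p.obj comparison of the model's matcher line.
type Matcher func(policyObj, requestObj string) bool

// ExactMatch is the built-in matcher m = r.obj == p.obj && r.act == p.act. The API
// version is part of the path, so a rule for /v1.27/ does not cover /v1.29/ (Step 8).
func ExactMatch(policyObj, requestObj string) bool { return policyObj == requestObj }

// RegexMatch reproduces Casbin's built-in regexMatch(r.obj, p.obj), an unanchored
// regexp match. A rule like  p, ^/v1\.[0-9]+/images/json$, GET  then covers every
// API version; keep the anchors, or any longer path containing the pattern passes.
func RegexMatch(policyObj, requestObj string) bool {
	ok, err := regexp.MatchString(policyObj, requestObj)
	return err == nil && ok // an invalid pattern never grants access
}

// ParsePolicy reads the CSV form shown above ("p, /_ping, GET"). Blank lines and
// "#" comments are skipped; a malformed line is an error, not silently dropped.
func ParsePolicy(csv string) ([]Rule, error) {
	var rules []Rule
	sc := bufio.NewScanner(strings.NewReader(csv))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if len(f) != 3 || f[0] != "p" {
			return nil, fmt.Errorf("policy line %d: want \"p, obj, act\", got %q", n, line)
		}
		rules = append(rules, Rule{Obj: f[1], Act: f[2]})
	}
	return rules, nil
}

// Decision is what gets logged per request, rendered like the README's journalctl
// line "obj: /v1.29/images/json, act: GET res: denied" ("allowed" is our wording).
type Decision struct {
	Obj, Act string
	Allowed  bool
}

func (d Decision) String() string {
	res := "denied"
	if d.Allowed {
		res = "allowed"
	}
	return fmt.Sprintf("obj: %s, act: %s res: %s", d.Obj, d.Act, res)
}

// Enforce maps (method, request URI) to (act, obj) and applies the rules. Assumption
// made here: the object is the URL path only, so a query string such as ?all=1 does
// not change the decision; check plugin.go for the real plugin's handling of it.
func Enforce(rules []Rule, match Matcher, method, requestURI string) (Decision, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return Decision{}, err
	}
	d := Decision{Obj: u.Path, Act: method}
	for _, r := range rules {
		if r.Act == method && match(r.Obj, d.Obj) {
			d.Allowed = true // first matching allow rule wins; no match means deny
			break
		}
	}
	return d, nil
}

func main() {
	// The README's built-in policy, embedded here as the sample input.
	rules, err := ParsePolicy("p, /_ping, GET\np, /v1.27/images/json, GET\n")
	if err != nil {
		panic(err)
	}
	for _, req := range [][2]string{
		{"GET", "/v1.27/images/json"},  // docker images against API v1.27: allowed
		{"GET", "/v1.29/images/json"},  // same command against API v1.29: denied
		{"GET", "/v1.27/info"},         // docker info: denied
		{"POST", "/v1.27/images/json"}, // right path, wrong method: denied
	} {
		d, _ := Enforce(rules, ExactMatch, req[0], req[1])
		fmt.Println(d)
	}
}
```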

For users who are not Go developers

$ apt install golang-go  # install go language
$ mkdir /usr/local/go
$ export GOPATH=/usr/local/go
  • The installation command above is for Ubuntu; other distros use different commands to install Go
  • The GOPATH value in the export can be changed to suit your setup

Build

$ go get github.com/casbin/casbin-authz-plugin
$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make
$ sudo make install

Run

Run the plugin directly in a shell

$ cd /usr/lib/docker
$ mkdir examples
$ cp basic_model.conf examples/.
$ cp basic_policy.csv examples/.
$ ./casbin-authz-plugin

The output of the command above should look like this:

2017/10/21 03:47:39 Current directory: /usr/lib/docker
2017/10/21 03:47:39 Casbin model: examples/basic_model.conf
2017/10/21 03:47:39 Casbin policy: examples/basic_policy.csv
2017/10/21 03:47:39 [Model:]
2017/10/21 03:47:39 p.p: obj, act
2017/10/21 03:47:39 e.e: some(where (p_eft == allow))
2017/10/21 03:47:39 m.m: r_obj == p_obj && r_act == p_act
2017/10/21 03:47:39 r.r: obj, act
2017/10/21 03:47:39 [Policy:]
2017/10/21 03:47:39 [p :  obj, act :  [[/_ping GET] [/v1.27/images/json GET]]]

Enable the authorization plugin on docker engine

Step-1: Determine where the systemd service of the plugin is located

$ systemctl status casbin-authz-plugin

● casbin-authz-plugin.service - Docker RBAC & ABAC Authorization Plugin based on Casbin
   Loaded: loaded (/lib/systemd/system/casbin-authz-plugin.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
  • The path of the unit file is shown on the Loaded line

Step-2: Add the WorkingDirectory to the plugin's systemd service

$ vi /lib/systemd/system/casbin-authz-plugin.service

[Service]
WorkingDirectory=/usr/lib/docker
  • If the unit file path above differs from the one shown by systemctl status casbin-authz-plugin, use the latter
  • The WorkingDirectory may differ from the one shown, depending on where you put the plugin

Step-3: Run the plugin as a systemd service

$ systemctl daemon-reload
$ systemctl enable casbin-authz-plugin
$ systemctl start casbin-authz-plugin

Step-4: Edit the ExecStart of the docker systemd service

$ systemctl edit docker

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin
  • If the unit file path above differs from the one shown by systemctl status docker, use the latter
  • If the pre-defined ExecStart already carries other options, keep them and just append --authorization-plugin=casbin-authz-plugin

Step-5: Restart docker engine

$ systemctl daemon-reload
$ systemctl restart docker

Step-6: Follow the plugin logs:

$ journalctl -xe -u casbin-authz-plugin -f

Step-7: Do a quick test

$ docker images
  • If docker images is denied, proceed to Step-8 for the solution

Step-8: Change the policy

$ vi /usr/lib/docker/examples/basic_policy.csv

p, /v1.29/images/json, GET

$ systemctl restart casbin-authz-plugin
  • Note that the API version is part of the authorized path. The given policy states /v1.27/, so change the version in examples/basic_policy.csv to the one your docker client actually sends, which journalctl shows in a line like obj: /v1.29/images/json, act: GET res: denied
  • $GOPATH can be replaced with the directory where go get placed the plugin
  • Check the logs to confirm the decision

Step-9: Test again:

$ docker images
$ docker ps
$ docker info
  • If docker images is still denied, re-check Step-8 more carefully
  • These commands should now succeed

Stop and uninstall the plugin as a systemd service

NOTE: Before doing below, remove the authorization-plugin configuration added above and restart the docker daemon.

Remove the authorization plugin from docker:

$ systemctl edit docker

#[Service]
#ExecStart=
#ExecStart=/usr/bin/dockerd --authorization-plugin=casbin-authz-plugin

$ systemctl restart docker

Stop the plugin service:

$ systemctl stop casbin-authz-plugin
$ systemctl disable casbin-authz-plugin

Uninstall the plugin service:

$ cd $GOPATH/src/github.com/casbin/casbin-authz-plugin
$ make uninstall

Contact

If you have any issues or feature requests, please feel free to contact me at:

License

Apache 2.0

docker-casbin-plugin's Issues

Apply group policy

Hello,

In the blog post (https://www.twistlock.com/2016/02/18/docker-authz-plugins-twistlocks-contribution-to-the-docker-community/), there was a sample using RBAC authorization.

The "ContainerOps" group can perform "docker –run" and "docker – rm"
{"name":"policy_1","users":["ContainerOps"],"actions":["container_run", "container_rm"]}
The audit team can only perform "docker – list", but nothing else
{"name":"policy_2","users":["AuditGroup"],"actions":["container"], "readonly":true}
Alice can run all Docker commands: {"name":"policy_3","users":["alice"],"actions":["*"]}
Is it possible to extend the current project to do so?
Thanks :)

Hi @ahmed-bacha, this repo is also a Docker authorization plugin, and it's based on Casbin, a new authorization library which supports flexible access control models like ACL, RBAC and ABAC.

So I think this is what you need if you want an RBAC function, and I think it's better than the Twistlock one. I'm glad to improve it further if you are interested in it and have any other requests :)

run authorization plugin

Hi,

what are the differences between running the authorization plugin directly on the host and running it inside a container?

Many thanks.

Ibrahim

Rootlesskit

Hi,

With RootlessKit, which will be provided by Docker, can I add a subject to the Casbin model?

package github.com/casbin/casbin/v2/effect: cannot find package

Sorry for disturbing you.

I have run Casbin many times, but when I tried to run it today I got this message:

 $ go get github.com/casbin/casbin-authz-plugin
package github.com/casbin/casbin/v2/effect: cannot find package "github.com/casbin/casbin/v2/effect" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/effect (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/effect (from $GOPATH)
package github.com/casbin/casbin/v2/log: cannot find package "github.com/casbin/casbin/v2/log" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/log (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/log (from $GOPATH)
package github.com/casbin/casbin/v2/model: cannot find package "github.com/casbin/casbin/v2/model" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/model (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/model (from $GOPATH)
package github.com/casbin/casbin/v2/persist: cannot find package "github.com/casbin/casbin/v2/persist" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/persist (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/persist (from $GOPATH)
package github.com/casbin/casbin/v2/persist/file-adapter: cannot find package "github.com/casbin/casbin/v2/persist/file-adapter" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/persist/file-adapter (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/persist/file-adapter (from $GOPATH)
package github.com/casbin/casbin/v2/rbac: cannot find package "github.com/casbin/casbin/v2/rbac" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/rbac (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/rbac (from $GOPATH)
package github.com/casbin/casbin/v2/rbac/default-role-manager: cannot find package "github.com/casbin/casbin/v2/rbac/default-role-manager" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/rbac/default-role-manager (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/rbac/default-role-manager (from $GOPATH)
package github.com/casbin/casbin/v2/util: cannot find package "github.com/casbin/casbin/v2/util" in any of:
        /usr/local/go/src/github.com/casbin/casbin/v2/util (from $GOROOT)
        /home/pi/go/src/github.com/casbin/casbin/v2/util (from $GOPATH)

Could you tell me how I can solve it, please?

isolation for users within the containers

Hi
I am a PhD student and I am going to create a Docker authorization plugin model that provides isolation for users within a Docker container by using access control.

Therefore, could you help me please to create this model?

Best,
Ibrahim

sudo docker exec -d b5a94da7aa67 touch xxx

Hi, I added this rule to the policy file:

p, /v1.38/containers/b5a94da7aa67/exec , POST

(b5a94da7aa67 is the container ID)
But when I run the following command I get an error from the authorisation plugin; the plugin denies the request.

sudo docker exec -d b5a94da7aa67 touch xxx
Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin

Override response from daemon

Do you have any example code on how to filter the response from the daemon to the client? For example, docker ps should not show the same content for all users.

Hi @ungureanuvladvictor, this is another Docker authorization plugin based on Casbin, a new authorization library which supports flexible access control models like ACL, RBAC and ABAC. Maybe it can do what you need, but it needs a little work. Do you still need this filter function?

Can I use casbin-authz running dockerd with unix socket?

Hello.

In the document, a TCP connection is used in the systemd configuration:

ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2376 --authorization-plugin=casbin-authz-plugin

I don't want to use a TCP connection but the Unix socket that is set by default.

Can I use casbin-authz running dockerd with unix socket?

Update this to use a golang vendor directory and use the docker plugin helper package

Hi,
I do not see much merging of PRs, so I just want to check whether this is likely to be merged; I would like to use this plugin for some CI systems.

I would like to make the following updates:

  • use a golang vendor directory, using the latest version of godep
  • update to the latest package versions, assuming all tests pass
  • update to use the authorization plugin helper package (https://github.com/docker/go-plugins-helpers/tree/master/authorization)

I will need to do this anyway; I just want an indication of whether a PR would be accepted. I don't plan to change how the plugin works, as it looks perfect for my needs, so the changes would be minimal.

Thanks
Pat

Hi @pmcgrath, this repo is also a Docker authorization plugin, and it's based on Casbin, a new authorization library which supports flexible access control models like ACL, RBAC and ABAC.

This plugin uses the Docker authorization plugin helper package to build. And I think it's better than the Twistlock one. I'm glad to improve it further if you are interested in it and have any other requests :)

[Bug] Model empty

Hello.

I am trying to use this plugin but it does not load the model. Below I explain my tests and results. All my tests have been made on CentOS 7 with casbin 1.0.0 and the casbin-authz-plugin master branch code. Could you please advise what is wrong in my configuration, or how the issue could be solved? Thank you very much in advance.

After compiling the plugin with make and sudo make install, systemctl daemon-reload and sudo systemctl start casbin-authz-plugin are executed to start the plugin service. However, the service fails with the following error:

● casbin-authz-plugin.service - Docker RBAC & ABAC Authorization Plugin based on Casbin
   Loaded: loaded (/usr/lib/systemd/system/casbin-authz-plugin.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-09-01 07:49:04 UTC; 7s ago
  Process: 3551 ExecStart=/usr/lib/docker/casbin-authz-plugin (code=exited, status=2)
 Main PID: 3551 (code=exited, status=2)

Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: /home/centos/go_path/src/github.com/casbin/casbin/enforcer.go:109 +0xf6
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: github.com/casbin/casbin.NewEnforcer(0xc82003be18, 0x1, 0x1, 0x7120e0)
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: /home/centos/go_path/src/github.com/casbin/casbin/enforcer.go:86 +0xa57
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: main.newPlugin(0x82fb80, 0xb, 0x2, 0x0, 0x0)
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: /home/centos/go_path/src/github.com/casbin/casbin-authz-plugin/plugin.go:25 +0x102
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: main.main()
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3551]: /home/centos/go_path/src/github.com/casbin/casbin-authz-plugin/main.go:30 +0x1ac
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal systemd[1]: casbin-authz-plugin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal systemd[1]: Unit casbin-authz-plugin.service entered failed state.
Sep 01 07:49:04 ip-172-31-21-67.eu-west-1.compute.internal systemd[1]: casbin-authz-plugin.service failed.

I have overcome this issue by pointing to the config file with the -config option in the ExecStart line of the /etc/systemd/system/multi-user.target.wants/casbin-authz-plugin.service file:

[Unit]
Description=Docker RBAC & ABAC Authorization Plugin based on Casbin
Before=docker.service
After=network.target casbin-authz-plugin.socket
Requires=casbin-authz-plugin.socket docker.service

[Service]
ExecStart=/usr/lib/docker/casbin-authz-plugin -config /usr/lib/docker/casbin.conf

[Install]
WantedBy=multi-user.target

Nevertheless, after daemon-reload and systemctl restart, the service starts but without a model:

● casbin-authz-plugin.service - Docker RBAC & ABAC Authorization Plugin based on Casbin
   Loaded: loaded (/usr/lib/systemd/system/casbin-authz-plugin.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-09-01 07:51:08 UTC; 4s ago
 Main PID: 3625 (casbin-authz-pl)
   CGroup: /system.slice/casbin-authz-plugin.service
           └─3625 /usr/lib/docker/casbin-authz-plugin -config /usr/lib/docker/casbin.conf

Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal systemd[1]: Started Docker RBAC & ABAC Authorization Plugin based on Casbin.
Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal systemd[1]: Starting Docker RBAC & ABAC Authorization Plugin based on Casbin...
Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:51:08 Casbin config: /usr/lib/docker/casbin.conf
Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:51:08 [Model:]

/usr/lib/docker/casbin.conf:

# Example configuration file for casbin
# https://github.com/casbin/casbin
#
# This file follows the CONF format.
#

[default]
# The file path to the model:
model_path = /usr/lib/docker/basic_model.conf

# The persistent method for policy, can be two values: file or database.
# policy_backend = file
# policy_backend = database
policy_backend = file

[file]
# The file path to the policy:
policy_path = /usr/lib/docker/basic_policy.csv

[database]
driver = mysql
data_source = root:@tcp(127.0.0.1:3306)/

/usr/lib/docker/basic_model.conf:

[request_definition]
r = obj, act

[policy_definition]
p = obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act

/usr/lib/docker/basic_policy.csv:

p, /_ping, GET
p, /v1.27/images/json, GET

When a docker command is executed (for instance ps -a), the following error appears in journalctl -xe -u casbin-authz-plugin (a nil pointer error because the model is empty, as I understand it):

Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:51:08 Casbin config: /usr/lib/docker/casbin.conf
Sep 01 07:51:08 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:51:08 [Model:]
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:52:19 http: panic serving @: runtime error: invalid memory address or nil pointer dereference
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: goroutine 19 [running]:
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*conn).serve.func1(0xc820080380)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1389 +0xc1
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: panic(0x7ae700, 0xc82000e090)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/runtime/panic.go:443 +0x4e9
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/casbin/casbin.(*Enforcer).Enforce(0xc820056640, 0xc82003d810, 0x2, 0x2, 0xc820059240)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/casbin/casbin/enforcer.go:237 +0x20e5
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: main.(*CasbinAuthZPlugin).AuthZReq(0xc82005e080, 0x0, 0x0, 0x0, 0x0, 0xc8200591c8, 0x3, 0xc8200591e0, 0x6, 0x0, ...)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/casbin/casbin-authz-plugin/plugin.go:41 +0x22b
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc8200591c8, 0x3, 0xc8200591e0, 0x6, 0x0, 0x0, ...)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0x89
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0x7fe1a4d53b78, 0xc8200d04e0, 0xc8200e0000)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x1da
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.HandlerFunc.ServeHTTP(0xc820059030, 0x7fe1a4d53b78, 0xc8200d04e0, 0xc8200e0000)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1618 +0x3a
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*ServeMux).ServeHTTP(0xc82005b4a0, 0x7fe1a4d53b78, 0xc8200d04e0, 0xc8200e0000)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1910 +0x17d
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.serverHandler.ServeHTTP(0xc820080200, 0x7fe1a4d53b78, 0xc8200d04e0, 0xc8200e0000)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:2081 +0x19e
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*conn).serve(0xc820080380)
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1472 +0xf2e
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: created by net/http.(*Server).Serve
Sep 01 07:52:19 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:2137 +0x44e
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: 2017/09/01 07:52:34 http: panic serving @: runtime error: invalid memory address or nil pointer dereference
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: goroutine 6 [running]:
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*conn).serve.func1(0xc8200f6400)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1389 +0xc1
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: panic(0x7ae700, 0xc82000e090)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/runtime/panic.go:443 +0x4e9
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/casbin/casbin.(*Enforcer).Enforce(0xc820056640, 0xc82003d810, 0x2, 0x2, 0xc8200592e0)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/casbin/casbin/enforcer.go:237 +0x20e5
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: main.(*CasbinAuthZPlugin).AuthZReq(0xc82005e080, 0x0, 0x0, 0x0, 0x0, 0xc820059290, 0x3, 0xc8200c6d80, 0x1c, 0x0, ...)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/casbin/casbin-authz-plugin/plugin.go:41 +0x22b
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc820059290, 0x3, 0xc8200c6d80, 0x1c, 0x0, 0x0, ...)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0x89
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0x7fe1a4d53b78, 0xc8200d0680, 0xc8200fc1c0)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /home/centos/go_path/src/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x1da
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.HandlerFunc.ServeHTTP(0xc820059030, 0x7fe1a4d53b78, 0xc8200d0680, 0xc8200fc1c0)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1618 +0x3a
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*ServeMux).ServeHTTP(0xc82005b4a0, 0x7fe1a4d53b78, 0xc8200d0680, 0xc8200fc1c0)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1910 +0x17d
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.serverHandler.ServeHTTP(0xc820080200, 0x7fe1a4d53b78, 0xc8200d0680, 0xc8200fc1c0)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:2081 +0x19e
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: net/http.(*conn).serve(0xc8200f6400)
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:1472 +0xf2e
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: created by net/http.(*Server).Serve
Sep 01 07:52:34 ip-172-31-21-67.eu-west-1.compute.internal casbin-authz-plugin[3625]: /usr/lib/golang/src/net/http/server.go:2137 +0x44e

Connecting back to the Docker host

When I receive a request asking whether a container can be started, I would like to go back to the Docker host and get the sha256 of the image that is being started. However, I am getting errors indicating the plugin cannot talk to /var/run/docker.sock.

I have the following code, which at present just tries to list the containers:

import (
	"context"
	"fmt"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/client"
)

// getContainers lists the containers visible through the Docker API; the
// client is configured from the environment (DOCKER_HOST, falling back to
// the default unix:///var/run/docker.sock).
func getContainers() {
	fmt.Printf("***** Container List\n")
	cli, err := client.NewClientWithOpts(client.FromEnv)
	if err != nil {
		panic(err)
	}

	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
	if err != nil {
		panic(err)
	}

	for _, container := range containers {
		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
	}
}

When running my container before creating the plugin, I can achieve the desired behaviour by running the container as follows:

docker run -v /var/run/docker.sock:/var/run/docker.sock ${TEMPLATE}:${VERSION}

I believe there is some config somewhere in config.json to achieve the same thing, but I cannot seem to get it to work. I have tried:

    "PropagatedMount": "/var/run/docker.sock",
    "Mounts": [
      {
        "Type": "bind",
        "Source": "/var/run/docker.sock",
        "Destination": "/var/run/docker.sock",
        "Mode": "",
        "RW": true,
        "Propagation": "rprivate"
      }
    ]

Any thoughts?

cd /usr/lib/docker

Hi,

I got this error when I run cd /usr/lib/docker: Not a directory.

It worked when I was working on a single node. Now I have created a cluster (a 4-node supercomputer), but when I want to run the Casbin plugin I get this error: cd /usr/lib/docker: Not a directory.

Can you help me please?

Best
Ibrahim

Recommended system of using Casbin's basic model?

Hi,

could you recommend any available system to run this model with a subject:

[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

because I cannot run this model with the subject on Docker, so I would like to run it on any other available system.

Many thanks,
Ibrahim

p, /v1.27/images/json, GET

Hi,

Is it possible to add a user to this policy "p, /v1.27/images/json, GET"?
For example, I would like to enable this policy just for Bob. (p, Bob /v1.27/images/json, GET)

I added a subject in the basic_model.conf file, but I got an error message from the socket when I ran the previous policy with a user.

Many Thanks
Ibrahim

Instructions on running and enabling is not working

I always get an error when trying to run the plugin:

Oct 13 14:35:52 azure-staging systemd[1]: Started Docker RBAC & ABAC Authorization Plugin based on Casbin.
-- Subject: Unit casbin-authz-plugin.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit casbin-authz-plugin.service has finished starting up.
-- 
-- The start-up result is done.
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: 2017/10/13 14:35:52 Casbin model: examples/basic_model.conf
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: 2017/10/13 14:35:52 Casbin policy: examples/basic_policy.csv
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: panic: open examples/basic_model.conf: no such file or directory
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: goroutine 1 [running]:
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: panic(0x79a200, 0xc82000f290)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/lib/go-1.6/src/runtime/panic.go:481 +0x3e6
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: github.com/casbin/casbin/model.Model.LoadModel(0xc82000f230, 0x87f1e0, 0x19)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin/model/model.go:95 +0x85
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: github.com/casbin/casbin.(*Enforcer).LoadModel(0xc82004a700)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin/enforcer.go:163 +0x7f
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: github.com/casbin/casbin.(*Enforcer).InitWithFile(0xc82004a700, 0x87f1e0, 0x19, 0x87f200, 0x19)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin/enforcer.go:109 +0xf6
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: github.com/casbin/casbin.NewEnforcer(0xc82003de08, 0x2, 0x2, 0x717220)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin/enforcer.go:73 +0x4b7
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: main.newPlugin(0x87f1e0, 0x19, 0x87f200, 0x19, 0xc82000aff0, 0x0, 0x0)
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin-authz-plugin/plugin.go:25 +0x18b
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]: main.main()
Oct 13 14:35:52 azure-staging casbin-authz-plugin[46424]:         /usr/local/go/bin/src/github.com/casbin/casbin-authz-plugin/main.go:32 +0x32a
Oct 13 14:35:52 azure-staging systemd[1]: casbin-authz-plugin.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Oct 13 14:35:52 azure-staging systemd[1]: casbin-authz-plugin.service: Unit entered failed state.
Oct 13 14:35:52 azure-staging systemd[1]: casbin-authz-plugin.service: Failed with result 'exit-code'.

Nothing happens when I enable the authorization plugin.

P.S.

  • I am not a golang developer, so debugging this is very hard for me

docker.socket

Hi

I would like to edit the docker.socket file and make it for a particular user.
Example:

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=pi
SocketGroup=docker

so SocketUser will be pi instead of root, because I would like to add the subject in the Casbin model.
But I got an error message from the socket.

Is there any way to make it work in Casbin?

many thanks

alice, data1, read

Hi,

what do you mean by data1? Is it a container, an image, or an object within the image?

Many Thanks,
Ibrahim

Document how this module relates to swarm mode

How should the daemon be set up in a swarm?

Docker swarm / swarm mode is not mentioned in the documentation, which makes me believe that it doesn't work. The documentation should specify how and if it works in docker swarm mode.

Hi @alexanderkjeldaas, this repo is also a Docker authorization plugin, and it's based on Casbin, a new authorization library which supports flexible access control models like ACL, RBAC and ABAC.

Docker Swarm is a cluster of Docker daemons, so the auth plugin still works in Docker Swarm, but only for the one daemon it is attached to. We need a solution to manage all the auth plugins attached to Docker daemons inside a Docker Swarm cluster.

Step 8 - Changed the policy

Hi,
I have changed the policy in step 8 but I get the same output, which is: Error response from daemon: authorization denied by plugin casbin-authz-plugin: Access denied by casbin plugin

I changed the policy to:

p, /v1.29/images/json, GET

Could you tell me how to solve this problem, please?

Ibrahim

Waiting for hijack to finish

When running the docker container: Error connecting to docker daemon (does docker ps work?)
DEBU[0002] [hijack] End of stdout

DEBU[0003] End of CmdRun(), Waiting for hijack to finish.

Hi @daashayani, please try this plugin; it is also a Docker authorization plugin, and it's based on Casbin, a new authorization library which supports flexible access control models like ACL, RBAC and ABAC.
