Documentation
Overview
Package authz consists of specific authorization and auditing implementations. Supported mechanisms:
 - basic authorization: policy evaluation based on JSON policy files
 - basic auditing: auditing to a log file in JSON format (only the incoming request is audited, not the response)
Index
Constants
const (
	// AuditHookSyslog indicates logs are streamed to local syslog
	AuditHookSyslog = "syslog"
	// AuditHookFile indicates logs are written to a local file (the path is taken from BasicAuditorSettings.LogPath)
	AuditHookFile = "file"
	// AuditHookStdout indicates logs are streamed to stdout; as its value is the empty string, an unset LogHook selects it
	AuditHookStdout = ""
)
Variables
This section is empty.
Functions
func NewBasicAuditor
func NewBasicAuditor(settings *BasicAuditorSettings) core.Auditor
NewBasicAuditor returns a new authz auditor that writes audit records to the logging hook named in settings (syslog, file or stdout).
func NewBasicAuthZAuthorizer
func NewBasicAuthZAuthorizer(settings *BasicAuthorizerSettings) core.Authorizer
NewBasicAuthZAuthorizer creates a new basic authorizer that evaluates requests against the policy file named in settings.
Types
type BasicAuditorSettings
type BasicAuditorSettings struct {
	LogHook string // LogHook is the log hook used to audit authorization data (one of the AuditHook* constants)
	LogPath string // LogPath is the path to the audit log file (used only when the file hook is specified)
}
BasicAuditorSettings are the settings used by the basic auditor.
type BasicAuthorizerSettings
type BasicAuthorizerSettings struct {
	PolicyPath string // PolicyPath is the path to the policy settings file
}
BasicAuthorizerSettings provides settings for the basic authorizer flow.
type BasicPolicy
type BasicPolicy struct {
	Actions  []string `json:"actions"`  // Actions are the docker actions (mapped to authz terminology) allowed by this policy; each action is specified as a regular expression
	Users    []string `json:"users"`    // Users are the users to which this policy applies
	Name     string   `json:"name"`     // Name is the policy name
	Readonly bool     `json:"readonly"` // Readonly indicates this policy only allows GET (read-only) commands
}
BasicPolicy represents a single policy object that is evaluated in the authorization flow. Each policy object consists of multiple users and docker actions, and each user is expected to belong to a single policy.
The policies are evaluated according to the following flow:
	For each policy object, in order:
		if the user belongs to the policy:
			if the requested action matches an action in the policy, allow; otherwise deny
	If no policy contains the user, deny.
Remark: In the basic flow, each user must belong to exactly one policy. The first policy that names the user decides the request, so if a user appears in more than one policy the outcome depends on the order of the policies and may be inconsistent.
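The following is an added worked example of the evaluation flow above; it is not code from the authz project. It loads a constructed policy file, compiles the action regular expressions, evaluates requests with the first-matching-policy rule including the Readonly check, and flags users that appear in more than one policy, the misconfiguration the remark warns about. Assumptions made here: the policy file holds one JSON object per line; Readonly is modelled as admitting only HTTP GET requests; action patterns are anchored (^...$) so that "container" does not match "container_create"; and Request is a simplified stand-in for the plugin's request type. Check each of these against the deployed plugin before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// BasicPolicy mirrors the documented policy object; compiled is filled by LoadPolicies.
type BasicPolicy struct {
	Actions  []string `json:"actions"`
	Users    []string `json:"users"`
	Name     string   `json:"name"`
	Readonly bool     `json:"readonly"`
	compiled []*regexp.Regexp
}

// Request is a hypothetical, simplified stand-in for the plugin's request type.
type Request struct{ User, Method, Action string }

// Decision records the outcome and the policy that produced it ("" if none matched).
type Decision struct{ Allow bool; Policy, Reason string }

// samplePolicyFile is constructed test data, assumed to be one JSON object per line;
// "bob" is deliberately listed in two policies.
const samplePolicyFile = `
{"name":"admins","users":["alice"],"actions":[".*"]}
{"name":"readers","users":["bob"],"actions":["container_.*","image_.*"],"readonly":true}
{"name":"ops","users":["bob","carol"],"actions":["container_create"]}
`

// LoadPolicies parses the file and compiles every action pattern, anchored so
// "container" cannot match "container_create"; a bad pattern rejects the whole file.
func LoadPolicies(data string) ([]BasicPolicy, error) {
	var out []BasicPolicy
	for i, line := range strings.Split(data, "\n") {
		if line = strings.TrimSpace(line); line == "" { continue }
		var p BasicPolicy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		for _, pat := range p.Actions {
			re, err := regexp.Compile("^(?:" + pat + ")$")
			if err != nil {
				return nil, fmt.Errorf("policy %q: bad action pattern %q: %w", p.Name, pat, err)
			}
			p.compiled = append(p.compiled, re)
		}
		out = append(out, p)
	}
	return out, nil
}

// Evaluate implements the documented flow: the first policy that names the user
// decides; a Readonly policy admits only GET; no matching policy denies.
func Evaluate(policies []BasicPolicy, req Request) Decision {
	for _, p := range policies {
		for _, u := range p.Users {
			if u != req.User {
				continue
			}
			if p.Readonly && req.Method != "GET" {
				return Decision{false, p.Name, "readonly policy, non-GET request"}
			}
			for _, re := range p.compiled {
				if re.MatchString(req.Action) {
					return Decision{true, p.Name, "action matches " + re.String()}
				}
			}
			return Decision{false, p.Name, "action not in policy"}
		}
	}
	return Decision{false, "", "no policy for user"}
}

// DuplicateUsers returns users listed in more than one policy (names in file
// order), the misconfiguration the remark above warns about.
func DuplicateUsers(policies []BasicPolicy) map[string][]string {
	byUser := map[string][]string{}
	for _, p := range policies {
		for _, u := range p.Users {
			byUser[u] = append(byUser[u], p.Name)
		}
	}
	for u, names := range byUser {
		if len(names) < 2 {
			delete(byUser, u)
		}
	}
	return byUser
}

func main() {
	policies, err := LoadPolicies(samplePolicyFile)
	if err != nil { panic(err) }
	fmt.Println("users in more than one policy:", DuplicateUsers(policies))
	for _, req := range []Request{{"alice", "POST", "container_create"}, {"bob", "GET", "container_list"},
		{"bob", "POST", "container_create"}, {"carol", "POST", "container_create"}, {"dave", "GET", "container_list"}} {
		fmt.Printf("%+v -> %+v\n", req, Evaluate(policies, req))
	}
}
```

Run as written, bob's POST to container_create is denied by the "readers" policy even though "ops" would allow it, because "readers" is listed first; swapping the two lines in the file flips the result. Running DuplicateUsers over a policy file before deploying it catches exactly that situation, and rejecting the file on a non-compiling pattern keeps a typo from silently turning into a policy that matches nothing.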