Skip to content

enhance authz interface for policies#1

Open
mapuri wants to merge 2 commits intomasterfrom
authz_work
Open

enhance authz interface for policies#1
mapuri wants to merge 2 commits intomasterfrom
authz_work

Conversation

@mapuri
Copy link

@mapuri mapuri commented Jan 16, 2016

This patch contains changes to:

  • introduce a policy map (as discussed in our earlier meetings and inline with discussion here Proposal: Policy Extension Point moby/moby#18647 (comment))
  • the authz plugin interface to allow passing policies from plugin to daemon
    • additionally, since multiple authz plugins can be chained, the policies are also passed to subsequent plugins in the chain giving them a chance to update the policy, if needed
  • add the policies returned by the authz plugin to the container's config. This is visible when we do docker inspect.

Next steps:

  • review this PR and see if it is inline with what we want to propose to docker folks
  • update the documentation on authz plugins
  • I will continue to work on implementing a authz plugin (in contiv/policyengine repo) that adheres to the updated interface
    • and possibly incorporate the structures from @jainvipin 's (soon to be sent) PR on concrete policy structures, discussion for which is already undergoing I believe on github-gist
  • make changes to libnetwork and volume driver interface to accept and pass policies down to drivers
  • see if we can implement the authz interface in volplugin and docknetplugin itself to avoid having a yet another daemon for storage and network policies.

Note: some of the changes are in vendor directory which implies this will possibly be merged as separate PRs in docker, if it get's accepted that is :).

/cc @shaleman @jainvipin @erikh @unclejack

@mapuri mapuri force-pushed the authz_work branch 3 times, most recently from 7105dbc to d176624 Compare January 16, 2016 01:57
@jainvipin
Copy link

jainvipin commented Jan 16, 2016

@mapuri - basic structure looks right to me - thanks! Some comments:

jainvipin
jainvipin reviewed Jan 16, 2016
View reviewed changes
api/server/router/container/container_routes.go Outdated
Copy link

@jainvipin jainvipin Jan 16, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious why warn here? if policies are not associated with the ctx, then it is ok right?

Copy link
Author

@mapuri mapuri Jan 16, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is just a log message for type assertion failure.

Yes, it is ok for no policies to be associated. If policies are not associated then we just set the map as empty on the next line so that it is not nil.

@mapuri
Copy link
Author

mapuri commented Jan 16, 2016

@jainvipin thanks for the review.

I will update the documentation and test cases as well and push them in this PR.

@mapuri mapuri force-pushed the authz_work branch 7 times, most recently from e5534df to 124246d Compare January 23, 2016 00:26
@mapuri
Copy link
Author

mapuri commented Jan 23, 2016

@jainvipin @shaleman

I have updated the policy related structure to be in line with the proposal here https://gist.github.com/jainvipin/8b1677f041534df576b2

PTAL when you get a chance.

jainvipin
jainvipin reviewed Jan 31, 2016
View reviewed changes
vendor/src/github.com/docker/engine-api/types/container/network_policy_attribute.go Outdated
Copy link

@jainvipin jainvipin Jan 31, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we incorporate direction and PeerGroupId to the code? Ref the updated doc in the link below...

@mapuri mapuri force-pushed the authz_work branch 2 times, most recently from 483a48d to d9c25e5 Compare February 2, 2016 02:15
@mapuri mapuri force-pushed the authz_work branch 2 times, most recently from 8399cb4 to 47346b8 Compare February 29, 2016 20:29
@mapuri
modify authz plugin interface to allow passing policies from plugin t…
839ce2d 
…o daemon

Also hooked container create handler to set the policies in container config.

Signed-off-by: Madhav Puri <madhav.puri@gmail.com>
@mapuri mapuri force-pushed the authz_work branch 3 times, most recently from 8d94690 to bafd8e6 Compare March 8, 2016 23:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mapuri @jainvipin