
open-policy-agent / opa-docker-authz

License: Apache-2.0
A policy-enabled authorization plugin for Docker.

Programming Languages

go
31211 projects - #10 most used programming language
Open Policy Agent
39 projects
Makefile
30231 projects
shell
77523 projects
Dockerfile
14818 projects

Projects that are alternatives of or similar to opa-docker-authz

opal
Policy and data administration, distribution, and real-time updates on top of Open Policy Agent
Stars: ✭ 459 (+585.07%)
Mutual labels:  authorization, opa
opa-java-spring-client
Simple Spring client for working with the Open Policy Agent
Stars: ✭ 19 (-71.64%)
Mutual labels:  authorization, opa
Opa
An open source, general-purpose policy engine.
Stars: ✭ 5,939 (+8764.18%)
Mutual labels:  authorization, opa
opa-spring-security
Open Policy Agent for Spring Security
Stars: ✭ 19 (-71.64%)
Mutual labels:  authorization, opa
opa-kafka-plugin
Open Policy Agent (OPA) plug-in for Kafka authorization
Stars: ✭ 46 (-31.34%)
Mutual labels:  authorization, opa
raider
OWASP Raider: a novel framework for manipulating the HTTP processes of persistent sessions
Stars: ✭ 88 (+31.34%)
Mutual labels:  authorization
react-redux-jwt-auth
React Redux: Token Authentication example with JWT, React Router, Axios, Thunk Middleware
Stars: ✭ 86 (+28.36%)
Mutual labels:  authorization
firebase-spring-boot-rest-api-authentication
Firebase Spring Boot Rest API Authentication
Stars: ✭ 172 (+156.72%)
Mutual labels:  authorization
nexus3-github-oauth-plugin
This nexus plugin provides a way to authenticate/authorize your users based on Github.
Stars: ✭ 52 (-22.39%)
Mutual labels:  authorization
MovieGo
A Website implemented using MERN (MongoDB, ExpressJS, ReactJS and NodeJS) stack, which allows users to sign-in/register and book movie tickets online.
Stars: ✭ 26 (-61.19%)
Mutual labels:  authorization
dart-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Dart/Flutter
Stars: ✭ 30 (-55.22%)
Mutual labels:  authorization
hapi-doorkeeper
User authentication for web servers
Stars: ✭ 14 (-79.1%)
Mutual labels:  authorization
react-jwt-auth
React JWT Authentication & Authorization example - React.js Login and Registration example
Stars: ✭ 307 (+358.21%)
Mutual labels:  authorization
gothic
🦇 Gothic is a user registration and authentication SWT/JWT microservice. It supports REST, gRPC, and gRPC Web API, reCAPTCHA & a variety of DBs with Gorm.
Stars: ✭ 65 (-2.99%)
Mutual labels:  authorization
auth
🔑 Laravel Authentication package with built-in two-factor (Authy) and social authentication (Socialite).
Stars: ✭ 39 (-41.79%)
Mutual labels:  authorization
beyondauth
a traefik / nginx companion to create an identity aware proxy like beyondcorp
Stars: ✭ 26 (-61.19%)
Mutual labels:  authorization
ccheck
A command line tool for validating Kubernetes configs with rego
Stars: ✭ 63 (-5.97%)
Mutual labels:  opa
spring-boot-login-example
Spring Boot Login and Registration example with MySQL, JWT, Rest Api - Spring Boot Spring Security Login example
Stars: ✭ 50 (-25.37%)
Mutual labels:  authorization
gotrue
A JWT based API for managing users and issuing JWT tokens
Stars: ✭ 325 (+385.07%)
Mutual labels:  authorization
postee
Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.
Stars: ✭ 160 (+138.81%)
Mutual labels:  opa

opa-docker-authz

This project is used to show how OPA can help policy-enable an existing service.

In this example, we policy-enable the authorization functionality available in the Docker Engine, which is implemented using a plugin architecture. Plugins were introduced in the Docker Engine in 1.10, as a v1 implementation, and further extended in 1.13, as a v2 implementation. Plugins that adhere to the former are often termed legacy plugins, whilst the latter are termed managed plugins.

opa-docker-authz is an authorization plugin for the Docker Engine, and can be run as a legacy plugin, or as a managed plugin. The managed plugin is the recommended configuration.

Usage

See the detailed example to set up a running example of this plugin.

Build

A makefile is provided for creating different artifacts, each of which requires Docker:

  • make build - builds the opa-docker-authz binary
  • make image - builds a Docker image for use as a legacy plugin
  • make plugin - builds a managed plugin

Install

To make use of the opa-docker-authz plugin, TLS must be enabled so that the Docker daemon can authenticate the client user. The client's X.509 certificate subject common name should be set to the user who is the subject of the authorization request.

Managed Plugin

The managed plugin is a special pre-built Docker image, and as such, has no prior knowledge of the user's intended policy. OPA policy is defined using the Rego language, which for the purposes of the opa-docker-authz plugin, is either contained within a file (using the -policy-file argument) or fetched from bundles through an OPA configuration file (using the -config-file argument). Since the latter option allows not just remote bundles, but any of the OPA management features such as decision logging, it is the recommended choice. The plugin needs to be made aware of either the location of the policy file, or the config file, during its installation.

In order to provide user-defined OPA policy or config, the plugin is configured with a bind mount; /etc/docker is mounted at /opa inside the plugin's container, which is its working directory. If you define your config in a file located at the path /etc/docker/config/opa-conf.yaml, for example, it will be available to the plugin at /opa/config/opa-conf.yaml.

If the plugin is installed without a reference to either a Rego policy file or a config file, all authorization requests sent to the plugin by the Docker daemon fail open and are authorized by the plugin.
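The following policy is an added example, not a file from the opa-docker-authz repository, written to show what a -policy-file for this plugin looks like. It assumes the plugin queries data.docker.authz.allow and that the input document has the shape shown in the decision-log entry in the Logs section below (Method, PathArr, Query, Body, User); registry.example.com is a placeholder for an approved registry. The syntax is the pre-1.0 Rego form that matches the OPA version recorded in that log entry (v0.18.0).

```rego
# Added example policy for opa-docker-authz (not part of the project).
# Assumption: the plugin evaluates data.docker.authz.allow against an input
# document shaped like the plugin's decision log (Method, PathArr, Query,
# Body, User). "registry.example.com" is a placeholder registry name.
package docker.authz

# Fail closed: any request that is not explicitly allowed is denied.
default allow = false

allow {
    not deny
}

# Deny privileged containers.
deny {
    input.Body.HostConfig.Privileged == true
}

# Deny containers that turn off the default seccomp profile.
deny {
    input.Body.HostConfig.SecurityOpt[_] == "seccomp:unconfined"
}

# Deny bind-mounting the Docker socket into a container
# (a container with the socket controls the host's daemon).
deny {
    bind := input.Body.HostConfig.Binds[_]
    startswith(bind, "/var/run/docker.sock:")
}

# Deny image pulls (POST /vX.Y/images/create) from unapproved registries.
# PathArr splits the request path, so index 2 and 3 are "images", "create"
# regardless of the API version in index 1.
deny {
    input.Method == "POST"
    input.PathArr[2] == "images"
    input.PathArr[3] == "create"
    image := input.Query.fromImage[_]
    not startswith(image, "registry.example.com/")
}

# Require an authenticated client (TLS subject common name) for every
# request that is not a read-only GET.
deny {
    input.Method != "GET"
    input.User == ""
}
```

Each deny rule is independent, so a request is rejected as soon as any one of them holds; a pull that carries no fromImage query parameter (for example an image import via fromSrc) is not covered by the registry rule and would need its own rule if that path should also be restricted.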

The following steps detail how to install the managed plugin.

Download the opa-docker-authz plugin from the Docker Hub (depending on how your Docker environment is configured, you may need to execute the following commands using the sudo utility), and specify the location of the policy file, or config file, using the opa-args key, and an appropriate value:

$ docker plugin install --alias opa-docker-authz openpolicyagent/opa-docker-authz-v2:0.8 opa-args="-config-file /opa/config/opa-conf.yaml"
Plugin "openpolicyagent/opa-docker-authz-v2:<VERSION>" is requesting the following privileges:
 - mount: [/etc/docker]
Do you grant the above permissions? [y/N] y
...
Installed plugin openpolicyagent/opa-docker-authz-v2:<VERSION>

Check the plugin is installed and enabled:

$ docker plugin ls
ID                  NAME                      ENABLED
cab1329e2a5a        opa-docker-authz:latest   true

With the plugin installed and enabled, the Docker daemon needs to be configured to make use of the plugin. There are a couple of ways of doing this, but perhaps the easiest is to add a configuration option to the daemon's configuration file (usually /etc/docker/daemon.json):

{
    "authorization-plugins": ["openpolicyagent/opa-docker-authz-v2:0.8"]
}

To update the Docker daemon's configuration, send a HUP signal to its process:

$ sudo kill -HUP $(pidof dockerd)

The Docker daemon will now send authorization requests for all Docker client API calls, to the opa-docker-authz plugin, for evaluation.

Legacy Plugin

If you prefer to use the legacy plugin, it needs to be started as a container, before applying the same configuration to the Docker daemon, as detailed above:

$ docker container run -d --restart=always --name opa-docker-authz \
    -v /run/docker/plugins:/run/docker/plugins \
    -v $HOME/opa/policies:/opa \
    openpolicyagent/opa-docker-authz:0.6 -policy-file /opa/authz.rego

Logs

If using the plugin with the -config-file option, full decision logging capabilities - including configuring remote endpoints - are at your disposal.

If using a policy file, the activity describing the interaction between the Docker daemon and the authorization plugin, and the authorization decisions made by OPA, can be found in the daemon's logs. Their location is dependent on the host operating system configuration.

Logs are generated in a JSON format similar to decision logs:

{
  "config_hash": "a2e84e38eafd14a816194357860b253becbc739e601cf4307078413a0a578a89",
  "decision_id": "8d4c6d08-b56e-4625-b66c-3e6c00d7a6e7",
  "input": {
    "AuthMethod": "",
    "Body": null,
    "Headers": {
      "Content-Length": "0",
      "Content-Type": "text/plain",
      "User-Agent": "Docker-Client/19.03.11 (linux)"
    },
    "Method": "POST",
    "Path": "/v1.40/images/create?fromImage=registry.company.com%3A8885%2Fbash\\u0026tag=latest",
    "PathArr": [
      "",
      "v1.40",
      "images",
      "create"
    ],
    "PathPlain": "/v1.40/images/create",
    "Query": {
      "fromImage": [
        "registry.company.com:8885/bash"
      ],
      "tag": [
        "latest"
      ]
    },
    "User": ""
  },
  "labels": {
    "app": "opa-docker-authz",
    "id": "396f1138-ea63-4be0-9ce0-3184cb20b1dd",
    "opa_version": "v0.18.0",
    "plugin_version": "0.8"
  },
  "result": true,
  "timestamp": "2020-06-16T16:44:54.328705305Z"
}

Uninstall

Uninstalling the opa-docker-authz plugin is the reverse of installing. First, remove the configuration applied to the Docker daemon, not forgetting to send a HUP signal to the daemon's process.

If you're using the legacy plugin, use the docker container rm -f opa-docker-authz command to remove the plugin. Otherwise, use the docker plugin rm -f opa-docker-authz command to remove the managed plugin.
