Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.
- From: Daniel J Walsh <dwalsh redhat com>
- To: Stef Walter <stefw redhat com>, atomic-devel projectatomic io
- Subject: Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.
- Date: Fri, 21 Nov 2014 15:29:32 -0500
On 11/21/2014 03:19 PM, Stef Walter wrote:
> On 21.11.2014 16:29, Daniel J Walsh wrote:
> > I have begun thinking about securing the docker socket, and I
> > wanted to open a discussion on this to get other people's ideas.
>
> > Docker currently uses group permissions to control who can connect
> > to the docker socket. If you have the docker daemon listen on the
> > network, then there is no security. The ability to talk to the
> > docker socket is the equivalent of giving the user root, which I
> > blogged about here.
> >
> > http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-docker-in-fedora/
>
> > I believe we need to start working on fixing this. First I would
> > like to see authentication fixed. We need some mechanism to allow
> > administrators to specify which users are able to manage docker?
>
> I think polkit should be that mechanism. That's what all the other
> system services use or are migrating towards.
>
> Stef
>
Polkit is currently only used for dbus communications, I believe. Not
sure how receptive docker would be to using polkit.
Also, this function needs to be managed, i.e. how do I add a user to be
able to launch certain containers?
Seems like it would need some kind of database internal to docker.
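
An added example, not part of the original thread: a small audit of the situation the quoted message describes, listing which accounts can connect to the docker socket through its group permissions and which daemon listen addresses are on the network. The default path `/var/run/docker.sock` and the sample `-H` values are assumptions constructed for illustration.

```python
import grp
import os
import pwd
import stat


def socket_access(path):
    """Report who can connect to a UNIX socket (connecting needs write permission)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        group = grp.getgrgid(st.st_gid)
        group_name = group.gr_name
        members = set(group.gr_mem)
        # Users whose primary group owns the socket are not listed in gr_mem.
        members |= {u.pw_name for u in pwd.getpwall() if u.pw_gid == st.st_gid}
    except KeyError:
        # The gid has no entry in the group database.
        group_name, members = str(st.st_gid), set()
    group_ok = bool(mode & stat.S_IWGRP)
    return {
        "mode": oct(mode),
        "group": group_name,
        "group_can_connect": group_ok,
        "world_can_connect": bool(mode & stat.S_IWOTH),
        # Per the thread, socket access is equivalent to root on the host.
        "root_equivalent_users": sorted(members) if group_ok else [],
    }


def network_listeners(hosts):
    """Return the daemon -H values that expose the API beyond the local socket."""
    return [h for h in hosts if h.startswith("tcp://")]


if __name__ == "__main__":
    sock = "/var/run/docker.sock"  # assumed default socket path
    if os.path.exists(sock):
        print(socket_access(sock))
    # Constructed sample of daemon listen addresses.
    print(network_listeners(["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]))
```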