Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.
- From: Stef Walter <stefw redhat com>
- To: Clayton Coleman <ccoleman redhat com>, Stef Walter <stefw redhat com>
- Cc: Daniel J Walsh <dwalsh redhat com>, "atomic-devel projectatomic io" <atomic-devel projectatomic io>
- Subject: Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.
- Date: Tue, 25 Nov 2014 09:04:18 +0100
On 22.11.2014 17:41, Clayton Coleman wrote:
> We'll need to authorize containers to talk to docker - what
> limitations would polkit have in those circumstances? We can
> ensure we run the requesting container as a known uid, but in some
> cases we may need to rely on other characteristics of the
> container.

Correct me if I'm wrong ... but the Linux kernel doesn't yet have a
way to pass credentials other than UID/PID/SELinux context as socket
credentials. Anything that uses the PID to do a lookup for other stuff
(e.g. cgroup or namespace of caller) is very broken and racy.

There is a kernel patch being worked on to allow passing of further
credentials. This patch is a prerequisite of kbus, but not strictly
related. Dan may know more about the status of this patch.

Once this kernel feature is available, lots of software will need to
be updated to take advantage of it, including polkit, where new
'subjects' will need to be added for caller cgroup and/or namespace.

Hope that answers the question ... and I didn't miss the point
altogether :D

Stef
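
The socket credentials discussed in this message, as an added example that is not part of the original post or of Docker/polkit code: a Unix-socket server reads the peer's PID/UID/GID (`SO_PEERCRED`) and security label (`SO_PEERSEC`) and authorizes on the UID only. The names `PeerCreds`, `peer_credentials`, `authorize` and `demo` are hypothetical, and a Linux host is assumed.

```python
import os
import socket
import struct
from typing import NamedTuple, Optional

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid (see unix(7)).
_UCRED = struct.Struct("iII")
# Assumption: 31 is the generic Linux value, used only if Python lacks the name.
_SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


class PeerCreds(NamedTuple):
    pid: int
    uid: int
    gid: int
    security_label: Optional[str]  # SELinux context where SELinux is active


def peer_credentials(conn: socket.socket) -> PeerCreds:
    """Return the credentials the kernel recorded for the peer of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    pid, uid, gid = _UCRED.unpack(raw)
    try:
        raw_label = conn.getsockopt(socket.SOL_SOCKET, _SO_PEERSEC, 256)
        label = raw_label.rstrip(b"\0").decode(errors="replace") or None
    except OSError:
        label = None  # no security module supplies a label on this host
    return PeerCreds(pid, uid, gid, label)


def authorize(conn: socket.socket, allowed_uids: set) -> bool:
    """Decide on the kernel-supplied UID only.

    The PID is deliberately not used to look up /proc/<pid>/cgroup or
    namespaces: the peer may have exited and its PID been reused by then.
    """
    return peer_credentials(conn).uid in allowed_uids


def demo():
    # Constructed test setup: both ends of the pair belong to this process.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server_end, client_end:
        creds = peer_credentials(server_end)
        allowed = authorize(server_end, {os.getuid()})
        denied = authorize(server_end, {os.getuid() + 1})
    return creds, allowed, denied


if __name__ == "__main__":
    print(demo())
```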