
Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22.11.2014 17:41, Clayton Coleman wrote:
> We'll need to authorize containers to talk to docker - what 
> limitations would polkit have in those circumstances?  We can
> ensure we run the requesting container as a known uid, but in some
> cases we may need to rely on other characteristics of the
> container.

Correct me if I'm wrong ... but the Linux kernel doesn't yet have a
way to pass credentials other than UID/PID/SELinux context as socket
credentials. Anything that uses the PID to do a lookup for other stuff
(e.g. cgroup or namespace of caller) is very broken and racy.

There is a kernel patch being worked on to allow passing of further
credentials. This patch is a prerequisite of kbus, but not strictly
related. Dan may know more about the status of this patch.

Once this kernel feature is available, lots of software will need to
be updated to take advantage of it, including polkit, where new
'subjects' will need to be added for caller cgroup and/or namespace.

Hope that answers the question ... and I didn't miss the point
altogether :D

Stef
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlR0N/sACgkQe/sRCNknZa9KywCgpcWWEYjJzum9pjnWnuOKs/Kd
dKMAniaD7jYhk/X3KUShL1xjsFSzvzI2
=YPkW
-----END PGP SIGNATURE-----

