Add more granular access control #126
Conversation
The original code will not allow write access (set via the POST var) to endpoints to which read access is not provided. Before this fix, verify_access would allow write-only access to all endpoints if the POST var was set regardless of read access.
| http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool } | ||
| http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool } | ||
| http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool } | ||
| http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool } |
There was a problem hiding this comment.
Why these first 4 lines are removed?
There was a problem hiding this comment.
Hi @pedrobaeza, sorry for taking so long to reply. I'm not sure if I understand your question. Only line 52 was removed, the rules for container restart/start/stop are left unchanged.
There was a problem hiding this comment.
The AUTH section is now being audited by the verify_access function, just like all the other sections.
| @@ -45,33 +46,32 @@ backend docker-events | |||
|
|
|||
| frontend dockerfrontend | |||
| bind ${BIND_CONFIG} | |||
| http-request deny unless METH_GET || { env(POST) -m bool } | |||
There was a problem hiding this comment.
Additionally, this line was removed as it would conflict with the new access check. Note that verify_access does not allow methods other than GET and HEAD to pass by default, so it should be perfectly fine to do this.
|
Thanks! It's fine to me. The problem with the tests must be because the python 3.8 version is deprecated. |
|
I have just pushed "Update branch", but it does a merge operation. Can you please rebase it instead to check if CIs are green? cc @josep-tecnativa |
|
Please, Could you rebase and we will see if CI is green after that? |
Hello, I recently ran into an issue when trying to allow watchtower to pull images through this proxy while keeping the other APIs read-only and thought I'd share my solution. This PR introduces a new access check that can grant read/write permissions to any section of the Docker API.
Now, read/write access is managed using XXXXX_READ and XXXXX_WRITE environment variables, where XXXXX represents the Docker API section. For instance, setting CONTAINERS_READ=1 allows GET/HEAD requests to the containers endpoint.
To keep everything backwards compatible, original variable names may still be used to grant read-only access. The POST variable will grant write access to all readable APIs, preserving the functionality of the original code.
If you're interested in merging this, but have some questions or feedback just let me know.