Docker 1.10 Security Features, Part 2: Authorization Plug-In

Docker 1.10 Security Features, Part 2: Authorization Plug-In

In the first part of this trilogy we focused on Docker 1.10 and its seccomp capabilities. In this post we’ll explore the authorization plug-in architecture, another feature which was released as part of Docker 1.10.

The Docker User Authorization Challenge

Before the release of this version of Docker, users either had full admin privileges or none at all.

This meant that there was no segregation of duties, and no separation of access privileges between different containers running on the same host. It made Docker deployment in production challenging, as you couldn’t limit application owners to access only their application's containers.

Download 'Security for Containers: 5 Things DevOps Need to Do' eBook Today!

In addition, regular users that were members of the “Docker” group could easily elevate their privileges to root access. This was enabled by running a container as a privileged container, and from it getting full access to the host, including loading kernel modules.

Enter the Authorization Plug-In

The new the plug-in which was released as part of Docker 1.10 allows security vendors to add authorization plug-ins to Docker. This makes it easier to control user access to Docker commands and resources. With such plug-ins, you can assign different privileges to different users for each container.

Alice, for example, might be a full admin of the CRM containers, while Bob is an auditor and can only view container logs. The access policy itself is determined by the plug-in authorization engine.

I’m happy to announce that Scalock officially released an authorization plug-in for Docker 1.10, allowing the integration of our extensive access control policy engine into any Docker-based environment. This is in addition to even more fine-grained access control capabilities that are native to the Scalock solution.

The new authorization plug-in architecture is another step forward toward making Docker container environments enterprise-ready, while it retains great flexibility in managing the access control policy.

Amir Jerbi

Amir is the Co-Founder and CTO at Aqua. Amir has 20 years of security software experience in technical leadership positions. Amir co-founded Aqua with the vision of creating a security solution that will be simpler and lighter than traditional security products. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt. In his free time, Amir enjoys backpacking in exotic places.