I have added plugin opa-docker-authz to docker to control what users can/cannot do. I want the users to only be able to mount/bind their own home directory, but I can’t configure that because docker isn’t reporting username/UID to the authorization plugin. This is probably because there’s no authentication going on (users ssh into server and then start docker). Is it possible to configure some form of “authentication” that will only pass the user’s name/UID to docker and then to the authorization plugin?
Fascinating finding. I wasn’t aware of this plugin.
Please keep us posted if you should ever solve the problem
I took a short look at the docs and found an example where they declare HttpHeaders in a user’s docker client config file (~/.docker/config.json) and process them as input in the rules. I can imagine this approach can be used to pass any user-specific information to the opa plugin. Instead of using usernames you could generate per-user tokens to prevent easy guessing of other user accounts (or use JWT? I am curious how to integrate it into the mix)
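To make the header approach concrete, here is an added example policy (my own, not a policy shipped with opa-docker-authz and not from either poster). It assumes the user’s `~/.docker/config.json` contains `{"HttpHeaders": {"Authz-User": "bob"}}` (the header name `Authz-User` is my choice), that the plugin exposes the request as `input.Method`, `input.Path`, `input.Headers` and the parsed JSON body as `input.Body` as the project’s README shows, and that home directories live under `/home/<user>`. It rejects any `containers/create` request whose bind mount source (from `HostConfig.Binds` or a `bind` entry in `HostConfig.Mounts`) is not the caller’s home directory or a path below it:

```rego
package docker.authz

# Added example policy, not from the opa-docker-authz project.
# Assumption: the docker client sends an "Authz-User" HTTP header
# configured in ~/.docker/config.json, and homes are /home/<user>.

default allow = false

allow {
    not deny
}

# Creating a container is the only request that carries mount specs,
# so that is the only request this example inspects.
is_container_create {
    input.Method == "POST"
    # API path may carry a version prefix and a query string (e.g. ?name=)
    regex.match(`^(/v[0-9.]+)?/containers/create(\?.*)?$`, input.Path)
}

# Missing header: the caller has not identified themselves, so deny.
deny {
    is_container_create
    not user
}

# Classic "-v src:dst[:opts]" form, i.e. HostConfig.Binds
deny {
    is_container_create
    some i
    src := bind_source(input.Body.HostConfig.Binds[i])
    not allowed_source(src)
}

# "--mount type=bind,source=...,target=..." form, i.e. HostConfig.Mounts
deny {
    is_container_create
    some i
    m := input.Body.HostConfig.Mounts[i]
    m.Type == "bind"
    not allowed_source(m.Source)
}

user := input.Headers["Authz-User"]

home := sprintf("/home/%s", [user])

# "src:dst[:opts]" -> "src"
bind_source(spec) := split(spec, ":")[0]

# Exactly the home directory ...
allowed_source(src) {
    startswith(src, "/")
    not contains_dotdot(src)
    src == home
}

# ... or something strictly below it. The trailing "/" stops
# /home/bobby from matching /home/bob.
allowed_source(src) {
    startswith(src, "/")
    not contains_dotdot(src)
    startswith(src, sprintf("%s/", [home]))
}

# The daemon, not the plugin, normalises "..", so the prefix check
# above must never see a path that still contains one.
contains_dotdot(p) {
    split(p, "/")[_] == ".."
}
```

Two caveats worth keeping in mind. First, the policy only sees the request: it cannot stat the host path, so it cannot tell who owns the directory or whether `/home/bob/link` is a symlink pointing elsewhere; it can only compare strings, which is why relative paths and `..` segments are rejected outright. Second, the header is asserted by the client, so anyone who can edit their own `config.json` can claim another user’s name; that is the weakness the per-user token or JWT idea above is meant to close. Named volumes (`myvol:/data`) are also rejected by this example because the source does not start with `/`; relax `allowed_source` if that is not wanted.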
May I ask how you determine the uid of the bind-mount on the host in the Rego OPA rules?