Documentation for Adding Policies

Open janz29 opened this issue 7 years ago • 17 comments

Hi,

I have been looking for some documentation on how to properly add policies to hbm. Is there any available? If this is the wrong place to ask, can you point me in the right direction?

Thank you,

janz29 avatar Dec 26 '17 20:12 janz29

Hi,

There is the website http://harbormaster.io/docs/ which is not complete and not up to date. I'm working on updating it.

To add a policy you need to have 2 elements, a group and a collection. By default, all Docker commands and restricted parameters are allowed. To change that behavior, an option needs to be set to true; then all commands will be blocked and so need to be white-listed.

hbm config set authorization true

First create a user and group. If the Docker daemon is listening on a Unix socket, the only user will be root.

hbm group add local
hbm user add root
hbm user member --add local root

Then create a collection to which resources will be assigned. Resources could be anything from Docker commands to images, volumes, restricted parameters like --privileged, --net=host and so on. A list of types and values can be found on that page.

hbm collection add collection1
hbm resource add --type action --value info info
hbm resource add --type action --value version version
hbm resource member --add collection1 info
hbm resource member --add collection1 version

To finish, create the policy.

hbm policy add --group local --collection collection1 policy1

Let me know if you have any questions.

Thanks

ghost avatar Dec 29 '17 15:12 ghost
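The sequence from the reply above, generalized to any number of actions, as an added example that is not part of the original post or of hbm. It uses only the hbm subcommands and flags shown in the reply; the function name, the `HBM` and `DRY_RUN` variables and the name check are assumptions of this sketch, and action values other than `info` and `version` have to come from hbm's own list of types and values.

```shell
#!/bin/sh
# Added example, not part of hbm: emits the whitelist sequence from the post
# for any number of actions. Only hbm subcommands and flags shown in the
# post are used. Assumption: each resource is named after its action value.

HBM="${HBM:-hbm}"          # path to the hbm binary
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# usage: hbm_allow_actions GROUP USER COLLECTION POLICY ACTION...
hbm_allow_actions() {
    if [ "$#" -lt 5 ]; then
        echo "usage: hbm_allow_actions GROUP USER COLLECTION POLICY ACTION..." >&2
        return 2
    fi
    # Refuse empty names, names starting with "-" (would parse as a flag)
    # and anything outside a conservative character set (this sketch's rule).
    for arg in "$@"; do
        case $arg in
            ''|-*|*[!A-Za-z0-9_.-]*)
                echo "invalid name: $arg" >&2
                return 2 ;;
        esac
    done
    group=$1; user=$2; collection=$3; policy=$4
    shift 4

    # Switch to default-deny, as in the post.
    run "$HBM" config set authorization true || return 1
    run "$HBM" group add "$group" || return 1
    run "$HBM" user add "$user" || return 1
    run "$HBM" user member --add "$group" "$user" || return 1
    run "$HBM" collection add "$collection" || return 1
    for action in "$@"; do
        run "$HBM" resource add --type action --value "$action" "$action" || return 1
        run "$HBM" resource member --add "$collection" "$action" || return 1
    done
    run "$HBM" policy add --group "$group" --collection "$collection" "$policy"
}

# Constructed sample run: the two actions from the post, printed only.
if [ "${1:-}" = "demo" ]; then
    hbm_allow_actions local root collection1 policy1 info version
fi
```

With `DRY_RUN=1` (the default here) the commands are only printed, so the sequence can be reviewed before it is run with `DRY_RUN=0`.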

When I read your plugin code, there are many more features to control the Docker command line. Could you let me know when you will update the documentation?

Thanks!

odg0318 avatar Jan 19 '18 02:01 odg0318

Sure, I will post a message here when the documentation is updated.

ghost avatar Jan 19 '18 12:01 ghost

Is there any way for your policy configs to stick even after the service restarts? I have added the policies and set authorization to true, but anytime the hbm service is restarted the machine loses the config value.

janz29 avatar Jan 22 '18 18:01 janz29

How do you start the service?

ghost avatar Jan 22 '18 18:01 ghost

I just saw the other report and added the service to automatically start with authorization set to true. Is it possible to set up a call at some point? It can be very useful to us!

janz29 avatar Jan 22 '18 18:01 janz29

@janz29 related to #12 ?

odg0318 avatar Jan 23 '18 10:01 odg0318

Yes related to #12

janz29 avatar Jan 23 '18 15:01 janz29

I have started to update documentation in the directory docs, not published on the website yet.

Let me know if you have any feedback.

Thanks

ghost avatar Feb 05 '18 22:02 ghost

@janz29 @odg0318 the docs are updated on the website. Let me know what you think.

Thank you

ghost avatar Apr 09 '18 11:04 ghost

@juliengk Looks good. I noticed on the get started page the link to the installation page is broken. I would also suggest adding some examples if possible.

janz29 avatar Apr 09 '18 13:04 janz29

@juliengk I agree with @janz29's suggestion. More examples for each command would help developers understand easily. For example, it is hard to use the Volume type to add. In my case, I had to read a lot of code to use it. Anyway, much better. Thanks

odg0318 avatar Apr 09 '18 16:04 odg0318

All right. I will add more examples.

Thank you

ghost avatar Apr 09 '18 16:04 ghost

Hi, so it cannot be used for RBAC if TLS is not enabled in the Docker daemon?

caoruidong avatar Apr 15 '18 17:04 caoruidong

@caoruidong As far as I know, no way. Only root is set to a user variable on a handler.

odg0318 avatar Apr 15 '18 17:04 odg0318

https://docs.docker.com/engine/extend/plugins_authorization/#default-user-authorization-mechanism

ghost avatar Apr 15 '18 17:04 ghost

Thank you guys. I got it.

caoruidong avatar Apr 16 '18 06:04 caoruidong