Skip to content

Commit 2d978b8

Browse files
docs(authz): clarify daemon parsing semantics
Signed-off-by: mickael emirkanian <mickael.emirkanian@docker.com>
1 parent 40a8e8e commit 2d978b8

1 file changed

Lines changed: 12 additions & 9 deletions

File tree

docs/extend/plugins_authorization.md

Lines changed: 12 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,18 @@ The Engine's authorization middleware fails closed: when a plugin returns an err
9595
the request is denied and the error is surfaced to the client. Plugins should also fail closed: if the plugin
9696
cannot confidently evaluate a request, it should return an error or `Allow: false`.
9797

98+
> [!WARNING]
99+
> Because the plugin receives the [**raw** request body](#authzpluginauthzreq) from the daemon, it must
100+
> apply the same decoding semantics as the daemon to be sure it evaluates the request the daemon will
101+
> act on. The daemon decodes JSON with Go's [`encoding/json.Unmarshal`](https://pkg.go.dev/encoding/json#Unmarshal).
102+
>
103+
> The same requirement applies to the response body. Plugins that depend on `ResponseBody`
104+
> inspection for redaction or content-filtering should restrict their policies to endpoints
105+
> whose response is produced as a single write (typical of REST-style API responses). For
106+
> commands whose responses are streamed or are likely to exceed the [buffer](#response-body-size-and-partial-buffering) through multiple
107+
> writes, do not rely on `ResponseBody` for security-relevant decisions; perform the filtering
108+
> in a separate layer in front of the daemon.
109+
98110
### Response body size and partial buffering
99111

100112
The internal buffer that holds the response body between the daemon's HTTP
@@ -111,15 +123,6 @@ is the practical effect of this 64 KiB threshold combined with the
111123
is immediately drained to the client and is therefore no longer available
112124
for plugin inspection by the time the handler returns.
113125

114-
> [!NOTE]
115-
> Plugins that depend on `ResponseBody` inspection for redaction or
116-
> content-filtering should restrict their policies to endpoints whose
117-
> response is produced as a single write (typical of REST-style API
118-
> responses). For commands whose responses are streamed or are likely to
119-
> exceed the buffer through multiple writes, do not rely on `ResponseBody`
120-
> for security-relevant decisions; perform the filtering in a separate
121-
> layer in front of the daemon.
122-
123126
During request/response processing, some authorization flows might
124127
need to do additional queries to the Docker daemon. To complete such flows,
125128
plugins can call the daemon API similar to a regular user. To enable these

0 commit comments

Comments
 (0)