
I've deployed the OPA Docker plugin as per the instructions. Everything was fine until I tried to create custom Docker API permissions for docker exec.

I've added the following section to the authz.rego file:

allow {
    user_id := input.Headers["Authz-User"]
    users[user_id].readOnly
    input.path[0] == "/v1.41/containers/busybox/exec"
    input.Method == "POST"
}

But it still gives me an error when I try to run the following bash command: docker exec -it busybox sh under the Bob test user as per the instructions.

journalctl -u docker.service provides the following error: level=error msg="AuthZRequest for POST /v1.41/containers/busybox/exec returned error: authorization denied by plugin openpolicyagent/opa-docker-authz-v2:0.4: request rejected by administrative policy"

The funny thing is that when I comment out the input.path line it works as a full RW user, so the rule works, but the strict mention of the API path does not. Maybe I'm specifying it in the wrong way?

I tried different variations like:

input.path == ["/v1.41/containers/busybox/exec"]
input.path = ["/v1.41/containers/busybox/exec"]
input.path = ["/v1.41*"]
input.path = ["/v1.41/*"]
input.path = ["/v1.41%"]
input.path = ["/v1.41/%"]

I would also appreciate advice on how to allow exec operations for any container, not only the specified one.

Thanks in advance!

SQB
Victor EStalin
  • I'm facing the same problem, did you manage to resolve the issue? I use `input.Headers.Path`. It is not working. I wanted to restrict to a certain user using `input.Body.User`, and that is not working as well. – jlim Jul 31 '21 at 19:36

1 Answer


Looking at the input map provided to OPA, you should find input.Path, input.PathPlain and input.PathArr:

input := map[string]interface{}{
    "Headers":    r.RequestHeaders,
    "Path":       r.RequestURI,
    "PathPlain":  u.Path,
    "PathArr":    strings.Split(u.Path, "/"),
    "Query":      u.Query(),
    "Method":     r.RequestMethod,
    "Body":       body,
    "User":       r.User,
    "AuthMethod": r.UserAuthNMethod,
}

There's no lowercase input.path available, but using any of the other alternatives should work.

Devoops
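As an added example (not from the question, the answer, or the opa-docker-authz project), here is what a policy in the style of the OPA Docker tutorial looks like once it uses the fields the plugin actually provides. It extends the tutorial's read-only/read-write users rules with an "exec in any container" rule built on input.PathArr, which is strings.Split(u.Path, "/") and therefore starts with an empty string. The users table, the "bob"/"alice" names and the API version are the tutorial's; the observation that the docker CLI follows the exec-create call with POST /vX/exec/<id>/start (and /resize when -it is used) is Docker API behaviour, not something stated on this page, so check the journalctl output for the exact sequence on your daemon before relying on it.

```rego
package docker.authz

default allow = false

# Read-write users keep full access (as in the OPA tutorial policy).
allow {
    user_id := input.Headers["Authz-User"]
    not users[user_id].readOnly
}

# Read-only users may perform any GET (as in the OPA tutorial policy).
allow {
    user_id := input.Headers["Authz-User"]
    users[user_id].readOnly
    input.Method == "GET"
}

# Read-only users may create an exec instance in ANY container:
#   POST /v1.41/containers/<name-or-id>/exec
# input.PathArr is strings.Split(u.Path, "/"), so for that request it is
#   ["", "v1.41", "containers", "busybox", "exec"]
# Matching on the array avoids the "/v1.41/*" style wildcards, which
# Rego does not interpret in a plain == comparison.
allow {
    user_id := input.Headers["Authz-User"]
    users[user_id].readOnly
    input.Method == "POST"
    count(input.PathArr) == 5
    input.PathArr[2] == "containers"
    input.PathArr[4] == "exec"
}

# Assumption (Docker API behaviour, not from the page): after creating the
# exec instance the CLI POSTs to /v1.41/exec/<exec-id>/start, and with -it
# also to /v1.41/exec/<exec-id>/resize. Without this rule the create call
# is allowed but `docker exec` still fails on the follow-up request.
allow {
    user_id := input.Headers["Authz-User"]
    users[user_id].readOnly
    input.Method == "POST"
    count(input.PathArr) == 5
    input.PathArr[2] == "exec"
    exec_followups[input.PathArr[4]]
}

exec_followups := {"start", "resize"}

# Users table from the OPA Docker tutorial.
users := {
    "bob":   {"readOnly": true},
    "alice": {"readOnly": false},
}
```

If you prefer matching on the full path string, the same check can be written against input.PathPlain with a built-in such as regex.match("^/v[0-9.]+/containers/[^/]+/exec$", input.PathPlain), which also stops the rule from breaking when the API version changes. Note that input.Path is r.RequestURI and may carry a query string, so PathPlain or PathArr are the safer fields to compare against.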