Controlling docker access with Centrify Privilege Elevation

11 April,19 at 11:50 AM

Docker is a tool that can package an application and its dependencies in a virtual container that can run on any Linux server. This helps enable flexibility and portability in where the application can run, whether on premises, in a public cloud, in a private cloud, on bare metal, etc.


The docker command set allows an administrator to download, start, stop, delete and manage docker containers. 


By default, a user must be root or a member of the wheel group in order to run docker commands. 


This presents a number of challenges in an enterprise environment, when the root account must be used to manage docker.   


With Centrify Privilege Elevation (dzdo), it's possible to grant permissions to a user to run docker commands without giving out the root account. We can also restrict which docker commands a user can run and when they can run them. We can enforce multifactor authentication before the command is run, and record the entire session.


The goal is to have a complete chain of attribution back to a specific user when a task is completed on the docker server. 

  • Which user logged in?
  • How did they log in, did they use multi-factor?
  • What permissions do they have? 
  • What commands did they run? 
  • Are the permissions permanent, or should they expire? 

To create a basic docker management privilege set:


Open the Centrify DirectManage Administration console. 


1) Create a Unix Right Definition for the docker command. 


Docker lives at /usr/bin/docker, so set the path to "Standard user path".


[Screenshot: Configuring a dzdo Unix command to run docker]



If you enter "docker *", this will enable the user to run any docker command. 


Create a role definition for the new Docker Admin role. 



[Screenshot: Create a role definition for Docker Admin]


Assign the docker command to the docker role definition. 

[Screenshot: Assign the docker right to the role definition]


Decide whether you want to require multifactor authentication before a container is started or stopped, then configure that in the command.


You could get more granular by defining a separate Unix command right for each docker subcommand you want to manage.


Some examples of granularity:

Enable users to start and stop containers, but not delete them:

    docker run *
    docker stop *
    docker container kill *

Enable users to check the status of containers:

    docker ps *
    docker images *


Assign the new role to users either permanently or on a temporary basis.
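The steps above combine three things: a command right expressed as a wildcard pattern, a role that bundles rights (optionally requiring multifactor authentication), and a role assignment that is either permanent or expires. The following added example is not Centrify's code and does not reproduce dzdo's actual matching engine; it models that decision chain with shell-style globs (Python's fnmatch) over constructed users, roles and timestamps, and returns the attribution record (who, which role and right, MFA state, when) that the questions at the top of this article ask for. Note that a trailing `*` matches every option and argument that follows it, so each pattern should be reviewed for what it actually permits, and that under plain glob semantics `docker ps *` does not match a bare `docker ps`; check how dzdo treats a trailing wildcard with no argument before relying on it.

```python
"""Added illustration (not Centrify code): model how a wildcard command right,
a role and a time-bounded assignment decide a docker request, and what gets
recorded for attribution. Glob matching via fnmatch is an assumption; dzdo's
real matching rules are not reproduced here."""

from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class CommandRight:
    pattern: str              # glob over the whole command line, e.g. "docker stop *"
    require_mfa: bool = False # MFA must be completed before the command runs


@dataclass(frozen=True)
class Role:
    name: str
    rights: Tuple[CommandRight, ...]


@dataclass(frozen=True)
class Assignment:
    user: str
    role: Role
    expires: Optional[datetime] = None   # None means a permanent assignment

    def active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


# Constructed roles mirroring the article's examples.
DOCKER_ADMIN = Role("Docker Admin", (CommandRight("docker *", require_mfa=True),))

DOCKER_OPERATOR = Role("Docker Operator", (
    CommandRight("docker run *", require_mfa=True),
    CommandRight("docker stop *", require_mfa=True),
    CommandRight("docker container kill *", require_mfa=True),
    CommandRight("docker ps *"),        # read-only status checks, no MFA
    CommandRight("docker images *"),
))

# Constructed clock values and assignments (hypothetical users).
NOW = datetime(2019, 4, 11, 12, 0, tzinfo=timezone.utc)
LATER = datetime(2019, 4, 13, 12, 0, tzinfo=timezone.utc)

ASSIGNMENTS = (
    Assignment("alice", DOCKER_ADMIN),                                   # permanent
    Assignment("bob", DOCKER_OPERATOR,
               expires=datetime(2019, 4, 12, tzinfo=timezone.utc)),     # temporary
)


def evaluate(user, command, assignments=ASSIGNMENTS, now=NOW, mfa_completed=False):
    """Return the attribution record for one request, including the decision
    ('allow'/'deny') and the reason ('right matched', 'mfa_required', 'no_right')."""
    matches = [
        (a, r)
        for a in assignments if a.user == user and a.active(now)
        for r in a.role.rights if fnmatchcase(command, r.pattern)
    ]
    record = {"time": now.isoformat(), "user": user, "command": command,
              "mfa": mfa_completed, "role": None, "right": None}
    for a, r in matches:
        if not r.require_mfa or mfa_completed:
            record.update(decision="allow", reason="right matched",
                          role=a.role.name, right=r.pattern)
            return record
    if matches:  # a right matched, but the MFA step was not satisfied
        a, r = matches[0]
        record.update(decision="deny", reason="mfa_required",
                      role=a.role.name, right=r.pattern)
    else:        # no active assignment grants a matching right
        record.update(decision="deny", reason="no_right")
    return record


if __name__ == "__main__":
    for user, cmd, mfa, when in [
        ("alice", "docker rm -f web", True, NOW),   # "docker *" covers every subcommand
        ("bob", "docker rm -f web", True, NOW),     # not in the granular set
        ("bob", "docker stop web", False, NOW),     # matched, but MFA required
        ("bob", "docker ps -a", False, NOW),        # status check, no MFA needed
        ("bob", "docker ps -a", False, LATER),      # temporary assignment has expired
    ]:
        print(evaluate(user, cmd, mfa_completed=mfa, now=when))
```

Each returned record is what a defender wants to be able to reconstruct after the fact: the user, the role and the exact right that authorised the command, whether MFA was completed, and the time, which is enough to tell an expired or never-granted request from one that was approved.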



As part of orchestration, the Centrify Identity Broker for Active Directory agent can be automatically installed on new Linux machines when they are spun up to host docker and containers.

User permissions will be automatically assigned to the appropriate developers/administrators on initial startup.


Centrify orchestration scripts are located in GitHub right here:


Additional reference: Docker TechCenter