Docker packages an application and its dependencies into a container that can run on any Linux host with the Docker engine installed. This gives flexibility and portability in where the application runs: on premises, public cloud, private cloud, bare metal, and so on.
The docker command set allows an administrator to download, start, stop, delete and manage docker containers.
By default, only root or members of the docker group (the group that owns the daemon socket, /var/run/docker.sock) can run docker commands. Because the daemon itself runs as root, membership in that group is effectively root on the host.
This presents a number of challenges in an enterprise environment, when the root account (or a root-equivalent group) must be handed out to manage docker.
With Centrify Privilege Elevation (dzdo), it is possible to grant a user permission to run docker commands without giving out the root account. We can also restrict which docker commands a user can run and when they can run them, enforce multifactor authentication before the command is run, and record the entire session.
The goal is to have a complete chain of attribution back to a specific user when a task is completed on the docker server.
- Which user logged in?
- How did they log in, and did they use multifactor authentication?
- What permissions do they have?
- What commands did they run?
- Are the permissions permanent, or should they expire?
To create a basic docker management privilege set:
Open the Centrify DirectManage Administration console.
1) Create a Unix Right Definition for the docker command.
Docker lives at /usr/bin/docker, so set the path to "Standard user path"
Configuring a dzdo unix command to run docker
If you enter "docker *", the user can run any docker command with any arguments. Keep in mind that this is effectively root on the host: the daemon runs as root, and docker run alone can bind-mount the host filesystem or start a privileged container, so a wildcard right should be paired with session recording and, ideally, MFA.
Create a role definition for the new Docker Admin role.
Create a role definition for Docker Admin
Assign the docker command to the docker role definition.
Assign the docker right to the role definition
Decide whether you want to require multifactor authentication before a container is started or stopped, then configure that in the command.
You could get more granular by defining separate unix commands for each docker command you want to manage.
Some examples of granularity :
Enable users to start and stop containers, but not delete them (note that the wildcard in "docker run *" still admits every run option, including host volume mounts and --privileged, so this right remains root-equivalent unless the arguments are constrained):
> docker run *
> docker stop *
> docker container kill *
Enable users to check the status of containers and list images:
> docker ps *
> docker images *
Assign the new role to users either permanently or on a temporary basis (a time-limited role assignment that expires on its own).
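The following script is an added example, not Centrify's code or a tool from the page. It approximates sudo/dzdo-style wildcard matching of the granular command patterns above against a proposed command line, and then flags the docker run options that hand the caller root on the host, which is the reason "docker run *" is still a root-equivalent right. It assumes that matching is plain shell globbing over the joined argument string and that a trailing "*" also admits the bare command ("docker ps *" matches "docker ps"); confirm the exact semantics with dzinfo and dzdo on a real host. The right set and the sample command lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not Centrify's code): approximate dzdo/sudo-style wildcard
# matching of granted "docker ..." patterns, plus a check for run options
# that give the caller root-equivalent access to the host.
# Assumptions: matching is shell globbing over the joined command line, and
# a pattern's trailing "*" also matches the bare command.

# Constructed right set, mirroring the granular patterns above.
GRANTED='docker run *
docker stop *
docker container kill *
docker ps *
docker images *'

# allowed CMD [ARG...]: succeed (0) if the joined command line matches any
# granted pattern, fail (1) otherwise.
allowed() {
    cmdline="$*"
    printf '%s\n' "$GRANTED" | {
        while IFS= read -r pat; do
            # $pat is deliberately unquoted so its "*" acts as a glob.
            case "$cmdline" in $pat) exit 0 ;; esac
            # Assumption: "docker ps" satisfies "docker ps *" (retry with a trailing space).
            case "$cmdline " in $pat) exit 0 ;; esac
        done
        exit 1
    }
}

# host_escape ARG...: succeed (0) if any argument is a docker run option that
# gives the caller root-equivalent access to the host. Conservative: every
# --cap-add, --device and --security-opt is flagged for review, not parsed.
host_escape() {
    expect_value=0
    for arg in "$@"; do
        if [ "$expect_value" -eq 1 ]; then
            expect_value=0
            # Value of -v/--volume/--mount: an absolute host path or a bind
            # source is a host mount; a named volume (data:/app) is not.
            case "$arg" in
                /*|*source=/*|*src=/*) return 0 ;;
            esac
            continue
        fi
        case "$arg" in
            --privileged|--pid=host|--userns=host) return 0 ;;
            --cap-add|--cap-add=*|--device|--device=*|--security-opt|--security-opt=*) return 0 ;;
            -v|--volume|--mount) expect_value=1 ;;
            -v/*|--volume=/*|--mount=*source=/*|--mount=*src=/*) return 0 ;;
        esac
    done
    return 1
}

# check CMD [ARG...]: print the verdict the pattern match gives, with a
# warning when an allowed line is nonetheless root-equivalent on the host.
check() {
    if allowed "$@"; then
        if host_escape "$@"; then
            verdict='ALLOWED, but root-equivalent on the host'
        else
            verdict='ALLOWED'
        fi
    else
        verdict='DENIED'
    fi
    printf '%-58s %s\n' "$*" "$verdict"
}

# Constructed sample command lines.
check docker ps
check docker ps -a
check docker stop web1
check docker rm web1
check docker run --rm -v data:/app alpine
check docker run --privileged alpine
check docker run --rm -v /:/host alpine chroot /host sh
```

The last two lines are the point: both are admitted by "docker run *", yet either one gives the user a root shell on the host, so a "start containers" right is only as restrictive as the arguments it allows. If the argument list cannot be pinned down, treat the right as root, require MFA on it and rely on the recorded session for attribution.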
As part of orchestration, the Centrify Identity Broker for Active Directory agent can be installed automatically on new Linux machines when they are spun up to host docker and containers.
User permissions will be assigned automatically to the appropriate developers and administrators on initial startup.
Centrify orchestration scripts are located on GitHub:
Additional reference: Docker TechCenter