New in Anchore Engine 0.3.0 is an open interface that allows authorization decisions to be made by external plugins. The interface is an HTTP API and has a Swagger specification that can be found here.
The interface is simple and relies on just a few operations:
The authorization plugin used by a service is determined by the authorization_handler setting in that service's section of config.yaml. The default value is native. To use an external provider (e.g. the RBAC plugin provided by Anchore Enterprise), set the value to external and provide an authorization_handler_config map object with the URL to which requests should be made. For example:
The default (which applies if it is omitted):
    services:
      apiext:
        authorization_handler: native
To use an external handler:
    services:
      apiext:
        authorization_handler: external
        authorization_handler_config:
          endpoint: "http://localhost:89"
Note: This interface is currently not authenticated or authorized, and should be properly secured via network controls, or ideally, only available on the local host and not externally connected. This is intended to follow a side-car pattern where an authorizer is deployed locally with each external Anchore API component.
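One way to enforce the note above in a deployment check is to flag any service whose external authorizer endpoint is not a loopback address. This is an added example, not Anchore code. It assumes config.yaml has already been parsed into a dict; the function names and the other_service entry are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

def endpoint_is_loopback(endpoint):
    """True if the endpoint URL's host is localhost or a loopback IP literal."""
    host = urlsplit(endpoint).hostname
    if host is None:
        return False  # no parseable host (e.g. missing scheme)
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A DNS name other than localhost is not provably local, so flag it.
        return False

def audit_authz_handlers(config):
    """Return (service, finding) pairs for a parsed config.yaml mapping."""
    findings = []
    for name, svc in (config.get("services") or {}).items():
        handler = (svc or {}).get("authorization_handler", "native")
        if handler == "native":
            continue  # default: no external authorizer is called
        if handler != "external":
            findings.append((name, f"handler {handler!r} not covered by this check"))
            continue
        endpoint = (svc.get("authorization_handler_config") or {}).get("endpoint")
        if not endpoint:
            findings.append((name, "external handler without an endpoint"))
        elif not endpoint_is_loopback(endpoint):
            findings.append((name, f"authorizer endpoint {endpoint} is not loopback"))
    return findings

# Constructed sample shaped like the parsed YAML; other_service is hypothetical.
SAMPLE = {
    "services": {
        "apiext": {
            "authorization_handler": "external",
            "authorization_handler_config": {"endpoint": "http://localhost:89"},
        },
        "other_service": {
            "authorization_handler": "external",
            "authorization_handler_config": {"endpoint": "http://10.0.0.5:89"},
        },
    }
}

if __name__ == "__main__":
    for service, finding in audit_authz_handlers(SAMPLE):
        print(f"{service}: {finding}")
```

Hostnames other than localhost are reported without DNS resolution, so the check runs offline and errs on the side of flagging.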