The Twistlock AuthZ Broker is a Docker authorization plugin written in Go that enforces access control policies at the Docker daemon level. It functions as a reference implementation for basic authorization mechanisms, operating either directly on the host or inside a container. The plugin integrates with Docker's native authorization plugin framework and relies on Docker authentication plugin support, extracting user identity from certificate common names when the Docker daemon is started with the tlsverify flag.
The core functionality centers on policy-based access control through a continuously monitored policy file located at /var/lib/authz-broker/policy.json. Policies are stored in JSONL format with one policy object per line, and the system dynamically applies changes without requiring plugin restarts. The authorization flow evaluates user policies against incoming Docker API requests, with a route parser translating Docker Remote API URIs and methods into internal action parameters. The plugin logs all requests and authorization responses to standard output, with additional logging options available through syslog and file-based hooks via logrus integration.
Policy definitions support granular access control scenarios. Users can be granted permissions ranging from full command access to specific Docker operations like container creation, log reading, or container inspection. The policy format allows wildcards for users and actions, enabling both broad permissions and fine-grained restrictions. Read-only modes can be applied to limit users to query operations on specific resource types. Examples in the documentation demonstrate policies for individual user access, service account restrictions, and role-based command execution.
The plugin offers flexible deployment options. For containerized deployments, it runs as a Docker container with configurable auditing backends through environment variables. Users can direct audit logs to syslog or local files by mounting appropriate volumes and setting the AUDITOR-HOOK parameter. For standalone deployments, the plugin installs as a host service and integrates with systemd-managed Docker daemons through ExecStart parameter modifications.
The architecture is built on two primary extendable interfaces: the Authorizer interface handles authorization logic, and the Auditor interface manages request and response auditing. This design allows developers to extend the plugin with custom authorization mechanisms and audit backends beyond the basic implementation.
GitGenius activity data shows minimal recent engagement with the repository, with a median and mean issue or pull request response latency of approximately 71,955 hours across tracked items. Shiloh199 appears as the most active contributor tracked by GitGenius with two recorded events. The repository shares contributors with major projects including microsoft/vscode, microsoft/typescript, and rust-lang/rust, suggesting involvement from developers working across multiple significant open-source ecosystems.
The project is licensed under the Apache License, Version 2.0, and is classified across multiple security and container-related domains including container security, access control, policy enforcement, compliance enforcement, and microservices security. The plugin addresses the need for centralized authorization control in containerized environments where Docker daemon access must be restricted based on user identity and operation type.