I’ve got a question/request about the Docker authorization plugin API, but I’m not sure where the right place is to ask. I’ll ask here, but if this isn’t the place, please help direct me to a more appropriate forum. (I’m totally new to these forums.)
I’m writing an authorization plugin and finding a challenge in relating the AuthZReq phase to the subsequent AuthZRes phase for the same client API request. For reference, see the plugin call sequence documented here:
https://docs.docker.com/engine/extend/plugins_authorization/#basic-principles
This is useful, for example, in order to authorize a “create” type API call during the AuthZReq phase and then intercept the new object ID in the AuthZRes phase. I can manage a hash of some partially identifying request characteristics supplied by the Docker daemon to the plugin in both phases, like <user, api call, target object ID, URL, HTTP method> but these do not distinguish identical requests made repeatedly. There is nothing like a client request ID, potentially referring to the single client-to-daemon API call that is the very context for the two authorization plugin calls.
Is there a reliable way to relate the AuthZReq and AuthZRes calls that process the same underlying client request? Where would I request that a feature such as adding a client request ID be considered?
Thanks very much to all for your kind direction.
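
The hash-of-request-characteristics approach described in the post, and the point where it can no longer tell calls apart, as an added Go example that is not part of the original post or Docker's own code. The `Call` struct, `Key`, `Tracker` and the sample request are assumptions constructed for illustration.

```go
package main

import "crypto/sha256"
import "fmt"
import "sync"

// Call is a simplified stand-in (assumption) for fields seen in both phases; not Docker's type.
type Call struct {
	User, Method, URI string
	Body              []byte
}

// Key hashes the request characteristics; %q quoting keeps field boundaries unambiguous.
func Key(c Call) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%q|%q", c.User, c.Method, c.URI, c.Body))))
}

// Tracker counts calls allowed in AuthZReq that have not yet been seen in AuthZRes.
type Tracker struct {
	mu      sync.Mutex
	pending map[string]int
}
func NewTracker() *Tracker { return &Tracker{pending: map[string]int{}} }

// OnReq records one allowed call under its key.
func (t *Tracker) OnReq(c Call) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.pending[Key(c)]++
}

// OnRes consumes one entry; ok=false means no AuthZReq matched, ambiguous=true means several identical calls were in flight.
func (t *Tracker) OnRes(c Call) (ok, ambiguous bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	k := Key(c)
	n := t.pending[k]
	if t.pending[k]--; t.pending[k] <= 0 {
		delete(t.pending, k)
	}
	return n > 0, n > 1
}

func main() {
	t, c := NewTracker(), Call{"alice", "POST", "/containers/create", []byte(`{"Image":"alpine"}`)} // constructed sample
	t.OnReq(c)
	t.OnReq(c) // identical repeat: same key, so the two calls are indistinguishable
	fmt.Println(t.OnRes(c)) // true true
}
```

The tracker can confirm that a response belongs to some previously allowed request with the same key, but when `ambiguous` is true it cannot say which one, which is the gap a daemon-supplied request ID would close.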