@@ -169,8 +169,8 @@ func (s *Server) handleWithGlobalMiddlewares(handler httputils.APIFunc) httputil

 		middlewares = append(middlewares, debugRequestMiddleware)

 	}

-	if len(s.cfg.AuthZPluginNames) > 0 {

-		s.authZPlugins = authorization.NewPlugins(s.cfg.AuthZPluginNames)

+	if len(s.cfg.AuthorizationPluginNames) > 0 {

+		s.authZPlugins = authorization.NewPlugins(s.cfg.AuthorizationPluginNames)

 		middlewares = append(middlewares, s.authorizationMiddleware)

 	}

@@ -30,14 +30,14 @@ const versionMatcher = "/v{version:[0-9.]+}"

 // Config provides the configuration for the API server

 type Config struct {

-	Logging          bool

-	EnableCors       bool

-	CorsHeaders      string

-	AuthZPluginNames []string

-	Version          string

-	SocketGroup      string

-	TLSConfig        *tls.Config

-	Addrs            []Addr

+	Logging                  bool

+	EnableCors               bool

+	CorsHeaders              string

+	AuthorizationPluginNames []string

+	Version                  string

+	SocketGroup              string

+	TLSConfig                *tls.Config

+	Addrs                    []Addr

 }

 // Server contains instance details for the server

@@ -685,7 +685,7 @@ _docker_daemon() {

 	local options_with_args="

 		$global_options_with_args

 		--api-cors-header

-		--authz-plugin

+		--authorization-plugin

 		--bip

 		--bridge -b

 		--cgroup-parent

@@ -717,7 +717,7 @@ _docker_daemon() {

 	"

 	case "$prev" in

-		--authz-plugin)

+		--authorization-plugin)

 			__docker_complete_plugins Authorization

 			return

 			;;

@@ -590,7 +590,7 @@ __docker_subcommand() {

             _arguments $(__docker_arguments) \

                 $opts_help \

                 "($help)--api-cors-header=[Set CORS headers in the remote API]:CORS headers: " \

-                "($help)*--authz-plugin=[Set authorization plugins to load]" \

+                "($help)*--authorization-plugin=[Set authorization plugins to load]" \

                 "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \

                 "($help)--bip=[Specify network bridge IP]" \

                 "($help)--cgroup-parent=[Set parent cgroup for all containers]:cgroup: " \

@@ -14,25 +14,25 @@ const (

 // CommonConfig defines the configuration of a docker daemon which are

 // common across platforms.

 type CommonConfig struct {

-	AuthZPlugins  []string // AuthZPlugins holds list of authorization plugins

-	AutoRestart   bool

-	Bridge        bridgeConfig // Bridge holds bridge network specific configuration.

-	Context       map[string][]string

-	DisableBridge bool

-	DNS           []string

-	DNSOptions    []string

-	DNSSearch     []string

-	ExecOptions   []string

-	ExecRoot      string

-	GraphDriver   string

-	GraphOptions  []string

-	Labels        []string

-	LogConfig     container.LogConfig

-	Mtu           int

-	Pidfile       string

-	RemappedRoot  string

-	Root          string

-	TrustKeyPath  string

+	AuthorizationPlugins []string // AuthorizationPlugins holds list of authorization plugins

+	AutoRestart          bool

+	Bridge               bridgeConfig // Bridge holds bridge network specific configuration.

+	Context              map[string][]string

+	DisableBridge        bool

+	DNS                  []string

+	DNSOptions           []string

+	DNSSearch            []string

+	ExecOptions          []string

+	ExecRoot             string

+	GraphDriver          string

+	GraphOptions         []string

+	Labels               []string

+	LogConfig            container.LogConfig

+	Mtu                  int

+	Pidfile              string

+	RemappedRoot         string

+	Root                 string

+	TrustKeyPath         string

 	// ClusterStore is the storage backend used for the cluster information. It is used by both

 	// multihost networking (to store networks and endpoints information) and by the node discovery

@@ -55,7 +55,7 @@ type CommonConfig struct {

 // from the command-line.

 func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string) string) {

 	cmd.Var(opts.NewListOptsRef(&config.GraphOptions, nil), []string{"-storage-opt"}, usageFn("Set storage driver options"))

-	cmd.Var(opts.NewListOptsRef(&config.AuthZPlugins, nil), []string{"-authz-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))

+	cmd.Var(opts.NewListOptsRef(&config.AuthorizationPlugins, nil), []string{"-authorization-plugin"}, usageFn("List authorization plugins in order from first evaluator to last"))

 	cmd.Var(opts.NewListOptsRef(&config.ExecOptions, nil), []string{"-exec-opt"}, usageFn("Set exec driver options"))

 	cmd.StringVar(&config.Pidfile, []string{"p", "-pidfile"}, defaultPidFile, usageFn("Path to use for daemon PID file"))

 	cmd.StringVar(&config.Root, []string{"g", "-graph"}, defaultGraph, usageFn("Root of the Docker runtime"))

@@ -142,7 +142,7 @@ func (daemon *Daemon) showPluginsInfo() types.PluginsInfo {

 		pluginsInfo.Network = append(pluginsInfo.Network, nd)

 	}

-	pluginsInfo.Authorization = daemon.configStore.AuthZPlugins

+	pluginsInfo.Authorization = daemon.configStore.AuthorizationPlugins

 	return pluginsInfo

 }

@@ -177,9 +177,9 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {

 	}

 	serverConfig := &apiserver.Config{

-		AuthZPluginNames: cli.Config.AuthZPlugins,

-		Logging:          true,

-		Version:          dockerversion.Version,

+		AuthorizationPluginNames: cli.Config.AuthorizationPlugins,

+		Logging:                  true,

+		Version:                  dockerversion.Version,

 	}

 	serverConfig = setPlatformServerConfig(serverConfig, cli.Config)

@@ -12,7 +12,7 @@ weight = -1

 # Create an authorization plugin

-Docker’s out-of-the-box authorization model is all or nothing. Any user with

+Docker's out-of-the-box authorization model is all or nothing. Any user with

 permission to access the Docker daemon can run any Docker client command. The

 same is true for callers using Docker's remote API to contact the daemon. If you

 require greater access control, you can create authorization plugins and add

@@ -45,6 +45,9 @@ Authorization plugins must follow the rules described in [Docker Plugin API](plu

 Each plugin must reside within directories described under the 

 [Plugin discovery](plugin_api.md#plugin-discovery) section.

+**Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication

+respectively.

+

 ## Basic architecture

 You are responsible for registering your plugin as part of the Docker daemon

@@ -93,14 +96,14 @@ support the Docker client interactions detailed in this section.

 ### Setting up Docker daemon

 Enable the authorization plugin with a dedicated command line flag in the

-`--authz-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` value.

-This value can be the plugin’s socket or a path to a specification file.

+`--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`

+value. This value can be the plugin’s socket or a path to a specification file.

 ```bash

-$ docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...

+$ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

 ```

-Docker's authorization subsystem supports multiple `--authz-plugin` parameters.

+Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.

 ### Calling authorized command (allow)

@@ -17,7 +17,7 @@ weight = -1

     Options:

       --api-cors-header=""                   Set CORS headers in the remote API

-      --authz-plugin=[]                      Set authorization plugins to load

+      --authorization-plugin=[]              Set authorization plugins to load

       -b, --bridge=""                        Attach containers to a network bridge

       --bip=""                               Specify network bridge IP

       --cgroup-parent=                       Set parent cgroup for all containers

@@ -613,10 +613,10 @@ The currently supported cluster store options are:

 Docker's access authorization can be extended by authorization plugins that your

 organization can purchase or build themselves. You can install one or more

 authorization plugins when you start the Docker `daemon` using the

-`--authz-plugin=PLUGIN_ID` option.

+`--authorization-plugin=PLUGIN_ID` option.

 ```bash

-docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...

+docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

 ```

 The `PLUGIN_ID` value is either the plugin's name or a path to its specification

@@ -168,7 +168,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {

 	c.Assert(s.d.StartWithBusybox(), check.IsNil)

 	// restart the daemon and enable the plugin, otherwise busybox loading

 	// is blocked by the plugin itself

-	c.Assert(s.d.Restart("--authz-plugin="+testAuthZPlugin), check.IsNil)

+	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Allow = true

@@ -189,7 +189,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {

 }

 func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {

-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)

+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)

 	c.Assert(err, check.IsNil)

 	s.ctrl.reqRes.Allow = false

 	s.ctrl.reqRes.Msg = unauthorizedMessage

@@ -205,7 +205,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {

 }

 func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {

-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)

+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)

 	c.Assert(err, check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Allow = false

@@ -222,7 +222,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {

 }

 func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {

-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)

+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)

 	c.Assert(err, check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Err = errorMessage

@@ -235,7 +235,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {

 }

 func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {

-	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)

+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)

 	c.Assert(err, check.IsNil)

 	s.ctrl.reqRes.Err = errorMessage

@@ -247,7 +247,7 @@ func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {

 }

 func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) {

-	c.Assert(s.d.Start("--authz-plugin="+testAuthZPlugin, "--authz-plugin="+testAuthZPlugin), check.IsNil)

+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin), check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Allow = true

@@ -7,7 +7,7 @@ docker-daemon - Enable daemon mode

 # SYNOPSIS

 **docker daemon**

 [**--api-cors-header**=[=*API-CORS-HEADER*]]

-[**--authz-plugin**[=*[]*]]

+[**--authorization-plugin**[=*[]*]]

 [**-b**|**--bridge**[=*BRIDGE*]]

 [**--bip**[=*BIP*]]

 [**--cgroup-parent**[=*[]*]]

@@ -73,7 +73,7 @@ format.

 **--api-cors-header**=""

   Set CORS headers in the remote API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all.

-**--authz-plugin**=""

+**--authorization-plugin**=""

   Set authorization plugins to load

 **-b**, **--bridge**=""

@@ -473,10 +473,10 @@ Key/Value store.

 Docker's access authorization can be extended by authorization plugins that your

 organization can purchase or build themselves. You can install one or more

 authorization plugins when you start the Docker `daemon` using the

-`--authz-plugin=PLUGIN_ID` option.

+`--authorization-plugin=PLUGIN_ID` option.

 ```bash

-docker daemon --authz-plugin=plugin1 --authz-plugin=plugin2,...

+docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

 ```

 The `PLUGIN_ID` value is either the plugin's name or a path to its specification