@@ -275,10 +275,12 @@ func (cli *DaemonCli) start(opts daemonOptions) (err error) {

 		"graphdriver": d.GraphDriverName(),

 	}).Info("Docker daemon")

+	cli.d = d

+

+	// initMiddlewares needs cli.d to be populated. Dont change this init order.

 	cli.initMiddlewares(api, serverConfig)

 	initRouter(api, d, c)

-	cli.d = d

 	cli.setupConfigReloadTrap()

 	// The serve API routine never exits unless an error occurs

@@ -438,6 +440,6 @@ func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config

 	u := middleware.NewUserAgentMiddleware(v)

 	s.UseMiddleware(u)

-	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins)

+	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, cli.d.PluginStore)

 	s.UseMiddleware(cli.authzMiddleware)

 }

@@ -96,7 +96,7 @@ type Daemon struct {

 	gidMaps                   []idtools.IDMap

 	layerStore                layer.Store

 	imageStore                image.Store

-	pluginStore               *pluginstore.Store

+	PluginStore               *pluginstore.Store

 	nameIndex                 *registrar.Registrar

 	linkIndex                 *linkIndex

 	containerd                libcontainerd.Client

@@ -559,7 +559,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot

 		driverName = config.GraphDriver

 	}

-	d.pluginStore = pluginstore.NewStore(config.Root)

+	d.PluginStore = pluginstore.NewStore(config.Root)

 	d.layerStore, err = layer.NewStoreFromOptions(layer.StoreOptions{

 		StorePath:                 config.Root,

@@ -568,7 +568,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot

 		GraphDriverOptions:        config.GraphOptions,

 		UIDMaps:                   uidMaps,

 		GIDMaps:                   gidMaps,

-		PluginGetter:              d.pluginStore,

+		PluginGetter:              d.PluginStore,

 	})

 	if err != nil {

 		return nil, err

@@ -926,7 +926,7 @@ func (daemon *Daemon) configureVolumes(rootUID, rootGID int) (*store.VolumeStore

 		return nil, err

 	}

-	volumedrivers.RegisterPluginGetter(daemon.pluginStore)

+	volumedrivers.RegisterPluginGetter(daemon.PluginStore)

 	if !volumedrivers.Register(volumesDriver, volumesDriver.Name()) {

 		return nil, fmt.Errorf("local volume driver could not be registered")

@@ -1102,7 +1102,7 @@ func (daemon *Daemon) reloadClusterDiscovery(config *Config) error {

 	if daemon.netController == nil {

 		return nil

 	}

-	netOptions, err := daemon.networkOptions(daemon.configStore, daemon.pluginStore, nil)

+	netOptions, err := daemon.networkOptions(daemon.configStore, daemon.PluginStore, nil)

 	if err != nil {

 		logrus.WithError(err).Warnf("failed to get options with network controller")

 		return nil

@@ -13,7 +13,7 @@ func (daemon *Daemon) verifyExperimentalContainerSettings(hostConfig *container.

 }

 func pluginInit(d *Daemon, cfg *Config, remote libcontainerd.Remote) error {

-	return plugin.Init(cfg.Root, d.pluginStore, remote, d.RegistryService, cfg.LiveRestoreEnabled, d.LogPluginEvent)

+	return plugin.Init(cfg.Root, d.PluginStore, remote, d.RegistryService, cfg.LiveRestoreEnabled, d.LogPluginEvent)

 }

 func pluginShutdown() {

@@ -613,7 +613,7 @@ func configureKernelSecuritySupport(config *Config, driverName string) error {

 }

 func (daemon *Daemon) initNetworkController(config *Config, activeSandboxes map[string]interface{}) (libnetwork.NetworkController, error) {

-	netOptions, err := daemon.networkOptions(config, daemon.pluginStore, activeSandboxes)

+	netOptions, err := daemon.networkOptions(config, daemon.PluginStore, activeSandboxes)

 	if err != nil {

 		return nil, err

 	}

@@ -4,6 +4,7 @@ import (

 	"net/http"

 	"github.com/Sirupsen/logrus"

+	"github.com/docker/docker/pkg/plugingetter"

 	"golang.org/x/net/context"

 )

@@ -15,7 +16,8 @@ type Middleware struct {

 // NewMiddleware creates a new Middleware

 // with a slice of plugins names.

-func NewMiddleware(names []string) *Middleware {

+func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware {

+	SetPluginGetter(pg)

 	return &Middleware{

 		plugins: newPlugins(names),

 	}

@@ -3,6 +3,7 @@ package authorization

 import (

 	"sync"

+	"github.com/docker/docker/pkg/plugingetter"

 	"github.com/docker/docker/pkg/plugins"

 )

@@ -33,6 +34,18 @@ func newPlugins(names []string) []Plugin {

 	return plugins

 }

+var getter plugingetter.PluginGetter

+

+// SetPluginGetter sets the plugingetter

+func SetPluginGetter(pg plugingetter.PluginGetter) {

+	getter = pg

+}

+

+// GetPluginGetter gets the plugingetter

+func GetPluginGetter() plugingetter.PluginGetter {

+	return getter

+}

+

 // authorizationPlugin is an internal adapter to docker plugin system

 type authorizationPlugin struct {

 	plugin *plugins.Client

@@ -80,7 +93,14 @@ func (a *authorizationPlugin) initPlugin() error {

 	var err error

 	a.once.Do(func() {

 		if a.plugin == nil {

-			plugin, e := plugins.Get(a.name, AuthZApiImplements)

+			var plugin plugingetter.CompatPlugin

+			var e error

+

+			if pg := GetPluginGetter(); pg != nil {

+				plugin, e = pg.Get(a.name, AuthZApiImplements, plugingetter.LOOKUP)

+			} else {

+				plugin, e = plugins.Get(a.name, AuthZApiImplements)

+			}

 			if e != nil {

 				err = e

 				return