Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

auth: Add entitlements to LXD entities (part 1: introduce IsFineGrained field) #14745

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

gabrielmougard
Copy link
Contributor

@gabrielmougard gabrielmougard commented Jan 6, 2025

JIRA ticket: https://warthogs.atlassian.net/browse/LXD-2208
Specification link: https://docs.google.com/document/d/1GxWV5J57MLrjGEY5RDG7eS86J99A8RMmjKTpn0mEhgY/edit?tab=t.0


This is the first part of a group of three stacked PRs.


This introduces a new FineGrained boolean field in IdentityInfo (returned from GET /1.0/auth/identities/current) to let a user know if he is currently using a fine grained authentication method. This PR also introduce the entities_with_entitlements extension.


How to query the API using fine grained auth (this is just a reminder for me)

# Add TLS certificate to LXD (this can be done through LXD UI. Download the .pfx file)
# Create an auth group
lxc auth group create test-group

# Add an new identity to this group ("lxd-ui" is my TLS certificate identifier created by LXD UI)
lxc auth identity group add tls/lxd-ui test-group-1

# Create resources and add permissions to them
lxc auth group permission add test-group-1 instance c1 can_view project=default

# Create a .pfx certificate (with password "1234") and associate it to an auth group and give it some permissions. You can call the API like the following to perform fine-grained calls:
curl --insecure --cert-type P12 --cert lxd-ui-fine-grained-tls.pfx:1234 "https://127.0.0.1:8443/1.0/instances/c1?recursion=1&with-entitlements=can_view" | jq '.'

The CURL output should give you something like:

{
  "type": "sync",
  "status": "Success",
  "status_code": 200,
  "operation": "",
  "error_code": 0,
  "error": "",
  "metadata": {
    "entitlements": [
      "can_view"
    ],
    "name": "c1",
    "description": "this is a test ",
    "status": "Running",
    "status_code": 103,
    "created_at": "2024-11-12T09:58:54.960586253Z",
    "last_used_at": "2024-11-16T12:15:13.572661467Z",
    "location": "none",
    "type": "container",
    ...
  }
}

Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"resources" means something else in LXD as we have /1.0/resources so we should find a different name for this conceptual change.

Would entities be more appropriate?

@gabrielmougard
Copy link
Contributor Author

"resources" means something else in LXD as we have /1.0/resources so we should find a different name for this conceptual change.

Would entities be more appropriate?

Yes, entities seems better. I'll change the naming. Thanks!

@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch from a6cab4d to 7462cae Compare January 6, 2025 15:58
@gabrielmougard gabrielmougard changed the title auth: Add entitlements to LXD resources (part 1: introduce IsFineGrained field) auth: Add entitlements to LXD entities (part 1: introduce IsFineGrained field) Jan 6, 2025
@gabrielmougard gabrielmougard marked this pull request as ready for review January 6, 2025 16:18
shared/version/api.go Outdated Show resolved Hide resolved
doc/api-extensions.md Outdated Show resolved Hide resolved
shared/api/auth.go Outdated Show resolved Hide resolved
shared/api/auth.go Outdated Show resolved Hide resolved
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make the changes as discussed, thanks.

Please update the PR description to demonstrate the actual API change being made here. Ta

@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch 6 times, most recently from d87a4ea to 88c7bae Compare January 8, 2025 16:55
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch 5 times, most recently from 54150d6 to 243c70b Compare January 8, 2025 18:21
lxd/identities.go Outdated Show resolved Hide resolved
@tomponline tomponline requested a review from markylaing January 9, 2025 12:42
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch from 243c70b to c4d0b14 Compare January 10, 2025 08:43
Copy link
Contributor

@markylaing markylaing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple of small nits :)

test/suites/auth.sh Outdated Show resolved Hide resolved
test/suites/auth.sh Outdated Show resolved Hide resolved
lxd/identities.go Outdated Show resolved Hide resolved
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch 2 times, most recently from f7b3a8c to 1db1638 Compare January 10, 2025 17:06
@tomponline
Copy link
Member

@gabrielmougard please rebase

@tomponline tomponline requested a review from markylaing January 14, 2025 09:56
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part1 branch from 1db1638 to d80b67f Compare January 14, 2025 09:58
markylaing
markylaing previously approved these changes Jan 20, 2025
@tomponline
Copy link
Member

thanks @markylaing im going to hold off merging this one until we are happy with #14748

@markylaing
Copy link
Contributor

thanks @markylaing im going to hold off merging this one until we are happy with #14748

Yes sorry I've just seen the comment on there relating to the change in API extension 👍

Adds `fine_grained` field to `GET /1.0/auth/identities/current` to indicate if the current identity
interacting with the LXD API is fine-grained (i.e, associated permissions are managed via group membership) and
allow LXD entities to be returned with an `access_entitlements` field if the current identity is fine-grained and if the
GET request to fetch the LXD entities has the `with-access-entitlements=<comma_separated_list_of_candidate_entitlements>` query parameter.

Signed-off-by: Gabriel Mougard <[email protected]>
Signed-off-by: Gabriel Mougard <[email protected]>
…ies/current` endpoint

This is needed to let know the client if the currently used identity is fine-grained or not.

Signed-off-by: Gabriel Mougard <[email protected]>
… current identity info

Signed-off-by: Gabriel Mougard <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
API Changes to the REST API Documentation Documentation needs updating
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants