Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth: Add entitlements to LXD entities (part 2: Enrich LXD resources with entitlements) #14748

Open
wants to merge 30 commits into
base: main
Choose a base branch
from
Open

auth: Add entitlements to LXD entities (part 2: Enrich LXD resources with entitlements) #14748

wants to merge 30 commits into from
+916 −17

Conversation

gabrielmougard
Copy link
Contributor

@gabrielmougard gabrielmougard commented Jan 6, 2025
edited by tomponline
Loading

This is the second part of a group of three stacked PRs.

@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Jan 6, 2025
This was referenced Jan 6, 2025
Closed
Open
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch 11 times, most recently from d5f0001 to 3cae833 Compare January 8, 2025 16:58
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 8, 2025
View reviewed changes
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
test/suites/auth.sh Fixed Show fixed Hide fixed
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch 2 times, most recently from e653ad9 to 7f5457a Compare January 8, 2025 21:09
@gabrielmougard gabrielmougard marked this pull request as ready for review January 8, 2025 21:09
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch 2 times, most recently from 171b326 to 1a09849 Compare January 9, 2025 13:09
minaelee
minaelee reviewed Jan 10, 2025
View reviewed changes
lxd/instance_get.go Outdated Show resolved Hide resolved
lxd/auth/types.go Outdated Show resolved Hide resolved
lxd/instances_get.go Outdated Show resolved Hide resolved
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch from 1a09849 to e18b874 Compare January 10, 2025 08:44
@gabrielmougard
Copy link
Contributor Author

@minaelee thanks for the feedbacks. Fixing that right now

@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch 4 times, most recently from 6f763e7 to c793358 Compare January 10, 2025 14:28
edlerd
edlerd reviewed Jan 10, 2025
View reviewed changes
Copy link
Contributor

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach and format seems all right from my point of view. Left some comments below.

shared/api/image.go Outdated Show resolved Hide resolved
test/suites/auth.sh Show resolved Hide resolved
gabrielmougard and others added 12 commits January 24, 2025 14:09
@gabrielmougard @markylaing
lxd/auth: Introduce the EntitlementReporter interface
834ad26 
This interface will need to be implemented for each API types that need to be returned from the API handlers
with `access_entitlements`

Signed-off-by: Gabriel Mougard <[email protected]>
Co-authored-by: Mark Laing <[email protected]>
@gabrielmougard @markylaing
shared/api: Implement the EntitlementReporter interface for API typ…
d543ccb 
…es that are eligible for entitlement enrichment

Signed-off-by: Gabriel Mougard <[email protected]>
Co-authored-by: Mark Laing <[email protected]>
@gabrielmougard
doc: Update rest-api.yaml
7481bd2 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard @markylaing
lxd/state: Add identity cache to the daemon state
8cc6628 
Signed-off-by: Gabriel Mougard <[email protected]>
Co-authored-by: Mark Laing <[email protected]>
@gabrielmougard @markylaing
lxd/daemon: Populate daemon state with identityCache
8fff814 
Signed-off-by: Gabriel Mougard <[email protected]>
Co-authored-by: Mark Laing <[email protected]>
@gabrielmougard @markylaing
lxd/daemon: Add reportEntitlements function
4c992dd 
This function add entitlements to a map of entity URLs to EntitlementReporters, which
are in practice API types implementing the `ReportEntitlements` method.

Signed-off-by: Gabriel Mougard <[email protected]>
Co-authored-by: Mark Laing <[email protected]>
@gabrielmougard
lxd/daemon: Add extractEntitlementsFromQuery utility function
c3c65be 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/instance: Add entitlements for 'instance' entities
2a9fdc0 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/project: Add entitlements for 'project' entities
6d16345 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/storage-pools: Add entitlements for 'storage-pool' entities
3e8c5c2 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/storage-buckets: Add entitlements for 'storage-bucket' entities
c6ef3f4 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/storage-volumes: Add entitlements for 'storage-volume' entities
a3efc15 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch from eebe53d to 53c6a8e Compare January 24, 2025 14:44
@gabrielmougard
Copy link
Contributor Author

@markylaing updated following the approach you suggested this morning. I also added the enrichment for all the other entities.

@gabrielmougard
lxd/auth-groups: Add entitlements for 'auth-group' entities
e140152 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/certificates: Add entitlements for 'certificate' entities
254cee7 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/identities: Add entitlements for 'identity' entities
05b1a53 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/identity-provider-groups: Add entitlements for 'identity-provider…
f518032 
…-group' entities

Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/images: Add entitlements for 'image' entities
957b73e 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/network-acls: Add entitlements for 'network-acl' entities
03c62b6 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/network-zones: Add entitlements for 'network-zone' entities
b6e01d0 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/networks: Add entitlements for 'network' entities
6347eb1 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
lxd/profiles: Add entitlements for 'profile' entities
a0576ac 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
test/auth: Add check for entitlements
e3e9dd2 
Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard
test: Check that we can retrieve entities with their correct 'access_…
01a6872 
…entitlements' fields

Signed-off-by: Gabriel Mougard <[email protected]>
@gabrielmougard gabrielmougard force-pushed the feat/auth-dry-run-check-part3 branch from 53c6a8e to 01a6872 Compare January 24, 2025 14:53
edlerd
edlerd approved these changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New tests are great, thanks for adding. I skimmed through the code without detailed reading, just one non-blocking observation below. LGTM 👍

lxd/auth_groups.go
return response.SmartError(err)
}

if len(withEntitlements) > 0 && recursion != "1" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if len(withEntitlements) > 0 && recursion != "1" {
if len(withEntitlements) > 0 && !recursion {

Should be more future-proof this way in case higher recursion levels are introduced. wdyt?

lxd/identities.go
return response.SmartError(err)
}

if len(withEntitlements) > 0 && recursion != "1" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to above, there are a couple of more occurrences like this below.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edlerd edlerd edlerd approved these changes

@markylaing markylaing Awaiting requested review from markylaing

@minaelee minaelee Awaiting requested review from minaelee

@tomponline tomponline Awaiting requested review from tomponline

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
API Changes to the REST API Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gabrielmougard @tomponline @edlerd @minaelee @markylaing