Auth: Fine-grained access control for TLS clients

client/interfaces.go

@@ -444,6 +444,9 @@ type InstanceServer interface {
 	GetIdentity(authenticationMethod string, nameOrIdentifier string) (identity *api.Identity, ETag string, err error)
 	GetCurrentIdentityInfo() (identityInfo *api.IdentityInfo, ETag string, err error)
 	UpdateIdentity(authenticationMethod string, nameOrIdentifier string, identityPut api.IdentityPut, ETag string) error
+	CreateTLSIdentity(identity api.TLSIdentitiesPost) error
+	CreateTLSIdentityToken(identity api.TLSIdentitiesPost) (*api.TLSIdentityToken, error)
+	DeleteIdentity(authenticationMethod string, nameOrIdentifier string, ETag string) error
 	GetIdentityProviderGroupNames() (identityProviderGroupNames []string, err error)
 	GetIdentityProviderGroups() (identityProviderGroups []api.IdentityProviderGroup, err error)
 	GetIdentityProviderGroup(identityProviderGroupName string) (identityProviderGroup *api.IdentityProviderGroup, ETag string, err error)

client/lxd_auth.go

@@ -261,6 +261,56 @@ func (r *ProtocolLXD) UpdateIdentity(authenticationMethod string, nameOrIdentife
 	return nil
 }
 
+// DeleteIdentity deletes the specified identity.
+func (r *ProtocolLXD) DeleteIdentity(authenticationMethod string, nameOrIdentifier string, ETag string) error {
+	err := r.CheckExtension("identity_management")
+	if err != nil {
+		return err
+	}
+
+	_, _, err = r.query(http.MethodDelete, api.NewURL().Path("auth", "identities", authenticationMethod, nameOrIdentifier).String(), nil, ETag)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// CreateTLSIdentity creates a TLS identity.
+func (r *ProtocolLXD) CreateTLSIdentity(tlsIdentitiesPost api.TLSIdentitiesPost) error {
+	err := r.CheckExtension("identity_management")
+	if err != nil {
+		return err
+	}
+
+	_, _, err = r.query(http.MethodPost, api.NewURL().Path("auth", "identities", api.AuthenticationMethodTLS).String(), tlsIdentitiesPost, "")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// CreateTLSIdentityToken creates an identity token that can be used by an untrusted client to set up authentication with LXD.
+func (r *ProtocolLXD) CreateTLSIdentityToken(tlsIdentitiesPost api.TLSIdentitiesPost) (*api.TLSIdentityToken, error) {
+	err := r.CheckExtension("identity_management")
+	if err != nil {
+		return nil, err
+	}
+
+	if !tlsIdentitiesPost.Token {
+		return nil, fmt.Errorf("Token needs to be true if requesting a token")
+	}
+
+	var token api.TLSIdentityToken
+	_, err = r.queryStruct(http.MethodPost, api.NewURL().Path("auth", "identities", api.AuthenticationMethodTLS).String(), tlsIdentitiesPost, "", &token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}
+
 // GetIdentityProviderGroupNames returns a list of identity provider group names.
 func (r *ProtocolLXD) GetIdentityProviderGroupNames() ([]string, error) {
 	err := r.CheckExtension("access_management")

doc/api-extensions.md

@@ -2470,3 +2470,7 @@ Adds the following internal metrics:
 This introduces per-pool project disk limits, introducing a `limits.disk.pool.NAME`
 configuration option to the project limits. When `limits.disk.pool.POOLNAME: 0`
 for a project, the pool is excluded from `lxc storage list` in that project.
+
+## `identity_management`
+
+Adds functionality to create and delete TLS identities whose permissions can be managed via group membership.