Auth: Fine-grained access control for TLS clients #14099
Closed
github-actions bot added the Documentation (Documentation needs updating) and API (Changes to the REST API) labels on Sep 13, 2024.
markylaing force-pushed the fine-grained-tls branch from 6ab5570 to a6436de on September 13, 2024 16:07.
Heads up @mionaalex - the "Documentation" label was applied to this issue.
Signed-off-by: Mark Laing <[email protected]>
… types. Signed-off-by: Mark Laing <[email protected]>
We should never expose the secret except in the issued token. Signed-off-by: Mark Laing <[email protected]>
Whether a new client is being trusted via secret, or if an administrator is adding or updating the certificate directly, the certificate must be signed by the CA if set. Note that this is *not* a security issue, because we validate that client certificates have been signed by the CA when authenticating. This just meant that it was possible for an admin to create a certificate that would be invalid. Signed-off-by: Mark Laing <[email protected]>
…tes API. Signed-off-by: Mark Laing <[email protected]>
Adds the fine-grained TLS identity type to the list of candidate identity types for client authentication. Signed-off-by: Mark Laing <[email protected]>
This field indicates to the CLI which API to use when adding a remote. If `Identity` is true, then `POST /1.0/auth/identities/tls` will be used. Otherwise, `POST /1.0/certificates` will be used. Signed-off-by: Mark Laing <[email protected]>
If a token is requested, a pending TLS identity is created whose identifier is a UUID, and whose metadata contains a secret and an expiry. If a token is supplied, the pending TLS identities are enumerated and if a matching secret is found (that has not expired), the pending identity is updated with the TLS certificate that the client sent during the TLS handshake. If a certificate is supplied directly, then an identity of type `Client certificate` is created. Signed-off-by: Mark Laing <[email protected]>
Deletes the identity. For mTLS authentication this revokes trust entirely. For OIDC this does not revoke trust but will revoke any locally configured group membership (and therefore revoke access). If group membership has been configured via identity provider groups then this will do nothing. Signed-off-by: Mark Laing <[email protected]>
On updating the certificate cache, it was possible (programmatically) to append a nil certificate to the list of local server certificates. Signed-off-by: Mark Laing <[email protected]>
… API. Signed-off-by: Mark Laing <[email protected]>
markylaing force-pushed the fine-grained-tls branch from a6436de to e1fc039 on September 16, 2024 11:58.
tomponline added a commit that referenced this pull request on Oct 4, 2024:
In the specification for fine-grained authorization for TLS clients, the `/1.0/certificates` API does not return identities of the new type (because they can't be managed via this API). In the PoC PR (#14099) this is done in a bit of a hacky way. They are essentially filtered out because they don't have a matching certificate type. This PR does this in a more correct way, by ensuring that certificate database queries only return identities of the correct type. I've done some additional clean up as well.
Closing as PoC
This PR adds:
- `lxc auth identity create [<remote>:]tls/<name> [<path_to_cert_file>]`. If a file is provided, the certificate is sent as a base64 encoded, PEM encoded certificate in the request body. If a file is not provided, an identity of type `Client certificate (pending)` is created, whose identifier is a UUID. The pending client certificate identity works like a certificate add operation - its metadata contains a secret and an expiry time.
- `Client certificate`, with a valid token.
- `lxd remote add` to handle these cases.
- `/1.0/certificates` so that the API does not show the new TLS identity type.
Here are some examples:
Closes #13149
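The PR description above and the commit message describing the token branch ("If a token is requested, a pending TLS identity is created whose identifier is a UUID, and whose metadata contains a secret and an expiry ...") together specify a small state machine: pending identity with secret and expiry, token carrying the secret and an `Identity` flag, redemption that binds the handshake certificate and retires the secret. The following is an added illustration of that lifecycle, not LXD's own code. The `Identity`, `Token` and `Store` types, the metadata keys, the token being base64 JSON, the certificate being passed as raw DER bytes, and the identifier switching from the UUID to the certificate fingerprint on promotion are all assumptions; the type names `Client certificate (pending)` and `Client certificate` are the ones the PR uses.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Type names are the PR's; the struct, metadata keys and token layout are assumptions.
const (
	TypePendingCert = "Client certificate (pending)"
	TypeCert        = "Client certificate"
)

type Identity struct {
	Identifier string            // UUID while pending, certificate fingerprint once trusted (assumed)
	Type, Name string
	Metadata   map[string]string // pending: "secret", "expiry"; trusted: "fingerprint"
}

// Token is the only artefact that ever carries the secret. Identity=true tells the CLI
// to redeem it with POST /1.0/auth/identities/tls rather than POST /1.0/certificates.
type Token struct {
	ClientName, Secret, ExpiresAt string
	Identity                      bool
}

// Store stands in for the server's identity cache (assumed).
type Store struct{ Identities []*Identity }

func newUUID() string {
	b := make([]byte, 16)
	rand.Read(b)
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80 // version 4, RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// CreatePending records a pending identity with a UUID identifier and a secret plus
// expiry in its metadata, and returns the token that hands the secret to the client.
func (s *Store) CreatePending(name string, ttl time.Duration) (string, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	expiry := time.Now().Add(ttl).UTC().Format(time.RFC3339)
	id := &Identity{Identifier: newUUID(), Type: TypePendingCert, Name: name,
		Metadata: map[string]string{"secret": hex.EncodeToString(secret), "expiry": expiry}}
	s.Identities = append(s.Identities, id)
	raw, err := json.Marshal(Token{ClientName: name, Secret: id.Metadata["secret"], ExpiresAt: expiry, Identity: true})
	return base64.StdEncoding.EncodeToString(raw), err
}

// Redeem is the token branch: enumerate pending identities, compare secrets in constant
// time, refuse an expired one, then bind the certificate the client presented in the TLS
// handshake (DER bytes here) and discard the secret so the token cannot be replayed.
func (s *Store) Redeem(tokenB64 string, clientCertDER []byte) (*Identity, error) {
	raw, err := base64.StdEncoding.DecodeString(tokenB64)
	if err != nil {
		return nil, err
	}
	var tok Token
	if err := json.Unmarshal(raw, &tok); err != nil || !tok.Identity {
		return nil, errors.New("not a token for the TLS identities API")
	}
	for _, id := range s.Identities {
		if id.Type != TypePendingCert || subtle.ConstantTimeCompare([]byte(id.Metadata["secret"]), []byte(tok.Secret)) != 1 {
			continue
		}
		if exp, err := time.Parse(time.RFC3339, id.Metadata["expiry"]); err != nil || time.Now().After(exp) {
			return nil, errors.New("pending identity has expired")
		}
		sum := sha256.Sum256(clientCertDER)
		id.Type, id.Identifier = TypeCert, hex.EncodeToString(sum[:])
		id.Metadata = map[string]string{"fingerprint": id.Identifier} // secret and expiry are gone
		return id, nil
	}
	return nil, errors.New("no pending identity matches this token")
}

// Public is what any read API returns: the secret never leaves the server except in the token.
func (id *Identity) Public() Identity {
	out := *id
	out.Metadata = map[string]string{}
	for k, v := range id.Metadata {
		if k != "secret" {
			out.Metadata[k] = v
		}
	}
	return out
}

func main() {
	s := &Store{}
	tok, _ := s.CreatePending("laptop", time.Hour)
	id, err := s.Redeem(tok, []byte("constructed DER bytes, not a real certificate"))
	fmt.Println(id.Public(), err)
}
```

Two details carry the security weight: the secret comparison is constant-time because the pending set is enumerated on every redemption attempt, and promotion rewrites the metadata map rather than deleting one key, so nothing from the pending state can leak through a later read of the identity.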