Auth: Redefine identity certificate entity types to prevent overlap #14173

Merged

markylaing
Contributor

This PR redefines the identity and certificate entity types such that a certificate is considered to be any existing certificate type (e.g. client, metrics, server) and an identity is any identity whose permissions are managed via group membership.

Closes #13372

Opening as draft as I would like to perform more testing on the patch before merging.

@markylaing markylaing self-assigned this Sep 27, 2024
@markylaing markylaing changed the title Auth: Split identity certificate entity types Auth: Redefine identity certificate entity types to prevent overlap Sep 27, 2024
@markylaing markylaing force-pushed the split-identity-certificate-entity-types branch from 7736f43 to fab42d3 Compare September 30, 2024 08:32
@markylaing markylaing marked this pull request as ready for review September 30, 2024 08:32
@markylaing markylaing force-pushed the split-identity-certificate-entity-types branch from fab42d3 to e203347 Compare September 30, 2024 08:46
This is required so that non-fine-grained identities are still
visible via the identities API, but not editable.

Signed-off-by: Mark Laing <[email protected]>

This function could be misused if the given permission slice contains
permissions that reference a different group ID. This change enforces
that calls to this function can only affect one group.

Signed-off-by: Mark Laing <[email protected]>

With the change to `SetAuthGroupPermissions`, we no longer need to set
the group ID in each permission in the slice.

Signed-off-by: Mark Laing <[email protected]>

@markylaing markylaing force-pushed the split-identity-certificate-entity-types branch from e203347 to 9b75840 Compare September 30, 2024 12:37
@tomponline tomponline merged commit 2514eaf into canonical:main Sep 30, 2024
30 checks passed
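
The misuse described in the `SetAuthGroupPermissions` commit message above, shown as an added Go example that is not LXD's code. `Permission`, `Store`, `SetUnscoped`, `SetScoped` and `Demo` are hypothetical names over a constructed in-memory table, and overriding the per-element group ID (rather than rejecting the call) is an assumption about how the write is scoped.

```go
package main

import "fmt"

// Permission is a hypothetical row: one entitlement granted to one group.
type Permission struct {
	GroupID     int
	Entitlement string
}

// Store is a constructed in-memory stand-in for the permissions table,
// keyed by group ID.
type Store map[int][]string

// SetUnscoped replaces groupID's permissions but files each new row under the
// GroupID carried in the element, so one call can write into another group.
func (s Store) SetUnscoped(groupID int, perms []Permission) {
	delete(s, groupID)
	for _, p := range perms {
		s[p.GroupID] = append(s[p.GroupID], p.Entitlement)
	}
}

// SetScoped treats the groupID argument as the only source of truth: whatever
// GroupID the caller left in an element is ignored.
func (s Store) SetScoped(groupID int, perms []Permission) {
	delete(s, groupID)
	for _, p := range perms {
		s[groupID] = append(s[groupID], p.Entitlement)
	}
}

// Demo applies one mixed slice (constructed sample input) to group 1 through
// either setter and returns how many rows groups 1 and 2 hold afterwards.
func Demo(scoped bool) (g1, g2 int) {
	s := Store{2: {"can_view"}} // group 2 starts with a single entitlement
	mixed := []Permission{{GroupID: 1, Entitlement: "can_view"}, {GroupID: 2, Entitlement: "admin"}}
	if scoped {
		s.SetScoped(1, mixed)
	} else {
		s.SetUnscoped(1, mixed)
	}
	return len(s[1]), len(s[2])
}

func main() {
	fmt.Println(Demo(false)) // unscoped: group 2 gains a row it was never meant to get
	fmt.Println(Demo(true))  // scoped: group 2 is untouched
}
```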

Successfully merging this pull request may close these issues.

Potentially redundant entity types for permissions