
Authorization refactor in preparation for fine-grained authorization #12313

Merged 55 commits into from, Oct 25, 2023

Changes from 1 commit.

Commits (55)
5017205
lxd/auth: Adds entitlement, object, and permission types and constants.
markylaing Sep 25, 2023
3ea15d2
lxd/auth: Adds functions for creating auth objects.
markylaing Sep 25, 2023
a52e978
lxd/auth: Adds tests for authorization objects.
markylaing Oct 9, 2023
1ec0160
lxd/auth: Extends the authorizer interface.
markylaing Sep 25, 2023
cfa3b77
lxd/auth: Update common authorizer for Authorizer interface extension.
markylaing Sep 25, 2023
9123f14
lxd/auth: Implement Authorizer for TLS driver.
markylaing Sep 25, 2023
822af45
lxd/auth: Implement Authorizer for RBAC driver.
markylaing Sep 25, 2023
a39a702
lxd: Do not set user access data in request context.
markylaing Sep 25, 2023
c2c5840
lxd: Update calls to auth package.
markylaing Sep 25, 2023
dbad9e2
lxd: Only allow missing access handler when AllowUntrusted is true.
markylaing Sep 25, 2023
7b250a6
lxd: Update allowPermission function.
markylaing Sep 25, 2023
fd9d911
lxd: Updates allowAuthenticated function.
markylaing Oct 19, 2023
d428bc7
lxd/db/operationtype: Updates Permission method.
markylaing Sep 25, 2023
67d9725
lxd/operations: Updates operation permissions.
markylaing Sep 25, 2023
154c204
lxd/db/cluster: Renames constants.go file.
markylaing Sep 27, 2023
1fb2633
lxd/db/cluster: Add storage bucket entity type.
markylaing Sep 27, 2023
7362589
lxd/db/cluster: Adds URLToEntityType function.
markylaing Sep 27, 2023
1e22bcb
lxd/db/cluster: Adds a unit test for the URLToEntityType function.
markylaing Sep 27, 2023
3abd114
lxd/project: Updates permission handling for projects.
markylaing Sep 25, 2023
8975800
lxd/project: Updates permissions tests.
markylaing Oct 20, 2023
f0b0dcc
lxd/events: Pass an auth.PermissionChecker into the event listener.
markylaing Sep 25, 2023
fbd635b
lxd-agent: Update call to AddListener for the LXD Agent.
markylaing Sep 25, 2023
74aa566
lxd: Update authorization for the /1.0 endpoint.
markylaing Sep 25, 2023
2db6fe5
lxd: Update authorization for cluster endpoints.
markylaing Sep 25, 2023
aa061f8
lxd: Update authorization for internal endpoints.
markylaing Sep 25, 2023
9306e35
lxd/metrics: Adds method to filter metrics with a permission checker.
markylaing Sep 25, 2023
ae092f4
lxd: Update authorization for metrics.
markylaing Sep 25, 2023
4cb57a1
lxd: Update authorization for projects API.
markylaing Sep 25, 2023
535c040
lxd: Updates authorization for certificates API.
markylaing Sep 25, 2023
f1bb54a
lxd: Updates authorization for events API.
markylaing Sep 25, 2023
0cc2aa3
lxd: Updates authorization for image API.
markylaing Sep 25, 2023
73a9ce3
lxd: Add/remove images and image aliases from authorizer.
markylaing Sep 25, 2023
46698f1
lxd: Update authorization for instances.
markylaing Sep 25, 2023
146f36c
lxd/instance/drivers: Add/remove/rename instances in authorizer.
markylaing Sep 25, 2023
cacb832
lxd: Update authorization for network ACL API.
markylaing Sep 25, 2023
8b494ab
lxd: Update network ACLs in the authorizer.
markylaing Sep 25, 2023
721e31a
lxd: Update authorization for network allocations.
markylaing Sep 25, 2023
444692e
lxd: Update authorization for network forwards.
markylaing Sep 25, 2023
c2ef675
lxd: Update authorization for network load balancers.
markylaing Sep 25, 2023
3147031
lxd: Update authorization for network peers.
markylaing Sep 25, 2023
92408de
lxd: Update authorization for network zones.
markylaing Sep 25, 2023
cb5919f
lxd: Update network zones in the authorizer.
markylaing Sep 25, 2023
ca20445
lxd: Update authorization for the networks API.
markylaing Sep 25, 2023
31df5be
lxd: Update networks in the authorizer.
markylaing Sep 25, 2023
8ee727e
lxd: Update authorization for operations.
markylaing Sep 25, 2023
d9322ff
lxd: Update authorization for profiles.
markylaing Sep 25, 2023
6000337
lxd: Update profiles in authorizer.
markylaing Sep 25, 2023
cac36ee
lxd: Update authorization for resources.
markylaing Sep 25, 2023
2d3a73c
lxd: Update authorization for storage buckets.
markylaing Sep 25, 2023
0c43e90
lxd: Update storage buckets in authorizer.
markylaing Sep 25, 2023
27d6fe4
lxd: Update authorization for storage pools.
markylaing Sep 25, 2023
2ff65b0
lxd: Update storage pools in authorizer.
markylaing Sep 25, 2023
cb9da5d
lxd: Update authorization for storage volumes.
markylaing Sep 25, 2023
3371cf9
lxd/storage: Add/Remove/Rename storage volumes in authorizer.
markylaing Sep 25, 2023
7c9f699
lxd: Update authorization for warnings.
markylaing Sep 25, 2023
43 changes: 36 additions & 7 deletions lxd/operations.go
Expand Up @@ -11,6 +11,7 @@ import (

"github.com/gorilla/mux"

"github.com/canonical/lxd/lxd/auth"
"github.com/canonical/lxd/lxd/cluster"
"github.com/canonical/lxd/lxd/db"
dbCluster "github.com/canonical/lxd/lxd/db/cluster"
Expand Down Expand Up @@ -251,13 +252,29 @@ func operationDelete(d *Daemon, r *http.Request) response.Response {
op, err := operations.OperationGetInternal(id)
if err == nil {
projectName := op.Project()
if op.Permission() != "" {
if projectName == "" {
projectName = api.ProjectDefaultName
}
if projectName == "" {
projectName = api.ProjectDefaultName
}

if !s.Authorizer.UserHasPermission(r, projectName, op.Permission()) {
return response.Forbidden(nil)
objectType, entitlement := op.Permission()
if objectType != "" {
for _, v := range op.Resources() {
for _, u := range v {
_, _, pathArgs, err := dbCluster.URLToEntityType(u.String())
if err != nil {
return response.InternalError(fmt.Errorf("Unable to parse operation resource URL: %w", err))
}

object, err := auth.NewObject(objectType, projectName, pathArgs...)
if err != nil {
return response.InternalError(fmt.Errorf("Unable to create authorization object for operation: %w", err))
}

err = s.Authorizer.CheckPermission(r.Context(), r, object, entitlement)
@tomponline tomponline (Member) commented Oct 25, 2023:

Can we use a "get permission checker" to avoid having to call out to the authorizer service for each op.Resources()?

if err != nil {
return response.SmartError(err)
}
}
}
}
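Review bot: two logic problems in the new per-resource loop of `operationDelete`. First, the permission check now runs only inside `for _, v := range op.Resources()`, so an operation whose `op.Permission()` returns a non-empty object type but whose resource map is empty is deleted without any authorization check, whereas the removed `s.Authorizer.UserHasPermission(r, projectName, op.Permission())` call ran unconditionally; a fallback check against `auth.ObjectProject(projectName)` when no resource URL is present (or rejecting such operations outright) would close that gap. Second, `_, _, pathArgs, err := dbCluster.URLToEntityType(u.String())` discards the entity type parsed from the URL and builds every object with the single `objectType` taken from `op.Permission()`, so an operation that lists resources of more than one type would construct an object of the wrong type from another resource's path arguments; compare the parsed entity type against `objectType` and skip (or error on) URLs that do not match. Separately, as the comment above says, `CheckPermission` is called once per URL, which a checker obtained before the loop via `GetPermissionChecker` would avoid.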

Expand Down Expand Up @@ -480,6 +497,11 @@ func operationsGet(d *Daemon, r *http.Request) response.Response {
projectName = api.ProjectDefaultName
}

userHasPermission, err := s.Authorizer.GetPermissionChecker(r.Context(), r, auth.EntitlementCanViewOperations, auth.ObjectTypeProject)
if err != nil {
return response.InternalError(fmt.Errorf("Failed to get operation permission checker: %w", err))
}

localOperationURLs := func() (shared.Jmap, error) {
// Get all the operations.
localOps := operations.Clone()
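Review bot: obtaining the checker once, before either operation list is built, is the right shape, but note that `err` is now introduced here with `:=` and is the same variable the later `md, err = localOperations()` assignment relies on once `var err error` is dropped; worth confirming that nothing between the two sites redeclares `err` in an inner scope, and that the entitlement used here (`auth.EntitlementCanViewOperations` on `auth.ObjectTypeProject`) is the one intended for both the local and the cluster-wide listing paths, since the same `userHasPermission` closure is applied to both.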
Expand All @@ -492,6 +514,10 @@ func operationsGet(d *Daemon, r *http.Request) response.Response {
continue
}

if !userHasPermission(auth.ObjectProject(v.Project())) {
continue
}

status := strings.ToLower(v.Status().String())
_, ok := body[status]
if !ok {
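Review bot: `auth.ObjectProject(v.Project())` is passed the raw project name, while `operationDelete` in this same change substitutes `api.ProjectDefaultName` when `op.Project()` is empty. If an operation can carry an empty project here, the checker is asked about an object with an empty project name and will deny (or mis-match) it; apply the same defaulting before building the object so the two code paths treat project-less operations consistently.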
Expand All @@ -516,6 +542,10 @@ func operationsGet(d *Daemon, r *http.Request) response.Response {
continue
}

if !userHasPermission(auth.ObjectProject(v.Project())) {
continue
}

status := strings.ToLower(v.Status().String())
_, ok := body[status]
if !ok {
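Review bot: this filter duplicates the one added in the previous hunk (`if !userHasPermission(auth.ObjectProject(v.Project())) { continue }`) and inherits the same empty-project concern; a small helper such as `canViewOperation(v)` used by both loops would keep the project defaulting and the check in one place.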
Expand Down Expand Up @@ -557,7 +587,6 @@ func operationsGet(d *Daemon, r *http.Request) response.Response {

// Start with local operations.
var md shared.Jmap
var err error

if recursion {
md, err = localOperations()
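Review bot: removing `var err error` is only valid because `err` is now declared by the `:=` at the `GetPermissionChecker` call earlier in `operationsGet`; if that call is ever moved behind a condition or into a helper, this assignment stops compiling, so a short comment at the declaration site noting that the variable is reused here would help future edits.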