-
Notifications
You must be signed in to change notification settings - Fork 932
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth: Fix missing snapshots and backups from storage pool used-by URLs #14324
base: main
Are you sure you want to change the base?
Commits on Oct 25, 2024
-
test/deps: Add python script to search for panics in LXD logs.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for a3e99ac - Browse repository at this point
Copy the full SHA a3e99acView commit details -
test/includes: Add panic checker helper function.
This runs the panic checker against all currently running LXD daemons. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 0e5c00c - Browse repository at this point
Copy the full SHA 0e5c00cView commit details -
test: All tests should be executed from TEST_DIR.
This commit reverts any changes made to the current directory in any test suites. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 5aeabb5 - Browse repository at this point
Copy the full SHA 5aeabb5View commit details -
test: Run the panic checker after every test.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for c0a24e6 - Browse repository at this point
Copy the full SHA c0a24e6View commit details -
shared/entity: Add functions to create snapshot and backup URLs.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for edfa3db - Browse repository at this point
Copy the full SHA edfa3dbView commit details -
lxd/auth/drivers: Add snapshots and backups to authorization model.
Adds instance and storage volume snapshots and backups to the OpenFGA model. These entitlements cannot be assigned to identities, service accounts, or group members. Instead they are inherited from the parent instance or volume. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 69e7d96 - Browse repository at this point
Copy the full SHA 69e7d96View commit details -
lxd/auth/drivers: Clarify that "can_view" allows viewing snapshots an…
…d backups. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 552cbe9 - Browse repository at this point
Copy the full SHA 552cbe9View commit details -
lxd/auth: Run
make update-auth
.Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 2cc11e5 - Browse repository at this point
Copy the full SHA 2cc11e5View commit details -
metadata: Run
make update-metadata
.Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for e6f05d0 - Browse repository at this point
Copy the full SHA e6f05d0View commit details -
lxd/auth/drivers: Remove entitlement validation check.
The auth.ValidateEntitlement function validates all entitlements that can be granted via the API. Since the new entitlements on snapshots and backups cannot be granted via the API, this check fails. The OpenFGA server will return an error if an invalid query is performed based on it's own understanding of the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 1a8fc68 - Browse repository at this point
Copy the full SHA 1a8fc68View commit details -
lxd/db/openfga: Use entity types for parent-child relations.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 2419c04 - Browse repository at this point
Copy the full SHA 2419c04View commit details -
lxd/db/openfga: Handle instance and storage_volume relations on Read.
Previously the only entities that had inherited relations were project and server. Now that we are linking instances and storage volumes to their snapshots and backups, the OpenFGADatastore implementation needs to handle these relations. On Read, we can connect a snapshot or backup to its parent instance or storage volume using the information stored in its URL. For example, the storage volume backup URL: /1.0/storage-pools/default/volumes/custom/vol1/backups/backup1?project=project1 is related to its parent: /1.0/storage-pools/default/volumes/custom/vol1?project=project1 via the `storage_volume relation`. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 793d858 - Browse repository at this point
Copy the full SHA 793d858View commit details -
lxd/db/openfga: Handle instance and storage_volume relations on ReadS…
…tartingWithUser. Previously the only entities that had inherited relations were project and server. Now that we are linking instances and storage volumes to their snapshots and backups, the OpenFGADatastore implementation needs to handle these relations. On ReadStartingWithUser, the function needs to return all backups or snapshots that are related to a parent instance or storage volume. This is used in the `ListObjects` call to the OpenFGA server, which is used by `(auth.Authorizer).GetPermissionChecker`. To do this, I have naively queried for all snapshots or backups in the project, and filtered out those that don't have the correct parent. This keeps the implementation simple and makes use of `GetEntityURLs`, which performs as few queries as possible. Further optimisation may be needed. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for b1bb8a2 - Browse repository at this point
Copy the full SHA b1bb8a2View commit details -
lxd: Update instance backup and snapshot authorization checks.
We can now use the `can_view`, `can_edit`, and `can_delete` entitlements with instance backups and snapshots. We should do this so that our checks more accurately reflect the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for ebc2413 - Browse repository at this point
Copy the full SHA ebc2413View commit details -
lxd: Add location to storage volume details.
The access handler was performing some logic to determine the location of the storage volume for use in the access check. This was based on whether the storage pool is remote, and if not, the cluster member where the volume is located. This commit removes that logic and adds a "location" field to `storageVolumeDetails` so that it can be used in the handlers. The logic for determining the location is modified to suit the call site. It is only set when the pool is not remote. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 2d5e6aa - Browse repository at this point
Copy the full SHA 2d5e6aaView commit details -
lxd: Parameterise the storagePoolVolumeTypeAccessHandler by entity type.
The storage volume snapshot and backup access handlers need to share almost identical logic to the storage volume access handler. Including getting the storage pool, understanding if the storage volume is located on another cluster member, and so forth. This commit parameterises the function so that it can be used by the snapshot and backup entity types as well; creating and checking against the correct URL when called. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for f41203a - Browse repository at this point
Copy the full SHA f41203aView commit details -
lxd: Update calls to the storage volume access handler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 7286913 - Browse repository at this point
Copy the full SHA 7286913View commit details -
lxd: Update storage volume snapshot and backup access checks.
We can now check `can_view`, `can_edit`, and `can_delete` against the backup/snapshot itself. We should do so to more accurately reflect the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for 2487d6f - Browse repository at this point
Copy the full SHA 2487d6fView commit details -
test/suites: Add tests for storage pool used-by filtering.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Configuration menu - View commit details
-
Copy full SHA for a000ae4 - Browse repository at this point
Copy the full SHA a000ae4View commit details