Auth: Fix missing snapshots and backups from storage pool used-by URLs #14324
Commits on Oct 25, 2024
-
test/deps: Add python script to search for panics in LXD logs.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
test/includes: Add panic checker helper function.
This runs the panic checker against all currently running LXD daemons. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
test: All tests should be executed from TEST_DIR.
This commit reverts any changes made to the current directory in any test suites. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
test: Run the panic checker after every test.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
shared/entity: Add functions to create snapshot and backup URLs.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/auth/drivers: Add snapshots and backups to authorization model.
Adds instance and storage volume snapshots and backups to the OpenFGA model. These entitlements cannot be assigned to identities, service accounts, or group members. Instead they are inherited from the parent instance or volume. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/auth/drivers: Clarify that "can_view" allows viewing snapshots an…
…d backups. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/auth: Run
make update-auth.Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
metadata: Run
make update-metadata.Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/auth/drivers: Remove entitlement validation check.
The auth.ValidateEntitlement function validates all entitlements that can be granted via the API. Since the new entitlements on snapshots and backups cannot be granted via the API, this check fails. The OpenFGA server will return an error if an invalid query is performed based on it's own understanding of the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/db/openfga: Use entity types for parent-child relations.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/db/openfga: Handle instance and storage_volume relations on Read.
Previously the only entities that had inherited relations were project and server. Now that we are linking instances and storage volumes to their snapshots and backups, the OpenFGADatastore implementation needs to handle these relations. On Read, we can connect a snapshot or backup to its parent instance or storage volume using the information stored in its URL. For example, the storage volume backup URL: /1.0/storage-pools/default/volumes/custom/vol1/backups/backup1?project=project1 is related to its parent: /1.0/storage-pools/default/volumes/custom/vol1?project=project1 via the `storage_volume relation`. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd/db/openfga: Handle instance and storage_volume relations on ReadS…
…tartingWithUser. Previously the only entities that had inherited relations were project and server. Now that we are linking instances and storage volumes to their snapshots and backups, the OpenFGADatastore implementation needs to handle these relations. On ReadStartingWithUser, the function needs to return all backups or snapshots that are related to a parent instance or storage volume. This is used in the `ListObjects` call to the OpenFGA server, which is used by `(auth.Authorizer).GetPermissionChecker`. To do this, I have naively queried for all snapshots or backups in the project, and filtered out those that don't have the correct parent. This keeps the implementation simple and makes use of `GetEntityURLs`, which performs as few queries as possible. Further optimisation may be needed. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd: Update instance backup and snapshot authorization checks.
We can now use the `can_view`, `can_edit`, and `can_delete` entitlements with instance backups and snapshots. We should do this so that our checks more accurately reflect the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd: Add location to storage volume details.
The access handler was performing some logic to determine the location of the storage volume for use in the access check. This was based on whether the storage pool is remote, and if not, the cluster member where the volume is located. This commit removes that logic and adds a "location" field to `storageVolumeDetails` so that it can be used in the handlers. The logic for determining the location is modified to suit the call site. It is only set when the pool is not remote. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd: Parameterise the storagePoolVolumeTypeAccessHandler by entity type.
The storage volume snapshot and backup access handlers need to share almost identical logic to the storage volume access handler. Including getting the storage pool, understanding if the storage volume is located on another cluster member, and so forth. This commit parameterises the function so that it can be used by the snapshot and backup entity types as well; creating and checking against the correct URL when called. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd: Update calls to the storage volume access handler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
lxd: Update storage volume snapshot and backup access checks.
We can now check `can_view`, `can_edit`, and `can_delete` against the backup/snapshot itself. We should do so to more accurately reflect the authorization model. Signed-off-by: Mark Laing <mark.laing@canonical.com>
-
test/suites: Add tests for storage pool used-by filtering.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
