Auth: Generate entitlement definitions #13256

Merged on Apr 4, 2024 (14 commits)

Commits on Apr 4, 2024

  1. lxd/auth: Add comments to the OpenFGA model describing entitlements.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    bfff083
  2. lxd/auth/generate: Add logic for generating entitlement definitions.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    87bb69e
  3. lxd/auth: Adds entitlements file with go:generate directive.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    49ea081
  4. Makefile: Adds update-auth make target.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    9cab182
  5. lxd/auth: Runs make update-auth.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    1944cc2
  6. test/lint: Add linter to ensure generated file is up to date.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    105fc24
  7. lxd/auth: Remove duplicated type and function definitions.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    1072807
  8. lxd/auth: Replace EntitlementProjectOperator with `EntitlementOperator`.

    EntitlementProjectOperator was the string "operator". This was to
    differentiate it from the server level operator but there is no benefit
    to this now that we are generating the entitlements.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    c70f0c6
  9. lxd: Update entitlement validation calls.

    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    5ab85a0
  10. lxd/auth: Add a can_delete entitlement to identity.

    Granting a `can_delete` permission on an identity to a group
    was possible via the API but this would have had no effect because
    the relation was not present in the model.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    38e125a
  11. lxd/auth: Add directly related user types to group entitlements.

    Granting `can_view`, `can_edit`, or `can_delete` on a group was
    possible via the API but this would have had no effect because
    members of a group (group#member) could not be directly related to
    the group type in the model via these relations.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    a744120
  12. lxd/auth: Run make update-auth.

    Re-generate the entitlements map to reflect changes.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    64584f8
  13. test/suites: It should be possible to grant permissions against a certificate.

    This restriction was artificial and also incorrect. We should allow granting
    permissions against certificates because this is used by the certificates API.
    Since identities and certificates are different entity types, a permission
    granted on an identity is not identical to a permission granted on a certificate,
    so we need to allow this.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    931536c
  14. test/suites: Update list of server entitlements.

    This adds entitlements for identity provider groups that we previously
    omitted incorrectly. Additionally, the `can_view` entitlement on server
    cannot be granted because this is the type-bound public access that
    allows all authenticated clients to call GET /1.0.
    
    Signed-off-by: Mark Laing <mark.laing@canonical.com>
    markylaing committed Apr 4, 2024
    ad09afa