lxc config trust add --project should require --restricted flag #13865

Open
MggMuggins opened this issue Aug 3, 2024 · 4 comments
Labels
Improvement Improve to current situation

Comments

@MggMuggins
Contributor

MggMuggins commented Aug 3, 2024

lxc config trust add requires the --restricted flag in order to actually restrict the identity to the specified set of projects. As a user this is very confusing; I would expect if I pass a set of projects to restrict the cert to, that the cert would be restricted. Per the help page:

      --projects     List of projects to restrict the certificate to
      --restricted   Restrict the certificate to one or more projects

I propose removing --restricted and inferring cert.Restricted from the presence/absence of --projects.

Current Behavior

wesley@voyager:~$ lxc config trust add --name voyager-juju-unrestricted --projects juju
...
wesley@unrestricted:~$ lxc remote add homelab houston.cld.lan
wesley@unrestricted:~$ lxc project list
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS |     DESCRIPTION     | USED BY |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| cluster           | NO     | YES      | YES             | NO       |                     | 11      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| default (current) | YES    | YES      | YES             | YES      | Default LXD project | 39      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| dev               | NO     | NO       | YES             | NO       |                     | 12      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| juju              | NO     | YES      | YES             | NO       |                     | 1       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| k8s               | NO     | NO       | YES             | NO       |                     | 12      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| lxd               | NO     | YES      | YES             | NO       |                     | 8       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| maas              | NO     | YES      | YES             | NO       |                     | 11      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| minecraft         | NO     | YES      | YES             | NO       |                     | 3       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
wesley@voyager:~$ lxc config trust add --name voyager-juju-restricted --projects juju --restricted
...
wesley@restricted:~$ lxc remote add homelab houston.cld.lan
wesley@restricted:~$ lxc project list
+----------------+--------+----------+-----------------+----------+-------------+---------+
|      NAME      | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS | DESCRIPTION | USED BY |
+----------------+--------+----------+-----------------+----------+-------------+---------+
| juju (current) | NO     | YES      | YES             | NO       |             | 1       |
+----------------+--------+----------+-----------------+----------+-------------+---------+
@markylaing
Contributor

I think a security-first approach would be to always restrict certificates, and only unrestrict with a flag e.g. --unrestricted. However, I don't think this is possible without breaking backwards compatibility.

In general though I agree, if passing a list of projects then the restricted property of the certificate is implicit.

@tomponline tomponline added the Improvement Improve to current situation label Aug 5, 2024
@tomponline
Member

@MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?

@tomponline
Member

If not then I think one way we can fix this is to require --restricted be passed when providing --projects flag.

@markylaing
Contributor

> @MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?

No, we only check the project list of restricted certificates. Would it be worth also adding a warning log message if an unrestricted certificate has a project list?

> If not then I think one way we can fix this is to require --restricted be passed when providing --projects flag.

Yeah I think this is a good idea. It makes the usage more clear for now without breaking anything.
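
An added example, not LXD's code and not posted by any participant in this thread: a Go sketch of the rule agreed above (reject a project list without `--restricted`) and of an audit that flags existing trust entries whose project list is never enforced. The helper names are hypothetical, the JSON field names `name`, `restricted` and `projects` are assumed to match LXD's certificate API object, and the sample data is constructed from the two entries in the terminal session.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// cert holds the fields of a certificate object that matter for this check.
type cert struct {
	Name       string   `json:"name"`
	Restricted bool     `json:"restricted"`
	Projects   []string `json:"projects"`
}

// checkTrustFlags (hypothetical) mirrors the rule proposed in the thread:
// a project list without --restricted is rejected rather than silently ignored.
func checkTrustFlags(restricted bool, projects []string) error {
	if len(projects) > 0 && !restricted {
		return errors.New("--projects has no effect without --restricted")
	}
	return nil
}

// unrestrictedWithProjects returns the names of trust entries that carry a
// project list but are not restricted, so the list is never enforced.
func unrestrictedWithProjects(raw []byte) ([]string, error) {
	var certs []cert
	if err := json.Unmarshal(raw, &certs); err != nil {
		return nil, err
	}
	var flagged []string
	for _, c := range certs {
		if checkTrustFlags(c.Restricted, c.Projects) != nil {
			flagged = append(flagged, c.Name)
		}
	}
	return flagged, nil
}

// sampleTrustStore is constructed data, not output captured from a real server.
const sampleTrustStore = `[
  {"name": "voyager-juju-unrestricted", "restricted": false, "projects": ["juju"]},
  {"name": "voyager-juju-restricted", "restricted": true, "projects": ["juju"]}
]`

func main() {
	flagged, err := unrestrictedWithProjects([]byte(sampleTrustStore))
	fmt.Println("project list not enforced for:", flagged, err)
}
```
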

@tomponline tomponline changed the title from "lxc config trust add --project proj should restrict token" to "lxc config trust add --project proj should require --restricted flag" Aug 7, 2024
@tomponline tomponline changed the title from "lxc config trust add --project proj should require --restricted flag" to "lxc config trust add --project should require --restricted flag" Aug 7, 2024