auth: Add entitlements to LXD resources (part 2: Get entitlements from Authorizer interface) #14746
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Documentation
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
7 times, most recently
from
0e88556 to
e7df56e
Compare
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
2 times, most recently
from
cf7fc3f to
b35d8fc
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
from
b35d8fc to
4a142e4
Compare
minaelee
previously approved these changes
Jan 8, 2025
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
2 times, most recently
from
929e682 to
f394e71
Compare
Adds `fine_grained` field to `GET /1.0/auth/identities/current` to indicate if the current identity interacting with the LXD API is fine-grained (i.e, associated permissions are managed via group membership) and allow LXD entities to be returned with an `entitlements` field if the current identity is fine-grained and if the GET request to fetch the LXD entities has the `with-entitlements=<comma_separated_list_of_candidate_entitlements>` query parameter. Signed-off-by: Gabriel Mougard <[email protected]>
Signed-off-by: Gabriel Mougard <[email protected]>
Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
2 times, most recently
from
8b60caf to
d9a0b7c
Compare
…ies/current` endpoint This is needed to let know the client if the currently used identity is fine-grained or not. Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
from
d9a0b7c to
7858a0b
Compare
…e-allocated) Signed-off-by: Gabriel Mougard <[email protected]>
… current identity info Signed-off-by: Gabriel Mougard <[email protected]>
…e `Authorizer` interface These methods return the entitlements corresponding to the entity/entities through calls to the OpenFGA datastore. These functions should be called at the end of a LXD API handler so that the OpenFGA per-request cache can be hit. Signed-off-by: Gabriel Mougard <[email protected]>
gabrielmougard
force-pushed
the
feat/auth-dry-run-check-part2
branch
from
7858a0b to
a4d5c3a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the second part of a group of three stacked PRs.
IsFineGrainedfield) #14745