New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement new access
API for instances
#725
Comments
@stgraber I would like to work on this! |
I'm currently giving priority for those easier issues to the students at the University of Texas in Austin as they've literally ran out of things to work on but I'll happily assign you to this one if they don't claim it in the next week :) |
Hello, my friend @BajuMcBites , and I are students at UT Austin and after taking a virtualization class, we wanted to contribute to this project. Could we be assigned this issue? Thanks. |
Sure, assigned it to you! If you get @BajuMcBites to comment in this issue I can assign them too. |
Hello! |
Hello, I am starting to work on this issue and was wondering if there were any files that I could look at for endpoints that are similar to this for refrence. Thanks. |
The closest in the instance case would probably be what's behind In this instance, we only need to get a I think that struct will need a minimum of 3 fields:
Note that unlike the state endpoint, we don't need to add any logic to |
Thanks, Ill start looking into that |
Hello, I just want to clarify the approach I was thinking of taking to make sure I’m on the right track.
Then I can test the endpoint by using |
That should be
Yep, this one goes as
Yeah, that part will likely be a tiny bit more complex than that. I think we'll need to:
There's a bit of an issue here that just because the authorizer is openfga doesn't mean that tls clients aren't also supported, but that's something I've got to sort out for other things so I can deal with that one later. |
This is my first time working with authorization technology so sorry if I ask a lot of questions.
|
I'd say to focus on the tls driver for now as that's the easy one to test. For that particular driver, permissions are pretty simple:
Per-instance permissions are possible but they're only supported by the openfga driver at this point and that driver is going to be a bit trickier to figure out who has access to what. For the tls driver, you can very cheaply iterate over With that you can easily |
I have a few more questions For the Access Struct, I want to make sure I'm getting a few things right, we have:
Some other questions:
Finally I just want to make sure that I'm getting the maps from GetCertificatesAndProjects() correct.
Also, once I get the Access struct clarified, I'll make a commit so it can be used in #724. |
Hello again, I went ahead and started implementing what with what I described above, with the following struct setup (SingleAccess struct name will probably be changed) for #724:
|
I think we could just define For the fields, for a TLS entry, I'd expect:
|
Not necessary |
A restricted certificate will be in the project map, an unrestricted one will not. |
Hello, I made a PR for the changes I have made, and I believe it should handle the api for the cases where the authorizer is tls. There were a few things I wasn't 100% sure one which was what the context argument passed into GetInstanceAccess was supposed to be used for as well as when to return an error since GetCertificatesAndProjects doesn't return errors, and I don't see any places where errors would appear since the instance name checks are done prior to this method. I was also wondering if you had any advice on how I should go about getting started on openfga? Also, when running make update-api to update the api documentation, I get the following error: |
That's fine, this implementation doesn't have anything cancelable so the context isn't used and you don't have anything that can throw an error so won't be returning any, but that's setting the stage for the openfga implementation where both are likely to be relevant. |
That's odd, I've never seen it crash that way. Do you have the rest of the stack trace? |
|
Interesting, it's not obvious what caused this. Anyway, you can leave that part alone and I'll generate it here. |
Hello, I I'm trying to start working on the openfga part, I think I have started the server with :
and got this url back which I then set the incus config with:
Is this the proper way to set up openfga? Also, how do I go about querying the accesses? Is there something similar to the maps for tls? Thanks. |
Incus requires both openfga.api.url and openfga.api.token, it also uses the REST API of OpenFGA which I think would be port 8080 in this case. You should be able to specify the preshared method with something like:
Then have Incus access it through |
I tried running the above command and config set up, however the access endpoint is still defaulting to the tls driver instead of the fga driver |
Hmm, you could try running |
I didn't get any errors, only:
Which I assume is the normal output |
Oh, doh, I forgot you also need a store to be created! I don't remember if their web interface lets you create it, from the CLI, you'd do |
Thanks, that got it working. server -> admin: Full access to Incus.
|
OpenFGA has just introduced experimental support for a ListUsers endpoint. I don't know what your threshold is to rely on an experimental method. Assuming we find no issues with it and no user requests that imply drastically changing the interface, it should be moving to non-experimental in a month or two |
Thanks, I'll look into that. I'm going to be out of town for the next 2 weeks, but I'll resume work on this issue when I get back. |
Closes lxc#725 Signed-off-by: Sahaj Bhakta <sahajbhakta@gmail.com>
@rhamzeh ah, that's great, it will make handling this kind of stuff a LOT easier! |
It would be nice to have a
/1.0/instances/NAME/access
endpoint which one couldGET
to retrieve the list of who's allowed access and what access level they have on the object.The text was updated successfully, but these errors were encountered: