Auth: Fine-grained access control for TLS clients #14099
base: main
Commits on Sep 16, 2024
- 16f202f  api: Add `identity_management` API extension.
  Signed-off-by: Mark Laing <[email protected]>
- cd6fd48  lxd: Separate identity handlers by auth method.
  Signed-off-by: Mark Laing <[email protected]>
- f26e54a  shared/api: Add metadata to identity API response.
  Signed-off-by: Mark Laing <[email protected]>
- bd77f49  lxd/db/cluster: Add metadata to identity API response.
  Signed-off-by: Mark Laing <[email protected]>
- ccb7d21  lxd: Add metadata to identity API response.
  Signed-off-by: Mark Laing <[email protected]>
- a772e1f  shared/api: Add pending and fine-grained TLS certificate identity types.
  Signed-off-by: Mark Laing <[email protected]>
- f8090bb  lxd/db/cluster: Add pending and fine-grained TLS certificate identity types.
  Signed-off-by: Mark Laing <[email protected]>
- 978f055  lxd/db/cluster: Add pending TLS identity metadata type and method.
  Signed-off-by: Mark Laing <[email protected]>
- 51ede48  lxd/db/cluster: Add method to unpend a TLS certificate.
  Signed-off-by: Mark Laing <[email protected]>
- 9e02957  lxd/db/cluster: Omit pending TLS identity metadata from API responses.
  We should never expose the secret except in the issued token.
  Signed-off-by: Mark Laing <[email protected]>
- 64be20d  lxd/identity: Add pending and fine-grained TLS identity types.
  Signed-off-by: Mark Laing <[email protected]>
- d7708eb  lxd/auth/drivers: Handle fine-grained TLS clients in OpenFGA driver.
  Signed-off-by: Mark Laing <[email protected]>
- 4f3e3ff  lxd: Move CA check into `certificateValidate` method.
  Whether a new client is being trusted via secret, or if an administrator is adding or updating the certificate directly, the certificate must be signed by the CA if set. Note that this is *not* a security issue, because we validate that client certificates have been signed by the CA when authenticating. This just meant that it was possible for an admin to create a certificate that would be invalid.
  Signed-off-by: Mark Laing <[email protected]>
- 3a1aa81  lxd: Don't show fine-grained or pending TLS certificates in certificates API.
  Signed-off-by: Mark Laing <[email protected]>
- 02a39e0  lxd: Allow fine-grained TLS identities to authenticate.
  Adds the fine-grained TLS identity type to the list of candidate identity types for client authentication.
  Signed-off-by: Mark Laing <[email protected]>
- 5392127  lxd: Allow fine-grained TLS identities to list resources in any project.
  Signed-off-by: Mark Laing <[email protected]>
- 477f32d  shared/api: Add API structs for identity creation.
  Signed-off-by: Mark Laing <[email protected]>
- 983213a  shared/api: Add field to CertificateAddToken.
  This field indicates to the CLI which API to use when adding a remote. If `Identity` is true, then `POST /1.0/auth/identities/tls` will be used. Otherwise, `POST /1.0/certificates` will be used.
  Signed-off-by: Mark Laing <[email protected]>
- 239adc7  lxd: Add `POST /1.0/auth/identities/tls`.
  If a token is requested, a pending TLS identity is created whose identifier is a UUID, and whose metadata contains a secret and an expiry. If a token is supplied, the pending TLS identities are enumerated and if a matching secret is found (that has not expired), the pending identity is updated with the TLS certificate that the client sent during the TLS handshake. If a certificate is supplied directly, then an identity of type `Client certificate` is created.
  Signed-off-by: Mark Laing <[email protected]>
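The token flow this commit describes, together with the `Identity` flag from commit 983213a above, as an added Go example; this is illustrative code written for this page, not LXD's implementation. Assumed for the example: the identity type-name strings, an in-memory `Store` in place of the database, a fingerprint string standing in for the certificate the client sent in the TLS handshake, and a token struct carrying only the fields this page names. The direct-certificate path (an identity of type `Client certificate` with no pending step) is not modelled separately; it is the same row creation with no secret or expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Type names follow the page's wording; the exact strings are an assumption of this example.
const (
	TypePendingClientCertificate = "Client certificate (pending)"
	TypeClientCertificate        = "Client certificate"
)

// CertificateAddToken is a cut-down stand-in for the API struct named in the PR.
// Identity is the flag that routes `lxc remote add` to POST /1.0/auth/identities/tls.
type CertificateAddToken struct {
	ClientName string
	Secret     string
	ExpiresAt  time.Time
	Identity   bool
}

// Identity is what the API returns; the pending secret and expiry are deliberately not in it.
type Identity struct {
	Type       string
	Identifier string // UUID while pending, certificate fingerprint once trusted
	Name       string
}

// record is the stored row; only its api part ever leaves the server.
type record struct {
	api     Identity
	secret  []byte    // pending identities only
	expires time.Time // pending identities only
}

// Store is an in-memory stand-in for the identities table, keyed by identifier.
type Store struct {
	mu  sync.Mutex
	ids map[string]*record
}

func NewStore() *Store { return &Store{ids: map[string]*record{}} }

// formatUUID turns 16 random bytes into a version 4 UUID string.
func formatUUID(b []byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// IssueToken is the "token requested" path: a pending identity whose identifier is a
// UUID and whose metadata is the secret and expiry. The token is the only place the secret is exposed.
func (s *Store) IssueToken(clientName string, ttl time.Duration) (CertificateAddToken, error) {
	raw := make([]byte, 48) // 16 bytes for the UUID, 32 for the secret
	if _, err := rand.Read(raw); err != nil {
		return CertificateAddToken{}, err
	}
	id, secret, expires := formatUUID(raw[:16]), hex.EncodeToString(raw[16:]), time.Now().Add(ttl)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.ids[id] = &record{
		api:     Identity{Type: TypePendingClientCertificate, Identifier: id, Name: clientName},
		secret:  []byte(secret),
		expires: expires,
	}
	return CertificateAddToken{ClientName: clientName, Secret: secret, ExpiresAt: expires, Identity: true}, nil
}

// Redeem is the "token supplied" path: pending identities are enumerated and the first
// unexpired one whose secret matches is replaced by a trusted identity bound to the peer certificate.
func (s *Store) Redeem(secret, peerFingerprint string) (*Identity, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := time.Now()
	for id, r := range s.ids {
		if r.api.Type != TypePendingClientCertificate {
			continue
		}
		if now.After(r.expires) {
			delete(s.ids, id) // expired tokens can never be redeemed
			continue
		}
		if subtle.ConstantTimeCompare(r.secret, []byte(secret)) != 1 {
			continue // bearer secret: compare in constant time
		}
		delete(s.ids, id) // single use: the pending row is consumed
		trusted := &record{api: Identity{Type: TypeClientCertificate, Identifier: peerFingerprint, Name: r.api.Name}}
		s.ids[peerFingerprint] = trusted
		return &trusted.api, nil
	}
	return nil, errors.New("no pending identity matches the supplied token")
}
```

Two properties matter here and are worth checking in any implementation of this flow: the secret is compared in constant time and is never returned from a list or get call, and a redeemed or expired pending row is removed, so a captured token cannot be replayed after the legitimate client has used it or after the expiry has passed.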
- 1c944d1  lxd: Add `DELETE /1.0/auth/identities/{tls,oidc}/{nameOrIdentifier}`.
  Deletes the identity. For mTLS authentication this revokes trust entirely. For OIDC this does not revoke trust but will revoke any locally configured group membership (and therefore revoke access). If group membership has been configured via identity provider groups then this will do nothing.
  Signed-off-by: Mark Laing <[email protected]>
- 1be1ecd  lxd: Allow fine-grained TLS identities to be added to groups.
  Signed-off-by: Mark Laing <[email protected]>
- f46f652  lxd: Omit pending TLS identities when updating the identity cache.
  Signed-off-by: Mark Laing <[email protected]>
- 8d6693a  lxd: Skip server certificates that cannot be converted to a valid type.
  On updating the certificate cache, it was possible (programmatically) to append a nil certificate to the list of local server certificates.
  Signed-off-by: Mark Laing <[email protected]>
- 3c68d15  client: Add client methods for creation and deletion of identities.
  Signed-off-by: Mark Laing <[email protected]>
- c76cb94  lxc/remote: Update `remote add` to handle tokens issued by identities API.
  Signed-off-by: Mark Laing <[email protected]>
- 5ae3497  lxc/auth: Add commands for creating and deleting identities.
  Signed-off-by: Mark Laing <[email protected]>
- 29bcbf8
  Signed-off-by: Mark Laing <[email protected]>
- e1fc039
  Signed-off-by: Mark Laing <[email protected]>