canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

`lxc config trust add --project` should require `--restricted` flag #13865

Open MggMuggins opened 4 months ago

MggMuggins commented 4 months ago

`lxc config trust add` requires the `--restricted` flag in order to actually restrict the identity to the specified set of projects. As a user this is very confusing; I would expect if I pass a set of projects to restrict the cert to, that the cert would be restricted. Per the help page:

      --projects     List of projects to restrict the certificate to
      --restricted   Restrict the certificate to one or more projects

I propose removing --restricted and inferring cert.Restricted from the presence/absence of --projects.

Current Behavior

wesley@voyager:~$ lxc config trust add --name voyager-juju-unrestricted --projects juju
...
wesley@unrestricted:~$ lxc remote add homelab houston.cld.lan
wesley@unrestricted:~$ lxc project list
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS |     DESCRIPTION     | USED BY |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| cluster           | NO     | YES      | YES             | NO       |                     | 11      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| default (current) | YES    | YES      | YES             | YES      | Default LXD project | 39      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| dev               | NO     | NO       | YES             | NO       |                     | 12      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| juju              | NO     | YES      | YES             | NO       |                     | 1       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| k8s               | NO     | NO       | YES             | NO       |                     | 12      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| lxd               | NO     | YES      | YES             | NO       |                     | 8       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| maas              | NO     | YES      | YES             | NO       |                     | 11      |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| minecraft         | NO     | YES      | YES             | NO       |                     | 3       |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
wesley@voyager:~$ lxc config trust add --name voyager-juju-restricted --projects juju --restricted
...
wesley@restricted:~$ lxc remote add homelab houston.cld.lan
wesley@restricted:~$ lxc project list
+----------------+--------+----------+-----------------+----------+-------------+---------+
|      NAME      | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS | DESCRIPTION | USED BY |
+----------------+--------+----------+-----------------+----------+-------------+---------+
| juju (current) | NO     | YES      | YES             | NO       |             | 1       |
+----------------+--------+----------+-----------------+----------+-------------+---------+
markylaing commented 4 months ago

I think a security first approach would be to always restrict certificates, and only unrestrict with a flag e.g. --unrestricted. However, I don't think this is possible without breaking backwards compatibility.

In general though I agree, if passing a list of projects then the restricted property of the certificate is implicit.

tomponline commented 3 months ago

@MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?

tomponline commented 3 months ago

If not then I think one way we can fix this is to require --restricted be passed when providing --projects flag.

markylaing commented 3 months ago

> @MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?

No, we only check the project list of restricted certificates. Would it be worth also adding a warning log message if an unrestricted certificate has a project list?

> If not then I think one way we can fix this is to require --restricted be passed when providing --projects flag.

Yeah I think this is a good idea. It makes the usage more clear for now without breaking anything.
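Added example (not LXD's own code and not part of the thread): a small Go model of the two behaviours discussed above. `ValidateTrustAddFlags` is the client-side check tomponline proposes (reject `--projects` unless `--restricted` is also passed), while `AllowedProjects` and `CanAccessProject` model the server-side semantics markylaing describes (the project list is only consulted for restricted certificates) together with the warning he suggests for an unrestricted certificate that carries a project list. The `Certificate` type, the function names and the sample project list are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

// Certificate is a hypothetical stand-in for the two fields under discussion:
// an identity is only confined to its project list when Restricted is set.
type Certificate struct {
	Name       string
	Restricted bool
	Projects   []string
}

// ErrProjectsWithoutRestricted is the validation error proposed in the thread:
// --projects without --restricted is rejected up front instead of silently
// producing an unrestricted certificate.
var ErrProjectsWithoutRestricted = errors.New("--projects requires --restricted")

// ValidateTrustAddFlags models the client-side flag check for
// `lxc config trust add` (assumed name; not the real CLI code).
func ValidateTrustAddFlags(projects []string, restricted bool) error {
	if len(projects) > 0 && !restricted {
		return ErrProjectsWithoutRestricted
	}
	return nil
}

// AllowedProjects returns the projects an identity may see out of allProjects.
// As described in the thread, only a restricted certificate has its project
// list consulted; an unrestricted one sees everything, and if it nevertheless
// carries a project list the optional warn callback is invoked.
func AllowedProjects(cert Certificate, allProjects []string, warn func(string)) []string {
	if !cert.Restricted {
		if len(cert.Projects) > 0 && warn != nil {
			warn(fmt.Sprintf("certificate %q is unrestricted but has a project list (%s); the list is ignored",
				cert.Name, strings.Join(cert.Projects, ", ")))
		}
		return allProjects
	}
	allowed := make(map[string]bool, len(cert.Projects))
	for _, p := range cert.Projects {
		allowed[p] = true
	}
	var out []string
	for _, p := range allProjects {
		if allowed[p] {
			out = append(out, p)
		}
	}
	return out
}

// CanAccessProject is the per-request check: an unrestricted identity may
// access any project, a restricted one only those in its list.
func CanAccessProject(cert Certificate, project string) bool {
	if !cert.Restricted {
		return true
	}
	for _, p := range cert.Projects {
		if p == project {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample project list, using the names from the issue's output.
	all := []string{"cluster", "default", "dev", "juju", "k8s", "lxd", "maas", "minecraft"}

	// Current behaviour: --projects juju without --restricted yields a
	// certificate that still sees every project (and triggers the warning).
	unrestricted := Certificate{Name: "voyager-juju-unrestricted", Projects: []string{"juju"}}
	fmt.Println(AllowedProjects(unrestricted, all, func(m string) { log.Println("WARN:", m) }))

	// With --restricted the list takes effect.
	restricted := Certificate{Name: "voyager-juju-restricted", Restricted: true, Projects: []string{"juju"}}
	fmt.Println(AllowedProjects(restricted, all, nil))

	// Proposed fix: refuse the confusing flag combination before any trust entry is created.
	if err := ValidateTrustAddFlags([]string{"juju"}, false); err != nil {
		fmt.Println("error:", err)
	}
}
```

Running `main` prints the full project list for the unrestricted certificate (with a warning on stderr), `[juju]` for the restricted one, and the validation error for the flag combination the issue complains about.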