`lxc config trust add --project` should require `--restricted` flag
lxc config trust add requires the --restricted flag in order to actually restrict the identity to the specified set of projects. As a user this is very confusing; I would expect if I pass a set of projects to restrict the cert to, that the cert would be restricted. Per the help page:
```
--projects List of projects to restrict the certificate to
--restricted Restrict the certificate to one or more projects
```
I propose removing --restricted and inferring cert.Restricted from the presence/absence of --projects.
Current Behavior
```
wesley@voyager:~$ lxc config trust add --name voyager-juju-unrestricted --projects juju
...
wesley@unrestricted:~$ lxc remote add homelab houston.cld.lan
wesley@unrestricted:~$ lxc project list
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| NAME | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS | DESCRIPTION | USED BY |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| cluster | NO | YES | YES | NO | | 11 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| default (current) | YES | YES | YES | YES | Default LXD project | 39 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| dev | NO | NO | YES | NO | | 12 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| juju | NO | YES | YES | NO | | 1 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| k8s | NO | NO | YES | NO | | 12 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| lxd | NO | YES | YES | NO | | 8 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| maas | NO | YES | YES | NO | | 11 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
| minecraft | NO | YES | YES | NO | | 3 |
+-------------------+--------+----------+-----------------+----------+---------------------+---------+
```

```
wesley@voyager:~$ lxc config trust add --name voyager-juju-restricted --projects juju --restricted
...
wesley@restricted:~$ lxc remote add homelab houston.cld.lan
wesley@restricted:~$ lxc project list
+----------------+--------+----------+-----------------+----------+-------------+---------+
| NAME | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS | DESCRIPTION | USED BY |
+----------------+--------+----------+-----------------+----------+-------------+---------+
| juju (current) | NO | YES | YES | NO | | 1 |
+----------------+--------+----------+-----------------+----------+-------------+---------+
```
I think a security-first approach would be to always restrict certificates, and only unrestrict with a flag, e.g. --unrestricted. However, I don't think this is possible without breaking backwards compatibility.
In general though I agree, if passing a list of projects then the restricted property of the certificate is implicit.
@MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?
If not then I think one way we can fix this is to require --restricted be passed when providing --projects flag.
> @MggMuggins @markylaing are there any uses of an identity's projects list when not restricted?
No, we only check the project list of restricted certificates. Would it be worth also adding a warning log message if an unrestricted certificate has a project list?
> If not then I think one way we can fix this is to require `--restricted` be passed when providing `--projects` flag.
Yeah I think this is a good idea. It makes the usage more clear for now without breaking anything.
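
An audit for the condition discussed in this thread, as an added example that is not part of the original issue or the LXD code base: it flags trust entries that carry a project list while unrestricted, so the list is never enforced. It assumes the input is JSON shaped like the output of `lxc config trust list --format json` with `name`, `restricted` and `projects` fields; the sample entries and fingerprints are constructed.

```python
import json

# Constructed sample, shaped like the JSON listing of the trust store
# (assumed fields: name, restricted, projects). Fingerprints are placeholders.
SAMPLE_TRUST_JSON = """
[
  {"name": "voyager-juju-unrestricted", "type": "client",
   "restricted": false, "projects": ["juju"], "fingerprint": "<placeholder-1>"},
  {"name": "voyager-juju-restricted", "type": "client",
   "restricted": true, "projects": ["juju"], "fingerprint": "<placeholder-2>"},
  {"name": "admin-laptop", "type": "client",
   "restricted": false, "projects": null, "fingerprint": "<placeholder-3>"}
]
"""

ALL_PROJECTS = "*"


def effective_scope(entry):
    """Projects the identity can actually reach.

    Per the thread, the project list is only checked for restricted
    certificates, so an unrestricted entry reaches every project.
    """
    if not entry.get("restricted", False):
        return ALL_PROJECTS
    return sorted(entry.get("projects") or [])


def misleading_entries(entries):
    """Entries that carry a project list the server never enforces."""
    return [
        e for e in entries
        if not e.get("restricted", False) and (e.get("projects") or [])
    ]


def audit(trust_json):
    """Return (name, listed_projects, effective_scope) per flagged entry."""
    entries = json.loads(trust_json)
    return [
        (e["name"], sorted(e["projects"]), effective_scope(e))
        for e in misleading_entries(entries)
    ]


if __name__ == "__main__":
    for name, listed, scope in audit(SAMPLE_TRUST_JSON):
        print(f"{name}: lists {listed} but is unrestricted, effective scope {scope}")
```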