
Auth: Prune pending TLS identities

Open markylaing opened this issue 1 year ago • 0 comments

As part of the TLS fine-grained authorization specification, pending TLS identities must be pruned when their associated token expires. This pull request adds logic to the autoRemoveExpiredTokens task such that the leader will retrieve all the pending TLS identities and delete those that have expired. Non-leaders will continue to cancel "certificate add" and "cluster join" operations in-memory in each member.

There was a lot of duplication of logic to identify the database leader. This PR adds a method to Daemon and State to determine if the member is a leader and refactors existing code to use that method. If the Daemon is standalone it is considered to be the leader. It is the responsibility of the caller to check (*State).ServerClustered before calling (*State).LeaderInfo when necessary.

Marked as draft until #14207 is merged.

markylaing · Oct 11 '24 10:10
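An added example sketching the two behaviours the PR description above sets out (standalone means leader; only the leader prunes pending identities whose token has expired); this is illustrative code, not LXD's own, and the types `PendingIdentity` and `MemberInfo` and the functions `IsLeader` and `PruneExpired` are assumptions made for it.

```go
package main

import "time"

// Constructed types for this example, not LXD's own identity or state types.
// PendingIdentity is a TLS identity whose add/join token has not yet been used.
type PendingIdentity struct {
	Name   string
	Expiry time.Time // token expiry; the identity is pruned once this has passed
}

// MemberInfo stands in for the cluster state a member can query.
type MemberInfo struct {
	Clustered     bool
	LocalAddress  string
	LeaderAddress string
}

// IsLeader follows the rule in the PR description: a standalone server is
// always the leader; a clustered member is the leader only if it holds the
// leader address. Callers check Clustered before relying on LeaderAddress.
func IsLeader(m MemberInfo) bool {
	if !m.Clustered {
		return true
	}
	return m.LocalAddress == m.LeaderAddress
}

// PruneExpired splits pending identities into those to keep and those whose
// token has expired at now. Only the leader prunes the database, so a
// non-leader returns every identity unchanged and nothing to delete.
func PruneExpired(m MemberInfo, now time.Time, pending []PendingIdentity) (keep, expired []PendingIdentity) {
	if !IsLeader(m) {
		return pending, nil
	}
	for _, id := range pending {
		if id.Expiry.After(now) {
			keep = append(keep, id)
		} else { // expiry reached or passed
			expired = append(expired, id)
		}
	}
	return keep, expired
}
```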