
Remove projects and groups from identity cache

Open markylaing opened this issue 3 weeks ago • 0 comments

Please confirm

  • [x] I have searched existing issues to check if an issue already exists for my feature request.

Is your feature request related to a problem? Please describe.

It could be possible for the identity cache to be out of sync with the database.

For example, if a certificate is deleted and the internal cache update notification fails on another node, then that node doesn't know that the certificate is no longer trusted.

The identity cache also contains information about project and group membership. This is used for access control decisions.

If the identity cache can be out of sync with the database, we should never use it for access control.

We should instead use the identity cache only to authenticate a request, after which we can get access control information from the database.

The exception is for internal cluster communication. The /internal/database connection itself is authenticated and requires a server certificate.

Describe the solution you'd like

The identity cache should be:

// Cache represents a thread-safe in-memory cache of the identities in the database.
type Cache struct {
	serverCertificates map[string]*x509.Certificate
	clientCertificates map[string]*x509.Certificate
	clientSecrets map[string][]byte
	mu *sync.RWMutex
}

This is enough information to authenticate a request and get the initial RequestorArgs to pass into request.SetRequestor, which can then get further information as necessary.

Describe alternatives you've considered

None. There aren't really any alternatives here, as it is not possible to guarantee that a distributed cache is consistent (well, it may be possible, but that's well outside the scope of LXD).

Additional context

No response

markylaing avatar Dec 09 '25 15:12 markylaing
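The split proposed in the issue, as an added sketch that is not LXD code: the cache only answers "is this identity known?", and project membership is read from the database on each request. All names here (`db`, `cache`, `authorize`, `staleNodeScenario`) are hypothetical, and a constructed fingerprint string stands in for a certificate.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// db stands in for the cluster database (source of truth): fingerprint -> projects.
type db map[string][]string

// cache holds only what is needed to authenticate: trusted fingerprints (hypothetical shape).
type cache struct {
	mu      sync.RWMutex
	trusted map[string]bool
}

var errDenied = errors.New("access denied")

// authenticate consults the local cache only; it carries no project or group data.
func (c *cache) authenticate(fp string) bool {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.trusted[fp]
}

// authorize authenticates from the cache, then reads project membership from the database.
func authorize(c *cache, d db, fp, project string) error {
	if !c.authenticate(fp) {
		return errDenied
	}
	for _, p := range d[fp] {
		if p == project {
			return nil
		}
	}
	return errDenied
}

// staleNodeScenario: the identity is deleted in the database, but this node missed the cache update.
func staleNodeScenario() (bool, error) {
	fp := "fp-constructed-1" // constructed fingerprint, not a real certificate
	c := &cache{trusted: map[string]bool{fp: true}}
	d := db{fp: {"default"}}
	delete(d, fp) // deletion committed; the notification to this node failed
	return c.authenticate(fp), authorize(c, d, fp, "default")
}

func main() { fmt.Println(staleNodeScenario()) }
```

In the stale-node case the cache still authenticates the deleted identity, but the access decision comes from the database and is denied.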