Mark Laing
Hi @JoelLau, the `/1.0/permissions` API endpoint returns a slice of permissions. If the `recursion` parameter is set, then a list of groups is included in each permission (the groups with...
@edlerd is this a regression? As far as I know, it has never been possible for a restricted client to list resources of any kind with `all-projects=true`. Example: ``` $...
So it looks like in 5.0-stable there are no authorization checks when listing operations. The client just needs to be authenticated. Assuming 76cfc851a46df5958d76f1028a4247c547d26879 has now been backported to 5.21, this...
Yes. The `all-projects` query parameter for restricted TLS clients is being blocked by this function https://github.com/canonical/lxd/blob/5169fd87039da0cef8af5c054f963cfaa56df045/lxd/daemon.go#L308-L356 which was specifically added to maintain API behaviour for restricted TLS clients. I'm not...
For the events API, we're also using the aforementioned function to block "all-projects" requests for restricted TLS clients. But I think the fix should be different as we'll need to...
> [@markylaing](https://github.com/markylaing) thanks, at the very least the HTTP response code is incorrect:
>
> > Failed to get operation permission checker: Certificate is restricted error_code: 500
>
> Its...
> If that was always being rejected for restricted TLS clients then that's a fair point. That being said if it's always been rejected it means nobody can be using...
Correction - It returns a 403 Forbidden (not 401 Unauthorized): ``` mark@RUBIX:~$ lxc config trust add --name mark --restricted --projects default Client mark certificate add token: eyJjbGllbnRfbmFtZSI6Im1hcmsiLCJmaW5nZXJwcmludCI6IjI2YmE1NTZhNmIwNDdkYjE2NzZlZDczOTRjNzRhZTY4ZjgzZjA5NmJhZjk3MjNjOWEyZjM0MGU5YTE5NTg4ZjkiLCJhZGRyZXNzZXMiOlsiMTI3LjAuMC4xOjg0NDMiXSwic2VjcmV0IjoiNDQyYTNmYjY4YzE4NjAyNGQwODVjMTM0YzllMzZiNjIzZjE1MWQzMDViNzI0M2M3YjQxNmEyNDVkOWM2MWI2YSIsImV4cGlyZXNfYXQiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiIsInR5cGUiOiIifQ== mark@RUBIX:~$ lxc remote...
I'm open to changing it but we'll need to be careful. There's a PR to reinstate this behaviour here https://github.com/canonical/lxd/pull/13702 which is labelled as a bug. IIRC, we decided to...
It's not an issue for fine-grained users. They can view operations in all projects where they have the `can_view_operations` entitlement. I'll double check this now