Mark Laing

These were not removed when we reverted the original OpenFGA authorization driver because they were part of a separate pull request that performed a lot of refactoring. The no longer...

There are a few non-major comments on #12313 that should be addressed: - [ ] https://github.com/canonical/lxd/pull/12313#discussion_r1371456339 - [ ] https://github.com/canonical/lxd/pull/12313#discussion_r1371469637 - [ ] https://github.com/canonical/lxd/pull/12313#discussion_r1371540450 - [ ] https://github.com/canonical/lxd/pull/12313#discussion_r1371473486 - [...

The plural form of `identity` is `identities`, but lxd-generate is outputting `identitys`. See https://github.com/canonical/lxd/pull/12807#discussion_r1474731848_

Many downstream packages are using the `lxd/response` package. #13252 removed the import of `lxd/db` from `lxd/response` so that downstream package can avoid additional imports, but if the package is being...

Auth: Entity type refactor

11

Opening as a draft to get some feedback. - The type of `entity.Type` has been changed to an interface. - A new type has been created for each shared entity...

See comments on #13379

Auth: Add project query parameter to URLs in authorizer.

1

In our implementation of `(github.com/openfga/openfga/pkg/storage).OpenFGADatastore`, entity URLs are expected to include the project query parameter even if it is the default project. However, LXD typically displays URLs without the project...

See https://github.com/canonical/lxd/pull/13364#discussion_r1574398949_ When performing an access check on a storage volume, we need to include it's location in the URL, otherwise the permission checker will not recognise it.

Add comments to explain how authorization is being handled in public (`AllowUntrusted` endpoints). See https://github.com/canonical/lxd/pull/13080#discussion_r1526551495_

Currently when using [PKI mode](https://documentation.ubuntu.com/lxd/en/latest/authentication/#using-a-pki-system) the `server.ca` and `ca.crl` files must be present at daemon start up. It is already possible to replace the cluster certificate at runtime via [/1.0/cluster/certificate](https://documentation.ubuntu.com/lxd/en/latest/api/#/cluster/clustering_update_cert)....