lxc/linuxcontainers.org

[Feature Request] Make RBAC usable with TLS authentication on LXD

Closed this issue · 1 comment

monkz commented

To limit user access based on TLS certificates, a command or flag is needed to assign a role to a client certificate.

Adding a trust certificate currently works like this:
lxc config trust add <cert>

A flag would suffice to set a role, like:
lxc config trust add <cert> --role user
lxc config trust add <cert> --role admin
If a cert is added twice, the last rule setting should get preference.

Additionally, a default role setting should be set in the core settings, like:
core.trust_default_role: 'readonly'

Hi,

We won't be doing this, as that would require LXD itself to become aware of roles, which is what an RBAC service is for.

What we do have planned, though, is restricting a certificate to a project and preventing such a user from having full admin access, effectively similar to an operator role.