
Auth: Embedded OpenFGA authorization driver #12976

Merged
merged 11 commits into from
Mar 8, 2024
21 changes: 19 additions & 2 deletions lxd/auth/authorization.go
Expand Up @@ -5,22 +5,31 @@ import (
"fmt"
"net/http"

"github.com/openfga/openfga/pkg/storage"

"github.com/canonical/lxd/lxd/identity"
"github.com/canonical/lxd/shared/api"
"github.com/canonical/lxd/shared/entity"
"github.com/canonical/lxd/shared/logger"
)

const (
// DriverTLS is the default TLS authorization driver. It is not compatible with OIDC authentication.
// DriverTLS is used at start up to allow communication between cluster members and initialise the cluster database.
DriverTLS string = "tls"

// DriverEmbeddedOpenFGA is the default authorization driver. It currently falls back to DriverTLS for all TLS
// clients. It cannot be initialised until after the cluster database to be operational.
DriverEmbeddedOpenFGA string = "embedded-openfga"
)

// ErrUnknownDriver is the "Unknown driver" error.
var ErrUnknownDriver = fmt.Errorf("Unknown driver")

var authorizers = map[string]func() authorizer{
DriverTLS: func() authorizer { return &tls{} },
DriverEmbeddedOpenFGA: func() authorizer {
return &embeddedOpenFGA{}
},
}

type authorizer interface {
Expand Down Expand Up @@ -89,7 +98,8 @@ type Authorizer interface {
// Opts is used as part of the LoadAuthorizer function so that only the relevant configuration fields are passed into a
// particular driver.
type Opts struct {
config map[string]any
config map[string]any
openfgaDatastore storage.OpenFGADatastore
}

// WithConfig can be passed into LoadAuthorizer to pass in driver specific configuration.
Expand All @@ -99,6 +109,13 @@ func WithConfig(c map[string]any) func(*Opts) {
}
}

// WithOpenFGADatastore should be passed into LoadAuthorizer when using the embedded openfga driver.
func WithOpenFGADatastore(store storage.OpenFGADatastore) func(*Opts) {
return func(o *Opts) {
o.openfgaDatastore = store
}
}

// LoadAuthorizer instantiates, configures, and initialises an Authorizer.
func LoadAuthorizer(ctx context.Context, driver string, logger logger.Logger, certificateCache *identity.Cache, options ...func(opts *Opts)) (Authorizer, error) {
opts := &Opts{}
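Review bot: Nothing in the new code guards against LoadAuthorizer being called with DriverEmbeddedOpenFGA but without the WithOpenFGADatastore option, so opts.openfgaDatastore stays nil and any failure would surface only when the driver is initialised or at its first authorization check rather than at load time; LoadAuthorizer's body continues outside the hunk, so this may already be handled there. If it is not, an early fail-closed check such as `if driver == DriverEmbeddedOpenFGA && opts.openfgaDatastore == nil { return nil, fmt.Errorf("Driver %q requires an OpenFGA datastore", driver) }` after the options are applied would keep a misconfigured authorizer from ever being returned to callers. Separately, the doc comment on DriverEmbeddedOpenFGA reads "It cannot be initialised until after the cluster database to be operational"; `// It cannot be initialised until the cluster database is operational.` says the same thing correctly.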