Auth: Remove can_view_configuration entitlement.

lxd/api_1.0.go

@@ -386,7 +386,8 @@ func api10Get(d *Daemon, r *http.Request) response.Response {
 	fullSrv.AuthUserName = requestor.Username
 	fullSrv.AuthUserMethod = requestor.Protocol
 
-	err = s.Authorizer.CheckPermission(r.Context(), r, entity.ServerURL(), auth.EntitlementCanViewConfiguration)
+	// Only allow identities that can edit configuration to view it as sensitive information may be stored there.
+	err = s.Authorizer.CheckPermission(r.Context(), r, entity.ServerURL(), auth.EntitlementCanEdit)
 	if err != nil && !auth.IsDeniedError(err) {
 		return response.SmartError(err)
 	} else if err == nil {

lxd/auth/authorization_types.go

@@ -25,9 +25,6 @@ const (
 	// EntitlementServerViewer is the `viewer` Entitlement. It applies to entity.TypeServer.
 	EntitlementServerViewer Entitlement = "viewer"
 
-	// EntitlementCanViewConfiguration is the `can_view_configuration` Entitlement. It applies to entity.TypeServer.
-	EntitlementCanViewConfiguration Entitlement = "can_view_configuration"
-
 	// EntitlementPermissionManager is the `permission_manager` Entitlement. It applies to entity.TypeServer.
 	EntitlementPermissionManager Entitlement = "permission_manager"
 
@@ -296,7 +293,6 @@ var allEntitlements = []Entitlement{
 	EntitlementCanDelete,
 	EntitlementServerAdmin,
 	EntitlementServerViewer,
-	EntitlementCanViewConfiguration,
 	EntitlementPermissionManager,
 	EntitlementCanViewPermissions,
 	EntitlementCanCreateIdentities,

lxd/auth/driver_openfga.go

@@ -245,7 +245,14 @@ func (e *embeddedOpenFGA) CheckPermission(ctx context.Context, r *http.Request,
 			}
 		}
 
-		l.Info("Access denied", logger.Ctx{"http_code": responseCode})
+		// For some entities, a GET request will check if the caller has permission edit permission and conditionally
+		// populate configuration that may be sensitive. To reduce log verbosity, only log these cases at debug level.
+		if entitlement == EntitlementCanEdit && r.Method == http.MethodGet {
+			l.Debug("Access denied", logger.Ctx{"http_code": responseCode})
+		} else {
+			l.Info("Access denied", logger.Ctx{"http_code": responseCode})
+		}
+
 		return api.StatusErrorf(responseCode, http.StatusText(responseCode))
 	}
 

lxd/auth/driver_openfga_model.openfga

@@ -25,7 +25,6 @@ type server
     define viewer: [identity, service_account, group#member]
     define can_edit: [identity, service_account, group#member] or admin
     define can_view: [identity:*, service_account:*]
-    define can_view_configuration: [identity, service_account, group#member] or can_edit or viewer
     define permission_manager: [identity, service_account, group#member]
     define can_view_permissions: [identity, service_account, group#member] or permission_manager or admin
     define can_create_identities: [identity, service_account, group#member] or permission_manager or admin

lxd/auth/util.go

@@ -159,7 +159,6 @@ func EntitlementsByEntityType(entityType entity.Type) ([]Entitlement, error) {
 			EntitlementCanEdit,
 			EntitlementServerAdmin,
 			EntitlementServerViewer,
-			EntitlementCanViewConfiguration,
 			EntitlementPermissionManager,
 			EntitlementCanViewPermissions,
 			EntitlementCanCreateIdentities,

test/suites/auth.sh

@@ -116,7 +116,7 @@ EOF
   echo "${list_output}" | grep -Fq 'project,/1.0/projects/default,"can_create_image_aliases,can_create_images,can_create_instances,..."'
 
   list_output="$(lxc auth permission list entity_type=server --format csv --max-entitlements 0)"
-  echo "${list_output}" | grep -Fq 'server,/1.0,"admin,can_create_groups,can_create_identities,can_create_projects,can_create_storage_pools,can_delete_groups,can_delete_identities,can_delete_projects,can_delete_storage_pools,can_edit,can_edit_groups,can_edit_identities,can_edit_projects,can_edit_storage_pools,can_override_cluster_target_restriction,can_view,can_view_configuration,can_view_groups,can_view_identities,can_view_metrics,can_view_permissions,can_view_privileged_events,can_view_projects,can_view_resources,can_view_warnings,permission_manager,project_manager,storage_pool_manager,viewer"'
+  echo "${list_output}" | grep -Fq 'server,/1.0,"admin,can_create_groups,can_create_identities,can_create_projects,can_create_storage_pools,can_delete_groups,can_delete_identities,can_delete_projects,can_delete_storage_pools,can_edit,can_edit_groups,can_edit_identities,can_edit_projects,can_edit_storage_pools,can_override_cluster_target_restriction,can_view,can_view_groups,can_view_identities,can_view_metrics,can_view_permissions,can_view_privileged_events,can_view_projects,can_view_resources,can_view_warnings,permission_manager,project_manager,storage_pool_manager,viewer"'
 
   list_output="$(lxc auth permission list entity_type=project --format csv --max-entitlements 0)"
   echo "${list_output}" | grep -Fq 'project,/1.0/projects/default,"can_create_image_aliases,can_create_images,can_create_instances,can_create_network_acls,can_create_network_zones,can_create_networks,can_create_profiles,can_create_storage_buckets,can_create_storage_volumes,can_delete,can_delete_image_aliases,can_delete_images,can_delete_instances,can_delete_network_acls,can_delete_network_zones,can_delete_networks,can_delete_profiles,can_delete_storage_buckets,can_delete_storage_volumes,can_edit,can_edit_image_aliases,can_edit_images,can_edit_instances,can_edit_network_acls,can_edit_network_zones,can_edit_networks,can_edit_profiles,can_edit_storage_buckets,can_edit_storage_volumes,can_operate_instances,can_view,can_view_events,can_view_image_aliases,can_view_images,can_view_instances,can_view_network_acls,can_view_network_zones,can_view_networks,can_view_operations,can_view_profiles,can_view_storage_buckets,can_view_storage_volumes,image_alias_manager,image_manager,instance_manager,network_acl_manager,network_manager,network_zone_manager,operator,profile_manager,storage_bucket_manager,storage_volume_manager,viewer"'