Documentation ¶
Constants ¶
This section is empty.
Variables ¶
var EntityTypeToEntitlements = map[entity.Type][]Entitlement{
	entity.TypeCertificate: {
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeClusterLink: {
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeAuthGroup: {
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeIdentity: {
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeIdentityProviderGroup: {
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeImage: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeImageAlias: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeInstance: {
		EntitlementUser,
		EntitlementOperator,
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
		EntitlementCanUpdateState,
		EntitlementCanManageSnapshots,
		EntitlementCanManageBackups,
		EntitlementCanConnectSFTP,
		EntitlementCanAccessFiles,
		EntitlementCanAccessConsole,
		EntitlementCanExec,
	},
	entity.TypeNetwork: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeNetworkACL: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeNetworkZone: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypePlacementGroup: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeProfile: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeProject: {
		EntitlementOperator,
		EntitlementViewer,
		EntitlementCanView,
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementImageManager,
		EntitlementCanCreateImages,
		EntitlementCanViewImages,
		EntitlementCanEditImages,
		EntitlementCanDeleteImages,
		EntitlementImageAliasManager,
		EntitlementCanCreateImageAliases,
		EntitlementCanViewImageAliases,
		EntitlementCanEditImageAliases,
		EntitlementCanDeleteImageAliases,
		EntitlementInstanceManager,
		EntitlementCanCreateInstances,
		EntitlementCanViewInstances,
		EntitlementCanEditInstances,
		EntitlementCanDeleteInstances,
		EntitlementCanOperateInstances,
		EntitlementNetworkManager,
		EntitlementCanCreateNetworks,
		EntitlementCanViewNetworks,
		EntitlementCanEditNetworks,
		EntitlementCanDeleteNetworks,
		EntitlementNetworkACLManager,
		EntitlementCanCreateNetworkACLs,
		EntitlementCanViewNetworkACLs,
		EntitlementCanEditNetworkACLs,
		EntitlementCanDeleteNetworkACLs,
		EntitlementNetworkZoneManager,
		EntitlementCanCreateNetworkZones,
		EntitlementCanViewNetworkZones,
		EntitlementCanEditNetworkZones,
		EntitlementCanDeleteNetworkZones,
		EntitlementProfileManager,
		EntitlementCanCreateProfiles,
		EntitlementCanViewProfiles,
		EntitlementCanEditProfiles,
		EntitlementCanDeleteProfiles,
		EntitlementStorageVolumeManager,
		EntitlementCanCreateStorageVolumes,
		EntitlementCanViewStorageVolumes,
		EntitlementCanEditStorageVolumes,
		EntitlementCanDeleteStorageVolumes,
		EntitlementStorageBucketManager,
		EntitlementCanCreateStorageBuckets,
		EntitlementCanViewStorageBuckets,
		EntitlementCanEditStorageBuckets,
		EntitlementCanDeleteStorageBuckets,
		EntitlementPlacementGroupManager,
		EntitlementCanCreatePlacementGroups,
		EntitlementCanViewPlacementGroups,
		EntitlementCanEditPlacementGroups,
		EntitlementCanDeletePlacementGroups,
		EntitlementCanViewOperations,
		EntitlementCanViewEvents,
		EntitlementCanViewMetrics,
	},
	entity.TypeServer: {
		EntitlementAdmin,
		EntitlementViewer,
		EntitlementCanEdit,
		EntitlementPermissionManager,
		EntitlementCanViewPermissions,
		EntitlementCanCreateIdentities,
		EntitlementCanViewIdentities,
		EntitlementCanEditIdentities,
		EntitlementCanDeleteIdentities,
		EntitlementCanCreateGroups,
		EntitlementCanViewGroups,
		EntitlementCanEditGroups,
		EntitlementCanDeleteGroups,
		EntitlementCanCreateIdentityProviderGroups,
		EntitlementCanViewIdentityProviderGroups,
		EntitlementCanEditIdentityProviderGroups,
		EntitlementCanDeleteIdentityProviderGroups,
		EntitlementStoragePoolManager,
		EntitlementCanCreateStoragePools,
		EntitlementCanEditStoragePools,
		EntitlementCanDeleteStoragePools,
		EntitlementProjectManager,
		EntitlementCanCreateProjects,
		EntitlementCanViewProjects,
		EntitlementCanEditProjects,
		EntitlementCanDeleteProjects,
		EntitlementCanOverrideClusterTargetRestriction,
		EntitlementCanViewEvents,
		EntitlementCanViewOperations,
		EntitlementCanViewResources,
		EntitlementCanViewMetrics,
		EntitlementCanViewWarnings,
		EntitlementCanViewUnmanagedNetworks,
		EntitlementCanCreateClusterLinks,
		EntitlementCanViewClusterLinks,
		EntitlementCanEditClusterLinks,
		EntitlementCanDeleteClusterLinks,
	},
	entity.TypeStorageBucket: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
	},
	entity.TypeStoragePool: {
		EntitlementCanEdit,
		EntitlementCanDelete,
	},
	entity.TypeStorageVolume: {
		EntitlementCanEdit,
		EntitlementCanDelete,
		EntitlementCanView,
		EntitlementCanManageSnapshots,
		EntitlementCanManageBackups,
	},
}
Functions ¶
func IsDeniedError ¶
IsDeniedError returns true if the error is a not found or forbidden error. This is because the CheckPermission method on Authorizer returns a not found error if the requestor does not have access to view the resource. If a requestor has view access but not edit access, a forbidden error is returned.
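The denial semantics described above, modelled as an added example (not code from this package): `statusError`, `server`, `isDenied`, `editStatus` and the sample grants are hypothetical stand-ins, and the stand-in check needs `can_view` granted explicitly. It shows that a caller without view access gets the same answer for a real and a nonexistent entity, and that a backend failure is not treated as a denial.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// statusError is a hypothetical stand-in for an API error that carries an
// HTTP status code. It is not the package's own error type.
type statusError struct {
	status int
	msg    string
}

func (e statusError) Error() string { return e.msg }

// isDenied follows the contract documented for IsDeniedError: "not found"
// and "forbidden" are both authorization denials.
func isDenied(err error) bool {
	var se statusError
	if !errors.As(err, &se) {
		return false
	}
	return se.status == http.StatusNotFound || se.status == http.StatusForbidden
}

// server is a toy model: which entities exist and what each caller holds.
type server struct {
	exists      map[string]bool
	grants      map[string]map[string]map[string]bool // caller -> URL -> entitlement set
	backendDown bool
}

// checkPermission models the documented CheckPermission outcomes. It never
// consults s.exists, so a denial cannot reveal whether the entity is real.
func (s *server) checkPermission(caller, entityURL, entitlement string) error {
	if s.backendDown {
		return errors.New("authorization backend unavailable")
	}
	held := s.grants[caller][entityURL]
	if !held["can_view"] {
		return statusError{status: http.StatusNotFound, msg: "Not found"}
	}
	if !held[entitlement] {
		return statusError{status: http.StatusForbidden, msg: "Forbidden"}
	}
	return nil
}

// editStatus returns the HTTP status an edit request would receive.
func (s *server) editStatus(caller, entityURL string) int {
	err := s.checkPermission(caller, entityURL, "can_edit")
	switch {
	case err == nil && s.exists[entityURL]:
		return http.StatusOK
	case err == nil:
		return http.StatusNotFound
	case isDenied(err):
		var se statusError
		errors.As(err, &se)
		return se.status
	default:
		// Not a denial: report a server fault, never "no access".
		return http.StatusInternalServerError
	}
}

// sampleServer returns constructed sample data (hypothetical callers and URL).
func sampleServer() *server {
	const c1 = "/1.0/instances/c1?project=default"
	return &server{
		exists: map[string]bool{c1: true},
		grants: map[string]map[string]map[string]bool{
			"editor": {c1: {"can_view": true, "can_edit": true}},
			"viewer": {c1: {"can_view": true}},
		},
	}
}

func main() {
	s := sampleServer()
	for _, caller := range []string{"editor", "viewer", "outsider"} {
		fmt.Println(caller, s.editStatus(caller, "/1.0/instances/c1?project=default"))
	}
	fmt.Println("outsider, missing entity:",
		s.editStatus("outsider", "/1.0/instances/nope?project=default"))
}
```
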
func ValidateEntitlement ¶
func ValidateEntitlement(entityType entity.Type, entitlement Entitlement) error
ValidateEntitlement returns an error if the given Entitlement does not apply to the entity.Type.
Types ¶
type Authorizer ¶
type Authorizer interface {
	// Driver returns the driver name.
	Driver() string

	// CheckPermission checks if the caller has the given entitlement on the entity found at the given URL.
	//
	// Note: When a project does not have a feature enabled, the given URL should contain the request project, and the
	// effective project for the entity should be set on the request.Info in the given context.
	CheckPermission(ctx context.Context, entityURL *api.URL, entitlement Entitlement) error

	// GetPermissionChecker returns a PermissionChecker for a particular entity.Type.
	//
	// Note: As with CheckPermission, arguments to the returned PermissionChecker should contain the request project for
	// the entity. The effective project for the entity must be set on the request.Info in the given context before
	// calling the PermissionChecker.
	GetPermissionChecker(ctx context.Context, entitlement Entitlement, entityType entity.Type) (PermissionChecker, error)

	// CheckPermissionWithoutEffectiveProject checks a permission, but does not replace the project in the entity URL
	// with the effective project stored in the context.
	//
	// Warn: You almost never need this function. You should use CheckPermission instead.
	CheckPermissionWithoutEffectiveProject(ctx context.Context, entityURL *api.URL, entitlement Entitlement) error

	// GetPermissionCheckerWithoutEffectiveProject returns a PermissionChecker that does not replace the project in the
	// entity URL with the effective project stored in the context.
	//
	// Warn: You almost never need this function. You should use GetPermissionChecker instead.
	GetPermissionCheckerWithoutEffectiveProject(ctx context.Context, entitlement Entitlement, entityType entity.Type) (PermissionChecker, error)

	// GetViewableProjects accepts a list of permissions and returns a list of projects that a member of a group with these permissions is able to view.
	GetViewableProjects(ctx context.Context, permissions []api.Permission) ([]string, error)
}
Authorizer is the primary external API for this package.
type Entitlement ¶
type Entitlement string
Entitlement is a representation of the relations that group members can have with entity types.
const (
	// EntitlementCanView is the "can_view" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeClusterLink, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypePlacementGroup, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStorageVolume.
	EntitlementCanView Entitlement = "can_view"

	// EntitlementCanEdit is the "can_edit" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeClusterLink, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypePlacementGroup, entity.TypeProfile, entity.TypeProject, entity.TypeServer, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanEdit Entitlement = "can_edit"

	// EntitlementCanDelete is the "can_delete" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeClusterLink, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypePlacementGroup, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanDelete Entitlement = "can_delete"

	// EntitlementAdmin is the "admin" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementAdmin Entitlement = "admin"

	// EntitlementViewer is the "viewer" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementViewer Entitlement = "viewer"

	// EntitlementPermissionManager is the "permission_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementPermissionManager Entitlement = "permission_manager"

	// EntitlementCanViewPermissions is the "can_view_permissions" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewPermissions Entitlement = "can_view_permissions"

	// EntitlementCanCreateIdentities is the "can_create_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentities Entitlement = "can_create_identities"

	// EntitlementCanViewIdentities is the "can_view_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentities Entitlement = "can_view_identities"

	// EntitlementCanEditIdentities is the "can_edit_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentities Entitlement = "can_edit_identities"

	// EntitlementCanDeleteIdentities is the "can_delete_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentities Entitlement = "can_delete_identities"

	// EntitlementCanCreateGroups is the "can_create_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateGroups Entitlement = "can_create_groups"

	// EntitlementCanViewGroups is the "can_view_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewGroups Entitlement = "can_view_groups"

	// EntitlementCanEditGroups is the "can_edit_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditGroups Entitlement = "can_edit_groups"

	// EntitlementCanDeleteGroups is the "can_delete_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteGroups Entitlement = "can_delete_groups"

	// EntitlementCanCreateIdentityProviderGroups is the "can_create_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentityProviderGroups Entitlement = "can_create_identity_provider_groups"

	// EntitlementCanViewIdentityProviderGroups is the "can_view_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentityProviderGroups Entitlement = "can_view_identity_provider_groups"

	// EntitlementCanEditIdentityProviderGroups is the "can_edit_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentityProviderGroups Entitlement = "can_edit_identity_provider_groups"

	// EntitlementCanDeleteIdentityProviderGroups is the "can_delete_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentityProviderGroups Entitlement = "can_delete_identity_provider_groups"

	// EntitlementStoragePoolManager is the "storage_pool_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementStoragePoolManager Entitlement = "storage_pool_manager"

	// EntitlementCanCreateStoragePools is the "can_create_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateStoragePools Entitlement = "can_create_storage_pools"

	// EntitlementCanEditStoragePools is the "can_edit_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditStoragePools Entitlement = "can_edit_storage_pools"

	// EntitlementCanDeleteStoragePools is the "can_delete_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteStoragePools Entitlement = "can_delete_storage_pools"

	// EntitlementProjectManager is the "project_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementProjectManager Entitlement = "project_manager"

	// EntitlementCanCreateProjects is the "can_create_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateProjects Entitlement = "can_create_projects"

	// EntitlementCanViewProjects is the "can_view_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewProjects Entitlement = "can_view_projects"

	// EntitlementCanEditProjects is the "can_edit_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditProjects Entitlement = "can_edit_projects"

	// EntitlementCanDeleteProjects is the "can_delete_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteProjects Entitlement = "can_delete_projects"

	// EntitlementCanOverrideClusterTargetRestriction is the "can_override_cluster_target_restriction" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanOverrideClusterTargetRestriction Entitlement = "can_override_cluster_target_restriction"

	// EntitlementCanViewEvents is the "can_view_events" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementCanViewEvents Entitlement = "can_view_events"

	// EntitlementCanViewOperations is the "can_view_operations" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementCanViewOperations Entitlement = "can_view_operations"

	// EntitlementCanViewResources is the "can_view_resources" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewResources Entitlement = "can_view_resources"

	// EntitlementCanViewMetrics is the "can_view_metrics" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementCanViewMetrics Entitlement = "can_view_metrics"

	// EntitlementCanViewWarnings is the "can_view_warnings" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewWarnings Entitlement = "can_view_warnings"

	// EntitlementCanViewUnmanagedNetworks is the "can_view_unmanaged_networks" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewUnmanagedNetworks Entitlement = "can_view_unmanaged_networks"

	// EntitlementCanCreateClusterLinks is the "can_create_cluster_links" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateClusterLinks Entitlement = "can_create_cluster_links"

	// EntitlementCanViewClusterLinks is the "can_view_cluster_links" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewClusterLinks Entitlement = "can_view_cluster_links"

	// EntitlementCanEditClusterLinks is the "can_edit_cluster_links" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditClusterLinks Entitlement = "can_edit_cluster_links"

	// EntitlementCanDeleteClusterLinks is the "can_delete_cluster_links" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteClusterLinks Entitlement = "can_delete_cluster_links"

	// EntitlementOperator is the "operator" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeProject.
	EntitlementOperator Entitlement = "operator"

	// EntitlementImageManager is the "image_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageManager Entitlement = "image_manager"

	// EntitlementCanCreateImages is the "can_create_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImages Entitlement = "can_create_images"

	// EntitlementCanViewImages is the "can_view_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImages Entitlement = "can_view_images"

	// EntitlementCanEditImages is the "can_edit_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImages Entitlement = "can_edit_images"

	// EntitlementCanDeleteImages is the "can_delete_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImages Entitlement = "can_delete_images"

	// EntitlementImageAliasManager is the "image_alias_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageAliasManager Entitlement = "image_alias_manager"

	// EntitlementCanCreateImageAliases is the "can_create_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImageAliases Entitlement = "can_create_image_aliases"

	// EntitlementCanViewImageAliases is the "can_view_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImageAliases Entitlement = "can_view_image_aliases"

	// EntitlementCanEditImageAliases is the "can_edit_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImageAliases Entitlement = "can_edit_image_aliases"

	// EntitlementCanDeleteImageAliases is the "can_delete_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImageAliases Entitlement = "can_delete_image_aliases"

	// EntitlementInstanceManager is the "instance_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementInstanceManager Entitlement = "instance_manager"

	// EntitlementCanCreateInstances is the "can_create_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateInstances Entitlement = "can_create_instances"

	// EntitlementCanViewInstances is the "can_view_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewInstances Entitlement = "can_view_instances"

	// EntitlementCanEditInstances is the "can_edit_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditInstances Entitlement = "can_edit_instances"

	// EntitlementCanDeleteInstances is the "can_delete_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteInstances Entitlement = "can_delete_instances"

	// EntitlementCanOperateInstances is the "can_operate_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanOperateInstances Entitlement = "can_operate_instances"

	// EntitlementNetworkManager is the "network_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkManager Entitlement = "network_manager"

	// EntitlementCanCreateNetworks is the "can_create_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworks Entitlement = "can_create_networks"

	// EntitlementCanViewNetworks is the "can_view_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworks Entitlement = "can_view_networks"

	// EntitlementCanEditNetworks is the "can_edit_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworks Entitlement = "can_edit_networks"

	// EntitlementCanDeleteNetworks is the "can_delete_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworks Entitlement = "can_delete_networks"

	// EntitlementNetworkACLManager is the "network_acl_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkACLManager Entitlement = "network_acl_manager"

	// EntitlementCanCreateNetworkACLs is the "can_create_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkACLs Entitlement = "can_create_network_acls"

	// EntitlementCanViewNetworkACLs is the "can_view_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkACLs Entitlement = "can_view_network_acls"

	// EntitlementCanEditNetworkACLs is the "can_edit_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkACLs Entitlement = "can_edit_network_acls"

	// EntitlementCanDeleteNetworkACLs is the "can_delete_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkACLs Entitlement = "can_delete_network_acls"

	// EntitlementNetworkZoneManager is the "network_zone_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkZoneManager Entitlement = "network_zone_manager"

	// EntitlementCanCreateNetworkZones is the "can_create_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkZones Entitlement = "can_create_network_zones"

	// EntitlementCanViewNetworkZones is the "can_view_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkZones Entitlement = "can_view_network_zones"

	// EntitlementCanEditNetworkZones is the "can_edit_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkZones Entitlement = "can_edit_network_zones"

	// EntitlementCanDeleteNetworkZones is the "can_delete_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkZones Entitlement = "can_delete_network_zones"

	// EntitlementProfileManager is the "profile_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementProfileManager Entitlement = "profile_manager"

	// EntitlementCanCreateProfiles is the "can_create_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateProfiles Entitlement = "can_create_profiles"

	// EntitlementCanViewProfiles is the "can_view_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewProfiles Entitlement = "can_view_profiles"

	// EntitlementCanEditProfiles is the "can_edit_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditProfiles Entitlement = "can_edit_profiles"

	// EntitlementCanDeleteProfiles is the "can_delete_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteProfiles Entitlement = "can_delete_profiles"

	// EntitlementStorageVolumeManager is the "storage_volume_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageVolumeManager Entitlement = "storage_volume_manager"

	// EntitlementCanCreateStorageVolumes is the "can_create_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageVolumes Entitlement = "can_create_storage_volumes"

	// EntitlementCanViewStorageVolumes is the "can_view_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageVolumes Entitlement = "can_view_storage_volumes"

	// EntitlementCanEditStorageVolumes is the "can_edit_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageVolumes Entitlement = "can_edit_storage_volumes"

	// EntitlementCanDeleteStorageVolumes is the "can_delete_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageVolumes Entitlement = "can_delete_storage_volumes"

	// EntitlementStorageBucketManager is the "storage_bucket_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageBucketManager Entitlement = "storage_bucket_manager"

	// EntitlementCanCreateStorageBuckets is the "can_create_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageBuckets Entitlement = "can_create_storage_buckets"

	// EntitlementCanViewStorageBuckets is the "can_view_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageBuckets Entitlement = "can_view_storage_buckets"

	// EntitlementCanEditStorageBuckets is the "can_edit_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageBuckets Entitlement = "can_edit_storage_buckets"

	// EntitlementCanDeleteStorageBuckets is the "can_delete_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageBuckets Entitlement = "can_delete_storage_buckets"

	// EntitlementPlacementGroupManager is the "placement_group_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementPlacementGroupManager Entitlement = "placement_group_manager"

	// EntitlementCanCreatePlacementGroups is the "can_create_placement_groups" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreatePlacementGroups Entitlement = "can_create_placement_groups"

	// EntitlementCanViewPlacementGroups is the "can_view_placement_groups" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewPlacementGroups Entitlement = "can_view_placement_groups"

	// EntitlementCanEditPlacementGroups is the "can_edit_placement_groups" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditPlacementGroups Entitlement = "can_edit_placement_groups"

	// EntitlementCanDeletePlacementGroups is the "can_delete_placement_groups" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeletePlacementGroups Entitlement = "can_delete_placement_groups"

	// EntitlementUser is the "user" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementUser Entitlement = "user"

	// EntitlementCanUpdateState is the "can_update_state" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanUpdateState Entitlement = "can_update_state"

	// EntitlementCanManageSnapshots is the "can_manage_snapshots" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageSnapshots Entitlement = "can_manage_snapshots"

	// EntitlementCanManageBackups is the "can_manage_backups" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageBackups Entitlement = "can_manage_backups"

	// EntitlementCanConnectSFTP is the "can_connect_sftp" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanConnectSFTP Entitlement = "can_connect_sftp"

	// EntitlementCanAccessFiles is the "can_access_files" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessFiles Entitlement = "can_access_files"

	// EntitlementCanAccessConsole is the "can_access_console" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessConsole Entitlement = "can_access_console"

	// EntitlementCanExec is the "can_exec" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanExec Entitlement = "can_exec"
)
func EntitlementsByEntityType ¶
func EntitlementsByEntityType(entityType entity.Type) []Entitlement
EntitlementsByEntityType returns a list of available Entitlement for the entity.Type.
type EntitlementReporter ¶
type EntitlementReporter interface {
// ReportEntitlements adds entitlements to the entity.
// Note: this needs to be a list of string because the implementations of this method will be for the API types.
ReportEntitlements([]string)
}
EntitlementReporter is an interface for adding entitlements to an entity.
type PermissionChecker ¶
PermissionChecker is a type alias for a function that returns whether a user has required permissions on an object. It is returned by Authorizer.GetPermissionChecker.
type TokenLocation ¶
type TokenLocation uint8
TokenLocation describes the found or expected location of a token set by a client for bearer (JWT) authentication.
const (
	// TokenLocationAuthorizationBearer is used when the token is found in the 'Authorization' header, prefixed with 'Bearer '.
	TokenLocationAuthorizationBearer TokenLocation = iota + 1

	// TokenLocationCookie is used by the initial UI token identity to gain API access.
	// Tokens presented as cookies (aside from OIDC session tokens) must be issued for the initial UI access identity.
	TokenLocationCookie

	// TokenLocationQuery is used only when accessing LXD UI via an initial UI access link.
	// It may only be set when converting a token issued for the initial UI identity from a query parameter into a cookie.
	TokenLocationQuery
)
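One way to enforce the location rules stated in these comments, as an added example that is not LXD's code: the cookie name, query parameter, `locateToken`, `checkLocation`, `sampleRequest` and the rejection of a token presented in more than one location are assumptions of this sketch. OIDC session cookies are out of its scope, and the header location is accepted for any identity because the comments state no restriction for it.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TokenLocation and its constants repeat the declaration documented above.
type TokenLocation uint8

const (
	TokenLocationAuthorizationBearer TokenLocation = iota + 1
	TokenLocationCookie
	TokenLocationQuery
)

// Hypothetical names chosen for this example only.
const (
	exampleCookieName = "example_token"
	exampleQueryParam = "token"
)

var (
	errNoToken       = errors.New("no bearer token presented")
	errAmbiguous     = errors.New("token presented in more than one location")
	errWrongLocation = errors.New("token not acceptable at this location")
)

// locateToken returns the token and the single location it was presented in.
func locateToken(r *http.Request) (string, TokenLocation, error) {
	found := map[TokenLocation]string{}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		if tok := strings.TrimPrefix(h, "Bearer "); tok != "" {
			found[TokenLocationAuthorizationBearer] = tok
		}
	}
	if c, err := r.Cookie(exampleCookieName); err == nil && c.Value != "" {
		found[TokenLocationCookie] = c.Value
	}
	if q := r.URL.Query().Get(exampleQueryParam); q != "" {
		found[TokenLocationQuery] = q
	}
	switch len(found) {
	case 0:
		return "", 0, errNoToken
	case 1:
		for loc, tok := range found {
			return tok, loc, nil
		}
	}
	return "", 0, errAmbiguous
}

// checkLocation applies the documented rules after the token is verified.
// forInitialUI: the token was issued for the initial UI access identity.
// converting: this request turns a query-parameter token into a cookie.
func checkLocation(loc TokenLocation, forInitialUI, converting bool) error {
	switch loc {
	case TokenLocationAuthorizationBearer:
		return nil
	case TokenLocationCookie:
		if forInitialUI {
			return nil
		}
	case TokenLocationQuery:
		if forInitialUI && converting {
			return nil
		}
	}
	return errWrongLocation
}

// sampleRequest builds a constructed request; empty arguments are omitted.
func sampleRequest(bearer, cookie, query string) *http.Request {
	target := "https://lxd.example/1.0"
	if query != "" {
		target += "?" + exampleQueryParam + "=" + query
	}
	r, _ := http.NewRequest(http.MethodGet, target, nil)
	if bearer != "" {
		r.Header.Set("Authorization", "Bearer "+bearer)
	}
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: exampleCookieName, Value: cookie})
	}
	return r
}

func main() {
	_, loc, err := locateToken(sampleRequest("", "", "tok-ui"))
	fmt.Println(loc, err, checkLocation(loc, true, false))
}
```
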
Directories ¶
| Path | Synopsis |
|---|---|
| | This program reads an OpenFGA model in DSL format and generates a Go file containing a type definition for `Entitlement`, an Entitlement for each relation in the model that can have a `group#member` as a directly related user type, and a map of entity type to list of entitlements that can be granted for that entity type. |