Authorization
When interacting with Incus over the Unix socket, members of the incus-admin group have full access to the Incus API. Users who are only members of the incus group are restricted to a single project tied to their user.
When interacting with Incus over the network (see How to expose Incus to the network for instructions), user access can be further authenticated and restricted. There are two supported authorization methods: TLS authorization and Open Fine-Grained Authorization (OpenFGA).
TLS authorization
Incus natively supports restricting trusted TLS clients to one or more projects. When a client certificate is restricted, the client is also prevented from making global configuration changes and from altering the configuration (limits, restrictions) of the projects it is allowed to access.
To restrict access, use incus config trust edit <fingerprint>. Set the restricted key to true and specify the list of projects the client is confined to. If the list of projects is empty, the client is not allowed access to any project.
This authorization method is always applied when a client authenticates with TLS, regardless of whether another authorization method is configured.
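The following trust entry is an added illustration, not taken from the Incus documentation. It shows the shape of the entry that incus config trust edit <fingerprint> opens for a client certificate, with the restricted and projects keys set as described above. The name, project names and certificate body are placeholders; the remaining field names follow the certificate entry as printed by incus config trust show and are assumed here rather than stated on this page.

```yaml
# Trust entry for a CI client certificate, confined to two projects.
# Added example; the name, projects and PEM body are placeholders.
name: ci-runner
type: client
restricted: true        # false would give this certificate full API access
projects:               # an empty list here would deny access to every project
  - ci
  - staging
certificate: |
  -----BEGIN CERTIFICATE-----
  (PEM body of the client certificate omitted)
  -----END CERTIFICATE-----
```

After saving, confirm the result with incus config trust show <fingerprint>: a client whose entry shows restricted: false keeps full API access whatever the projects list says, and a restricted client cannot edit the limits or restrictions of ci or staging even though it can manage the instances inside them.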
Open Fine-Grained Authorization (OpenFGA)
Incus supports integration with OpenFGA. This authorization method is highly granular: it can, for example, restrict a user's access to a single instance.
To use OpenFGA for authorization, you must configure and run an OpenFGA server yourself. To enable this authorization method in Incus, set the openfga.* server configuration options. Incus connects to the OpenFGA server, writes the OpenFGA model to it, and queries it for an authorization decision on every subsequent request. Because every decision comes from that server, protect it and its store as carefully as Incus itself: anyone who can write tuples there can grant themselves any relation, including the ones listed as equivalent to host root below.
OpenFGA model
With OpenFGA, access to a particular API resource is determined by the user's relationship to it. These relationships are defined by an OpenFGA authorization model. The Incus OpenFGA authorization model describes API resources in terms of their relationship to other resources, and the relationships a user or group may have with each resource. Some convenient relations have also been built into the model:
- server -> admin: Full access to Incus.
- server -> operator: Full access to Incus, without edit access on server configuration, certificates, or storage pools.
- server -> viewer: Can view all server-level configuration but cannot edit it. Cannot view projects or their contents.
- project -> admin: Full access to a single project, including edit access. (The model defines this top-level relation as admin; there is no manager relation.)
- project -> operator: Full access to a single project, without edit access.
- project -> viewer: View access for a single project.
- instance -> admin: Full access to a single instance, including edit access.
- instance -> operator: Full access to a single instance, without edit access.
- instance -> user: View access to a single instance, plus permission to use the exec, console, and file APIs.
- instance -> viewer: View access for a single instance.
Important
Users that you do not trust with root access to the host must not be granted the following relations, because each of them allows editing server configuration, certificates, storage pools, or a project's own configuration (including the restrictions that confine it):
- server -> admin
- server -> operator
- server -> can_edit
- server -> can_create_storage_pools
- server -> can_create_projects
- server -> can_create_certificates
- certificate -> can_edit
- storage_pool -> can_edit
- project -> admin
The remaining relations may be granted, but you must apply appropriate project restrictions.
The full Incus OpenFGA authorization model is defined in internal/server/auth/driver_openfga_model.openfga:
```openfga
model
  schema 1.1

type user

type group
  relations
    define member: [user]

type certificate
  relations
    define server: [server]
    define can_edit: [user, group#member] or admin from server
    define can_view: viewer from server

type image
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type image_alias
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type instance
  relations
    define project: [project]
    define admin: [user, group#member] or admin from project
    define operator: [user, group#member] or admin or operator from project
    define user: [user, group#member] or operator or user from project
    define viewer: [user, group#member] or user or viewer from project
    define can_access_console: [user, group#member] or user
    define can_access_files: [user, group#member] or user
    define can_connect_sftp: [user, group#member] or user
    define can_edit: operator
    define can_exec: [user, group#member] or user
    define can_manage_backups: [user, group#member] or operator
    define can_manage_snapshots: [user, group#member] or operator
    define can_update_state: [user, group#member] or operator
    define can_view: viewer

type network
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type network_acl
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type network_integration
  relations
    define server: [server]
    define can_edit: [user, group#member] or admin from server
    define can_view: viewer from server

type network_zone
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type profile
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type project
  relations
    define server: [server]
    define admin: [user, group#member] or admin from server
    define operator: [user, group#member] or admin or operator from server
    define user: [user, group#member] or operator or user from server
    define viewer: [user, group#member] or user
    define can_create_image_aliases: [user, group#member] or operator
    define can_create_images: [user, group#member] or operator
    define can_create_instances: [user, group#member] or operator
    define can_create_network_acls: [user, group#member] or operator
    define can_create_networks: [user, group#member] or operator
    define can_create_network_zones: [user, group#member] or operator
    define can_create_profiles: [user, group#member] or operator
    define can_create_storage_buckets: [user, group#member] or operator
    define can_create_storage_volumes: [user, group#member] or operator
    define can_edit: admin
    define can_view_events: [user, group#member] or viewer
    define can_view_operations: [user, group#member] or viewer
    define can_view: viewer

type server
  relations
    define admin: [user, group#member]
    define operator: [user, group#member] or admin
    define user: [user, group#member] or operator
    define viewer: [user:*] or user
    define can_create_certificates: [user, group#member] or admin
    define can_create_network_integrations: [user, group#member] or admin
    define can_create_projects: [user, group#member] or admin
    define can_create_storage_pools: [user, group#member] or admin
    define can_edit: admin
    define can_override_cluster_target_restriction: [user, group#member] or admin
    define can_view_metrics: [user, group#member] or viewer
    define can_view_privileged_events: [user, group#member] or admin
    define can_view_resources: [user, group#member] or viewer
    define can_view: viewer

type storage_bucket
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_view: [user, group#member] or can_edit or viewer from project

type storage_pool
  relations
    define server: [server]
    define can_edit: [user, group#member] or admin from server
    define can_view: viewer from server

type storage_volume
  relations
    define project: [project]
    define can_edit: [user, group#member] or operator from project
    define can_manage_backups: [user, group#member] or can_edit
    define can_manage_snapshots: [user, group#member] or can_edit
    define can_view: [user, group#member] or can_edit or viewer from project
```
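To see how the convenience relations and the Important list above follow from the model, here is an added example, written for this page and not part of OpenFGA or Incus: a small evaluator that encodes a subset of the model (group, server, project, instance, storage_pool) as Python data and resolves checks against a handful of constructed tuples. Object identifiers such as server:incus and instance:default/web, and the users alice, bob and carol, are assumptions for the demo. The tuple granting server viewer to the user:* wildcard is also constructed; the model permits it, so whether such a tuple exists in your store is worth checking, because it makes every user a server viewer.

```python
"""Toy evaluator for the relation rewrites in the Incus OpenFGA model.

Added example: this is not OpenFGA and not Incus code.  It encodes a subset of
the model shown on this page as plain Python data so that the `or`, `X from Y`
and `group#member` rules can be traced by hand, offline, against a few tuples.
"""

DIRECT = "direct"  # relation may be assigned by a tuple: [user, group#member] or [user:*]

# Subset of the page's model.  Each value lists the alternatives that the DSL
# joins with `or`: DIRECT, ("computed", rel) for a plain `rel`, and
# ("from", tupleset, rel) for `rel from tupleset`.
MODEL = {
    ("group", "member"): [DIRECT],
    # type server
    ("server", "admin"): [DIRECT],
    ("server", "operator"): [DIRECT, ("computed", "admin")],
    ("server", "user"): [DIRECT, ("computed", "operator")],
    ("server", "viewer"): [DIRECT, ("computed", "user")],        # DIRECT here admits user:*
    ("server", "can_create_projects"): [DIRECT, ("computed", "admin")],
    ("server", "can_edit"): [("computed", "admin")],
    ("server", "can_view"): [("computed", "viewer")],
    # type project
    ("project", "server"): [DIRECT],
    ("project", "admin"): [DIRECT, ("from", "server", "admin")],
    ("project", "operator"): [DIRECT, ("computed", "admin"), ("from", "server", "operator")],
    ("project", "user"): [DIRECT, ("computed", "operator"), ("from", "server", "user")],
    ("project", "viewer"): [DIRECT, ("computed", "user")],       # no `viewer from server`
    ("project", "can_create_instances"): [DIRECT, ("computed", "operator")],
    ("project", "can_edit"): [("computed", "admin")],
    ("project", "can_view"): [("computed", "viewer")],
    # type instance
    ("instance", "project"): [DIRECT],
    ("instance", "admin"): [DIRECT, ("from", "project", "admin")],
    ("instance", "operator"): [DIRECT, ("computed", "admin"), ("from", "project", "operator")],
    ("instance", "user"): [DIRECT, ("computed", "operator"), ("from", "project", "user")],
    ("instance", "viewer"): [DIRECT, ("computed", "user"), ("from", "project", "viewer")],
    ("instance", "can_exec"): [DIRECT, ("computed", "user")],
    ("instance", "can_edit"): [("computed", "operator")],
    ("instance", "can_view"): [("computed", "viewer")],
    # type storage_pool
    ("storage_pool", "server"): [DIRECT],
    ("storage_pool", "can_edit"): [DIRECT, ("from", "server", "admin")],
}

# Constructed tuples (object, relation, user) for the demo; not from a real store.
TUPLES = {
    ("project:default", "server", "server:incus"),          # structural links
    ("instance:default/web", "project", "project:default"),
    ("storage_pool:local", "server", "server:incus"),
    ("group:ops", "member", "user:bob"),
    ("project:default", "admin", "user:alice"),             # alice administers one project
    ("instance:default/web", "user", "group:ops#member"),   # the ops group may use one instance
    ("server:incus", "viewer", "user:*"),                   # wildcard the model permits on server.viewer
}


def _obj_type(obj):
    return obj.split(":", 1)[0]


def check(user, relation, obj, tuples=TUPLES, _path=()):
    """Return True if `user` holds `relation` on `obj` under MODEL and `tuples`."""
    key = (user, relation, obj)
    if key in _path:                      # guard against cyclic rewrites
        return False
    path = _path + (key,)
    for rule in MODEL.get((_obj_type(obj), relation), []):
        if rule == DIRECT:
            for o, r, u in tuples:
                if o != obj or r != relation:
                    continue
                if u == user or (u == "user:*" and _obj_type(user) == "user"):
                    return True
                if "#" in u:              # userset such as group:ops#member
                    uobj, urel = u.split("#", 1)
                    if check(user, urel, uobj, tuples, path):
                        return True
        elif rule[0] == "computed":       # `or rel` on the same object
            if check(user, rule[1], obj, tuples, path):
                return True
        else:                             # ("from", tupleset, rel): follow the parent link
            _, via, rel = rule
            for o, r, parent in tuples:
                if o == obj and r == via and check(user, rel, parent, tuples, path):
                    return True
    return False


def audit(user, checks, tuples=TUPLES):
    """Evaluate (relation, object) pairs for one user; returns {(relation, object): bool}."""
    return {(rel, obj): check(user, rel, obj, tuples) for rel, obj in checks}


if __name__ == "__main__":
    probes = [
        ("can_edit", "instance:default/web"),
        ("can_exec", "instance:default/web"),
        ("can_view", "project:default"),
        ("can_edit", "server:incus"),
        ("can_edit", "storage_pool:local"),
        ("can_view", "server:incus"),
    ]
    for who in ("user:alice", "user:bob", "user:carol"):
        for (rel, obj), ok in audit(who, probes).items():
            print(f"{who:12} {rel:10} {obj:22} {'allow' if ok else 'deny'}")
```

Tracing the results shows why the Important list stops at project -> admin: alice's project admin relation flows down to can_edit on the instance through admin from project, but never up to can_edit on the server or the storage pool, which only admin from server can grant. bob, an instance user via group membership, can exec into and view that one instance yet cannot view the project that contains it, since project.viewer has no viewer from instance or viewer from server path. carol, with no tuples of her own, still passes can_view on the server purely through the wildcard tuple.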