How to confine projects to specific users
You can use projects to confine the activities of different users or clients. See Confined projects in a multi-user environment for more information.
How to confine a project to a specific user depends on the authentication method you choose.
Confine projects to specific TLS clients
You can confine access to specific projects by restricting the TLS client certificate that is used to connect to the LXD server. See TLS client certificates for detailed information.
Note
The UI does not currently support configuring project confinement. Use the CLI or API to set up confinement.
To confine the access from the time the client certificate is added, you must either use token authentication or add the client certificate to the server directly. If you use password authentication, you can restrict the client certificate only after it has been added.
Follow these instructions:
Using the CLI:
If you’re using token authentication:
lxc config trust add --projects <project_name> --restricted
To add the client certificate directly:
lxc config trust add <certificate_file> --projects <project_name> --restricted
The client can then add the server as a remote in the usual way (lxc remote add <server_name> <token> or lxc remote add <server_name> <server_address>) and can only access the project or projects that have been specified.
To confine access for an existing certificate (either because the access restrictions change or because the certificate was added with a trust password), use the following command:
lxc config trust edit <fingerprint>
Make sure that restricted is set to true and specify the projects that the certificate should give access to under projects.
Note
You can specify the --project flag when adding a remote. This configuration pre-selects the specified project. However, it does not confine the client to this project.
Using the API:
If you’re using token authentication, create the token first:
lxc query --request POST /1.0/certificates --data '{
"name": "<client_name>",
"projects": ["<project_name>"],
"restricted": true,
"token": true,
"type": "client"
}'
See POST /1.0/certificates for more information.
The return value of this query contains an operation that has the information that is required to generate the trust token:
{
"class": "token",
...
"metadata": {
"addresses": [
"<server_address>"
],
"fingerprint": "<fingerprint>",
...
"secret": "<secret>"
},
...
}
Use this information to generate the trust token:
echo -n '{"client_name":"<client_name>","fingerprint":"<fingerprint>",'\
'"addresses":["<server_address>"],'\
'"secret":"<secret>","expires_at":"0001-01-01T00:00:00Z"}' | base64 -w0
To instead add the client certificate directly, send the following request:
lxc query --request POST /1.0/certificates --data '{
"certificate": "<certificate>",
"name": "<client_name>",
"projects": ["<project_name>"],
"restricted": true,
"token": false,
"type": "client"
}'
The client can then authenticate using this trust token or client certificate and can only access the project or projects that have been specified.
On the client, generate a certificate to use for the connection:
openssl req -x509 -newkey rsa:2048 -keyout "<keyfile_name>" -nodes \
-out "<crtfile_name>" -subj "/CN=<client_name>"
Then send a POST request to the /1.0/certificates?public endpoint to authenticate:
curl -k -s --key "<keyfile_name>" --cert "<crtfile_name>" \
-X POST https://<server_address>/1.0/certificates \
--data '{ "password": "<trust_token>" }'
See POST /1.0/certificates?public for more information.
To confine access for an existing certificate:
Using the CLI, use the following command:
lxc config trust edit <fingerprint>
Using the API, send the following request:
lxc query --request PATCH /1.0/certificates/<fingerprint> --data '{
"projects": ["<project_name>"],
"restricted": true
}'
Make sure that restricted is set to true and specify the projects that the certificate should give access to under projects.
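Two helpers for the token-based API flow above, as an added example (not LXD's own code): trust_token builds the base64 trust token from the operation metadata the way the echo | base64 step does, and unconfined_entries checks a list of trust entries (in the shape of the PATCH body) for certificates that are not restricted or that grant projects outside the set you intended. The operation, the trust entries, the address and the project names are constructed placeholders.

```python
import base64
import json

# Constructed sample of the operation returned by POST /1.0/certificates with
# "token": true; only the fields the token needs, values are placeholders.
SAMPLE_OPERATION = {
    "class": "token",
    "metadata": {"addresses": ["10.0.0.5:8443"],
                 "fingerprint": "<fingerprint placeholder>",
                 "secret": "constructed-secret"},
}
# Constructed trust-store entries in the shape of the PATCH body above.
SAMPLE_TRUST = [
    {"name": "tenant-a-client", "restricted": True, "projects": ["tenant-a"]},
    {"name": "ci-runner", "restricted": False, "projects": []},
    {"name": "shared-client", "restricted": True, "projects": ["tenant-a", "default"]},
]

def trust_token(operation, client_name):
    """Build the base64 trust token from the operation metadata, using the same
    fields and order as the echo | base64 step (expires_at is the zero time)."""
    meta = operation["metadata"]
    payload = {
        "client_name": client_name,
        "fingerprint": meta["fingerprint"],
        "addresses": meta["addresses"],
        "secret": meta["secret"],
        "expires_at": "0001-01-01T00:00:00Z",
    }
    compact = json.dumps(payload, separators=(",", ":"))
    return base64.b64encode(compact.encode()).decode()

def decode_trust_token(token):
    """Decode a token to see what it grants before handing it to a client."""
    return json.loads(base64.b64decode(token))

def unconfined_entries(entries, allowed_projects):
    """Flag trust entries that are not restricted, or that grant projects
    beyond allowed_projects; returns (name, reason) pairs."""
    findings = []
    for entry in entries:
        if not entry.get("restricted"):
            findings.append((entry["name"], "not restricted"))
            continue
        extra = sorted(set(entry.get("projects", [])) - set(allowed_projects))
        if extra:
            findings.append((entry["name"], "extra projects: " + ", ".join(extra)))
    return findings
```

Feed unconfined_entries the certificate list from your own server (for example the output of lxc config trust list with --format json) to spot a certificate that was added without --restricted.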
Confine projects to specific LXD users
If you use the LXD snap, you can configure the multi-user LXD daemon contained in the snap to dynamically create projects for all users in a specific user group.
To do so, set the daemon.user.group configuration option to the corresponding user group:
sudo snap set lxd daemon.user.group=<user_group>
Make sure that all user accounts that you want to be able to use LXD are a member of this group.
Once a member of the group issues an LXD command, LXD creates a confined project for this user and switches to this project. If LXD has not been initialized at this point, it is automatically initialized (with the default settings).
If you want to customize the project settings, for example, to impose limits or restrictions, you can do so after the project has been created.
To modify the project configuration, you must have full access to LXD, which means you must be part of the lxd group and not only the group that you configured as the LXD user group.