Consider the following:

```
# Via unix or as administrator
$ lxc project create foo # `features.networks` & `features.networks.zones` disabled on creation by default.
$ lxc config trust add <cert> --restricted --projects foo

# Restricted cert
$ lxc monitor --all-projects --type lifecycle
$ lxc network create foo-network --project foo
```

The restricted certificate will not see the lifecycle event relating to the creation of their network, because the network was created in the default project.
We should discuss whether it is possible to address this. Some initial ideas would be:

1. Duplicate events in the default project and emit one for each project where that feature is disabled.
2. Add some "source project" property to events.
3. Don't handle it for existing TLS users, expect that an administrator will add `can_view_events` for the default project where a group is confined to a project with any features disabled.
4. Don't handle it for existing TLS users, add logic to include a source entity in the event, fine-grained users can view the event if they have `can_view` on the entity.

Note that 4. would be generally useful. We currently require that the `can_exec` entitlement on an instance be paired with `can_view_events` on the parent project because the client uses the events websocket instead of operations (to avoid creation of multiple connections). We've discussed how to fix this before in #12885, as using operations can be problematic (connections dropping when performing a long poll).

See #13886 (comment)
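
An added illustration of idea 2, not LXD code: the types, function names and the `SourceProject` field are hypothetical, and the sample events are constructed. It models a restricted certificate that is only shown events from projects it is allowed on, first with the filter keyed on the effective project alone, then with events that also carry the project the request was made against.

```go
package main

import "fmt"

// Event is a simplified, hypothetical lifecycle event (not LXD's own type).
type Event struct {
	Action        string
	Project       string // effective project the entity is stored in
	SourceProject string // hypothetical: project the request was made against
}

// effectiveProject models the behaviour described in the issue: with the
// feature disabled on a project, the entity is created in "default".
func effectiveProject(requested string, featureEnabled bool) string {
	if featureEnabled {
		return requested
	}
	return "default"
}

// networkCreated builds the constructed event for a network creation request.
func networkCreated(requested string, featureEnabled bool) Event {
	return Event{
		Action:        "network-created",
		Project:       effectiveProject(requested, featureEnabled),
		SourceProject: requested,
	}
}

// visibleToday filters on the effective project only, so a certificate
// restricted to "foo" misses events for entities that landed in "default".
func visibleToday(allowed map[string]bool, e Event) bool {
	return allowed[e.Project]
}

// visibleWithSource also accepts the event when the caller is allowed on the
// project the request was made against. Events that other confined projects
// caused in "default" stay hidden because their source project differs.
func visibleWithSource(allowed map[string]bool, e Event) bool {
	return allowed[e.Project] || (e.SourceProject != "" && allowed[e.SourceProject])
}

func main() {
	allowed := map[string]bool{"foo": true} // restricted cert: --projects foo
	e := networkCreated("foo", false)       // features.networks disabled on foo
	fmt.Println(e.Project, visibleToday(allowed, e), visibleWithSource(allowed, e))
}
```

The check that matters for isolation is the negative one: a network created through another confined project also lands in `default`, and the source-project match must not expose it to the certificate restricted to `foo`.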