Merge pull request #1831 from stgraber/main

Various fixes from address set PR

Author: brauner

cmd/incusd/daemon.go

@@ -2029,7 +2029,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 		var resources auth.Resources
 
 		err = d.db.Cluster.Transaction(d.shutdownCtx, func(ctx context.Context, tx *db.ClusterTx) error {
-			err := query.Scan(ctx, tx.Tx(), "SELECT certificates.fingerprint from certificates", func(scan func(dest ...any) error) error {
+			err := query.Scan(ctx, tx.Tx(), "SELECT certificates.fingerprint FROM certificates", func(scan func(dest ...any) error) error {
 				var fingerprint string
 				err := scan(&fingerprint)
 				if err != nil {
@@ -2043,7 +2043,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 				return err
 			}
 
-			err = query.Scan(ctx, tx.Tx(), "SELECT name from storage_pools", func(scan func(dest ...any) error) error {
+			err = query.Scan(ctx, tx.Tx(), "SELECT name FROM storage_pools", func(scan func(dest ...any) error) error {
 				var storagePoolName string
 				err := scan(&storagePoolName)
 				if err != nil {
@@ -2057,7 +2057,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 				return err
 			}
 
-			err = query.Scan(ctx, tx.Tx(), "SELECT name from projects", func(scan func(dest ...any) error) error {
+			err = query.Scan(ctx, tx.Tx(), "SELECT name FROM projects", func(scan func(dest ...any) error) error {
 				var projectName string
 				err := scan(&projectName)
 				if err != nil {
@@ -2071,7 +2071,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 				return err
 			}
 
-			err = query.Scan(ctx, tx.Tx(), "SELECT images.fingerprint, projects.name from images JOIN projects ON projects.id=images.project_id", func(scan func(dest ...any) error) error {
+			err = query.Scan(ctx, tx.Tx(), "SELECT images.fingerprint, projects.name FROM images JOIN projects ON projects.id=images.project_id", func(scan func(dest ...any) error) error {
 				var imageFingerprint string
 				var projectName string
 				err := scan(&imageFingerprint, &projectName)
@@ -2086,7 +2086,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 				return err
 			}
 
-			err = query.Scan(ctx, tx.Tx(), "SELECT images_aliases.name, projects.name from images_aliases JOIN projects ON projects.id=images_aliases.project_id", func(scan func(dest ...any) error) error {
+			err = query.Scan(ctx, tx.Tx(), "SELECT images_aliases.name, projects.name FROM images_aliases JOIN projects ON projects.id=images_aliases.project_id", func(scan func(dest ...any) error) error {
 				var imageAliasName string
 				var projectName string
 				err := scan(&imageAliasName, &projectName)
@@ -2101,7 +2101,7 @@ func (d *Daemon) setupOpenFGA(apiURL string, apiToken string, storeID string) er
 				return err
 			}
 
-			err = query.Scan(ctx, tx.Tx(), "SELECT instances.name, projects.name from instances JOIN projects ON projects.id=instances.project_id", func(scan func(dest ...any) error) error {
+			err = query.Scan(ctx, tx.Tx(), "SELECT instances.name, projects.name FROM instances JOIN projects ON projects.id=instances.project_id", func(scan func(dest ...any) error) error {
 				var instanceName string
 				var projectName string
 				err := scan(&instanceName, &projectName)

doc/howto/network_integrations.md

@@ -47,7 +47,17 @@ This is done through `incus network peer create`, for example:
 incus network peer create default region ovn-region --type=remote
 ```
 
-## Configuration options
+## Integration properties
+
+Address sets have the following properties:
+
+Property         | Type     | Required | Description
+:--              | :--      | :--      | :--
+`name`           | string   | yes      | Name of the network integration
+`description`    | string   | no       | Description of the network integration
+`type`           | string   | yes      | Type of network integration (currently only `ovn`)
+
+## Integration configuration options
 
 The following configuration options are available for all network integrations:
 

internal/server/auth/authorization.go

@@ -111,18 +111,19 @@ type Opts struct {
 
 // Resources represents a set of current API resources as Object slices for use when loading an Authorizer.
 type Resources struct {
-	CertificateObjects       []Object
-	StoragePoolObjects       []Object
-	ProjectObjects           []Object
-	ImageObjects             []Object
-	ImageAliasObjects        []Object
-	InstanceObjects          []Object
-	NetworkObjects           []Object
-	NetworkACLObjects        []Object
-	NetworkZoneObjects       []Object
-	ProfileObjects           []Object
-	StoragePoolVolumeObjects []Object
-	StorageBucketObjects     []Object
+	CertificateObjects        []Object
+	StoragePoolObjects        []Object
+	ProjectObjects            []Object
+	ImageObjects              []Object
+	ImageAliasObjects         []Object
+	InstanceObjects           []Object
+	NetworkObjects            []Object
+	NetworkACLObjects         []Object
+	NetworkIntegrationObjects []Object
+	NetworkZoneObjects        []Object
+	ProfileObjects            []Object
+	StoragePoolVolumeObjects  []Object
+	StorageBucketObjects      []Object
 }
 
 // WithConfig can be passed into LoadAuthorizer to pass in driver specific configuration.

internal/server/auth/driver_openfga.go

@@ -1042,6 +1042,22 @@ func (f *FGA) syncResources(ctx context.Context, resources Resources) error {
 		return err
 	}
 
+	// List the network integrations we have added to OpenFGA already.
+	networkIntegrationsResp, err := f.client.ListObjects(ctx).Body(client.ClientListObjectsRequest{
+		User:     ObjectServer().String(),
+		Relation: relationServer,
+		Type:     string(ObjectTypeNetworkIntegration),
+	}).Execute()
+	if err != nil {
+		return err
+	}
+
+	// Compare with local network integrations.
+	err = diffObjects(relationServer, networkIntegrationsResp.GetObjects(), resources.NetworkIntegrationObjects)
+	if err != nil {
+		return err
+	}
+
 	// List the storage pools we have added to OpenFGA already.
 	storagePoolsResp, err := f.client.ListObjects(ctx).Body(client.ClientListObjectsRequest{
 		User:     ObjectServer().String(),

internal/server/db/cluster/entities.go

@@ -33,51 +33,51 @@ const (
 
 // EntityNames associates an entity code to its name.
 var EntityNames = map[int]string{
+	TypeCertificate:           "certificate",
+	TypeClusterGroup:          "cluster group",
 	TypeContainer:             "container",
 	TypeImage:                 "image",
-	TypeProfile:               "profile",
-	TypeProject:               "project",
-	TypeCertificate:           "certificate",
-	TypeInstance:              "instance",
 	TypeInstanceBackup:        "instance backup",
+	TypeInstance:              "instance",
 	TypeInstanceSnapshot:      "instance snapshot",
-	TypeNetwork:               "network",
 	TypeNetworkACL:            "network acl",
+	TypeNetwork:               "network",
 	TypeNode:                  "node",
 	TypeOperation:             "operation",
+	TypeProfile:               "profile",
+	TypeProject:               "project",
+	TypeStorageBucket:         "storage bucket",
 	TypeStoragePool:           "storage pool",
-	TypeStorageVolume:         "storage volume",
 	TypeStorageVolumeBackup:   "storage volume backup",
 	TypeStorageVolumeSnapshot: "storage volume snapshot",
-	TypeStorageBucket:         "storage bucket",
+	TypeStorageVolume:         "storage volume",
 	TypeWarning:               "warning",
-	TypeClusterGroup:          "cluster group",
 }
 
 // EntityTypes associates an entity name to its type code.
 var EntityTypes = map[string]int{}
 
 // EntityURIs associates an entity code to its URI pattern.
 var EntityURIs = map[int]string{
+	TypeCertificate:           "/" + version.APIVersion + "/certificates/%s",
+	TypeClusterGroup:          "/" + version.APIVersion + "/cluster/groups/%s",
 	TypeContainer:             "/" + version.APIVersion + "/containers/%s?project=%s",
 	TypeImage:                 "/" + version.APIVersion + "/images/%s?project=%s",
-	TypeProfile:               "/" + version.APIVersion + "/profiles/%s?project=%s",
-	TypeProject:               "/" + version.APIVersion + "/projects/%s",
-	TypeCertificate:           "/" + version.APIVersion + "/certificates/%s",
-	TypeInstance:              "/" + version.APIVersion + "/instances/%s?project=%s",
 	TypeInstanceBackup:        "/" + version.APIVersion + "/instances/%s/backups/%s?project=%s",
 	TypeInstanceSnapshot:      "/" + version.APIVersion + "/instances/%s/snapshots/%s?project=%s",
-	TypeNetwork:               "/" + version.APIVersion + "/networks/%s?project=%s",
+	TypeInstance:              "/" + version.APIVersion + "/instances/%s?project=%s",
 	TypeNetworkACL:            "/" + version.APIVersion + "/network-acls/%s?project=%s",
+	TypeNetwork:               "/" + version.APIVersion + "/networks/%s?project=%s",
 	TypeNode:                  "/" + version.APIVersion + "/cluster/members/%s",
 	TypeOperation:             "/" + version.APIVersion + "/operations/%s",
+	TypeProfile:               "/" + version.APIVersion + "/profiles/%s?project=%s",
+	TypeProject:               "/" + version.APIVersion + "/projects/%s",
+	TypeStorageBucket:         "/" + version.APIVersion + "/storage-pools/%s/buckets/%s?project=%s",
 	TypeStoragePool:           "/" + version.APIVersion + "/storage-pools/%s",
-	TypeStorageVolume:         "/" + version.APIVersion + "/storage-pools/%s/volumes/%s/%s?project=%s",
 	TypeStorageVolumeBackup:   "/" + version.APIVersion + "/storage-pools/%s/volumes/%s/%s/backups/%s?project=%s",
 	TypeStorageVolumeSnapshot: "/" + version.APIVersion + "/storage-pools/%s/volumes/%s/%s/snapshots/%s?project=%s",
-	TypeStorageBucket:         "/" + version.APIVersion + "/storage-pools/%s/buckets/%s?project=%s",
+	TypeStorageVolume:         "/" + version.APIVersion + "/storage-pools/%s/volumes/%s/%s?project=%s",
 	TypeWarning:               "/" + version.APIVersion + "/warnings/%s",
-	TypeClusterGroup:          "/" + version.APIVersion + "/cluster/groups/%s",
 }
 
 func init() {