lxd: Add comment explaining behaviour of events websocket with effect…

…ive projects. Signed-off-by: Mark Laing <[email protected]>
canonical · Aug 23, 2024 · d137df1 · d137df1
1 parent eddd72f
commit d137df1
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/lxd/events.go b/lxd/events.go
@@ -61,6 +61,14 @@ func eventsSocket(s *state.State, r *http.Request, w http.ResponseWriter) error
 		}
 	}
 
+	// Notes on authorization for events:
+	// - Checks are currently performed at the project level. Fine-grained auth uses `can_view_events` on the project,
+	//   TLS auth checks if a restricted identity has access to the project against which the event is defined.
+	// - If project "foo" does not have a particular feature enabled, say 'features.networks', if a network is updated
+	//   via project "foo", no events will be emitted in project "foo" relating to the network. They will only be emitted
+	//   in project "default". In order to get all related events, TLS users must be granted access to the default project,
+	//   fine-grained users can be granted `can_view_events` on the default project. Both must call the events API with
+	//   `all-projects=true`.
 	var projectPermissionFunc auth.PermissionChecker
 	if projectName != "" {
 		err := s.Authorizer.CheckPermission(r.Context(), entity.ProjectURL(projectName), auth.EntitlementCanViewEvents)