LXD announced several months ago that they were going to be re-working their fine-grained authorization system to be completely built into LXD, without requiring any external OpenFGA servers. This caused me to move over to LXD. However, Incus just announced that OCI support is coming, and that is extremely intriguing to me; without a similar level of fine-grained authorization, though, I don't think that I would be able to move back. Does Incus have plans to implement a fine-grained authorization system similar to the rework that LXD just did, or is OpenFGA the only thing that is going to be supported?
We have no plans to follow LXD's built-in OpenFGA method, as it comes with a lot of issues and few benefits over just running OpenFGA and managing your policies directly in it. It was a design I had specifically rejected back when running the LXD project, and one I was surprised to see adopted in LXD.
The main issues with it being built-in are:
- No central control over access policies within an organization. We've found that large users running dozens of clusters don't particularly enjoy having to configure each one of them directly, and it's usually pretty critical for a particular user's access to be easily revoked across all systems.
- Keeping track of users internally directly causes the database to now have to contain a copy of the OIDC user data, which, if the profile claim is used, means including PII and potentially now requiring you to have plans for how to safeguard, track and fully delete that information, depending on your jurisdiction (GDPR, for example).