I have a remote user configured to be restricted to a few projects which have restrictions on them. Currently, these users can edit the project configurations and remove project limits, if they wish. How can I restrict this access?
The restricted remote user has the following configuration.
pargo@bastion:~$ incus config trust show 7fee7f7b76b4
name: victoitor@bastion
type: client
restricted: true
projects:
- compartilhado
- dedicado
- aux
- test
certificate: |
(...)
From the user’s view I get the following.
victoitor@bastion:~$ incus project list
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
| NAME | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | NETWORK ZONES | DESCRIPTION | USED BY |
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
| aux (current) | YES | YES | YES | YES | NO | NO | Containers com baixo recurso | 6 |
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
| compartilhado | YES | YES | YES | YES | NO | NO | Experimentos - máquinas compartilhadas | 8 |
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
| dedicado | YES | YES | YES | YES | NO | NO | Experimentos - máquinas dedicadas | 4 |
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
| test | YES | YES | YES | YES | NO | NO | Containers com baixo recurso | 1 |
+---------------+--------+----------+-----------------+-----------------+----------+---------------+----------------------------------------+---------+
victoitor@bastion:~$ incus project show test
config:
features.images: "true"
features.profiles: "true"
features.storage.buckets: "true"
features.storage.volumes: "true"
restricted: "true"
restricted.backups: allow
restricted.cluster.groups: compartilhado
restricted.cluster.target: allow
restricted.containers.lowlevel: allow
restricted.containers.nesting: allow
restricted.devices.nic: allow
restricted.snapshots: allow
description: Containers com baixo recurso
name: test
used_by:
- /1.0/profiles/default?project=test
victoitor@bastion:~$ incus project unset test restricted
victoitor@bastion:~$ incus project show test
config:
features.images: "true"
features.profiles: "true"
features.storage.buckets: "true"
features.storage.volumes: "true"
restricted.backups: allow
restricted.cluster.groups: compartilhado
restricted.cluster.target: allow
restricted.containers.lowlevel: allow
restricted.containers.nesting: allow
restricted.devices.nic: allow
restricted.snapshots: allow
description: Containers com baixo recurso
name: test
used_by:
- /1.0/profiles/default?project=test
How can I make it so the user cannot edit the project’s configuration?
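An added example, not part of the original post and not Incus code: a drift check that compares a project's recorded config with its current one and reports removed, added or changed `restricted` and `limits.*` keys, using the two `incus project show test` outputs above as sample data. The function names and the idea of keeping a baseline snapshot are assumptions of this example.

```python
# Added example (not Incus code). Sample data is constructed from the two
# `incus project show test` outputs in the post.
BASELINE = {
    "features.images": "true",
    "features.profiles": "true",
    "features.storage.buckets": "true",
    "features.storage.volumes": "true",
    "restricted": "true",
    "restricted.backups": "allow",
    "restricted.cluster.groups": "compartilhado",
    "restricted.cluster.target": "allow",
    "restricted.containers.lowlevel": "allow",
    "restricted.containers.nesting": "allow",
    "restricted.devices.nic": "allow",
    "restricted.snapshots": "allow",
}
# State after `incus project unset test restricted`: only the master key is gone.
CURRENT = {k: v for k, v in BASELINE.items() if k != "restricted"}

TRUE_VALUES = {"true", "1", "yes", "on"}


def is_guarded(key):
    """Keys whose change weakens a project: the restricted switch, its sub-keys, limits."""
    return key == "restricted" or key.startswith(("restricted.", "limits."))


def config_drift(baseline, current):
    """Return sorted (key, change, old, new) tuples for guarded keys that differ."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if is_guarded(key) and old != new:
            change = "removed" if new is None else "added" if old is None else "changed"
            findings.append((key, change, old, new))
    return findings


def restrictions_inactive(config):
    """True when restricted.* keys exist but `restricted` is not enabled."""
    enabled = config.get("restricted", "false").lower() in TRUE_VALUES
    return not enabled and any(k.startswith("restricted.") for k in config)


if __name__ == "__main__":
    for key, change, old, new in config_drift(BASELINE, CURRENT):
        print(f"project test: {key} {change} ({old!r} -> {new!r})")
    if restrictions_inactive(CURRENT):
        print("project test: restricted.* keys present but `restricted` is not true")
```

On a live server the two maps would come from the `config` field of each project in `incus project list --format json`, collected from an administrative client.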