Fine-grained access control in LXD with OpenFGA

LXD is increasingly deployed on premises as a private cloud solution. To manage access over the HTTPS API, LXD has developed a novel approach using relationship-based access control (ReBAC) and OpenFGA. This approach facilitates fine-grained permission management and enforcement in air-gapped deployments where it is not feasible to deploy a separate OpenFGA server.

This talk will outline LXD's implementation and discuss its benefits and drawbacks.

Implementation details can be found in the specification and in the LXD Github repository