"Fine-grained access control in LXD with OpenFGA" (2025)

Sunday at 13:05, 30 minutes, UA2.118 (Henriot), Identity and Access Management, Mark Laing, slides, video

LXD is increasingly deployed on premises as a private cloud solution. To manage access over the HTTPS API, LXD has developed a novel approach using relationship-based access control (ReBAC) and OpenFGA. This approach facilitates fine-grained permission management and enforcement in air-gapped deployments where it is not feasible to deploy a separate OpenFGA server.

This talk will outline LXD's implementation and discuss its benefits and drawbacks.

Implementation details can be found in the specification and in the LXD GitHub repository.