Return user.microcloud from /1.0 even when user cannot edit other config #18178

@tomponline

Description

Please confirm

  • I have searched existing issues to check if an issue already exists for the bug I encountered.

Distribution

N/A

Distribution version

N/A

Output of snap list --all lxd core20 core22 core24 snapd

N/A

System info

N/A

Instance log

N/A

Expected behavior

When querying /1.0 the user.microcloud key is returned for non-authenticated users.

lxd/lxd/api_1.0.go

Lines 277 to 289 in 83189e2

```go
	// If not authenticated, return now.
	if !requestor.IsTrusted() {
		daemonConfig, _ := daemonConfigRender(s)
		_, flagExists := daemonConfig["user.microcloud"]
		if flagExists {
			// Unprivileged users may see the user.microcloud config key
			srv.Config = map[string]any{
				"user.microcloud": daemonConfig["user.microcloud"],
			}
		}
		return response.SyncResponseETag(true, srv, nil)
	}
```

But if the user is trusted and doesn't have permissions to edit the config, it doesn't get to see the user.microcloud key:

lxd/lxd/api_1.0.go

Lines 450 to 456 in 83189e2

```go
	// Only allow identities that can edit configuration to view it as sensitive information may be stored there.
	err = s.Authorizer.CheckPermission(r.Context(), entity.ServerURL(), auth.EntitlementCanEdit)
	if err != nil && !auth.IsDeniedError(err) {
		return response.SmartError(err)
	} else if err == nil {
		daemonConfig, err := daemonConfigRender(s)
```

Actual behavior

It seems to be that a trusted user who cannot edit config will get a permission denied error.

Steps to reproduce

N/A

Information to attach

  • Any relevant kernel output (dmesg)
  • Instance configuration (lxc config show <instance> --expanded)
  • Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
  • If a lxc command fails, output of the command with --debug
  • Output of the daemon with --debug (or use lxc monitor while reproducing the issue)
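The access rule this issue asks for, sketched as an added Go example that is not LXD's code: the `Requestor` type, `checkCanEditServer` and `errDenied` are hypothetical stand-ins for LXD's authorizer, and the config map is constructed. A denial of `can_edit` is treated as a normal outcome that narrows the view to `user.microcloud`, for trusted and untrusted callers alike, while any other authorizer error still fails the request.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins (not LXD's auth package): a denial error and a
// caller that is Trusted (authenticated) and may or may not hold can_edit.
var errDenied = errors.New("permission denied")

type Requestor struct {
	Trusted bool
	CanEdit bool
}

// checkCanEditServer mimics the authorizer call: nil when allowed, errDenied
// when refused. A real authorizer may also fail for unrelated reasons.
func checkCanEditServer(req Requestor) error {
	if req.CanEdit {
		return nil
	}
	return errDenied
}

// visibleConfig returns the config a caller may see on GET /1.0: editors see
// everything (config may hold secrets); everyone else sees only user.microcloud.
func visibleConfig(req Requestor, daemonConfig map[string]any) (map[string]any, error) {
	if req.Trusted {
		err := checkCanEditServer(req)
		if err != nil && !errors.Is(err, errDenied) {
			return nil, err // genuine authorizer failure: propagate it
		}
		if err == nil {
			return daemonConfig, nil // full view for editors
		}
	}
	// Untrusted, or trusted but denied can_edit: expose only the one flag.
	filtered := map[string]any{}
	if v, ok := daemonConfig["user.microcloud"]; ok {
		filtered["user.microcloud"] = v
	}
	return filtered, nil
}

func main() {
	cfg := map[string]any{"user.microcloud": "1", "user.example_secret": "hidden"} // constructed
	fmt.Println(visibleConfig(Requestor{Trusted: true, CanEdit: false}, cfg))
}
```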
