From 66c7a7d899b99983e1f37e512ea133fe704e8113 Mon Sep 17 00:00:00 2001 From: shirady <57721533+shirady@users.noreply.github.com> Date: Thu, 5 Sep 2024 16:03:25 +0300 Subject: [PATCH] changes after rebase Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
---
 docs/design/iam.md | 32 ------------------- src/endpoint/s3/s3_rest.js | 5 +-- .../jest_tests/test_accountspace_fs.test.js | 1 + 3 files changed, 4 insertions(+), 34 deletions(-)
diff --git a/docs/design/iam.md b/docs/design/iam.md
index 8df9b94785..3538b25f67 100644
--- a/docs/design/iam.md
+++ b/docs/design/iam.md
@@ -228,35 +228,3 @@ This was partially copied from [AWS IAM Guide - Intro](https://docs.aws.amazon.c
 - Name - in the IAM API we pass the `--user-name` flag. The username is unique only under the account (not including the account name itself).
 - Access key - in S3 API and IAM API the request is signed with the requesting user credentials.
 - Currently, users cannot use any IAM API operations on other users.
-
-## Other
-### Terminology - AWS vs NooBaa
-| | AWS | NooBaa |
-|---|-----|--------|
-| | root account | account |
-| | IAM user | user |
-
-#### Root Account / Account
-- In NooBaa NC, the term "root" is associated with Linux root permission, therefore, the term "account" will be the equivalent term used for "root account".
- - The account is the owner of the users that it created using the IAM API. The account owns the users and manage them (can create, read, update, delete or list them).
- - The account is the owner of the buckets that were created by it or by its users.
-- In AWS root accounts are only created in the console.
-While in NooBaa, accounts can be created by
- - 1. NooBaa CLI `account add` command.
- 2. IAM API CreateUser operation. The requesting account must have the `iam_operate_on_root_account` property set to true. An account that has `iam_operate_on_root_account` property set to true, will operate on accounts instead of users when calling the IAM API, although it does not own them.
-- In NooBaa, an account is identified by:
- - Name - in the CLI we pass the account name. The account name is unique within all the accounts (you cannot create a new account with the name of an existing account).
- - Access key - in S3 API and IAM API the request is signed with the requesting account credentials.
-
-#### Identity
-- In general, we manage identities - currently accounts and users - but in the future, we might support roles, groups, etc.).
-
-#### IAM User / User
-- In NooBaa we decide to omit the "IAM" from the term "IAM users" as IAM is Identity & Access Management, and we thought it would be clear enough just the term "user" in our system.
-- users are individual users within an account (for a single person or application), they aren't separate accounts.
-- users and their access keys have long-term credentials to the system resource, they give the ability to make programmatic requests to NooBaa service using the API or CLI.
-This was partially copied from [AWS IAM Guide - Intro](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-users) and [AWS IAM Guide - When To Use IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/when-to-use-iam.html#security_iam_authentication-iamuser).
-- In NooBaa, a user is identified by:
- - Name - in the IAM API we pass the `--user-name` flag. The username is unique only under the account (not including the account name itself).
- - Access key - in S3 API and IAM API the request is signed with the requesting user credentials.
-- Currently, users cannot use any IAM API operations on other users.
\ No newline at end of file
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
index c6ef8f475a..2b4f090b9e 100755
--- a/src/endpoint/s3/s3_rest.js
+++ b/src/endpoint/s3/s3_rest.js
@@ -243,9 +243,10 @@ async function authorize_request_policy(req) {
 // NC conditions for bucket ownership
 // 1. by ID (when creating the bucket the owner is always an account) - comparison to ID which is unique
 // 2. by name - account_identifier can be username which is not unique
- // to make sure it is only on accounts (account names are unique) we check the account's ownership
+ // to make sure it is only on accounts (account names are unique) we check there's no account's ownership
 if (owner_account && owner_account.id === account._id) return true;
- if (account_identifier === bucket_owner.unwrap()) return true;
+ // checked last on purpose (NC first checks the ID and then name for backward computability)
+ if (account.owner === undefined && account_identifier_name === bucket_owner.unwrap()) return true;
 // mutual check
 return false;
 }());
diff --git a/src/test/unit_tests/jest_tests/test_accountspace_fs.test.js b/src/test/unit_tests/jest_tests/test_accountspace_fs.test.js
index 821f8459fc..072431c77b 100644
--- a/src/test/unit_tests/jest_tests/test_accountspace_fs.test.js
+++ b/src/test/unit_tests/jest_tests/test_accountspace_fs.test.js
@@ -12,6 +12,7 @@ const { TMP_PATH } = require('../../system_tests/test_utils');
 const { IAM_DEFAULT_PATH, ACCESS_KEY_STATUS_ENUM } = require('../../../endpoint/iam/iam_constants');
 const fs_utils = require('../../../util/fs_utils');
 const { IamError } = require('../../../endpoint/iam/iam_errors');
+const nsfs_schema_utils = require('../../../manage_nsfs/nsfs_schema_utils');
 class NoErrorThrownError extends Error {}
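Review bot: `account_identifier_name` in the added name comparison is not defined anywhere in this hunk — it replaces the removed `account_identifier`, so presumably it is computed earlier in authorize_request_policy, which starts before the hunk and continues past it; worth confirming that rename landed there too, otherwise this line throws a ReferenceError at request time. The new comment above it also misspells the rationale and should read `// checked last on purpose (NC first checks the ID and then name for backward compatibility)`. The `account.owner === undefined` guard fails closed, which is the right direction for an ownership decision: an IAM user whose name happens to equal the bucket owner's account name no longer matches by name, and only the ID comparison can grant it. If an account record can carry `owner: null` rather than an absent field, that account would be denied by name too; `account.owner == null` would cover both forms without widening the check.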