NC | NSFS | Config Dir Restructure - Add users/ Dir
#8312
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
romayalon
reviewed
Sep 3, 2024
There was a problem hiding this comment.
Looks good, just a small gap from bucket_owner removal we had to add when adding users/ - #8289
Gap - we need to remove the following line when having IAM users in users/ directory (this will mean that a root account can have the same name as an IAM user) @shirady
- if (account_identifier === bucket_owner.unwrap()) return true;
+ if (owner_account && account._id === owner_account.id) return true;
+ //name check - only for root accounts
+ if (!account.owner && account_identifier_name === bucket_owner.unwrap()) return true;
shirady
force-pushed
the
nsfs-nc-config-dir-restructure-users-dir
branch
3 times, most recently
from
66c7a7d
to
08b70a8
Compare
shirady
force-pushed
the
nsfs-nc-config-dir-restructure-users-dir
branch
from
08b70a8
to
4036567
Compare
1. Update IAM API Users, Access Keys and additional changes in accountspace_fs: - Move the config creation from the function _copy_data_from_requesting_account_to_account_config to the create_user. - Fix the ARN account ID for root accounts that were operated by the roots accounts manager (before we copied the requesting_account._id which was true only for root accounts on IAM users). - Fix _check_root_account as it has a redundant line that was not relevant (it was there when we thought of additional case, but we never get to it). - Add 2 helper functions: _get_account_owner_id_for_arn, _get_owner_account_argument. - Improve performance in the function _check_if_root_account_does_not_have_IAM_users_before_deletion after we have the new structure. 2. Update the ConfigFS module to support the new structure and operate on users configs. 3. Update docs: - With the config dire restructure (identities/, accounts_by_name/, users/directories). - IAM docs - regarding the naming scope (that we have with the new structure) and about the new structure with users/ directory. 4. Update the IAM API tests: - Mainly reading the config file in the new structure. - Add account validation to accounts created hardcoded (to avoid schema changes without them updated). - Refactor `it` names to multiple lines. 5. In rest_s3 change the 'is_owner` part (the gap mentioned in NC | Bucket Owner Removal noobaa#8289), where it checks the name, to make sure the account is not a user with the same name. Signed-off-by: shirady <[email protected]>
shirady
force-pushed
the
nsfs-nc-config-dir-restructure-users-dir
branch
from
4036567
to
2b3f42d
Compare
…M user) Signed-off-by: shirady <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Explain the changes
accountspace_fs:_copy_data_from_requesting_account_to_account_configto thecreate_user.requesting_account._idwhich was true only for root accounts on IAM users)._check_root_accountas it has a redundant line that was not relevant (it was there when we thought of additional case, but we never get to it)._get_account_owner_id_for_arn,_get_owner_account_argument._check_if_root_account_does_not_have_IAM_users_before_deletionafter we have the new structure.ConfigFSmodule to support the new structure and operate on users configs.identities/,accounts_by_name/,users/directories).users/directory.itnames to multiple lines.rest_s3change the 'is_owner` part (the gap mentioned in NC | Bucket Owner Removal #8289), where it checks the name, to make sure the account is not a user with the same name.Issues:
Open questions to answer in the CR:
users/if there are no users in the account? I decided not to delete it.arn:aws:iam::${account_id}:user/${username}theaccount_idis his_idand theusernameis the account name.List of GAPS:
accountspace_fsmethods.Testing Instructions:
Unit Tests:
Please run:
sudo npx jest test_accountspace_fs.test.jsManual Tests:
Operate any IAM actions on users and access keys on the NSFS server as described in Non Containerized NSFS IAM (Developers Documentation)