NC | NSFS | Config Dir Restructure - Add users/ Dir #8312
Open: shirady wants to merge 2 commits into noobaa:master from shirady:nsfs-nc-config-dir-restructure-users-dir
romayalon reviewed Sep 3, 2024
Looks good, just a small gap from bucket_owner removal we had to add when adding users/ - #8289
Gap - we need to remove the following line when having IAM users in users/ directory (this will mean that a root account can have the same name as an IAM user) @shirady
- if (account_identifier === bucket_owner.unwrap()) return true;
+ if (owner_account && account._id === owner_account.id) return true;
+ //name check - only for root accounts
+ if (!account.owner && account_identifier_name === bucket_owner.unwrap()) return true;
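Review bot: the name fallback on the last added line (`!account.owner && account_identifier_name === bucket_owner.unwrap()`) still runs when `owner_account` is set but the id comparison above it did not match, so a root account whose name equals the bucket owner string is treated as owner even though its id differs. Consider applying the name comparison only when `owner_account` is absent, and confirm that `account._id` and `owner_account.id` hold the same representation, since one side reads `_id` and the other `id`.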
shirady force-pushed the nsfs-nc-config-dir-restructure-users-dir branch 3 times, most recently from 66c7a7d to 08b70a8 (September 5, 2024 14:39)
shirady force-pushed the nsfs-nc-config-dir-restructure-users-dir branch from 08b70a8 to 4036567 (September 8, 2024 05:16)
1. Update IAM API Users, Access Keys and additional changes in accountspace_fs:
   - Move the config creation from the function _copy_data_from_requesting_account_to_account_config to the create_user.
   - Fix the ARN account ID for root accounts that were operated by the root accounts manager (before we copied the requesting_account._id which was true only for root accounts on IAM users).
   - Fix _check_root_account as it has a redundant line that was not relevant (it was there when we thought of additional case, but we never get to it).
   - Add 2 helper functions: _get_account_owner_id_for_arn, _get_owner_account_argument.
   - Improve performance in the function _check_if_root_account_does_not_have_IAM_users_before_deletion after we have the new structure.
2. Update the ConfigFS module to support the new structure and operate on users configs.
3. Update docs:
   - With the config dir restructure (identities/, accounts_by_name/, users/ directories).
   - IAM docs - regarding the naming scope (that we have with the new structure) and about the new structure with users/ directory.
4. Update the IAM API tests:
   - Mainly reading the config file in the new structure.
   - Add account validation to accounts created hardcoded (to avoid schema changes without them updated).
   - Refactor `it` names to multiple lines.
5. In rest_s3 change the `is_owner` part (the gap mentioned in NC | Bucket Owner Removal noobaa#8289), where it checks the name, to make sure the account is not a user with the same name.

Signed-off-by: shirady <[email protected]>
shirady force-pushed the nsfs-nc-config-dir-restructure-users-dir branch from 4036567 to 2b3f42d (September 8, 2024 05:26)
…M user) Signed-off-by: shirady <[email protected]>
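Explain the changes
1. Update IAM API Users, Access Keys and additional changes in `accountspace_fs`:
   - Move the config creation from the function `_copy_data_from_requesting_account_to_account_config` to the `create_user`.
   - Fix the ARN account ID for root accounts that were operated by the root accounts manager (before we copied the `requesting_account._id` which was true only for root accounts on IAM users).
   - Fix `_check_root_account` as it has a redundant line that was not relevant (it was there when we thought of additional case, but we never get to it).
   - Add 2 helper functions: `_get_account_owner_id_for_arn`, `_get_owner_account_argument`.
   - Improve performance in the function `_check_if_root_account_does_not_have_IAM_users_before_deletion` after we have the new structure.
2. Update the `ConfigFS` module to support the new structure and operate on users configs.
3. Update docs:
   - With the config dir restructure (`identities/`, `accounts_by_name/`, `users/` directories).
   - IAM docs - regarding the naming scope (that we have with the new structure) and about the new structure with `users/` directory.
4. Update the IAM API tests:
   - Mainly reading the config file in the new structure.
   - Add account validation to accounts created hardcoded (to avoid schema changes without them updated).
   - Refactor `it` names to multiple lines.
5. In `rest_s3` change the `is_owner` part (the gap mentioned in NC | Bucket Owner Removal #8289), where it checks the name, to make sure the account is not a user with the same name.

Issues:

Open questions to answer in the CR:
- `users/` if there are no users in the account? I decided not to delete it.
- `arn:aws:iam::${account_id}:user/${username}` the `account_id` is his `_id` and the `username` is the account name.

List of GAPS:
- `accountspace_fs` methods.

Testing Instructions:
Unit Tests:
Please run: `sudo npx jest test_accountspace_fs.test.js`
Manual Tests:
Operate any IAM actions on users and access keys on the NSFS server as described in Non Containerized NSFS IAM (Developers Documentation)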