Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Standard authorization for backbeat routes #5714

Open
wants to merge 8 commits into
base: development/8.8
Choose a base branch
from

Conversation

williamlardier
Copy link
Contributor

@williamlardier williamlardier commented Dec 10, 2024

Better review commit per commit

The goal here is to handle the authorization from the IAM module in the backbeat routes, and not rely on implicit deny === access denied, as this is not true anymore.
By doing so, we centralize the logic with all S3 APIs, and introduce some unit test to complete the functional tests from tests/multipleBackend/routes/routeBackbeat.js

Current state: functional tests for the ceph test suite and the ones using a real azure/aws/gcp are still not running because they were disabled long time ago, and the resources are not existing anymore, some are still there, but it will be done in a separate ticket.

Today, authorization results are not used. It is because before
having implicit denies, we would have an AccessDenied directly.
To be consistent, we must pass the authorization results.
We thus allow the bucket policies and ACLs to be processed.

Unit tests are added to cover all existing routes.
Routes themselves are not direectly tested, only the router
logic. We must first add tests for backbeat routes before
merging more logic with the normal router.

Issue: CLDSRV-591
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Hello williamlardier,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.

@williamlardier williamlardier changed the title Bugfix/cldsrv 591 Standard authorization for backbeat routes Dec 10, 2024
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@williamlardier williamlardier force-pushed the bugfix/CLDSRV-591 branch 3 times, most recently from c3b007f to fa4422a Compare December 11, 2024 10:57
- Also split backbeat routers
- Better use the callback functions
- Do not return twice to the client in case of error and
  quota evaluation (finalizer hooks)
- Remove account quota from backbeat proxy route: as not
  used in this case.

Issue: CLDSRV-591
@bert-e
Copy link
Contributor

bert-e commented Dec 12, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • 8.8.40

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

  • 8.9.0

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.

- Update old ones
- Fix some tests not compatible with existing code, after
  confirming the changes were expected
- Do not run the tests with azure/aws real backend in some cases,
  because the backends are either not healthy, or the tests
  doesn't work. To be done separately.

Issue: CLDSRV-591
- To be re-enabled if we want to keep these tests
- We also have a LocationNotFound error from AWS client,
  although properly configured in the location config file...

Issue: CLDSRV-591
- The bucket cleaning might not work during js tests, and can
  be expected
- In such case, the java test should not enforce strict number
  of bucket, but use the existing number when starting...

Issue: CLDSRV-591
- Same as java test, the scenario should never assume what
  the environment is, when the resources are shared.

Issue: CLDSRV-591
@williamlardier williamlardier marked this pull request as ready for review December 12, 2024 13:26
related to the Backbeat service. Backbeat may call any of the below APIs to
perform operations on either data or s3 objects (metadata).

These route follow the same authorization and validation as the S3 routes:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
These route follow the same authorization and validation as the S3 routes:
These routes follows the same authorization and validation as the S3 routes:

@bert-e
Copy link
Contributor

bert-e commented Dec 23, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • 8.8.40

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

  • 9.0.0

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.


- Authorize the request with support for Implicit Denies from the IAM service.
- Retrieve the bucket and object metadata if applicable.
- Evaluate the S3 Bucket Policies and ACLs before authozing the request.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Evaluate the S3 Bucket Policies and ACLs before authozing the request.
- Evaluate the S3 Bucket Policies and ACLs before authorizing the request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants