NSFS | NC | Add Condition in authorize_request_policy
#8086
LGTM
6fc7997 to dd8d73a
Signed-off-by: shirady <[email protected]>
dd8d73a to a9f2f89
@shirady why did you do
@romayalon I always change the config for running the s3 operation in NC NSFS, it should work the same.
@shirady Why are you doing that?
@romayalon I saw it failed on this check in the past.
Thanks @shirady! Please try to reproduce and open a bug if needed, we don't want to mask a bug by setting this config 👍🏻
@romayalon I opened the issue #8177.
Explain the changes
authorize_request_policy in s3_rest.
owner_account in the function read_bucket_sdk_policy_info.
owner_account with mock value just to return a value like in the function read_bucket_sdk_policy_info.
Issues: Fixed (partial) #8080
AccessDenied). It happens because the bucket_owner is with the previous name and the account_identifier is with the new name.
After this fix, the S3 request should not return an error, although there are still GAPS:
system_owner and bucket_owner with the previous name (in the bucket config).
s3_policy is set in the bucket config files with the name of the account, and this will also not be updated, for example: Principal: { AWS: 'user10' }.
Testing Instructions:
Manual Test:
Before you start: Change the config.NSFS_CHECK_BUCKET_BOUNDARIES = false;
FS_ROOT and a directory for a bucket:
mkdir -p /tmp/nsfs_root1/my-bucket
and give permissions:
chmod 777 /tmp/nsfs_root1/
chmod 777 /tmp/nsfs_root1/my-bucket
This will be the argument for:
new_buckets_path flag /tmp/nsfs_root1 (that we will use in the account commands)
path in the buckets commands /tmp/nsfs_root1/my-bucket (that we will use in bucket commands).
sudo node src/cmd/nsfs --debug 5
sudo node src/cmd/manage_nsfs account add --name shira-1003 --new_buckets_path /tmp/nsfs_root1 --access_key <access-key> --secret_key <secret-key> --uid 1003 --gid 1003
sudo node src/cmd/manage_nsfs bucket add --name shira-1003-bucket-1 --owner shira-1003 --path /tmp/nsfs_root1/my-bucket
alias s3-nc-user-1='AWS_ACCESS_KEY_ID=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:6443'
s3-nc-user-1 s3api put-object --bucket shira-1003-bucket-1 --key hello.txt
(should work).
sudo node src/cmd/manage_nsfs account update --name shira-1003 --new_name shira-1003-new
sudo node src/cmd/manage_nsfs bucket status --name shira-1003-bucket-1
s3-nc-user-1 s3api put-object --bucket shira-1003-bucket-1 --key hello.txt
(should work after the fix, before that it throws an error). Please make sure that you send the request after the bucket_namespace_cache is clear, else you would not be able to reproduce the initial issue.
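
The rename failure and the remaining s3_policy gap described in the PR text above, as an added JavaScript illustration; it is not code from this PR or from the project. The object shapes, the ids, the renamed grantee `user10-new` and the helper names (`is_owner_by_name`, `is_owner_by_id`, `policy_allows`, `authorize`) are assumptions.

```javascript
// Added illustration, not NooBaa code: shapes, ids and helper names are assumptions.
// Constructed bucket config as left on disk after the accounts were renamed.
const bucket = {
    bucket_owner: 'shira-1003',            // owner name, stale after the rename
    owner_account: { id: 'acct-1003' },    // constructed id, unchanged by a rename
    s3_policy: { Statement: [{
        Effect: 'Allow',
        Principal: { AWS: 'user10' },      // grantee name stored in the policy
        Action: ['s3:PutObject'],
    }] },
};
// Constructed requesters, both already renamed.
const owner = { _id: 'acct-1003', name: 'shira-1003-new' };
const grantee = { _id: 'acct-0010', name: 'user10-new' };

// Ownership by name: fails as soon as the owner account is renamed.
const is_owner_by_name = (account, bkt) => account.name === bkt.bucket_owner;

// Ownership by id: survives the rename, and fails closed if the id is missing.
const is_owner_by_id = (account, bkt) =>
    Boolean(bkt.owner_account && bkt.owner_account.id) &&
    account._id === bkt.owner_account.id;

// Name-only principal match, enough to show the gap that remains in s3_policy.
function policy_allows(account, bkt, action) {
    const statements = (bkt.s3_policy && bkt.s3_policy.Statement) || [];
    return statements.some(st =>
        st.Effect === 'Allow' &&
        [].concat(st.Action).includes(action) &&
        [].concat(st.Principal.AWS).includes(account.name));
}

// Assumed decision order for the illustration: owner first, then bucket policy.
function authorize(account, bkt, action, is_owner) {
    if (is_owner(account, bkt)) return 'allow:owner';
    if (policy_allows(account, bkt, action)) return 'allow:policy';
    return 'AccessDenied';
}

console.log(authorize(owner, bucket, 's3:PutObject', is_owner_by_name));   // AccessDenied
console.log(authorize(owner, bucket, 's3:PutObject', is_owner_by_id));     // allow:owner
console.log(authorize(grantee, bucket, 's3:PutObject', is_owner_by_id));   // AccessDenied
```

The third call is the open gap: the policy still lists the grantee's previous name, so a name-only principal match denies the renamed account even when ownership is resolved by id.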