Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Standard authorization for backbeat routes #5714

Open
wants to merge 8 commits into
base: development/8.8
Choose a base branch
from
Open

Standard authorization for backbeat routes #5714

wants to merge 8 commits into from

Conversation

williamlardier
Copy link
Contributor

@williamlardier williamlardier commented Dec 10, 2024
edited
Loading

Better review commit per commit

The goal here is to handle the authorization from the IAM module in the backbeat routes, and not rely on implicit deny === access denied, as this is not true anymore.
By doing so, we centralize the logic with all S3 APIs, and introduce some unit test to complete the functional tests from tests/multipleBackend/routes/routeBackbeat.js

Current state: functional tests for the ceph test suite and the ones using a real azure/aws/gcp are still not running because they were disabled long time ago, and the resources are not existing anymore, some are still there, but it will be done in a separate ticket.

@williamlardier
Document backbeat routes
7c88864 
Issue: CLDSRV-591
@williamlardier
Ensure backbeat routes are authorizing requests
c0bb428 
Today, authorization results are not used. It is because before
having implicit denies, we would have an AccessDenied directly.
To be consistent, we must pass the authorization results.
We thus allow the bucket policies and ACLs to be processed.

Unit tests are added to cover all existing routes.
Routes themselves are not direectly tested, only the router
logic. We must first add tests for backbeat routes before
merging more logic with the normal router.

Issue: CLDSRV-591
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Hello williamlardier,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.

@williamlardier williamlardier changed the title Bugfix/cldsrv 591 Standard authorization for backbeat routes Dec 10, 2024
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@williamlardier williamlardier force-pushed the bugfix/CLDSRV-591 branch 3 times, most recently from c3b007f to fa4422a Compare December 11, 2024 10:57
@williamlardier
Unify implicit deny handling in normal and backbeat routes
decfc8f 
- Also split backbeat routers
- Better use the callback functions
- Do not return twice to the client in case of error and
  quota evaluation (finalizer hooks)
- Remove account quota from backbeat proxy route: as not
  used in this case.

Issue: CLDSRV-591
@bert-e
Copy link
Contributor

bert-e commented Dec 12, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • 8.8.40

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

  • 8.9.0

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.

@williamlardier
Re-enable route backbeat tests
d8cd2e4 
- Update old ones
- Fix some tests not compatible with existing code, after
  confirming the changes were expected
- Do not run the tests with azure/aws real backend in some cases,
  because the backends are either not healthy, or the tests
  doesn't work. To be done separately.

Issue: CLDSRV-591
@williamlardier
Disable ceph tests using AWS as the bucket does not exist anymore
a21ea94 
- To be re-enabled if we want to keep these tests
- We also have a LocationNotFound error from AWS client,
  although properly configured in the location config file...

Issue: CLDSRV-591
@williamlardier
Make java test independent from js tests
20412bc 
- The bucket cleaning might not work during js tests, and can
  be expected
- In such case, the java test should not enforce strict number
  of bucket, but use the existing number when starting...

Issue: CLDSRV-591
@williamlardier
Make js test independent from existing buckets
1e3ad11 
- Same as java test, the scenario should never assume what
  the environment is, when the resources are shared.

Issue: CLDSRV-591
@williamlardier williamlardier marked this pull request as ready for review December 12, 2024 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@williamlardier @bert-e