-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NSFS | Support anonymous NSFS requests #7997
base: master
Are you sure you want to change the base?
Conversation
bba3686
to
9152079
Compare
119f473
to
4a7a0e4
Compare
587d9f6
to
29b78b8
Compare
54c3ad4
to
658345d
Compare
Hi @naveenpaul1 :) |
e3bb799
to
ee482a7
Compare
e428fd8
to
aeb811d
Compare
aeb811d
to
7abb27e
Compare
1bd0bfd
to
14d1ef3
Compare
e2a19b4
to
6a85286
Compare
bd3dd7f
to
8ee713e
Compare
d832341
to
f309093
Compare
@naveenpaul1 Thanks for the hard work on this one!!! |
Signed-off-by: naveenpaul1 <napaul@redhat.com>
f309093
to
3a7b275
Compare
* (instead of flags) and return its content | ||
* @param {object[]} access_keys | ||
*/ | ||
function is_anonymous(access_keys) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename to has_access_keys please
|
||
Anonymous requests are those sent without access and secret key and Noobaa NSFS allow it with supporting bucket policy. Users have to create an anonymous account before accessing the resources. Noobaa uses anonymous account's uid and gid or user(distinguished_name) for accessing bucket storage paths. Noobaa can have one anonymous account. Commands for creating anonumous account are | ||
``` | ||
node src/cmd/manage_nsfs account add --anonymous --uid {uid} --gid {gid} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can someone create/update a regular account called anonymous? we need to block it if so
// ANONYMOUS: cannot work without bucket, cannot work on namespace bucket (?) | ||
// ANONYMOUS: cannot work without bucket. | ||
// Return if the acount is anonymous | ||
const is_anon = !(token && token.access_key); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this causing s3 requests with access key empty and secret key non empty to make anon requests instead of failing like happens in AWS
@@ -96,8 +96,8 @@ class BucketSpaceFS extends BucketSpaceSimpleFS { | |||
|
|||
async read_account_by_access_key({ access_key }) { | |||
try { | |||
if (!access_key) throw new Error('no access key'); | |||
const iam_path = this._get_access_keys_config_path(access_key); | |||
const iam_path = access_key === '' ? this._get_account_config_path(config.NC_ANON_ACCOUNT_NAME) : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using empty string or even undefined can be accidental and we really don't want to allow that.
Lets do this - define a new const anonymous_access_key = Symbol('anonymous_access_key')
in object_sdk.
Then we should use this symbol as the key to the cache, but be explicit about it and not implicit.
@@ -207,19 +207,17 @@ class ObjectSDK { | |||
async load_requesting_account(req) { | |||
try { | |||
const token = this.get_auth_token(); | |||
if (!token) return; | |||
const is_anon = !(token && token.access_key); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also here we want to only check !token and not assume empty access key is also anon, right?
this.requesting_account = await account_cache.get_with_cache({ | ||
bucketspace: this._get_bucketspace(), | ||
access_key: token.access_key, | ||
access_key: is_anon ? '' : token.access_key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per the suggestion to use symbol above -
access_key: is_anon ? '' : token.access_key, | |
access_key: token ? token.access_key : anonymous_access_key, |
``` | ||
or | ||
``` | ||
node src/cmd/manage_nsfs account add --anonymous --user {user} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
change all calls from manage_nsfs to noobaa-cli -
node src/cmd/manage_nsfs account add --anonymous --user {user} | |
noobaa-cli account add --anonymous --user {user} |
Explain the changes
test_post_object_wrong_bucket
added to black listIssues: Fixed #xxx / Gap #xxx
Testing Instructions:
node src/cmd/manage_nsfs account add --anonymous --uid {uid} --gid {gid}
{ Effect: 'Allow', Principal: { AWS: ["*"] }, Action: ['s3:GetObject', 's3:ListBucket'], Resource: ['arn:aws:s3:::*'] }