NSFS | Support anonymous NSFS requests #7997
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
from
bba3686
to
9152079
Compare
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
from
119f473
to
4a7a0e4
Compare
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
2 times, most recently
from
587d9f6
to
29b78b8
Compare
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
2 times, most recently
from
54c3ad4
to
658345d
Compare
naveenpaul1
changed the title
|
Hi @naveenpaul1 :) |
guymguym
requested changes
May 9, 2024
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
6 times, most recently
from
e3bb799
to
ee482a7
Compare
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
3 times, most recently
from
e428fd8
to
aeb811d
Compare
romayalon
reviewed
May 15, 2024
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
from
aeb811d
to
7abb27e
Compare
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
4 times, most recently
from
1bd0bfd
to
14d1ef3
Compare
romayalon
reviewed
May 22, 2024
shirady
reviewed
May 22, 2024
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
2 times, most recently
from
e2a19b4
to
6a85286
Compare
romayalon
reviewed
May 23, 2024
romayalon
reviewed
May 23, 2024
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
2 times, most recently
from
bd3dd7f
to
8ee713e
Compare
romayalon
reviewed
May 23, 2024
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
2 times, most recently
from
d832341
to
f309093
Compare
romayalon
approved these changes
May 27, 2024
|
@naveenpaul1 Thanks for the hard work on this one!!! |
Signed-off-by: naveenpaul1 <napaul@redhat.com>
naveenpaul1
force-pushed
the
anonymous_namespace_req
branch
from
f309093
to
3a7b275
Compare
romayalon
reviewed
May 27, 2024
| * (instead of flags) and return its content | ||
| * @param {object[]} access_keys | ||
| */ | ||
| function is_anonymous(access_keys) { |
There was a problem hiding this comment.
rename to has_access_keys please
romayalon
reviewed
May 27, 2024
|
|
||
| Anonymous requests are those sent without access and secret key and Noobaa NSFS allow it with supporting bucket policy. Users have to create an anonymous account before accessing the resources. Noobaa uses anonymous account's uid and gid or user(distinguished_name) for accessing bucket storage paths. Noobaa can have one anonymous account. Commands for creating anonumous account are | ||
| ``` | ||
| node src/cmd/manage_nsfs account add --anonymous --uid {uid} --gid {gid} |
There was a problem hiding this comment.
can someone create/update a regular account called anonymous? we need to block it if so
romayalon
reviewed
May 27, 2024
| // ANONYMOUS: cannot work without bucket, cannot work on namespace bucket (?) | ||
| // ANONYMOUS: cannot work without bucket. | ||
| // Return if the acount is anonymous | ||
| const is_anon = !(token && token.access_key); |
There was a problem hiding this comment.
this causing s3 requests with access key empty and secret key non empty to make anon requests instead of failing like happens in AWS
guymguym
reviewed
May 27, 2024
| @@ -96,8 +96,8 @@ class BucketSpaceFS extends BucketSpaceSimpleFS { | |||
|
|
|||
| async read_account_by_access_key({ access_key }) { | |||
| try { | |||
| if (!access_key) throw new Error('no access key'); | |||
| const iam_path = this._get_access_keys_config_path(access_key); | |||
| const iam_path = access_key === '' ? this._get_account_config_path(config.NC_ANON_ACCOUNT_NAME) : | |||
There was a problem hiding this comment.
Using empty string or even undefined can be accidental and we really don't want to allow that.
Lets do this - define a new const anonymous_access_key = Symbol('anonymous_access_key') in object_sdk.
Then we should use this symbol as the key to the cache, but be explicit about it and not implicit.
guymguym
reviewed
May 27, 2024
| @@ -207,19 +207,17 @@ class ObjectSDK { | |||
| async load_requesting_account(req) { | |||
| try { | |||
| const token = this.get_auth_token(); | |||
| if (!token) return; | |||
| const is_anon = !(token && token.access_key); | |||
There was a problem hiding this comment.
also here we want to only check !token and not assume empty access key is also anon, right?
guymguym
reviewed
May 27, 2024
| this.requesting_account = await account_cache.get_with_cache({ | ||
| bucketspace: this._get_bucketspace(), | ||
| access_key: token.access_key, | ||
| access_key: is_anon ? '' : token.access_key, |
There was a problem hiding this comment.
Per the suggestion to use symbol above -
Suggested change
| access_key: is_anon ? '' : token.access_key, | |
| access_key: token ? token.access_key : anonymous_access_key, |
guymguym
reviewed
May 27, 2024
| ``` | ||
| or | ||
| ``` | ||
| node src/cmd/manage_nsfs account add --anonymous --user {user} |
There was a problem hiding this comment.
change all calls from manage_nsfs to noobaa-cli -
Suggested change
| node src/cmd/manage_nsfs account add --anonymous --user {user} | |
| noobaa-cli account add --anonymous --user {user} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Explain the changes
test_post_object_wrong_bucketadded to black listIssues: Fixed #xxx / Gap #xxx
Testing Instructions:
node src/cmd/manage_nsfs account add --anonymous --uid {uid} --gid {gid}{ Effect: 'Allow', Principal: { AWS: ["*"] }, Action: ['s3:GetObject', 's3:ListBucket'], Resource: ['arn:aws:s3:::*'] }