NSFS | NC | IAM Service - Root Accounts Manager #8161

Merged

@shirady shirady commented Jun 24, 2024

Explain the changes

  1. Add more properties to nsfs_account_schema (not required):
    • iam_operate_on_root_account = boolean (if an account was set with true, then it is a root accounts manager).
  2. Add the option of iam_operate_on_root_account in noobaa cli.
  3. Edit all the functions in AccountSpaceFS (CRUD) to operate on root accounts when the requesting account is a root accounts manager.

Issues:

List of GAPs:

  1. Parsing and validating the params (for example: username).
  2. No NoobaaEvent at this point.
  3. Change the IamError class to have a template message.

Testing Instructions:

Unit Tests

Please run:

  1. sudo npx jest test_accountspace_fs.test.js
  2. npx jest test_nc_nsfs_account_schema_validation.test.js
  3. sudo npx jest test_nc_nsfs_account_cli.test.js
  4. sudo npx jest test_nc_nsfs_bucket_cli.test.js
  5. sudo node ./node_modules/.bin/_mocha src/test/unit_tests/test_nc_nsfs_cli.js

Manual Tests

IAM changes in NC NSFS
Currently, we do not validate the input, so the test should use only valid input.

  1. Create the root accounts manager with the CLI: sudo node src/cmd/manage_nsfs account add --name <account-name> --new_buckets_path /tmp/nsfs_root1 --access_key <access-key> --secret_key <secret-key> --uid <uid> --gid <gid> --iam_operate_on_root_account
    Note: before creating the account, you need to give permission to the new_buckets_path: chmod 777 /tmp/nsfs_root1.
  2. Start the NSFS server with: sudo node src/cmd/nsfs --debug 5 --https_port_iam 7005
    Note: before starting the server please add this line: process.env.NOOBAA_LOG_LEVEL = 'nsfs'; in the endpoint.js (before the condition if (process.env.NOOBAA_LOG_LEVEL) {)
  3. Create the alias for IAM service: alias s3-nc-manager-1-iam='AWS_ACCESS_KEY_ID=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:7005'.
  4. Use AWS CLI to send requests to the IAM service, for example:
    s3-nc-manager-1-iam iam create-user --user-name Bob-root --path '/division_abc/subdivision_xyz/'
    s3-nc-manager-1-iam iam create-access-key --user-name Bob-root
    s3-nc-manager-1-iam iam get-access-key-last-used --access-key-id <access-key>
    s3-nc-manager-1-iam iam update-access-key --access-key-id <access-key> --user-name Bob-root --status Inactive
    s3-nc-manager-1-iam iam delete-access-key --access-key-id <access-key> --user-name Bob-root
    s3-nc-manager-1-iam iam list-access-keys --user-name Bob-root
    Note: the account created by a root accounts manager using the IAM API is a root account.
  • Doc added/updated
  • Tests added
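
An added example (not code from this pull request or from NooBaa): an audit helper that reports which account configs carry the new iam_operate_on_root_account flag and which hold a non-boolean value that the schema would reject. The JSON layout, the "name" field and the function name are assumptions made for illustration; only the flag name and its optional boolean type come from the description above.

```javascript
'use strict';

// Constructed sample account configs (not real NooBaa files). Only the
// iam_operate_on_root_account key comes from the PR; "name" is assumed.
const SAMPLE_CONFIGS = [
    '{"name": "manager1", "iam_operate_on_root_account": true}',
    '{"name": "root1"}',
    '{"name": "root2", "iam_operate_on_root_account": false}',
    '{"name": "typo1", "iam_operate_on_root_account": "true"}',
    '{"name": "broken1", ',
];

// Hypothetical helper: classify each raw config by the privilege flag.
function auditRootAccountsManagers(rawConfigs) {
    const report = { managers: [], invalid: [], unparsable: 0 };
    for (const raw of rawConfigs) {
        let account;
        try {
            account = JSON.parse(raw);
        } catch (err) {
            report.unparsable += 1; // truncated or corrupted config
            continue;
        }
        if (account === null || typeof account !== 'object') {
            report.unparsable += 1; // valid JSON, but not an account object
            continue;
        }
        const flag = account.iam_operate_on_root_account;
        if (flag === undefined) continue; // optional key: a regular account
        if (typeof flag !== 'boolean') {
            // e.g. the string "true": must not be read as a granted privilege
            report.invalid.push(account.name);
        } else if (flag) {
            report.managers.push(account.name);
        }
    }
    return report;
}

console.log(auditRootAccountsManagers(SAMPLE_CONFIGS));
```
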

@shirady shirady self-assigned this Jun 24, 2024
@shirady shirady force-pushed the nsfs-iam-account-allow_root_account_creation branch 2 times, most recently from 338450c to b8a42ef Compare June 27, 2024 14:21
@shirady shirady changed the title NSFS | NC | IAM Service - Admin Account NSFS | NC | IAM Service - Root Accounts Manager Jun 27, 2024
@shirady shirady force-pushed the nsfs-iam-account-allow_root_account_creation branch from b8a42ef to 6512f6a Compare June 30, 2024 05:07
@shirady shirady force-pushed the nsfs-iam-account-allow_root_account_creation branch from 6512f6a to 5143196 Compare June 30, 2024 12:23
@shirady shirady mentioned this pull request Jul 2, 2024
@shirady shirady force-pushed the nsfs-iam-account-allow_root_account_creation branch 2 times, most recently from babf3d4 to baa893a Compare July 2, 2024 08:20
@shirady shirady requested a review from romayalon July 2, 2024 08:46
…ons using the IAM API)

1. Add more properties to nsfs_account_schema (not required):
   - iam_operate_on_root_account = boolean (if an account was set with true, then it is a root accounts manager).
2. Add the option of iam_operate_on_root_account in noobaa cli.
3. Edit all the functions in AccountSpaceFS (CRUD) to operate on root accounts when the requesting account is a root accounts manager.

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
@shirady shirady force-pushed the nsfs-iam-account-allow_root_account_creation branch from baa893a to 052f158 Compare July 3, 2024 05:45
@shirady shirady merged commit 0689043 into noobaa:master Jul 3, 2024
10 checks passed
@shirady shirady mentioned this pull request Jul 7, 2024