NSFS | NC | IAM Service - Users CRUD API Implementation #8055

Merged
merged 1 commit into from
Jun 9, 2024

Conversation

shirady
Contributor

@shirady shirady commented May 20, 2024

Explain the changes

  1. Implement the functions related to users in AccountSpaceFS (CRUD) - all the functions here will only work on an IAM user without access keys (no encryption is involved at this point).
  2. Add more properties to nsfs_account_schema (all of them are not required):
  • owner = owner is the account ID that owns this account (permission-wise).
  • creator = creator is the account ID that created this account (internal information).
  • path = AWS path (identifier).
  3. Add function generate_id in manage_nsfs_cli_utils.js to avoid importing MongoDB code in new files, and reuse this function only.
  4. Add errors in IamError from the doc of users' action API.
  5. Add functions in iam_utils.
  6. Add unit tests for the function in iam_utils.
  7. Update unit test for user function in accountspace_fs.
  8. Add unit test in account_schema_validation for the case of an account without access keys (empty array), and for added properties in the schema.
  9. Rename:
  • path to iam_path
  • AWS_DEFAULT_PATH to IAM_DEFAULT_PATH
  • Rename path_prefix to iam_path_prefix
  10. Add ResponseMetadata protection in reply.
  11. Add more details in IAM documentation:
  • Add documentation related to users in the design docs (docs/design/iam.md)
  • Add Get Started section that would be the demo for IAM user management (docs/dev_guide/nc_nsfs_iam_developer_doc.md)

Issues:

Gaps:

  1. Currently the naming scope of a username is global (all config file names); it should be only under the root account in the future.
  2. Currently the files are written in the config file at the same place as the root account, meaning by default in /etc/noobaa.conf.d/accounts/, no hierarchy in FS (under discussion if it would be changed in the future).
  3. Data is read without encryption/decryption in users CRUD API implementation in accountspace_fs.
  4. Parsing and validating the params (for example: username).
  5. No pagination in the list_users implementation.
  6. No NoobaaEvent at this point.
  7. _translate_error_codes was copied from NameSpaceFS and BucketSpaceFS, but might need to be refactored to match the needs.
  8. In some cases the ARN that we use will not contain the user's path in errors.
  9. In password_last_used we send a dummy value.
  10. Currently we copy the master_key_id from the root account, we should take the most updated master_key_id.
  11. Clean the account cache after update_user (we will add this in the PR of IAM access keys).

Testing Instructions:

Unit Tests

Please run:

  1. sudo npx jest test_accountspace_fs.test.js
  2. npx jest test_iam_utils.test.js
  3. npx jest test_nc_nsfs_account_schema_validation.test.js

Manual Test

Currently, we do not validate the input, so the test should use only valid input.

  1. Create the root user account with the CLI: sudo node src/cmd/manage_nsfs account add --name shira-1002 --new_buckets_path /tmp/nsfs_root1 --access_key <access-key> --secret_key <secret-key> --uid <uid> --gid <gid>
    Note: before creating the account, you need to give permission to the new_buckets_path: chmod 777 /tmp/nsfs_root1.
  2. Start the NSFS server with: sudo node src/cmd/nsfs --debug 5 --https_port_iam 7005
    Note: before starting the server please add this line: process.env.NOOBAA_LOG_LEVEL = 'nsfs'; in the endpoint.js (before the condition if (process.env.NOOBAA_LOG_LEVEL) {)
  3. Create the alias for the IAM service: alias s3-nc-user-1-iam='AWS_ACCESS_KEY_ID=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:7005'.
  4. Use AWS CLI to send requests to the IAM service, for example:
    s3-nc-user-1-iam iam create-user --user-name Bob --path '/division_abc/subdivision_xyz/'
    s3-nc-user-1-iam iam get-user --user-name Bob
    s3-nc-user-1-iam iam update-user --user-name Bob --new-user-name Robert --new-path '/division_abc/subdivision_abc/'
    s3-nc-user-1-iam iam delete-user --user-name Bob
    s3-nc-user-1-iam iam list-users
  • Doc added/updated
  • Tests added
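
Gap 4 and the manual-test note above say the users API does not yet parse and validate its parameters. The following is an added example, not code from this PR or from NooBaa, of checking `UserName`, `NewUserName`, `Path` and `NewPath` against the length and character constraints in the AWS IAM API reference before a user config file is created or renamed. The names `validate_user_params`, `check_param` and `ACTION_PARAMS` are hypothetical, and the printable-ASCII range used for paths is an assumption of this example.

```javascript
'use strict';
// Added example, not NooBaa code. Function and table names are hypothetical.
// UserName: 1-64 chars from the set the AWS IAM API reference allows.
const USERNAME_RE = /^[\w+=,.@-]{1,64}$/;
// Path: '/' alone, or '/.../' built from printable ASCII '!'..'~' (assumed range).
const IAM_PATH_RE = /^(\/|\/[\u0021-\u007E]+\/)$/;
const MAX_PATH_LEN = 512;

// Parameters of each user action: [name, kind, required].
const ACTION_PARAMS = {
    CreateUser: [['UserName', 'username', true], ['Path', 'path', false]],
    UpdateUser: [['UserName', 'username', true], ['NewUserName', 'username', false],
        ['NewPath', 'path', false]],
    DeleteUser: [['UserName', 'username', true]],
};

// Returns a description of the problem, or null when the value is acceptable.
function check_param(kind, value) {
    if (typeof value !== 'string') return 'must be a string';
    if (kind === 'username') {
        return USERNAME_RE.test(value) ? null : 'must be 1-64 characters from [A-Za-z0-9_+=,.@-]';
    }
    if (value.length > MAX_PATH_LEN) return `must be at most ${MAX_PATH_LEN} characters`;
    return IAM_PATH_RE.test(value) ? null : "must be '/' or start and end with '/' (printable ASCII)";
}

// Collects every problem instead of stopping at the first, so one reply can report all.
function validate_user_params(action, params) {
    const spec = ACTION_PARAMS[action];
    if (!spec) return [{ code: 'InvalidAction', message: `unsupported action ${action}` }];
    const errors = [];
    for (const [name, kind, required] of spec) {
        const value = params[name];
        if (value === undefined) {
            if (required) errors.push({ code: 'ValidationError', message: `${name} is required` });
            continue;
        }
        const problem = check_param(kind, value);
        if (problem) errors.push({ code: 'ValidationError', message: `${name} ${problem}` });
    }
    return errors;
}

// Constructed inputs: the first mirrors the create-user call in the manual test.
console.log(validate_user_params('CreateUser', { UserName: 'Bob', Path: '/division_abc/subdivision_xyz/' }));
console.log(validate_user_params('CreateUser', { UserName: 'Bob Smith', Path: 'division_abc' }));
```

The user-name pattern admits no `/`, so a name that passes cannot carry a path separator into the account config file name.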

@shirady shirady self-assigned this May 20, 2024
@shirady shirady force-pushed the nsfs-iam-account-users branch 3 times, most recently from 8f7e950 to 69db000 Compare May 27, 2024 12:40
@shirady shirady force-pushed the nsfs-iam-account-users branch 2 times, most recently from c928d6d to 9e0fa78 Compare June 6, 2024 05:43
@shirady shirady force-pushed the nsfs-iam-account-users branch 2 times, most recently from 32ba9a8 to 7ba9cc0 Compare June 6, 2024 08:41
@shirady shirady requested a review from guymguym June 6, 2024 09:17
@guymguym
Member

guymguym commented Jun 9, 2024

@shirady Please do not forget to squash commits. thanks

@shirady shirady force-pushed the nsfs-iam-account-users branch from 7ba9cc0 to df04d9d Compare June 9, 2024 08:09
1. Implement the functions related to users in AccountSpaceFS (CRUD) - all the functions here will only work on an IAM user without access keys (no encryption is involved at this point).
2. Add more properties to nsfs_account_schema (all of them are not required):
  - owner = owner is the account ID that owns this account (permission-wise).
  - creator = creator is the account ID that created this account (internal information).
  - path = AWS path (identifier).
3. Add function generate_id in manage_nsfs_cli_utils.js to avoid importing MongoDB code in new files, and reuse this function only.
4. Add errors in IamError from the doc of users' action API.
5. Add functions in iam_utils.
6. Add unit tests for the function in iam_utils.
7. Update unit test for user function in accountspace_fs.
8. Add unit test in account_schema_validation for the case of an account without access keys (empty array), and for added properties in the schema.
9. Rename:
  - path to iam_path
  - AWS_DEFAULT_PATH to IAM_DEFAULT_PATH
  - Rename path_prefix to iam_path_prefix
10. Add ResponseMetadata protection in reply.
11. Add more details in IAM documentation:
  - Add documentation related to users in the design docs (docs/design/iam.md)
  - Add Get Started section that would be the demo for IAM user management (docs/dev_guide/nc_nsfs_iam_developer_doc.md)

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
@shirady shirady force-pushed the nsfs-iam-account-users branch from df04d9d to 3e07454 Compare June 9, 2024 08:18
@shirady shirady merged commit 28af670 into noobaa:master Jun 9, 2024
10 checks passed