Improvement/cldsrv 431 misc api implicit deny #5479
f545cc1
to
c65aefb
Compare
lib/routes/routeBackbeat.js
Outdated
// eslint-disable-next-line no-param-reassign | ||
request.actionImplicitDenies = false; |
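Review bot: the hard-coded `request.actionImplicitDenies = false` has no comment saying why this route forces the flag to false, and the only annotation on it is the eslint-disable needed for mutating the incoming request. A one-line comment stating the reason would keep the override visible to anyone auditing which routes opt out of the implicit-deny default.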
This can be done in the _normalizeBackbeatRequest function:
cloudserver/lib/routes/routeBackbeat.js
Line 71 in 15a1aa7
function _normalizeBackbeatRequest(req) { |
@@ -22,10 +22,11 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log, | |||
// but the requestType is the more general 'objectDelete' | |||
const metadataValParams = Object.assign({}, metadataValMPUparams); | |||
metadataValParams.requestType = 'objectPut'; | |||
const authzIdentityResult = request ? request.actionImplicitDenies : true; |
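Review bot: on the added authzIdentityResult line, the fallback to true only applies when request itself is falsy; a request object that lacks an actionImplicitDenies property yields undefined instead of the implicit-deny default. Testing the property rather than the object, for example `request && request.actionImplicitDenies !== undefined ? request.actionImplicitDenies : true`, makes the default hold in both cases. The name authzIdentityResult also hides that the value is an implicit-deny flag, and the context comment mentions 'objectDelete' while the next line assigns 'objectPut', which deserves a clarifying word.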
Maybe not useful anymore if we default to true (implicit deny) when the request is missing the property?
Indeed, even if it's not changing the behaviour, setting it to false makes more sense, good catch
const actionImplicitDenies = authorizationResults.reduce((acc, curr, idx) => { | ||
const apiMethod = requestContextParams[idx].apiMethod; | ||
return Object.assign({}, acc, { [apiMethod]: curr.isImplicit }); | ||
}, {}); |
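Review bot: in the reduce, `requestContextParams[idx]` assumes authorizationResults has the same length and order as requestContextParams; a shorter params array throws on `.apiMethod`, and two entries sharing an apiMethod collapse onto one key with the last isImplicit value winning. Consider checking that the lengths match and deciding explicitly how duplicate apiMethod keys should combine.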
Same comment as in other PR here to optimize the logic and avoid re-creating objects
log, | ||
request); | ||
|
||
return cb(areAllActionsAllowed ? null : errors.AccessDenied); |
This was from the PoC but I would suggest being very strict on the check:
return cb(areAllActionsAllowed ? null : errors.AccessDenied); | |
return cb(areAllActionsAllowed === true ? null : errors.AccessDenied); |
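The two points raised in this review, defaulting a missing flag to implicit deny and comparing the final verdict with `=== true`, shown as an added JavaScript example that is not code from this pull request or from cloudserver. `decideAction`, the `{ isAllowed, isImplicit }` shape, the verdict strings and the rule that one explicit allow suffices when nothing explicitly denies are assumptions made for illustration.

```javascript
// Added example: a hypothetical model, not cloudserver or Arsenal code.

// identity: { isAllowed, isImplicit } from the identity-policy evaluation.
// resourceVerdict: 'ALLOW' | 'DENY' | 'NEUTRAL' from the bucket policy.
function decideAction(identity, resourceVerdict) {
    const allowed = Boolean(identity) && identity.isAllowed === true;
    // A missing flag defaults to true (implicit deny), as discussed in review.
    const implicit = !identity || identity.isImplicit !== false;
    if ((!allowed && !implicit) || resourceVerdict === 'DENY') {
        return false; // an explicit deny on either side always wins
    }
    // Otherwise one explicit allow is enough; with none, the implicit deny stands.
    return allowed || resourceVerdict === 'ALLOW';
}

// PoC-style check: any truthy value is treated as "allowed".
function looseError(areAllActionsAllowed) {
    return areAllActionsAllowed ? null : 'AccessDenied';
}

// Strict check: only the boolean `true` clears the request.
function strictError(areAllActionsAllowed) {
    return areAllActionsAllowed === true ? null : 'AccessDenied';
}

// Constructed cases: [identity result, bucket-policy verdict].
const cases = [
    [{ isAllowed: false, isImplicit: true }, 'ALLOW'],   // policy grants -> true
    [{ isAllowed: false, isImplicit: false }, 'ALLOW'],  // explicit deny -> false
    [{ isAllowed: true, isImplicit: false }, 'DENY'],    // policy denies -> false
    [undefined, 'NEUTRAL'],                              // nothing grants -> false
];
const decisions = cases.map(([id, verdict]) => decideAction(id, verdict));
console.log(decisions);

// Constructed non-boolean values a buggy evaluator could hand to the callback.
for (const v of ['false', {}, 1, undefined]) {
    console.log(JSON.stringify(v), looseError(v), strictError(v));
}
```

The loop shows where the two checks diverge: the string 'false', an empty object and the number 1 pass the loose check but are rejected by the strict one.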
76b8d1f
to
74425d0
Compare
Hello benzekrimaha,
My role is to assist you with the merge of this
Status report is not available.
ping
Incorrect fix version
The
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the
ping
Request integration branches
Waiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command:
Alternatively, the
98e5efd
to
55d741c
Compare
304181e
to
4897b3c
Compare
ab42bc4
to
dc39b37
Compare
/create_integration_branches
Conflict
A conflict has been raised during the creation of
I have not created the integration branch.
Here are the steps to resolve this conflict:
$ git fetch
$ git checkout -B w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/7.70
$ git merge origin/improvement/CLDSRV-431-misc-api-implicitDeny
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny
The following options are set: create_integration_branches
ping
Conflict
A conflict has been raised during the creation of
I have not created the integration branch.
Here are the steps to resolve this conflict:
$ git fetch
$ git checkout -B w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.6
$ git merge origin/w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny
The following options are set: create_integration_branches
ping
Conflict
A conflict has been raised during the creation of
I have not created the integration branch.
Here are the steps to resolve this conflict:
$ git fetch
$ git checkout -B w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.7
$ git merge origin/w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny
The following options are set: create_integration_branches
ping
Conflict
A conflict has been raised during the creation of
I have not created the integration branch.
Here are the steps to resolve this conflict:
$ git fetch
$ git checkout -B w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.8
$ git merge origin/w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny
The following options are set: create_integration_branches
/create_pull_requests
Integration data created
I have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
Follow integration pull requests if you would like to be notified of
The following options are set: create_pull_requests, create_integration_branches
Waiting for approval
The following approvals are needed before I can proceed with the merge:
The following options are set: create_pull_requests, create_integration_branches
I tested this PR with E2E tests
LGTM
I was closely following their branch and code changes before the PR was opened, hence the review was quick.
Integration PR: https://github.com/scality/Integration/pull/1215
@bert-e approve
In the queue
The changeset has received all authorizations and has been added to the
The changeset will be merged in:
The following branches will NOT be impacted:
There is no action required on your side. You will be notified here once
IMPORTANT
Please do not attempt to modify this pull request.
If you need this pull request to be removed from the queue, please contact a
The following options are set: approve, create_pull_requests, create_integration_branches
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue CLDSRV-431.
Goodbye benzekrimaha.
Bucket policies are not correctly interpreted, this is part of the following epic to fix that: scality/Arsenal#2181
This PR is aiming to update get APIs, since object and bucket authorisations are made at API level and need to support implicit denies. The ticket linked to this issue is here: https://scality.atlassian.net/browse/CLDSRV-431
PRs providing implicit Deny logic to CS for processing in this PR
scality/Arsenal#2181 and scality/Arsenal#2193
https://github.com/scality/Vault/pull/2135
#5322
#5420
#5432
#5456
#5462
#5470
Here are the CI links for the Zenko tests:
https://github.com/scality/Zenko/actions/runs/7209044767
https://github.com/scality/Zenko/actions/runs/7209077500
https://github.com/scality/Zenko/actions/runs/7209082617