Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Standard authorization for backbeat routes #5714

Draft
wants to merge 3 commits into
base: development/8.8
Choose a base branch
from
Draft

Standard authorization for backbeat routes #5714

wants to merge 3 commits into from
+722 −231

Conversation

williamlardier
Copy link
Contributor

@williamlardier williamlardier commented Dec 10, 2024
edited
Loading

The goal here is to handle the authorization from the IAM module in the backbeat routes, and not rely on implicit deny === access denied, as this is not true anymore.
By doing so, we centralize the logic with all S3 APIs, and introduce some unit test to complete the functional tests from tests/multipleBackend/routes/routeBackbeat.js

Next steps:

  • Re enable all functional tests, if possible...

@williamlardier
Document backbeat routes
7c88864 
Issue: CLDSRV-591
@williamlardier
Ensure backbeat routes are authorizing requests
c0bb428 
Today, authorization results are not used. It is because before
having implicit denies, we would have an AccessDenied directly.
To be consistent, we must pass the authorization results.
We thus allow the bucket policies and ACLs to be processed.

Unit tests are added to cover all existing routes.
Routes themselves are not direectly tested, only the router
logic. We must first add tests for backbeat routes before
merging more logic with the normal router.

Issue: CLDSRV-591
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Hello williamlardier,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Incorrect fix version

The Fix Version/s in issue CLDSRV-591 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 8.8.40

Please check the Fix Version/s of CLDSRV-591, or the target
branch of this pull request.

@williamlardier williamlardier changed the title Bugfix/cldsrv 591 Standard authorization for backbeat routes Dec 10, 2024
@bert-e
Copy link
Contributor

bert-e commented Dec 10, 2024

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@williamlardier williamlardier force-pushed the bugfix/CLDSRV-591 branch 3 times, most recently from c3b007f to fa4422a Compare December 11, 2024 10:57
@williamlardier
Unify implicit deny handling in normal and backbeat routes
decfc8f 
- Also split backbeat routers
- Better use the callback functions
- Do not return twice to the client in case of error and
  quota evaluation (finalizer hooks)
- Remove account quota from backbeat proxy route: as not
  used in this case.

Issue: CLDSRV-591
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@williamlardier @bert-e