
Added functionality to clean-up old Object Storage keys created by linode-cli

Open skulpok-akamai opened this issue 2 months ago • 7 comments

📝 Description

This change adds automatic clean-up of object storage access keys created by linode-cli that are older than 30 days (by default). The clean-up runs once every 24 hours and is triggered before any object storage operation. This helps to remove stale keys and improve security by ensuring old, unused keys are regularly deleted.

✔️ How to Test

What are the steps to reproduce the issue or verify the changes?

  1. Make sure access-key was created for linode-cli (e.g. perform linode-cli obj ls)
  2. Run another obj command with the cleanup, e.g.:
     linode-cli obj ls --force-key-cleanup --key-lifespan 10s
  3. Observe that access key created after step 1. is deleted.

skulpok-akamai avatar Oct 28 '25 16:10 skulpok-akamai

Can you add some clarification in the PR description on how to test this? When I followed the current steps, I never got plugin-obj-key-lifespan-days to appear in my config file. Not sure if it's something I'm doing wrong.

ezilber-akamai avatar Nov 26 '25 21:11 ezilber-akamai

@ezilber-akamai Sure, I updated the ticket description with the verification info: https://track.akamai.com/jira/browse/STORIF-108. I changed plugin-obj-key-lifespan-days after Jacques' suggestion to plugin-obj-key-lifespan, so now you can set it like so:

plugin-obj-key-lifespan = 1h

EDIT: Oh, I also updated the "How to test" section.

skulpok-akamai avatar Nov 27 '25 15:11 skulpok-akamai

Hi @ezilber-akamai, this is expected behavior, the keys are cleaned up before executing the operation. If the key-lifespan is set to 10s, it means it will remove all access keys generated for that customer older than 10s, including the one generated by your linode-cli, so it will need to generate a new one (the default lifespan is 30 days). BTW, it should not rotate the access key if you set plugin-obj-access-key+plugin-obj-secret-key to a key that you created manually (so it doesn't have the "linode-cli-..." naming pattern). Regarding plugin-obj-key-lifespan - it is no longer added automatically to the config after I applied the suggestion that @jafreche-akamai made. It can still be added manually, though.

skulpok-akamai avatar Dec 04 '25 11:12 skulpok-akamai
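
The selection rule described in the PR description and the comment above, sketched as an added example (not code from this PR or from linode-cli). The function names, the `created` timestamp field, the `s`/`m`/`h`/`d` unit set and the sample keys are assumptions made for illustration.

```python
import re

DEFAULT_LIFESPAN = "30d"       # thread: default lifespan is 30 days
CLEANUP_INTERVAL = 24 * 3600   # thread: clean-up runs once every 24 hours
CLI_PREFIX = "linode-cli-"     # thread: CLI-created keys match "linode-cli-..."
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # assumed unit set


def parse_lifespan(text):
    """Turn '10s' / '1h' / '30d' into seconds; reject anything else."""
    match = re.fullmatch(r"(\d+)([smhd])", text.strip())
    # Rejecting a zero lifespan is this example's own guard: it would
    # make every CLI key stale on every run.
    if not match or int(match.group(1)) == 0:
        raise ValueError(f"invalid key lifespan: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def cleanup_due(last_run, now, force=False):
    """Run at most once per 24 h unless forced (cf. --force-key-cleanup)."""
    return force or last_run is None or now - last_run >= CLEANUP_INTERVAL


def stale_cli_keys(keys, lifespan, now):
    """Select keys the CLI created that have outlived the lifespan.

    Keys with any other label (created manually) are never selected.
    """
    max_age = parse_lifespan(lifespan)
    return [
        key for key in keys
        if key["label"].startswith(CLI_PREFIX) and now - key["created"] > max_age
    ]


# Constructed sample data; 'created' as a Unix timestamp is an assumed field.
NOW = 1_700_000_000
SAMPLE_KEYS = [
    {"id": 1, "label": "linode-cli-alice@laptop-1", "created": NOW - 45 * 86400},
    {"id": 2, "label": "linode-cli-alice@laptop-2", "created": NOW - 3600},
    {"id": 3, "label": "ci-backup-key", "created": NOW - 400 * 86400},
]

if __name__ == "__main__":
    if cleanup_due(last_run=NOW - 25 * 3600, now=NOW):
        for key in stale_cli_keys(SAMPLE_KEYS, DEFAULT_LIFESPAN, NOW):
            print("would delete", key["id"], key["label"])
```

With a lifespan of `10s` the one-hour-old CLI key is selected as well, which is why the CLI then has to generate a new key, while the manually created key is left alone at any lifespan.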

> Hi @ezilber-akamai, this is expected behavior, the keys are cleaned up before executing the operation. If the key-lifespan is set to 10s, it means it will remove all access keys generated for that customer older than 10s, including the one generated by your linode-cli, so it will need to generate a new one (the default lifespan is 30 days). BTW, it should not rotate the access key if you set plugin-obj-access-key+plugin-obj-secret-key to a key that you created manually (so it doesn't have the "linode-cli-..." naming pattern). Regarding plugin-obj-key-lifespan - it is no longer added automatically to the config after I applied the suggestion that @jafreche-akamai made. It can still be added manually, though.

Understood. In that case it sounds like it is working properly. I will give a final review today. Thanks for clarifying!

ezilber-akamai avatar Dec 04 '25 13:12 ezilber-akamai

This implementation looks great, although I'm seeing the following test failures when running them locally:

FAILED tests/integration/obj/test_obj_plugin.py::test_obj_action_triggers_key_cleanup_and_deletes_stale_key - AssertionError: Stale key was not deleted
FAILED tests/integration/obj/test_obj_plugin.py::test_obj_action_triggers_key_rotation - AssertionError: Key rotation (keys-create) was not triggered

Since these tests are making heavy use of mocks, I'm wondering if the mocking isn't playing nice with the subprocesses created by exec_test_command.

Would it make sense to move these tests to test/unit/test_plugin_obj.py and call the plugin's call method directly?

lgarber-akamai avatar Dec 05 '25 18:12 lgarber-akamai

Hey @skulpok-akamai ! Just bumping my above message in case you missed it 👍

lgarber-akamai avatar Dec 10 '25 18:12 lgarber-akamai

Just pushed up the testing changes recommended above as discussed in private. We'll just need a re-review from the DX team and this should be set.

Thanks for the contribution!

lgarber-akamai avatar Dec 11 '25 17:12 lgarber-akamai

Hi @lgarber-akamai, sorry, I’m on leave until 2nd January and have very limited availability. I see that you improved the tests, thanks for that! I also see that the PR has now been merged, which is great. I can work on further improving the tests when I’m back from leave if there’s still a need, I’ll get in touch then.

skulpok-akamai avatar Dec 15 '25 14:12 skulpok-akamai