Improvement/zenko 4685 bucket policies and conditions

Open williamlardier opened this issue 1 year ago • 8 comments

Will be rebased with creation of integration branches after the next Artesca 1.7 release.

Bucket policies for ARTESCA:

  • Bump of Cloudserver with latest changes around the feature
  • Bump of Vault (enabling the implicit denies by default)
  • Bump of ZKOP (adds a CR option to disable Implicit Denies from Vault)

Note: will be rebased with the real tags once we have them.

Bump of CTST

CTST is bumped to use the SDK, which greatly speeds up the new tests. The changes are backported from https://github.com/scality/Zenko/pull/1995

Tests

We test all S3 APIs against 20 authorization scenarios with all combinations of Bucket Policies and IAM Policies states:

  • No policy
  • Policy does not apply
  • Policy applies with DENY
  • Policy applies with ALLOW
  • Policy applies with both ALLOW and DENY (IAM case only)

All APIs are tested for IAM Users, Assumed Role users, and Cross Account users.

Note: the scenarios are generated with a js script as a helper, as we must list all the scenarios in the .feature files, which is too much to be managed by hand.

Additional tests:

  • Customer use case, with a Bucket Policy granting read access to buckets and write access to objects in the bucket. All S3 APIs are tested.
  • Conditions: both retention period and IP address checks.
  • Web Identities: a single sanity check to ensure internal role permissions can be extended with Bucket Policies. The main logic is already tested by the "Assumed Role" scenarios above.

Test logic

All tests try to reuse steps as much as possible. All S3 APIs are defined in an object where we define when we need specific setup or error codes as output.

williamlardier avatar Feb 21 '24 11:02 williamlardier
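
The 20-scenario matrix described in the pull request above (4 Bucket Policy states × 5 IAM Policy states), as an added example that is not the PR's helper script or any Zenko code. The state names, function names and table layout are hypothetical, and the expected outcomes assume AWS-style evaluation (explicit deny wins; same-account needs one allow; cross-account needs an allow on both sides; otherwise implicit deny).

```javascript
// Added illustration: identifiers and expected results are assumptions,
// not taken from the Zenko/CTST code base.
const BUCKET_STATES = ['NONE', 'NOT_APPLICABLE', 'DENY', 'ALLOW'];
// The combined ALLOW+DENY state exists for IAM policies only.
const IAM_STATES = [...BUCKET_STATES, 'ALLOW_AND_DENY'];

const allows = (s) => s === 'ALLOW' || s === 'ALLOW_AND_DENY';
const denies = (s) => s === 'DENY' || s === 'ALLOW_AND_DENY';

// Assumed AWS-style decision for one (bucket policy, IAM policy) pair.
function expectedDecision(bucket, iam, crossAccount = false) {
  // An explicit deny on either side always wins.
  if (denies(bucket) || denies(iam)) return 'ExplicitDeny';
  // Same account: one allow is enough. Cross account: both must allow.
  const granted = crossAccount
    ? allows(bucket) && allows(iam)
    : allows(bucket) || allows(iam);
  // No matching allow means the request falls through to an implicit deny.
  return granted ? 'Allow' : 'ImplicitDeny';
}

// Cartesian product of both state lists: 4 x 5 = 20 scenarios.
function generateScenarios(crossAccount = false) {
  const rows = [];
  for (const bucket of BUCKET_STATES) {
    for (const iam of IAM_STATES) {
      rows.push({
        bucket,
        iam,
        expected: expectedDecision(bucket, iam, crossAccount),
      });
    }
  }
  return rows;
}

// Render the rows as a Gherkin "Examples" table for a .feature file.
function toExamplesTable(rows) {
  const header = '| bucketPolicy | iamPolicy | expected |';
  const body = rows.map((r) => `| ${r.bucket} | ${r.iam} | ${r.expected} |`);
  return [header, ...body].join('\n');
}

console.log(toExamplesTable(generateScenarios()));
```
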

Hello williamlardier,

My role is to assist you with the merge of this pull request. Please type @bert-e help to get information on this process, or consult the user documentation.

Status report is not available.

bert-e avatar Feb 21 '24 11:02 bert-e

Incorrect fix version

The Fix Version/s in issue ZENKO-4685 contains:

  • 2.7.46

  • 2.8.26

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 2.6.50

  • 2.7.46

  • 2.8.26

  • 2.9.0

Please check the Fix Version/s of ZENKO-4685, or the target branch of this pull request.

bert-e avatar Mar 06 '24 08:03 bert-e

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically create the integration branches.

bert-e avatar Mar 06 '24 10:03 bert-e

/create_integration_branches

williamlardier avatar Mar 06 '24 10:03 williamlardier

Creating integration branches to assess if more work is needed on latest branches.

williamlardier avatar Mar 06 '24 10:03 williamlardier

Integration data created

I have created the integration data for the additional destination branches.

The following branches will NOT be impacted:

  • development/2.5

You can set option create_pull_requests if you need me to create integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: create_integration_branches

bert-e avatar Mar 06 '24 10:03 bert-e

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

The following options are set: create_integration_branches

bert-e avatar Mar 06 '24 10:03 bert-e

LGTM based on what we discussed

benzekrimaha avatar Mar 15 '24 15:03 benzekrimaha

History mismatch

Merge commit #bec26b8cd3eca474b80108f7eb37197c5e0cccaf on the integration branch w/2.7/improvement/ZENKO-4685-bucket-policies-and-conditions is merging a branch which is neither the current branch improvement/ZENKO-4685-bucket-policies-and-conditions nor the development branch development/2.7.

It is likely due to a rebase of the branch improvement/ZENKO-4685-bucket-policies-and-conditions and the merge is not possible until all related w/* branches are deleted or updated.

Please use the reset command to have me reinitialize these branches.

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 07:03 bert-e

/force_reset

williamlardier avatar Mar 18 '24 07:03 williamlardier

Reset complete

I have successfully deleted this pull request's integration branches.

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 07:03 bert-e

Integration data created

I have created the integration data for the additional destination branches.

The following branches will NOT be impacted:

  • development/2.5

You can set option create_pull_requests if you need me to create integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 08:03 bert-e

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 08:03 bert-e

/force_reset

williamlardier avatar Mar 18 '24 09:03 williamlardier

Reset complete

I have successfully deleted this pull request's integration branches.

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 09:03 bert-e

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 09:03 bert-e

History mismatch

Merge commit #3e5fd104f101e6b69e00a4bfff1fde809be1b0f0 on the integration branch w/2.8/improvement/ZENKO-4685-bucket-policies-and-conditions is merging a branch which is neither the current branch improvement/ZENKO-4685-bucket-policies-and-conditions nor the development branch development/2.8.

It is likely due to a rebase of the branch improvement/ZENKO-4685-bucket-policies-and-conditions and the merge is not possible until all related w/* branches are deleted or updated.

Please use the reset command to have me reinitialize these branches.

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 12:03 bert-e

/force_reset

williamlardier avatar Mar 18 '24 12:03 williamlardier

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

The following options are set: create_integration_branches

bert-e avatar Mar 18 '24 13:03 bert-e

/approve

williamlardier avatar Mar 19 '24 08:03 williamlardier

I have successfully merged the changeset of this pull request into targeted development branches:

  • :heavy_check_mark: development/2.6

  • :heavy_check_mark: development/2.7

  • :heavy_check_mark: development/2.8

  • :heavy_check_mark: development/2.9

The following branches have NOT changed:

  • development/2.5

Please check the status of the associated issue ZENKO-4685.

Goodbye williamlardier.

The following options are set: approve, create_integration_branches

bert-e avatar Mar 19 '24 08:03 bert-e