IAM | Change bucket owner for IAM user to account and more

Signed-off-by: Naveen Paul <napaul@redhat.com>

Review

Signed-off-by: Naveen Paul <napaul@redhat.com>

Author: naveenpaul1

src/sdk/accountspace_nb.js

@@ -2,7 +2,6 @@
 'use strict';
 
 const _ = require('lodash');
-const SensitiveString = require('../util/sensitive_string');
 const account_util = require('../util/account_util');
 const iam_utils = require('../endpoint/iam/iam_utils');
 const dbg = require('../util/debug_module')(__filename);
@@ -47,29 +46,28 @@ class AccountSpaceNB {
         account_util._check_if_requesting_account_is_root_account(action, requesting_account,
                 { username: params.username, path: params.iam_path });
         account_util._check_username_already_exists(action, params, requesting_account);
-        const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username, params.iam_path);
-        const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username,
+                                    params.iam_path || IAM_DEFAULT_PATH);
+        const account_name = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
         const req = {
             rpc_params: {
                 name: account_name,
                 email: account_name,
                 has_login: false,
                 s3_access: true,
                 allow_bucket_creation: true,
-                owner: requesting_account._id.toString(),
+                owner: requesting_account._id,
                 is_iam: true,
                 iam_arn: iam_arn,
                 iam_path: params.iam_path,
-                role: 'iam_user',
+                role: 'admin',
 
                 // TODO: default_resource remove
                 default_resource: 'noobaa-default-backing-store',
             },
             account: requesting_account,
         };
-        // CORE CHANGES PENDING - START
         const iam_account = await account_util.create_account(req);
-        // CORE CHANGES PENDING - END
 
         // TODO : Clean account cache
         // TODO : Send Event
@@ -87,19 +85,15 @@ class AccountSpaceNB {
     async get_user(params, account_sdk) {
         const action = IAM_ACTIONS.GET_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
-        const requested_account = system_store.get_account_by_email(account_name);
-        account_util._check_if_requesting_account_is_root_account(action, requesting_account,
-                { username: params.username, iam_path: params.iam_path });
-        account_util._check_if_account_exists(action, account_name);
-        account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
-        account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account);
+        const username = account_util.get_iam_username(params.username || requested_account.name.unwrap());
+        const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), username,
+                                    requested_account.iam_path || IAM_DEFAULT_PATH);
         const reply = {
             user_id: requested_account._id.toString(),
-            // TODO : IAM PATH
             iam_path: requested_account.iam_path || IAM_DEFAULT_PATH,
-            username: account_util.get_iam_username(requested_account.name.unwrap()),
-            arn: requested_account.iam_arn,
+            username: username,
+            arn: iam_arn,
             // TODO: GAP Need to save created date
             create_date: Date.now(),
             // TODO: Dates missing : GAP
@@ -111,7 +105,7 @@ class AccountSpaceNB {
     async update_user(params, account_sdk) {
         const action = IAM_ACTIONS.UPDATE_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
         account_util._check_if_requesting_account_is_root_account(action, requesting_account,
                 { username: params.username, iam_path: params.iam_path });
         account_util._check_if_account_exists(action, username);
@@ -121,17 +115,15 @@ class AccountSpaceNB {
         account_util._check_username_already_exists(action, { username: params.new_username }, requesting_account);
         account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
         account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
-        if (params.new_iam_path !== undefined) iam_path = params.new_iam_path;
-        if (params.new_username !== undefined) user_name = params.new_username;
-        const iam_arn = iam_utils.create_arn_for_user(requested_account._id.toString(), user_name, iam_path);
-        const new_account_name = new SensitiveString(`${params.new_username}:${requesting_account.name.unwrap()}`);
+        if (params.new_iam_path) iam_path = params.new_iam_path;
+        if (params.new_username) user_name = params.new_username;
+        const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), user_name, iam_path);
+        const new_account_name = account_util.get_account_name_from_username(params.new_username, requesting_account._id.toString());
         const updates = {
             name: new_account_name,
             email: new_account_name,
-            iam_arn: iam_arn,
             iam_path: iam_path,
         };
-        // CORE CHANGES PENDING - START
         await system_store.make_changes({
             update: {
                 accounts: [{
@@ -140,11 +132,9 @@ class AccountSpaceNB {
                 }]
             }
         });
-        // CORE CHANGES PENDING - END
         // TODO : Clean account cache
         // TODO : Send Event
         return {
-            // TODO: IAM path needs to be saved
             iam_path: iam_path || IAM_DEFAULT_PATH,
             username: user_name,
             user_id: requested_account._id.toString(),
@@ -156,15 +146,14 @@ class AccountSpaceNB {
     async delete_user(params, account_sdk) {
         const action = IAM_ACTIONS.DELETE_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
         account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
         account_util._check_if_account_exists(action, username);
         const requested_account = system_store.get_account_by_email(username);
         account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
         account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
         account_util._check_if_user_does_not_have_resources_before_deletion(action, requested_account);
         // TODO: DELETE INLINE POLICY : Manually
-        // TODO: DELETE ACCESS KEY : manually
         const req = {
             system: system_store.data.systems[0],
             account: requested_account,
@@ -182,28 +171,29 @@ class AccountSpaceNB {
         account_util._check_if_requesting_account_is_root_account(action, requesting_account, { });
         const is_truncated = false; // GAP - no pagination at this point
 
-        const root_name = requesting_account.name.unwrap();
-        // CORE CHANGES PENDING - START
-        const requesting_account_iam_users = _.filter(system_store.data.accounts, function(acc) {
-            if (!acc.name.unwrap().includes(IAM_SPLIT_CHARACTERS)) {
+
+        const requesting_account_iam_users = _.filter(system_store.data.accounts, function(user) {
+            if (!user.name.unwrap().includes(IAM_SPLIT_CHARACTERS)) {
                 return false;
             }
-            return acc.name.unwrap().split(IAM_SPLIT_CHARACTERS)[1] === root_name;
+            // Check IAM user owner is same as requesting_account id
+            return user.owner._id.toString() === requesting_account._id.toString();
         });
         let members = _.map(requesting_account_iam_users, function(iam_user) {
+            const iam_username = account_util.get_iam_username(iam_user.name.unwrap());
+            const iam_path = iam_user.iam_path || IAM_DEFAULT_PATH;
             const member = {
                 user_id: iam_user._id.toString(),
-                iam_path: iam_user.iam_path || IAM_DEFAULT_PATH,
-                username: iam_user.name.unwrap().split(IAM_SPLIT_CHARACTERS)[0],
-                arn: iam_user.iam_arn,
+                iam_path: iam_path,
+                username: iam_username,
+                arn: iam_utils.create_arn_for_user(iam_user.owner._id.toString(), iam_username, iam_path),
                 // TODO: GAP Need to save created date
                 create_date: Date.now(),
                 // TODO: GAP missing password_last_used
                 password_last_used: Date.now(), // GAP
             };
             return member;
         });
-        // CORE CHANGES PENDING - END
         members = members.sort((a, b) => a.username.localeCompare(b.username));
         return { members, is_truncated };
     }
@@ -215,9 +205,10 @@ class AccountSpaceNB {
     async create_access_key(params, account_sdk) {
         const action = IAM_ACTIONS.CREATE_ACCESS_KEY;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
-        const account_email = params.username ? new SensitiveString(`${params.username}:${requesting_account.name.unwrap()}`) :
-                                account_sdk.requesting_account.email;
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account);
+        const account_email = params.username ? account_util.get_account_name_from_username(params.username,
+                                    requesting_account._id.toString()) :
+                                requesting_account.email;
         account_util._check_number_of_access_key_array(action, requested_account);
         const req = {
             rpc_params: {
@@ -226,7 +217,6 @@ class AccountSpaceNB {
             },
             account: requesting_account,
         };
-        // CORE CHANGES PENDING - START
         let iam_access_key;
         try {
             iam_access_key = await account_util.generate_account_keys(req);
@@ -237,10 +227,8 @@ class AccountSpaceNB {
             throw new IamError({ code, message: message_with_details, http_code, type });
         }
 
-        // CORE CHANGES PENDING - STOP
-
         return {
-            username: params.username,
+            username: account_util.get_iam_username(requested_account.name.unwrap()),
             access_key: iam_access_key.access_key.unwrap(),
             create_date: iam_access_key.creation_date,
             status: ACCESS_KEY_STATUS_ENUM.ACTIVE,
@@ -268,7 +256,7 @@ class AccountSpaceNB {
         const action = IAM_ACTIONS.UPDATE_ACCESS_KEY;
         const access_key_id = params.access_key;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account);
         account_util._check_access_key_belongs_to_account(action, requested_account, access_key_id);
 
         const updating_access_key_obj = _.find(requested_account.access_keys,
@@ -299,7 +287,7 @@ class AccountSpaceNB {
         const access_key_id = params.access_key;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
 
-        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account);
         account_util._check_access_key_belongs_to_account(action, requested_account, access_key_id);
         // Filter out the deleting access key from the access key list and save remaining accesskey.
         const filtered_access_keys = account_util.get_non_updating_access_key(requested_account, access_key_id);
@@ -320,7 +308,7 @@ class AccountSpaceNB {
     async list_access_keys(params, account_sdk) {
         const action = IAM_ACTIONS.LIST_ACCESS_KEYS;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account);
 
         const is_truncated = false; // // GAP - no pagination at this point
         let members = account_util._list_access_keys_from_account(requesting_account, requested_account, false);
@@ -518,7 +506,7 @@ class AccountSpaceNB {
 }
 
 
-function validate_and_return_requested_account(params, action, requesting_account, account_sdk) {
+function validate_and_return_requested_account(params, action, requesting_account) {
     const on_itself = !params.username;
         let requested_account;
         if (on_itself) {

src/server/system_services/bucket_server.js

@@ -241,9 +241,14 @@ async function create_bucket(req) {
 
         validate_non_nsfs_bucket_creation(req);
         validate_nsfs_bucket(req);
-
+        // Buckets created by IAM users are owned by the IAM account the user belongs to.
+        let account_id = req.account._id;
+        // Only IAM user will have owner.
+        if (req.account.owner) {
+            account_id = req.account.owner._id;
+        }
         const bucket = new_bucket_defaults(req.rpc_params.name, req.system._id,
-            tiering_policy && tiering_policy._id, req.account._id, req.rpc_params.tag, req.rpc_params.lock_enabled);
+            tiering_policy && tiering_policy._id, account_id, req.rpc_params.tag, req.rpc_params.lock_enabled);
 
         const bucket_m_key = system_store.master_key_manager.new_master_key({
             description: `master key of ${bucket._id} bucket`,

src/server/system_services/schemas/account_schema.js

@@ -31,7 +31,6 @@ module.exports = {
         tagging: {
             $ref: 'common_api#/definitions/tagging',
         },
-        iam_arn: { type: 'string' },
         iam_path: { type: 'string' },
         iam_user_policies: {
             type: 'array',

src/server/system_services/schemas/role_schema.js

@@ -25,7 +25,7 @@ module.exports = {
         },
         role: {
             type: 'string',
-            enum: ['admin', 'user', 'operator', 'iam_user']
+            enum: ['admin', 'user', 'operator']
         },
     }
 };