IAM | User ID for principal is not supported

[naveenpaul1]

Describe the Problem

User ID for principal is not supported

Explain the Changes

1. Block put pucket policy if the principal is IAM user ID

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

GAP: Missing integration test for IAM users, Will add in upcoming PRs

• Doc added/updated
• Tests added

Summary by CodeRabbit

• New Features

  • Added a deployment-aware helper to determine when an account identifier should be used for bucket policy evaluation.

• Bug Fixes

  • Improved bucket policy principal resolution: IAM users are no longer treated as valid principals when looked up by account ID, reducing unintended principal matches.
  • Policy evaluation now respects deployment-specific account identification rules for more accurate access control.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Guard added preventing non-ARN principal lookups from treating an account-with-owner as a valid principal; new helper selects deployment-aware account identifier for bucket policy checks.

Changes

Cohort / File(s)	Change Summary
Bucket principal resolution logic src/server/system_services/bucket_server.js	When principal is not an ARN, if the resolved account has an owner, return false (and log debug) instead of treating account._id as a valid principal.
Policy identifier helper src/endpoint/s3/s3_bucket_policy_utils.js	Added and exported get_account_identifier_id(is_nc_deployment, account) which returns account._id only for NC deployments or when account.owner is undefined.
Policy checks usage src/endpoint/s3/s3_rest.js	Replaced direct use of account._id with get_account_identifier_id(is_nc_deployment, account) during bucket policy authorization; added clarifying comments about deployment-specific identifier behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Review get_account_by_principal behavior changes and ensure no authorization regressions.
• Verify get_account_identifier_id covers all deployment cases and is consistently used.
• Check logging and unit/integration tests for IAM-user vs account-ID resolution paths.

Possibly related PRs

• IAM | Principal validation and S3 permission updated with ID #9309 — Overlapping changes to principal/account identification and bucket-policy authorization in the same modules.
• IAM | No Bucket Policy Authorization for IAM Users #9291 — Related edits to S3 authorization paths and account/owner identifier handling.
• IAM | Change bucket owner for IAM user to account and more #9268 — Changes that modify how account/owner IDs and IAM principals are handled during lookups.

Suggested reviewers

• aayushchouhan09
• shirady

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main change: blocking use of IAM user IDs as principals, which is the primary purpose of the PR modifications.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89f64d8 and 774f343.

📒 Files selected for processing (1)

• src/server/system_services/bucket_server.js (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

📚 Learning: 2025-11-19T15:03:42.260Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

Applied to files:

• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-12T04:55:42.193Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-18T07:00:17.653Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_bucket_policy_utils.js:357-368
Timestamp: 2025-11-18T07:00:17.653Z
Learning: In NooBaa codebase, account.name is always a SensitiveString instance, so calling account.name.unwrap() is safe without defensive type checks in functions like get_bucket_policy_principal_arn in src/endpoint/s3/s3_bucket_policy_utils.js.

Applied to files:

• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-13T07:56:23.620Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9281
File: src/server/system_services/account_server.js:1053-1058
Timestamp: 2025-11-13T07:56:23.620Z
Learning: In noobaa-core, account_server.js is only used in containerized deployments, not in NSFS/NC deployments. NSFS/NC deployments have separate account management code in src/manage_nsfs/ directory. Therefore, account_server.js only processes accounts from account_schema.js where owner is an objectid reference, never from nsfs_account_schema.js where owner is a string.

Applied to files:

• src/server/system_services/bucket_server.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run-package-lock-validation
• GitHub Check: run-jest-unit-tests
• GitHub Check: Build Noobaa Image

[shirady]

@naveenpaul1,
What about the s3_rest file?
It still checks the account_id for IAM user

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/endpoint/s3/s3_bucket_policy_utils.js (1)

380-391: Simplify boolean logic and fix typo.

The conditional logic can be simplified, and there's a typo in the comment.

Apply this diff:

 /**
- *  Both NSFS NC and containerized will validate bucket policy against acccount id 
- *  but in containerized deplyment not against IAM user ID.
+ *  Both NSFS NC and containerized will validate bucket policy against account id 
+ *  but in containerized deployment not against IAM user ID.
  * 
  * @param {boolean} is_nc_deployment
  * @param {object} account
  */
 function get_account_identifier_id(is_nc_deployment, account) {
-    if (is_nc_deployment || (!is_nc_deployment && account.owner === undefined)) {
+    if (is_nc_deployment || account.owner === undefined) {
         return account._id;
     }
 }

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 774f343 and 96dedf1.

📒 Files selected for processing (3)

• src/endpoint/s3/s3_bucket_policy_utils.js (2 hunks)
• src/endpoint/s3/s3_rest.js (1 hunks)
• src/server/system_services/bucket_server.js (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_bucket_policy_utils.js:357-368
Timestamp: 2025-11-18T07:00:17.653Z
Learning: In NooBaa codebase, account.name is always a SensitiveString instance, so calling account.name.unwrap() is safe without defensive type checks in functions like get_bucket_policy_principal_arn in src/endpoint/s3/s3_bucket_policy_utils.js.

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

📚 Learning: 2025-11-12T04:55:42.193Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

• src/endpoint/s3/s3_rest.js
• src/endpoint/s3/s3_bucket_policy_utils.js
• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-18T07:00:17.653Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_bucket_policy_utils.js:357-368
Timestamp: 2025-11-18T07:00:17.653Z
Learning: In NooBaa codebase, account.name is always a SensitiveString instance, so calling account.name.unwrap() is safe without defensive type checks in functions like get_bucket_policy_principal_arn in src/endpoint/s3/s3_bucket_policy_utils.js.

Applied to files:

• src/endpoint/s3/s3_rest.js
• src/endpoint/s3/s3_bucket_policy_utils.js
• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-13T07:56:23.620Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9281
File: src/server/system_services/account_server.js:1053-1058
Timestamp: 2025-11-13T07:56:23.620Z
Learning: In noobaa-core, account_server.js is only used in containerized deployments, not in NSFS/NC deployments. NSFS/NC deployments have separate account management code in src/manage_nsfs/ directory. Therefore, account_server.js only processes accounts from account_schema.js where owner is an objectid reference, never from nsfs_account_schema.js where owner is a string.

Applied to files:

• src/endpoint/s3/s3_rest.js
• src/server/system_services/bucket_server.js

📚 Learning: 2025-11-19T15:03:42.260Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

Applied to files:

• src/endpoint/s3/s3_rest.js
• src/server/system_services/bucket_server.js

🧬 Code graph analysis (1)

src/endpoint/s3/s3_bucket_policy_utils.js (3)

src/endpoint/s3/s3_rest.js (3)

• is_nc_deployment (253-253)
• account (252-252)
• account (358-358)

src/server/system_services/bucket_server.js (1)

• account (561-561)

src/util/account_util.js (2)

• account (30-42)
• account (196-196)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

🔇 Additional comments (3)

src/endpoint/s3/s3_bucket_policy_utils.js (1)

432-432: LGTM!

The export of the new helper function is correct.

src/server/system_services/bucket_server.js (1)

562-566: LGTM!

The guard against IAM user principals identified by ID is correct. The null check for account prevents runtime errors, and the account.owner check properly identifies IAM users. This successfully blocks IAM user IDs from being used as principals in bucket policies.

Based on learnings, in bucket_server.js, account.owner is an object ID reference (not a string), so the truthy check correctly identifies IAM users.

src/endpoint/s3/s3_rest.js (1)

255-257: Fix typos in comment.

Apply this diff:

-    // Both NSFS NC and containerized will validate bucket policy against acccount id 
-    // but in containerized deplyment not against IAM user ID.
+    // Both NSFS NC and containerized will validate bucket policy against account id 
+    // but in containerized deployment not against IAM user ID.
     const account_identifier_id = s3_bucket_policy_utils.get_account_identifier_id(is_nc_deployment, account);

The comment typos ("acccount" and "deplyment") should be corrected. Regarding the consistency concern about IAM user ID validation between this file and bucket_server.js: verify this is intentional behavior for NC backward compatibility, as the current implementation allows policy checks against IAM user IDs while bucket_server.js blocks them as principals.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f242358 and 4585e22.

📒 Files selected for processing (3)

• src/endpoint/s3/s3_bucket_policy_utils.js (2 hunks)
• src/endpoint/s3/s3_rest.js (1 hunks)
• src/server/system_services/bucket_server.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/endpoint/s3/s3_bucket_policy_utils.js
• src/server/system_services/bucket_server.js

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_bucket_policy_utils.js:357-368
Timestamp: 2025-11-18T07:00:17.653Z
Learning: In NooBaa codebase, account.name is always a SensitiveString instance, so calling account.name.unwrap() is safe without defensive type checks in functions like get_bucket_policy_principal_arn in src/endpoint/s3/s3_bucket_policy_utils.js.

📚 Learning: 2025-11-12T04:55:42.193Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

• src/endpoint/s3/s3_rest.js

📚 Learning: 2025-11-18T07:00:17.653Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_bucket_policy_utils.js:357-368
Timestamp: 2025-11-18T07:00:17.653Z
Learning: In NooBaa codebase, account.name is always a SensitiveString instance, so calling account.name.unwrap() is safe without defensive type checks in functions like get_bucket_policy_principal_arn in src/endpoint/s3/s3_bucket_policy_utils.js.

Applied to files:

• src/endpoint/s3/s3_rest.js

📚 Learning: 2025-11-19T15:03:42.260Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

Applied to files:

• src/endpoint/s3/s3_rest.js

📚 Learning: 2025-11-13T07:56:23.620Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9281
File: src/server/system_services/account_server.js:1053-1058
Timestamp: 2025-11-13T07:56:23.620Z
Learning: In noobaa-core, account_server.js is only used in containerized deployments, not in NSFS/NC deployments. NSFS/NC deployments have separate account management code in src/manage_nsfs/ directory. Therefore, account_server.js only processes accounts from account_schema.js where owner is an objectid reference, never from nsfs_account_schema.js where owner is a string.

Applied to files:

• src/endpoint/s3/s3_rest.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run-package-lock-validation
• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests

🔇 Additional comments (1)

src/endpoint/s3/s3_rest.js (1)

255-257: Verify that get_account_identifier_id correctly handles IAM users in containerized deployment.

The comment states that containerized deployment should NOT validate against IAM user ID, but the implementation of get_account_identifier_id must be reviewed to confirm this behavior is correctly enforced. Based on the comment and PR objectives, the function should return:

• undefined (or similar falsy value) for IAM users in containerized deployment
• The account ID for root accounts in both deployment types
• The account ID for IAM users in NC deployment

Inspect src/endpoint/s3/s3_bucket_policy_utils.js to verify the implementation returns the correct values for each scenario.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typos in comments.

Two typos in the comments:

• Line 255: "acccount" should be "account"
• Line 256: "deplyment" should be "deployment"

Apply this diff to fix the typos:

-    // Both NSFS NC and containerized will validate bucket policy against acccount id 
-    // but in containerized deplyment not against IAM user ID.
+    // Both NSFS NC and containerized will validate bucket policy against account id 
+    // but in containerized deployment not against IAM user ID.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Both NSFS NC and containerized will validate bucket policy against acccount id
	// but in containerized deplyment not against IAM user ID.
	// Both NSFS NC and containerized will validate bucket policy against account id
	// but in containerized deployment not against IAM user ID.

🤖 Prompt for AI Agents

In src/endpoint/s3/s3_rest.js around lines 255 to 256, fix two typos in the
comment: change "acccount" to "account" and "deplyment" to "deployment" so the
comment reads correctly about validating bucket policy against account id and
that containerized deployment does not validate against IAM user ID.