IAM | Change bucket owner for IAM user to account and more

Signed-off-by: Naveen Paul <[email protected]>

Author: naveenpaul1

src/sdk/accountspace_nb.js

@@ -2,7 +2,6 @@
 'use strict';
 
 const _ = require('lodash');
-const SensitiveString = require('../util/sensitive_string');
 const account_util = require('../util/account_util');
 const iam_utils = require('../endpoint/iam/iam_utils');
 const dbg = require('../util/debug_module')(__filename);
@@ -48,7 +47,7 @@ class AccountSpaceNB {
                 { username: params.username, path: params.iam_path });
         account_util._check_username_already_exists(action, params, requesting_account);
         const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username, params.iam_path);
-        const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const account_name = account_util.get_account_name_from_username(params.username, requesting_account._id);
         const req = {
             rpc_params: {
                 name: account_name,
@@ -60,16 +59,14 @@ class AccountSpaceNB {
                 is_iam: true,
                 iam_arn: iam_arn,
                 iam_path: params.iam_path,
-                role: 'iam_user',
+                role: 'admin',
 
                 // TODO: default_resource remove
                 default_resource: 'noobaa-default-backing-store',
             },
             account: requesting_account,
         };
-        // CORE CHANGES PENDING - START
         const iam_account = await account_util.create_account(req);
-        // CORE CHANGES PENDING - END
 
         // TODO : Clean account cache
         // TODO : Send Event
@@ -87,19 +84,19 @@ class AccountSpaceNB {
     async get_user(params, account_sdk) {
         const action = IAM_ACTIONS.GET_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const account_name = account_util.get_account_name_from_username(params.username, requesting_account._id);
         const requested_account = system_store.get_account_by_email(account_name);
         account_util._check_if_requesting_account_is_root_account(action, requesting_account,
                 { username: params.username, iam_path: params.iam_path });
         account_util._check_if_account_exists(action, account_name);
         account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
         account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
+        const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username, requested_account.iam_path);
         const reply = {
             user_id: requested_account._id.toString(),
-            // TODO : IAM PATH
             iam_path: requested_account.iam_path || IAM_DEFAULT_PATH,
             username: account_util.get_iam_username(requested_account.name.unwrap()),
-            arn: requested_account.iam_arn,
+            arn: iam_arn,
             // TODO: GAP Need to save created date
             create_date: Date.now(),
             // TODO: Dates missing : GAP
@@ -111,7 +108,7 @@ class AccountSpaceNB {
     async update_user(params, account_sdk) {
         const action = IAM_ACTIONS.UPDATE_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const username = account_util.get_account_name_from_username(params.username, requesting_account._id);
         account_util._check_if_requesting_account_is_root_account(action, requesting_account,
                 { username: params.username, iam_path: params.iam_path });
         account_util._check_if_account_exists(action, username);
@@ -124,14 +121,12 @@ class AccountSpaceNB {
         if (params.new_iam_path !== undefined) iam_path = params.new_iam_path;
         if (params.new_username !== undefined) user_name = params.new_username;
         const iam_arn = iam_utils.create_arn_for_user(requested_account._id.toString(), user_name, iam_path);
-        const new_account_name = new SensitiveString(`${params.new_username}:${requesting_account.name.unwrap()}`);
+        const new_account_name = account_util.get_account_name_from_username(params.new_username, requesting_account._id);
         const updates = {
             name: new_account_name,
             email: new_account_name,
-            iam_arn: iam_arn,
             iam_path: iam_path,
         };
-        // CORE CHANGES PENDING - START
         await system_store.make_changes({
             update: {
                 accounts: [{
@@ -140,11 +135,9 @@ class AccountSpaceNB {
                 }]
             }
         });
-        // CORE CHANGES PENDING - END
         // TODO : Clean account cache
         // TODO : Send Event
         return {
-            // TODO: IAM path needs to be saved
             iam_path: iam_path || IAM_DEFAULT_PATH,
             username: user_name,
             user_id: requested_account._id.toString(),
@@ -156,14 +149,15 @@ class AccountSpaceNB {
     async delete_user(params, account_sdk) {
         const action = IAM_ACTIONS.DELETE_USER;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
-        const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+        const username = account_util.get_account_name_from_username(params.username, requesting_account._id);
         account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
         account_util._check_if_account_exists(action, username);
         const requested_account = system_store.get_account_by_email(username);
         account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
         account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
+        // Need to delete all accesskeys before deleting user
+        account_util._check_if_user_does_not_have_access_keys_before_deletion(action, requested_account);
         // TODO: DELETE INLINE POLICY : Manually
-        // TODO: DELETE ACCESS KEY : manually
         const req = {
             system: system_store.data.systems[0],
             account: requested_account,
@@ -181,28 +175,28 @@ class AccountSpaceNB {
         account_util._check_if_requesting_account_is_root_account(action, requesting_account, { });
         const is_truncated = false; // GAP - no pagination at this point
 
-        const root_name = requesting_account.name.unwrap();
-        // CORE CHANGES PENDING - START
+
         const requesting_account_iam_users = _.filter(system_store.data.accounts, function(acc) {
             if (!acc.name.unwrap().includes(IAM_SPLIT_CHARACTERS)) {
                 return false;
             }
-            return acc.name.unwrap().split(IAM_SPLIT_CHARACTERS)[1] === root_name;
+            return acc.name.unwrap().split(IAM_SPLIT_CHARACTERS)[1] === requesting_account._id.toString();
         });
         let members = _.map(requesting_account_iam_users, function(iam_user) {
+            const iam_username = account_util.get_iam_username(iam_user.name.unwrap());
+            const iam_path = iam_user.iam_path || IAM_DEFAULT_PATH;
             const member = {
                 user_id: iam_user._id.toString(),
-                iam_path: iam_user.iam_path || IAM_DEFAULT_PATH,
-                username: iam_user.name.unwrap().split(IAM_SPLIT_CHARACTERS)[0],
-                arn: iam_user.iam_arn,
+                iam_path: iam_path,
+                username: iam_username,
+                arn: iam_utils.create_arn_for_user(iam_user._id.toString(), iam_username, iam_path),
                 // TODO: GAP Need to save created date
                 create_date: Date.now(),
                 // TODO: GAP missing password_last_used
                 password_last_used: Date.now(), // GAP
             };
             return member;
         });
-        // CORE CHANGES PENDING - END
         members = members.sort((a, b) => a.username.localeCompare(b.username));
         return { members, is_truncated };
     }
@@ -215,7 +209,7 @@ class AccountSpaceNB {
         const action = IAM_ACTIONS.CREATE_ACCESS_KEY;
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
         const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
-        const account_email = params.username ? new SensitiveString(`${params.username}:${requesting_account.name.unwrap()}`) :
+        const account_email = params.username ? account_util.get_account_name_from_username(params.username, requesting_account._id) :
                                 account_sdk.requesting_account.email;
         account_util._check_number_of_access_key_array(action, requested_account);
         const req = {
@@ -225,7 +219,6 @@ class AccountSpaceNB {
             },
             account: requesting_account,
         };
-        // CORE CHANGES PENDING - START
         let iam_access_key;
         try {
             iam_access_key = await account_util.generate_account_keys(req);
@@ -236,8 +229,6 @@ class AccountSpaceNB {
             throw new IamError({ code, message: message_with_details, http_code, type });
         }
 
-        // CORE CHANGES PENDING - STOP
-
         return {
             username: params.username,
             access_key: iam_access_key.access_key.unwrap(),
@@ -362,7 +353,7 @@ function validate_and_return_requested_account(params, action, requesting_accoun
             // So in that case requesting account and requested account is same.
             requested_account = requesting_account;
         } else {
-            const account_email = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
+            const account_email = account_util.get_account_name_from_username(params.username, requesting_account._id);
             account_util._check_if_account_exists(action, account_email);
             requested_account = system_store.get_account_by_email(account_email);
             account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });

src/server/system_services/bucket_server.js

@@ -241,9 +241,14 @@ async function create_bucket(req) {
 
         validate_non_nsfs_bucket_creation(req);
         validate_nsfs_bucket(req);
-
+        // Buckets created by IAM users are owned by the IAM account the user belongs to.
+        let account_id = req.account._id;
+        // Only IAM user will have owner.
+        if (req.account.owner) {
+            account_id = req.account.owner._id;
+        }
         const bucket = new_bucket_defaults(req.rpc_params.name, req.system._id,
-            tiering_policy && tiering_policy._id, req.account._id, req.rpc_params.tag, req.rpc_params.lock_enabled);
+            tiering_policy && tiering_policy._id, account_id, req.rpc_params.tag, req.rpc_params.lock_enabled);
 
         const bucket_m_key = system_store.master_key_manager.new_master_key({
             description: `master key of ${bucket._id} bucket`,

src/server/system_services/schemas/account_schema.js

@@ -31,7 +31,6 @@ module.exports = {
         tagging: {
             $ref: 'common_api#/definitions/tagging',
         },
-        iam_arn: { type: 'string' },
         iam_path: { type: 'string' },
         // default policy for new buckets
         default_resource: { objectid: true },

src/server/system_services/schemas/role_schema.js

@@ -25,7 +25,7 @@ module.exports = {
         },
         role: {
             type: 'string',
-            enum: ['admin', 'user', 'operator', 'iam_user']
+            enum: ['admin', 'user', 'operator']
         },
     }
 };

src/util/account_util.js

@@ -113,7 +113,6 @@ async function create_account(req) {
     // TODO : remove rpc_params
     if (req.rpc_params.is_iam) {
         account.owner = req.rpc_params.owner;
-        account.iam_arn = req.rpc_params.iam_arn;
         account.iam_path = req.rpc_params.iam_path;
     }
 
@@ -318,9 +317,9 @@ function validate_assume_role_policy(policy) {
 }
 
 // User name is first part is user provided name, and second part
-// is root account name, This will make the user name uniq accross system.
-function get_account_name_from_username(username, requesting_account_name) {
-    return new SensitiveString(`${username}:${requesting_account_name}`);
+// is root account id, This will make the user name uniq accross system.
+function get_account_name_from_username(username, requesting_account_id) {
+    return new SensitiveString(`${username}:${requesting_account_id}`);
 }
 
 function get_iam_username(requested_account_name) {
@@ -367,7 +366,7 @@ function _check_if_requesting_account_is_root_account(action, requesting_account
 }
 
 function _check_username_already_exists(action, params, requesting_account) {
-    const username = get_account_name_from_username(params.username, requesting_account.name.unwrap());
+    const username = get_account_name_from_username(params.username, requesting_account._id);
     const account = system_store.get_account_by_email(username);
     if (account) {
         dbg.error(`AccountSpaceNB.${action} username already exists`, params.username);
@@ -406,6 +405,14 @@ function _check_if_requested_is_owned_by_root_account(action, requesting_account
     }
 }
 
+function _check_if_user_does_not_have_access_keys_before_deletion(action, account_to_delete) {
+    const resource_name = 'access keys';
+        const is_access_keys_exists = account_to_delete.access_keys && account_to_delete.access_keys.length > 0;
+        if (is_access_keys_exists) {
+            _throw_error_delete_conflict(action, account_to_delete, resource_name);
+        }
+}
+
 /**
 * _returned_username would return the username of IAM Access key API:
     * 1. undefined - for root accounts manager on root account (no username, only account name)
@@ -423,6 +430,14 @@ function _returned_username(requesting_account, username, on_itself) {
     return username instanceof SensitiveString ? username.unwrap() : username;
 }
 
+function _throw_error_delete_conflict(action, account_to_delete, resource_name) {
+    dbg.error(`AccountSpaceFS.${action} requested account ` +
+        `${account_to_delete.name} ${account_to_delete._id} has ${resource_name}`);
+    const message_with_details = `Cannot delete entity, must delete ${resource_name} first.`;
+    const { code, http_code, type } = IamError.DeleteConflict;
+    throw new IamError({ code, message: message_with_details, http_code, type });
+}
+
 function _throw_error_perform_action_from_root_accounts_manager_on_iam_user(action, requesting_account, requested_account) {
     dbg.error(`AccountSpaceNB.${action} root accounts manager cannot perform actions on IAM users`,
         requesting_account, requested_account);
@@ -656,6 +671,7 @@ exports._check_if_requesting_account_is_root_account = _check_if_requesting_acco
 exports._check_username_already_exists = _check_username_already_exists;
 exports._check_number_of_access_key_array = _check_number_of_access_key_array;
 exports._check_access_key_belongs_to_account = _check_access_key_belongs_to_account;
+exports._check_if_user_does_not_have_access_keys_before_deletion = _check_if_user_does_not_have_access_keys_before_deletion;
 exports._get_access_key_status = _get_access_key_status;
 exports._check_access_key_is_deactivated = _check_access_key_is_deactivated;
 exports._list_access_keys_from_account = _list_access_keys_from_account;