2 Commits
developmen
...
improvemen
Author | SHA1 | Date |
---|---|---|
williamlardier | 345fa52c27 | |
williamlardier | 9f1dd45671 |
|
@ -46,6 +46,7 @@
|
||||||
"new-parens": "off",
|
"new-parens": "off",
|
||||||
"no-multi-spaces": "off",
|
"no-multi-spaces": "off",
|
||||||
"quote-props": "off",
|
"quote-props": "off",
|
||||||
|
"no-console": "off",
|
||||||
"mocha/no-exclusive-tests": "error",
|
"mocha/no-exclusive-tests": "error",
|
||||||
},
|
},
|
||||||
"parserOptions": {
|
"parserOptions": {
|
||||||
|
|
|
@ -48,20 +48,32 @@ function isRequesterNonAccountUser(authInfo) {
|
||||||
* @returns {boolean} - Returns true if the user has the necessary access rights, otherwise false.
|
* @returns {boolean} - Returns true if the user has the necessary access rights, otherwise false.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
const considerAsObjectPut = ['initiateMultipartUpload', 'objectPutPart', 'completeMultipartUpload'];
|
||||||
|
|
||||||
function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
||||||
// Same logic applies on the Versioned APIs, so let's simplify it.
|
// Same logic applies on the Versioned APIs, so let's simplify it.
|
||||||
const requestTypeParsed = requestType.endsWith('Version') ?
|
let requestTypeParsed = requestType.endsWith('Version') ?
|
||||||
requestType.slice(0, 'Version'.length * -1) : requestType;
|
requestType.slice(0, 'Version'.length * -1) : requestType;
|
||||||
|
requestTypeParsed = considerAsObjectPut.includes(requestTypeParsed) ? 'objectPut' : requestTypeParsed;
|
||||||
|
const parsedMainApiCall = considerAsObjectPut.includes(mainApiCall) ? 'objectPut' : mainApiCall;
|
||||||
|
console.log({
|
||||||
|
requestType,
|
||||||
|
requestTypeParsed,
|
||||||
|
parsedMainApiCall,
|
||||||
|
});
|
||||||
if (bucket.getOwner() === canonicalID) {
|
if (bucket.getOwner() === canonicalID) {
|
||||||
|
console.log('acl true because bucket owner');
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (mainApiCall === 'objectGet') {
|
if (parsedMainApiCall === 'objectGet') {
|
||||||
if (requestTypeParsed === 'objectGetTagging') {
|
if (requestTypeParsed === 'objectGetTagging') {
|
||||||
|
console.log('acl true because objectGetTagging');
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (mainApiCall === 'objectPut') {
|
if (parsedMainApiCall === 'objectPut') {
|
||||||
if (arrayOfAllowed.includes(requestTypeParsed)) {
|
if (arrayOfAllowed.includes(requestTypeParsed)) {
|
||||||
|
console.log('acl true because objectPut');
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -135,8 +147,9 @@ function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
||||||
// objectPutACL, objectGetACL, objectHead or objectGet, the bucket
|
// objectPutACL, objectGetACL, objectHead or objectGet, the bucket
|
||||||
// authorization check should just return true so can move on to check
|
// authorization check should just return true so can move on to check
|
||||||
// rights at the object level.
|
// rights at the object level.
|
||||||
|
console.log('acls checks end');
|
||||||
return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
|
return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
|
||||||
|| requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
|
|| requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
|
||||||
}
|
}
|
||||||
|
|
||||||
function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
|
function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
|
||||||
|
@ -329,6 +342,16 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
|
||||||
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
|
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
|
||||||
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
|
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
|
||||||
const conditionsMatch = _checkBucketPolicyConditions(request, s.Condition, log);
|
const conditionsMatch = _checkBucketPolicyConditions(request, s.Condition, log);
|
||||||
|
console.log('checkBucketPolicy', {
|
||||||
|
principalMatch,
|
||||||
|
actionMatch,
|
||||||
|
resourceMatch,
|
||||||
|
conditionsMatch,
|
||||||
|
canonicalID,
|
||||||
|
requestType,
|
||||||
|
arn,
|
||||||
|
s,
|
||||||
|
});
|
||||||
|
|
||||||
if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Deny') {
|
if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Deny') {
|
||||||
// explicit deny trumps any allows, so return immediately
|
// explicit deny trumps any allows, so return immediately
|
||||||
|
@ -347,11 +370,15 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
|
||||||
const bucketPolicy = bucket.getBucketPolicy();
|
const bucketPolicy = bucket.getBucketPolicy();
|
||||||
let processedResult = results[requestType];
|
let processedResult = results[requestType];
|
||||||
if (!bucketPolicy) {
|
if (!bucketPolicy) {
|
||||||
|
console.log('no bucket policy', { actionImplicitDenies }, actionImplicitDenies[requestType], { aclPermission });
|
||||||
|
// must also check that this is indeed an allow, not an explicit deny
|
||||||
processedResult = actionImplicitDenies[requestType] === false && aclPermission;
|
processedResult = actionImplicitDenies[requestType] === false && aclPermission;
|
||||||
} else {
|
} else {
|
||||||
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, canonicalID, arn,
|
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, canonicalID, arn,
|
||||||
bucketOwner, log, request, actionImplicitDenies);
|
bucketOwner, log, request, actionImplicitDenies);
|
||||||
|
|
||||||
|
console.log('bk results!', bucketPolicyPermission, actionImplicitDenies[requestType]);
|
||||||
|
|
||||||
if (bucketPolicyPermission === 'explicitDeny') {
|
if (bucketPolicyPermission === 'explicitDeny') {
|
||||||
processedResult = false;
|
processedResult = false;
|
||||||
} else if (bucketPolicyPermission === 'allow') {
|
} else if (bucketPolicyPermission === 'allow') {
|
||||||
|
@ -360,6 +387,15 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
|
||||||
processedResult = actionImplicitDenies[requestType] === false && aclPermission;
|
processedResult = actionImplicitDenies[requestType] === false && aclPermission;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
console.log('processBP result', {
|
||||||
|
requestType,
|
||||||
|
bucketPolicy,
|
||||||
|
canonicalID,
|
||||||
|
arn,
|
||||||
|
bucketOwner,
|
||||||
|
aclPermission,
|
||||||
|
processedResult,
|
||||||
|
});
|
||||||
return processedResult;
|
return processedResult;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -385,14 +421,22 @@ function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, lo
|
||||||
// if the bucket owner is an account, users should not have default access
|
// if the bucket owner is an account, users should not have default access
|
||||||
if ((bucket.getOwner() === canonicalID) && requesterIsNotUser || isServiceAccount(canonicalID)) {
|
if ((bucket.getOwner() === canonicalID) && requesterIsNotUser || isServiceAccount(canonicalID)) {
|
||||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||||
|
console.log('result bucket authz case account or service account', results[_requestType]);
|
||||||
return results[_requestType];
|
return results[_requestType];
|
||||||
}
|
}
|
||||||
const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
|
const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
|
||||||
|
console.log('acl checks on bucket', {
|
||||||
|
aclPermission,
|
||||||
|
bucketOwner: bucket.getOwner(),
|
||||||
|
canonicalID,
|
||||||
|
requesterIsNotUser,
|
||||||
|
isServiceAccount: isServiceAccount(canonicalID),
|
||||||
|
});
|
||||||
// In case of error bucket access is checked with bucketGet
|
// In case of error bucket access is checked with bucketGet
|
||||||
// For website, bucket policy only uses objectGet and ignores bucketGet
|
// For website, bucket policy only uses objectGet and ignores bucketGet
|
||||||
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html
|
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html
|
||||||
// bucketGet should be used to check acl but switched to objectGet for bucket policy
|
// bucketGet should be used to check acl but switched to objectGet for bucket policy
|
||||||
if (isWebsite && _requestType === 'bucketGet') {
|
if (isWebsite && (_requestType === 'bucketGet' || _requestType === 'listObjectVersions')) {
|
||||||
// eslint-disable-next-line no-param-reassign
|
// eslint-disable-next-line no-param-reassign
|
||||||
_requestType = 'objectGet';
|
_requestType = 'objectGet';
|
||||||
actionImplicitDenies.objectGet = actionImplicitDenies.objectGet || false;
|
actionImplicitDenies.objectGet = actionImplicitDenies.objectGet || false;
|
||||||
|
@ -416,7 +460,7 @@ function evaluateBucketPolicyWithIAM(bucket, requestTypesInput, canonicalID, aut
|
||||||
arn = authInfo.getArn();
|
arn = authInfo.getArn();
|
||||||
}
|
}
|
||||||
return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
|
return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
|
||||||
request, true, results, actionImplicitDenies);
|
request, true, results, actionImplicitDenies);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -432,30 +476,50 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
|
||||||
actionImplicitDenies[_requestType] = actionImplicitDenies[_requestType] || false;
|
actionImplicitDenies[_requestType] = actionImplicitDenies[_requestType] || false;
|
||||||
const parsedMethodName = _requestType.endsWith('Version')
|
const parsedMethodName = _requestType.endsWith('Version')
|
||||||
? _requestType.slice(0, -7) : _requestType;
|
? _requestType.slice(0, -7) : _requestType;
|
||||||
|
console.log('parsedMethodName', parsedMethodName);
|
||||||
const bucketOwner = bucket.getOwner();
|
const bucketOwner = bucket.getOwner();
|
||||||
if (!objectMD) {
|
if (!objectMD) {
|
||||||
// check bucket has read access
|
// check bucket has read access
|
||||||
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
|
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
|
||||||
results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request,
|
let permision = 'bucketGet';
|
||||||
|
if (considerAsObjectPut.includes(_requestType)) {
|
||||||
|
permision = 'objectPut';
|
||||||
|
}
|
||||||
|
results[_requestType] = isBucketAuthorized(bucket, permision, canonicalID, authInfo, log, request,
|
||||||
actionImplicitDenies, isWebsite);
|
actionImplicitDenies, isWebsite);
|
||||||
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
||||||
// bucket has canned ACL public-read-write
|
// bucket has canned ACL public-read-write
|
||||||
|
console.log('checking parsedMethodName', parsedMethodName, results[_requestType]);
|
||||||
if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete')
|
if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete')
|
||||||
&& results[_requestType] === false) {
|
&& results[_requestType] === false) {
|
||||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||||
|
console.log('object authorized? case objectPut or objectDelete', {
|
||||||
|
requestType: _requestType,
|
||||||
|
results: results[_requestType],
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
// If the API is MPU related, we need to check if the user has
|
||||||
|
// permissions to the bucket
|
||||||
|
console.log('object authorized? case no objectmd', {
|
||||||
|
requestType: _requestType,
|
||||||
|
results: results[_requestType],
|
||||||
|
});
|
||||||
return results[_requestType];
|
return results[_requestType];
|
||||||
}
|
}
|
||||||
let requesterIsNotUser = true;
|
let requesterIsNotUser = true;
|
||||||
let arn = null;
|
let arn = null;
|
||||||
let isUserUnauthenticated = false;
|
let isUserUnauthenticated = false;
|
||||||
if (authInfo) {
|
if (authInfo) {
|
||||||
requesterIsNotUser = !isRequesterNonAccountUser(authInfo);
|
requesterIsNotUser = !isRequesterNonAccountUser(authInfo);
|
||||||
arn = authInfo.getArn();
|
arn = authInfo.getArn();
|
||||||
isUserUnauthenticated = arn === undefined;
|
isUserUnauthenticated = arn === undefined;
|
||||||
}
|
}
|
||||||
if (objectMD['owner-id'] === canonicalID && requesterIsNotUser || isServiceAccount(canonicalID)) {
|
if (objectMD['owner-id'] === canonicalID && requesterIsNotUser || isServiceAccount(canonicalID)) {
|
||||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||||
|
console.log('object authorized? case account or service account', {
|
||||||
|
requestType: _requestType,
|
||||||
|
results: results[_requestType],
|
||||||
|
});
|
||||||
return results[_requestType];
|
return results[_requestType];
|
||||||
}
|
}
|
||||||
// account is authorized if:
|
// account is authorized if:
|
||||||
|
@ -463,9 +527,13 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
|
||||||
// - account is the bucket owner
|
// - account is the bucket owner
|
||||||
// - requester is account, not user
|
// - requester is account, not user
|
||||||
if (bucketOwnerActions.includes(parsedMethodName)
|
if (bucketOwnerActions.includes(parsedMethodName)
|
||||||
&& (bucketOwner === canonicalID)
|
&& (bucketOwner === canonicalID)
|
||||||
&& requesterIsNotUser) {
|
&& requesterIsNotUser) {
|
||||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||||
|
console.log('object authorized? case bucketOwnerActions', {
|
||||||
|
requestType: _requestType,
|
||||||
|
results: results[_requestType],
|
||||||
|
});
|
||||||
return results[_requestType];
|
return results[_requestType];
|
||||||
}
|
}
|
||||||
const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
|
const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
|
||||||
|
|
|
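Review bot: The `console.log` calls added in `checkBucketAcls`, `checkBucketPolicy`, `processBucketPolicy`, `isBucketAuthorized` and `isObjAuthorized` write authorization inputs to stdout on every request, including `canonicalID`, `arn`, the whole `bucketPolicy` and each policy statement `s`. They bypass the `log` object that `checkBucketPolicy` and `processBucketPolicy` already receive, so the output is neither levelled nor tied to a request. The `checkUserGovernanceBypass` hunks go further and print `authInfo` and `bucketMD` whole, and all of this passes lint only because the change also sets `"no-console": "off"`. I would drop these calls before merge and restore the lint rule; where a trace is worth keeping, emit only the decision fields through the logger, e.g. `log.trace('bucket policy evaluated', { requestType, principalMatch, actionMatch, resourceMatch, conditionsMatch });`. Several of these functions start or end outside the visible hunks.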
@ -30,6 +30,9 @@ function bucketShield(bucket, requestType) {
|
||||||
// Otherwise return an error to the client
|
// Otherwise return an error to the client
|
||||||
if ((bucket.hasDeletedFlag() || bucket.hasTransientFlag()) &&
|
if ((bucket.hasDeletedFlag() || bucket.hasTransientFlag()) &&
|
||||||
(requestType !== 'objectPut' &&
|
(requestType !== 'objectPut' &&
|
||||||
|
requestType !== 'initiateMultipartUpload' &&
|
||||||
|
requestType !== 'objectPutPart' &&
|
||||||
|
requestType !== 'completeMultipartUpload' &&
|
||||||
requestType !== 'bucketPutACL' &&
|
requestType !== 'bucketPutACL' &&
|
||||||
requestType !== 'bucketDelete')) {
|
requestType !== 'bucketDelete')) {
|
||||||
return true;
|
return true;
|
||||||
|
|
|
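Review bot: The three multipart request types added to this condition repeat the `considerAsObjectPut` list that the same change introduces in the permission-check code, so the two definitions can drift. A type added to one list but not the other would be authorized as a put and still be rejected on a bucket carrying the deleted or transient flag, or the reverse. Exporting that array and testing `!considerAsObjectPut.includes(requestType)` here would keep a single definition; failing that, add `// keep in sync with considerAsObjectPut` above the new lines. The rest of `bucketShield` lies outside the hunk.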
@ -14,7 +14,7 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
uploadId,
|
uploadId,
|
||||||
preciseRequestType: 'multipartDelete',
|
preciseRequestType: request.apiMethods || 'multipartDelete',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
// For validating the request at the destinationBucket level
|
// For validating the request at the destinationBucket level
|
||||||
|
|
|
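Review bot: `request.apiMethods` now takes precedence over the handler's hard-coded permission name, but nothing visible says where it is set, what type it holds, or that a client cannot influence it; the plural name suggests it may be a list rather than a single string. Because this value selects which permission is evaluated, it should only ever be populated by server-side routing, and the line deserves a comment stating where `apiMethods` is assigned and what shape it has. The same `request.apiMethods || '...'` edit repeats in `objectRestore`, the `bucketDelete*` and `bucketGet*` handlers, `bucketHead`, `bucketPutObjectLock`, `listParts`, `metadataSearch`, `objectDeleteInternal`, `objectDeleteTagging` and `objectGet`, so one shared helper would keep the fallback rule in a single place. The enclosing object literal and function start outside the hunk.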
@ -300,13 +300,16 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
|
||||||
signatureAge: authParams.params.data.signatureAge,
|
signatureAge: authParams.params.data.signatureAge,
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
console.log('checking for s3:BypassGovernanceRetention permission');
|
||||||
return vault.checkPolicies(requestContextParams,
|
return vault.checkPolicies(requestContextParams,
|
||||||
authInfo.getArn(), log, (err, authorizationResults) => {
|
authInfo.getArn(), log, (err, authorizationResults) => {
|
||||||
|
console.log('==================================', err, authorizationResults, vault.checkPolicies);
|
||||||
if (err) {
|
if (err) {
|
||||||
return cb(err);
|
return cb(err);
|
||||||
}
|
}
|
||||||
const explicitDenyExists = authorizationResults.some(
|
const explicitDenyExists = authorizationResults.some(
|
||||||
authzResult => authzResult.isAllowed === false && !authzResult.isImplicit);
|
authzResult => authzResult.isAllowed === false && !authzResult.isImplicit);
|
||||||
|
console.log('++++++++++++=', explicitDenyExists);
|
||||||
if (explicitDenyExists) {
|
if (explicitDenyExists) {
|
||||||
log.trace('authorization check failed for user',
|
log.trace('authorization check failed for user',
|
||||||
{
|
{
|
||||||
|
@ -333,6 +336,13 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
|
||||||
log,
|
log,
|
||||||
request);
|
request);
|
||||||
|
|
||||||
|
console.log('actionImplicitDenies', actionImplicitDenies, areAllActionsAllowed, {
|
||||||
|
bucketMD,
|
||||||
|
actionImplicitDeniesKeys: Object.keys(actionImplicitDenies),
|
||||||
|
authInfo,
|
||||||
|
actionImplicitDenies,
|
||||||
|
});
|
||||||
|
|
||||||
return cb(areAllActionsAllowed === true ? null : errors.AccessDenied);
|
return cb(areAllActionsAllowed === true ? null : errors.AccessDenied);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,7 +58,7 @@ function objectRestore(metadata, mdUtils, userInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: decodedVidResult,
|
versionId: decodedVidResult,
|
||||||
requestType: 'restoreObject',
|
requestType: request.apiMethods || 'restoreObject',
|
||||||
};
|
};
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
|
|
|
@ -31,14 +31,14 @@ function bucketDeleteCors(authInfo, request, log, callback) {
|
||||||
'deleteBucketCors');
|
'deleteBucketCors');
|
||||||
return callback(err);
|
return callback(err);
|
||||||
}
|
}
|
||||||
if (bucketShield(bucket, requestType)) {
|
if (bucketShield(bucket, request.apiMethods || requestType)) {
|
||||||
monitoring.promMetrics('DELETE', bucketName, 400,
|
monitoring.promMetrics('DELETE', bucketName, 400,
|
||||||
'deleteBucketCors');
|
'deleteBucketCors');
|
||||||
return callback(errors.NoSuchBucket);
|
return callback(errors.NoSuchBucket);
|
||||||
}
|
}
|
||||||
log.trace('found bucket in metadata');
|
log.trace('found bucket in metadata');
|
||||||
|
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo, log, request,
|
||||||
request.actionImplicitDenies)) {
|
request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for user on bucket', {
|
log.debug('access denied for user on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
|
|
|
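Review bot: The access-denied `log.debug` below the changed `isBucketAuthorized` call still records the local `requestType`, so when `request.apiMethods` is set the log names a different permission from the one actually evaluated. Computing the value once, `const authzRequestType = request.apiMethods || requestType;`, and passing it to `bucketShield`, `isBucketAuthorized` and the log keeps the three in agreement. `bucketShield` compares its argument to string literals with `!==` (visible in its own hunk), so if `apiMethods` can be an array every comparison there is true; confirm it is always a single string on this path. `bucketDeleteWebsite`, `bucketGetCors`, `bucketGetLocation` and `bucketGetWebsite` show the same mismatch, and the `log.debug` call is cut off at the end of the hunk.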
@ -21,7 +21,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketDeleteEncryption',
|
requestType: request.apiMethods || 'bucketDeleteEncryption',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketDeleteLifecycle',
|
requestType: request.apiMethods || 'bucketDeleteLifecycle',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -16,7 +16,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketDeletePolicy',
|
requestType: request.apiMethods || 'bucketDeletePolicy',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -18,7 +18,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketDeleteReplication',
|
requestType: request.apiMethods || 'bucketDeleteReplication',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -30,7 +30,7 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
|
||||||
}
|
}
|
||||||
log.trace('found bucket in metadata');
|
log.trace('found bucket in metadata');
|
||||||
|
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo, log, request,
|
||||||
request.actionImplicitDenies)) {
|
request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for user on bucket', {
|
log.debug('access denied for user on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
|
|
|
@ -322,7 +322,7 @@ function bucketGet(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGet',
|
requestType: request.apiMethods || 'bucketGet',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const listParams = {
|
const listParams = {
|
||||||
|
|
|
@ -44,7 +44,7 @@ function bucketGetACL(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetACL',
|
requestType: request.apiMethods || 'bucketGetACL',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const grantInfo = {
|
const grantInfo = {
|
||||||
|
|
|
@ -39,7 +39,7 @@ function bucketGetCors(authInfo, request, log, callback) {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
|
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo, log,
|
||||||
request, request.actionImplicitDenies)) {
|
request, request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for user on bucket', {
|
log.debug('access denied for user on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
|
|
|
@ -22,7 +22,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetEncryption',
|
requestType: request.apiMethods || 'bucketGetEncryption',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetLifecycle',
|
requestType: request.apiMethods || 'bucketGetLifecycle',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -41,7 +41,7 @@ function bucketGetLocation(authInfo, request, log, callback) {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
|
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo, log, request,
|
||||||
request.actionImplicitDenies)) {
|
request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for account on bucket', {
|
log.debug('access denied for account on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
|
|
|
@ -37,7 +37,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetNotification',
|
requestType: request.apiMethods || 'bucketGetNotification',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetObjectLock',
|
requestType: request.apiMethods || 'bucketGetObjectLock',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -17,7 +17,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetPolicy',
|
requestType: request.apiMethods || 'bucketGetPolicy',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetReplication',
|
requestType: request.apiMethods || 'bucketGetReplication',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -54,7 +54,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketGetVersioning',
|
requestType: request.apiMethods || 'bucketGetVersioning',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,7 @@ function bucketGetWebsite(authInfo, request, log, callback) {
|
||||||
|
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo, log,
|
||||||
request, request.actionImplicitDenies)) {
|
request, request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for user on bucket', {
|
log.debug('access denied for user on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
|
|
|
@ -19,7 +19,7 @@ function bucketHead(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketHead',
|
requestType: request.apiMethods || 'bucketHead',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||||
|
|
|
@ -26,7 +26,7 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutObjectLock',
|
requestType: request.apiMethods || 'bucketPutObjectLock',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return waterfall([
|
return waterfall([
|
||||||
|
|
|
@ -133,7 +133,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
// Required permissions for this action
|
// Required permissions for this action
|
||||||
// at the destinationBucket level are same as objectPut
|
// at the destinationBucket level are same as objectPut
|
||||||
requestType: 'objectPut',
|
requestType: request.apiMethods || 'completeMultipartUpload',
|
||||||
versionId,
|
versionId,
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
|
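Review bot: The comment kept above this line still says the required permissions are the same as `objectPut`, but the fallback is now `'completeMultipartUpload'`, so that equivalence holds only where the new `considerAsObjectPut` mapping is applied. In the visible permission-check hunks the mapping is used in `checkBucketAcls` and in the no-`objectMD` branch of `isObjAuthorized`, while `checkBucketPolicy` still passes `requestType` unmapped to `_checkBucketPolicyActions`. Whether that matcher recognises the multipart names cannot be seen from here, so a test with a bucket policy that grants only `s3:PutObject` is worth adding. The comment should become something like `// Authorized as objectPut through considerAsObjectPut in the permission checks`; `initiateMultipartUpload` carries the same stale comment.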
@ -105,7 +105,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
// Required permissions for this action are same as objectPut
|
// Required permissions for this action are same as objectPut
|
||||||
requestType: 'objectPut',
|
requestType: request.apiMethods || 'initiateMultipartUpload',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const accountCanonicalID = authInfo.getCanonicalID();
|
const accountCanonicalID = authInfo.getCanonicalID();
|
||||||
|
|
|
@ -96,8 +96,8 @@ function listMultipartUploads(authInfo, request, log, callback) {
|
||||||
// to list the multipart uploads so we have provided here that
|
// to list the multipart uploads so we have provided here that
|
||||||
// the authorization to list multipart uploads is the same
|
// the authorization to list multipart uploads is the same
|
||||||
// as listing objects in a bucket.
|
// as listing objects in a bucket.
|
||||||
requestType: 'bucketGet',
|
requestType: request.apiMethods || 'bucketGet',
|
||||||
preciseRequestType: 'listMultipartUploads',
|
preciseRequestType: request.apiMethods || 'listMultipartUploads',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
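Review bot: With both fields now read from `request.apiMethods`, `requestType` and `preciseRequestType` hold the same value whenever it is present, which removes the split the comment above describes: authorize as a bucket listing, record the precise API separately. If that collapse is intended the comment needs rewriting to say so; if not, only `preciseRequestType` should take the override and `requestType` should stay `'bucketGet'`. The object literal starts outside the hunk.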
@ -97,7 +97,7 @@ function listParts(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
uploadId,
|
uploadId,
|
||||||
preciseRequestType: 'listParts',
|
preciseRequestType: request.apiMethods || 'listParts',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
// For validating the request at the destinationBucket level
|
// For validating the request at the destinationBucket level
|
||||||
|
|
|
@ -71,7 +71,7 @@ function metadataSearch(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'metadataSearch',
|
requestType: request.apiMethods || 'metadataSearch',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const listParams = {
|
const listParams = {
|
||||||
|
|
|
@ -56,7 +56,7 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
requestType: 'objectDelete',
|
requestType: request.apiMethods || 'objectDelete',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectDeleteTagging',
|
requestType: request.apiMethods || 'objectDeleteTagging',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -66,7 +66,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId,
|
versionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectGet',
|
requestType: request.apiMethods || 'objectGet',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ function objectGetACL(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId,
|
versionId,
|
||||||
requestType: 'objectGetACL',
|
requestType: request.apiMethods || 'objectGetACL',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const grantInfo = {
|
const grantInfo = {
|
||||||
|
|
|
@ -40,7 +40,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId,
|
versionId,
|
||||||
requestType: 'objectGetLegalHold',
|
requestType: request.apiMethods || 'objectGetLegalHold',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ function objectGetRetention(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
requestType: 'objectGetRetention',
|
requestType: request.apiMethods || 'objectGetRetention',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,7 @@ function objectGetTagging(authInfo, request, log, callback) {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
requestType: 'objectGetTagging',
|
requestType: request.apiMethods || 'objectGetTagging',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -48,7 +48,7 @@ function objectHead(authInfo, request, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId,
|
versionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectHead',
|
requestType: request.apiMethods || 'objectHead',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -68,7 +68,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName: destBucketName,
|
bucketName: destBucketName,
|
||||||
objectKey: destObjectKey,
|
objectKey: destObjectKey,
|
||||||
requestType: 'objectPut',
|
requestType: 'objectPutPart',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -125,8 +125,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
||||||
(destinationBucket, next) => {
|
(destinationBucket, next) => {
|
||||||
// For validating the request at the destinationBucket level the
|
// For validating the request at the destinationBucket level the
|
||||||
// `requestType` is the general 'objectPut'.
|
// `requestType` is the general 'objectPut'.
|
||||||
const requestType = 'objectPut';
|
const requestType = request.apiMethods || 'objectPutPart';
|
||||||
if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
|
if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo,
|
||||||
log, request, request.actionImplicitDenies)) {
|
log, request, request.actionImplicitDenies)) {
|
||||||
log.debug('access denied for user on bucket', { requestType });
|
log.debug('access denied for user on bucket', { requestType });
|
||||||
return next(errors.AccessDenied, destinationBucket);
|
return next(errors.AccessDenied, destinationBucket);
|
||||||
|
|
|
@ -189,6 +189,8 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
|
||||||
if (!Array.isArray(requestType)) {
|
if (!Array.isArray(requestType)) {
|
||||||
requestType = [requestType];
|
requestType = [requestType];
|
||||||
}
|
}
|
||||||
|
console.log('entering standardMetadataValidateBucketAndObj',
|
||||||
|
{ authInfo, bucketName, objectKey, versionId, getDeleteMarker, requestType });
|
||||||
async.waterfall([
|
async.waterfall([
|
||||||
next => {
|
next => {
|
||||||
// versionId may be 'null', which asks metadata to fetch the null key specifically
|
// versionId may be 'null', which asks metadata to fetch the null key specifically
|
||||||
|
@ -197,6 +199,7 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
|
||||||
getOptions.getDeleteMarker = true;
|
getOptions.getDeleteMarker = true;
|
||||||
}
|
}
|
||||||
return metadata.getBucketAndObjectMD(bucketName, objectKey, getOptions, log, (err, getResult) => {
|
return metadata.getBucketAndObjectMD(bucketName, objectKey, getOptions, log, (err, getResult) => {
|
||||||
|
console.log('metadata.getBucketAndObjectMD', { err, getResult });
|
||||||
if (err) {
|
if (err) {
|
||||||
// if some implicit iamAuthzResults, return AccessDenied
|
// if some implicit iamAuthzResults, return AccessDenied
|
||||||
// before leaking any state information
|
// before leaking any state information
|
||||||
|
@ -219,6 +222,7 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
|
||||||
return next(errors.NoSuchBucket);
|
return next(errors.NoSuchBucket);
|
||||||
}
|
}
|
||||||
const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
|
const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
|
||||||
|
console.log('validateBucket', { validationError, bucket });
|
||||||
if (validationError) {
|
if (validationError) {
|
||||||
return next(validationError, bucket);
|
return next(validationError, bucket);
|
||||||
}
|
}
|
||||||
|
@ -236,9 +240,11 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
|
||||||
log.debug('access denied for user on object', { requestType });
|
log.debug('access denied for user on object', { requestType });
|
||||||
return next(errors.AccessDenied, bucket);
|
return next(errors.AccessDenied, bucket);
|
||||||
}
|
}
|
||||||
|
console.log('object authorize', { bucket, objMD });
|
||||||
return next(null, bucket, objMD);
|
return next(null, bucket, objMD);
|
||||||
},
|
},
|
||||||
], (err, bucket, objMD) => {
|
], (err, bucket, objMD) => {
|
||||||
|
console.log('end of bucket checks', { err, bucket, objMD });
|
||||||
if (err) {
|
if (err) {
|
||||||
// still return bucket for cors headers
|
// still return bucket for cors headers
|
||||||
return callback(err, bucket);
|
return callback(err, bucket);
|
||||||
|
@ -261,6 +267,7 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
|
||||||
function standardMetadataValidateBucket(params, actionImplicitDenies, log, callback) {
|
function standardMetadataValidateBucket(params, actionImplicitDenies, log, callback) {
|
||||||
const { bucketName } = params;
|
const { bucketName } = params;
|
||||||
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
||||||
|
console.log('.getBucket', { err, bucket });
|
||||||
if (err) {
|
if (err) {
|
||||||
// if some implicit actionImplicitDenies, return AccessDenied before
|
// if some implicit actionImplicitDenies, return AccessDenied before
|
||||||
// leaking any state information
|
// leaking any state information
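Review bot: The added `console.log` calls write `authInfo`, the full bucket object, object metadata and raw errors to stdout on every request, outside the request-scoped `log` object these functions already receive. That puts identity data and, presumably, bucket ACL and policy contents into process output with no log level or redaction, and the calls after `metadata.getBucketAndObjectMD` and `metadata.getBucket` sit directly above code commented as avoiding state leaks. They look like debugging aids and should be removed before merge, or replaced with `log.debug('validating bucket and object', { bucketName, objectKey, versionId, requestType });` carrying identifiers only. The `"no-console": "off"` lint change that permits them should be reverted with them. The function bodies continue outside these hunks.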
|
||||||
|
|
|
@ -1481,7 +1481,7 @@ function routeBackbeat(clientIP, request, response, log) {
|
||||||
objectKey: request.objectKey,
|
objectKey: request.objectKey,
|
||||||
authInfo: userInfo,
|
authInfo: userInfo,
|
||||||
versionId,
|
versionId,
|
||||||
requestType: 'ReplicateObject',
|
requestType: request.apiMethods || 'ReplicateObject',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return standardMetadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log, next);
|
return standardMetadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log, next);
|
||||||
|
|
|
@ -43,7 +43,7 @@ httpRequests = Stat(
|
||||||
noValue="0",
|
noValue="0",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(rate(http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("green", 0, 0.0),
|
Threshold("green", 0, 0.0),
|
||||||
|
@ -60,9 +60,9 @@ successRate = GaugePanel(
|
||||||
noValue="-",
|
noValue="-",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr="\n".join([
|
expr="\n".join([
|
||||||
'sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job", code=~"2.."}[$__rate_interval])) * 100', # noqa: E501
|
'sum(rate(http_requests_total{namespace="${namespace}", job=~"$job", code=~"2.."}[$__rate_interval])) * 100', # noqa: E501
|
||||||
" /",
|
" /",
|
||||||
'sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]) > 0)', # noqa: E501
|
'sum(rate(http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]) > 0)', # noqa: E501
|
||||||
]),
|
]),
|
||||||
legendFormat="Success rate",
|
legendFormat="Success rate",
|
||||||
)],
|
)],
|
||||||
|
@ -86,7 +86,7 @@ dataIngestionRate = Stat(
|
||||||
format="binBps",
|
format="binBps",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='-sum(deriv(s3_cloudserver_disk_available_bytes{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='-sum(deriv(cloud_server_data_disk_available{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("dark-purple", 0, 0.0),
|
Threshold("dark-purple", 0, 0.0),
|
||||||
|
@ -105,7 +105,7 @@ objectIngestionRate = Stat(
|
||||||
format="O/s",
|
format="O/s",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(deriv(s3_cloudserver_objects_count{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(deriv(cloud_server_number_of_objects{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("dark-purple", 0, 0.0),
|
Threshold("dark-purple", 0, 0.0),
|
||||||
|
@ -125,7 +125,7 @@ bucketsCounter = Stat(
|
||||||
noValue="-",
|
noValue="-",
|
||||||
reduceCalc="lastNotNull",
|
reduceCalc="lastNotNull",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(s3_cloudserver_buckets_count{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
expr='sum(cloud_server_number_of_buckets{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("#808080", 0, 0.0),
|
Threshold("#808080", 0, 0.0),
|
||||||
|
@ -146,7 +146,7 @@ objectsCounter = Stat(
|
||||||
noValue="-",
|
noValue="-",
|
||||||
reduceCalc="lastNotNull",
|
reduceCalc="lastNotNull",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(s3_cloudserver_objects_count{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
expr='sum(cloud_server_number_of_objects{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("#808080", 0, 0.0),
|
Threshold("#808080", 0, 0.0),
|
||||||
|
@ -181,8 +181,8 @@ lastReport = Stat(
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr="\n".join([
|
expr="\n".join([
|
||||||
'time()',
|
'time()',
|
||||||
'- max(s3_cloudserver_last_report_timestamp{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
'- max(cloud_server_last_report_timestamp{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
||||||
'+ (max(s3_cloudserver_last_report_timestamp{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
'+ (max(cloud_server_last_report_timestamp{namespace="${namespace}", job="${reportJob}"})', # noqa: E501
|
||||||
' - max(kube_cronjob_status_last_schedule_time{namespace="${namespace}", cronjob="${countItemsJob}"})', # noqa: E501
|
' - max(kube_cronjob_status_last_schedule_time{namespace="${namespace}", cronjob="${countItemsJob}"})', # noqa: E501
|
||||||
' > 0 or vector(0))',
|
' > 0 or vector(0))',
|
||||||
])
|
])
|
||||||
|
@ -207,7 +207,7 @@ def http_status_panel(title, code):
|
||||||
noValue="0",
|
noValue="0",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job",code=' + code + "}[$__rate_interval]))", # noqa: E501
|
expr='sum(rate(http_requests_total{namespace="${namespace}", job=~"$job",code=' + code + "}[$__rate_interval]))", # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[Threshold("semi-dark-blue", 0, 0.)],
|
thresholds=[Threshold("semi-dark-blue", 0, 0.)],
|
||||||
)
|
)
|
||||||
|
@ -222,7 +222,7 @@ activeRequests = Stat(
|
||||||
dataSource="${DS_PROMETHEUS}",
|
dataSource="${DS_PROMETHEUS}",
|
||||||
reduceCalc="lastNotNull",
|
reduceCalc="lastNotNull",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(s3_cloudserver_http_active_requests{namespace="${namespace}", job=~"$job"})', # noqa: E501
|
expr='sum(http_active_requests{namespace="${namespace}", job=~"$job"})', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("green", 0, 0.0),
|
Threshold("green", 0, 0.0),
|
||||||
|
@ -242,7 +242,7 @@ oobDataIngestionRate = Stat(
|
||||||
format="binBps",
|
format="binBps",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(deriv(s3_cloudserver_ingested_bytes{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(deriv(cloud_server_data_ingested{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("purple", 0, 0.0),
|
Threshold("purple", 0, 0.0),
|
||||||
|
@ -261,7 +261,7 @@ oobObjectIngestionRate = Stat(
|
||||||
format="O/s",
|
format="O/s",
|
||||||
reduceCalc="mean",
|
reduceCalc="mean",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum(deriv(s3_cloudserver_ingested_objects_count{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(deriv(cloud_server_number_of_ingested_objects{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
Threshold("purple", 0, 0.0),
|
Threshold("purple", 0, 0.0),
|
||||||
|
@ -275,7 +275,7 @@ httpStatusCodes = TimeSeries(
|
||||||
lineInterpolation="smooth",
|
lineInterpolation="smooth",
|
||||||
unit=UNITS.OPS_PER_SEC,
|
unit=UNITS.OPS_PER_SEC,
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum by (code) (rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum by (code) (rate(http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
legendFormat="{{code}}",
|
legendFormat="{{code}}",
|
||||||
)],
|
)],
|
||||||
)
|
)
|
||||||
|
@ -284,7 +284,7 @@ httpStatusCodes = TimeSeries(
|
||||||
def http_aggregated_request_target(title, code):
|
def http_aggregated_request_target(title, code):
|
||||||
# type: (str, str) -> Target
|
# type: (str, str) -> Target
|
||||||
return Target(
|
return Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job", code=' + code + "}[$__rate_interval]))", # noqa: E501
|
expr='sum(rate(http_requests_total{namespace="${namespace}", job=~"$job", code=' + code + "}[$__rate_interval]))", # noqa: E501
|
||||||
legendFormat=title,
|
legendFormat=title,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -331,7 +331,7 @@ requestsByAction = TimeSeries(
|
||||||
unit=UNITS.OPS_PER_SEC,
|
unit=UNITS.OPS_PER_SEC,
|
||||||
targets=[
|
targets=[
|
||||||
Target(
|
Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval])) by(action)', # noqa: E501
|
expr='sum(rate(http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval])) by(action)', # noqa: E501
|
||||||
legendFormat="{{action}}",
|
legendFormat="{{action}}",
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
@ -345,7 +345,7 @@ requestsByMethod = PieChart(
|
||||||
unit=UNITS.SHORT,
|
unit=UNITS.SHORT,
|
||||||
targets=[
|
targets=[
|
||||||
Target(
|
Target(
|
||||||
expr='sum(round(increase(s3_cloudserver_http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))) by(method)', # noqa: E501
|
expr='sum(round(increase(http_requests_total{namespace="${namespace}", job=~"$job"}[$__rate_interval]))) by(method)', # noqa: E501
|
||||||
legendFormat="{{method}}",
|
legendFormat="{{method}}",
|
||||||
),
|
),
|
||||||
],
|
],
|
||||||
|
@ -358,9 +358,9 @@ def average_latency_target(title, action="", by=""):
|
||||||
by = " by (" + by + ")" if by else ""
|
by = " by (" + by + ")" if by else ""
|
||||||
return Target(
|
return Target(
|
||||||
expr="\n".join([
|
expr="\n".join([
|
||||||
'sum(rate(s3_cloudserver_http_request_duration_seconds_sum{namespace="${namespace}", job=~"$job"' + extra + "}[$__rate_interval]))" + by, # noqa: E501
|
'sum(rate(http_request_duration_seconds_sum{namespace="${namespace}", job=~"$job"' + extra + "}[$__rate_interval]))" + by, # noqa: E501
|
||||||
" /",
|
" /",
|
||||||
'sum(rate(s3_cloudserver_http_request_duration_seconds_count{namespace="${namespace}", job=~"$job"' + extra + "}[$__rate_interval]))" + by, # noqa: E501,
|
'sum(rate(http_request_duration_seconds_count{namespace="${namespace}", job=~"$job"' + extra + "}[$__rate_interval]))" + by, # noqa: E501,
|
||||||
]),
|
]),
|
||||||
legendFormat=title,
|
legendFormat=title,
|
||||||
)
|
)
|
||||||
|
@ -401,7 +401,7 @@ latenciesByAction = TimeSeries(
|
||||||
)
|
)
|
||||||
|
|
||||||
requestTime = Heatmap(
|
requestTime = Heatmap(
|
||||||
title="Request duration",
|
title="Request time",
|
||||||
dataSource="${DS_PROMETHEUS}",
|
dataSource="${DS_PROMETHEUS}",
|
||||||
dataFormat="tsbuckets",
|
dataFormat="tsbuckets",
|
||||||
maxDataPoints=25,
|
maxDataPoints=25,
|
||||||
|
@ -409,7 +409,7 @@ requestTime = Heatmap(
|
||||||
yAxis=YAxis(format=UNITS.DURATION_SECONDS),
|
yAxis=YAxis(format=UNITS.DURATION_SECONDS),
|
||||||
color=HeatmapColor(mode="opacity"),
|
color=HeatmapColor(mode="opacity"),
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='sum by(le) (increase(s3_cloudserver_http_request_duration_seconds_bucket{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum by(le) (increase(http_request_duration_seconds_bucket{namespace="${namespace}", job=~"$job"}[$__interval]))', # noqa: E501
|
||||||
format="heatmap",
|
format="heatmap",
|
||||||
legendFormat="{{ le }}",
|
legendFormat="{{ le }}",
|
||||||
)],
|
)],
|
||||||
|
@ -433,11 +433,11 @@ bandWidth = TimeSeries(
|
||||||
unit="binBps",
|
unit="binBps",
|
||||||
targets=[
|
targets=[
|
||||||
Target(
|
Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_response_size_bytes_sum{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(rate(http_response_size_bytes_sum{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
legendFormat="Out"
|
legendFormat="Out"
|
||||||
),
|
),
|
||||||
Target(
|
Target(
|
||||||
expr='sum(rate(s3_cloudserver_http_request_size_bytes_sum{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
expr='sum(rate(http_request_size_bytes_sum{namespace="${namespace}", job=~"$job"}[$__rate_interval]))', # noqa: E501
|
||||||
legendFormat="In"
|
legendFormat="In"
|
||||||
)
|
)
|
||||||
],
|
],
|
||||||
|
@ -461,7 +461,7 @@ uploadChunkSize = BarGauge(
|
||||||
noValue="-",
|
noValue="-",
|
||||||
orientation="vertical",
|
orientation="vertical",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='avg(s3_cloudserver_http_request_size_bytes{namespace="${namespace}", job=~"$job"}) by (quantile)', # noqa: E501
|
expr='avg(http_request_size_bytes{namespace="${namespace}", job=~"$job"}) by (quantile)', # noqa: E501
|
||||||
legendFormat='{{ quantile }}',
|
legendFormat='{{ quantile }}',
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
|
@ -481,7 +481,7 @@ downloadChunkSize = BarGauge(
|
||||||
noValue="-",
|
noValue="-",
|
||||||
orientation="vertical",
|
orientation="vertical",
|
||||||
targets=[Target(
|
targets=[Target(
|
||||||
expr='avg(s3_cloudserver_http_response_size_bytes{namespace="${namespace}", job=~"$job"}) by (quantile)', # noqa: E501
|
expr='avg(http_response_size_bytes{namespace="${namespace}", job=~"$job"}) by (quantile)', # noqa: E501
|
||||||
legendFormat='{{ quantile }}',
|
legendFormat='{{ quantile }}',
|
||||||
)],
|
)],
|
||||||
thresholds=[
|
thresholds=[
|
||||||
|
@ -585,7 +585,7 @@ dashboard = (
|
||||||
label='Group',
|
label='Group',
|
||||||
multi=True,
|
multi=True,
|
||||||
name='job',
|
name='job',
|
||||||
query='label_values(s3_cloudserver_http_active_requests{namespace="${namespace}", container="${container}"}, job)', # noqa: E501
|
query='label_values(http_active_requests{namespace="${namespace}", container="${container}"}, job)', # noqa: E501
|
||||||
regex='/(?<value>${zenkoName}-(?<text>\\w*).*)/',
|
regex='/(?<value>${zenkoName}-(?<text>\\w*).*)/',
|
||||||
),
|
),
|
||||||
Template(
|
Template(
|
||||||
|
@ -593,7 +593,7 @@ dashboard = (
|
||||||
hide=HIDE_VARIABLE,
|
hide=HIDE_VARIABLE,
|
||||||
label='pod',
|
label='pod',
|
||||||
name='pod',
|
name='pod',
|
||||||
query='label_values(s3_cloudserver_http_active_requests{namespace="${namespace}", container="${container}", job=~"$job"}, pod)', # noqa: E501
|
query='label_values(http_active_requests{namespace="${namespace}", container="${container}", job=~"$job"}, pod)', # noqa: E501
|
||||||
)
|
)
|
||||||
]),
|
]),
|
||||||
panels=layout.column([
|
panels=layout.column([
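Review bot: In the `requestTime` heatmap the range changes from `[$__rate_interval]` to `[$__interval]` (taking the second line of each printed pair as the new side), while every other target in this file keeps `$__rate_interval`. `increase()` over `$__interval` can return no samples when the panel interval is shorter than roughly two scrape intervals, which shows up as gaps in the heatmap. Keeping `[$__rate_interval]` there avoids that. Separately, the metric names lose their `s3_cloudserver_` prefix, so generic names such as `http_requests_total` rely entirely on the `namespace` and `job` matchers to exclude other exporters. Confirm the exporter emits these names, otherwise the panels read empty without any error.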
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@azure/storage-blob": "^12.12.0",
|
"@azure/storage-blob": "^12.12.0",
|
||||||
"@hapi/joi": "^17.1.0",
|
"@hapi/joi": "^17.1.0",
|
||||||
"arsenal": "git+https://github.com/scality/arsenal#8.1.121",
|
"arsenal": "git+https://github.com/scality/arsenal#e265d0b80ee27b13c4012a90777b0c77399db1fb",
|
||||||
"async": "~2.5.0",
|
"async": "~2.5.0",
|
||||||
"aws-sdk": "2.905.0",
|
"aws-sdk": "2.905.0",
|
||||||
"bucketclient": "scality/bucketclient#8.1.9",
|
"bucketclient": "scality/bucketclient#8.1.9",
|
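Review bot: `arsenal` moves from the release tag `8.1.121` to a bare commit id, while yarn.lock still records `version "8.1.121"` for the new entry, so the version field no longer tells a reader which arsenal code is installed. A commit that is not on a released tag can become unreachable if its branch is rebased or deleted, which breaks reproducible installs. Since this change set alters authorization request types and presumably depends on matching arsenal changes, the arsenal side should be released and the dependency pointed at that tag before merge.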
||||||
|
|
|
@ -117,6 +117,7 @@ describe('deleted flag bucket handling', () => {
|
||||||
bucketMD.setLocationConstraint(locationConstraint);
|
bucketMD.setLocationConstraint(locationConstraint);
|
||||||
metadata.createBucket(bucketName, bucketMD, log, () => {
|
metadata.createBucket(bucketName, bucketMD, log, () => {
|
||||||
metadata.createBucket(usersBucketName, usersBucket, log, () => {
|
metadata.createBucket(usersBucketName, usersBucket, log, () => {
|
||||||
|
console.log('bucket created!!!!');
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
@ -439,13 +440,15 @@ describe('deleted flag bucket handling', () => {
|
||||||
if (extraArgNeeded) {
|
if (extraArgNeeded) {
|
||||||
return apiAction(authInfo, mpuRequest, undefined,
|
return apiAction(authInfo, mpuRequest, undefined,
|
||||||
log, err => {
|
log, err => {
|
||||||
|
console.log(err);
|
||||||
assert.strictEqual(err.is.NoSuchUpload, true);
|
assert.strictEqual(err.is.NoSuchUpload, true);
|
||||||
return done();
|
return done();
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
return apiAction(authInfo, mpuRequest,
|
return apiAction(authInfo, mpuRequest,
|
||||||
log, err => {
|
log, err => {
|
||||||
assert.strictEqual(err.is.NoSuchUpload, true);
|
console.log(err);
|
||||||
|
assert.strictEqual(err.is.NoSuchUpload, true);
|
||||||
return done();
|
return done();
|
||||||
});
|
});
|
||||||
}
|
}
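Review bot: `console.log('bucket created!!!!')` and the two `console.log(err)` lines are debugging leftovers that add output to every test run and should be dropped before merge. If the aim is to see why an assertion fails, give the assertion a message instead, for example `assert.strictEqual(err.is.NoSuchUpload, true, 'expected NoSuchUpload');`. The surrounding test bodies start outside these hunks.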
|
||||||
|
|
|
@ -789,9 +789,9 @@ arraybuffer.slice@~0.0.7:
|
||||||
optionalDependencies:
|
optionalDependencies:
|
||||||
ioctl "^2.0.2"
|
ioctl "^2.0.2"
|
||||||
|
|
||||||
"arsenal@git+https://github.com/scality/arsenal#8.1.121":
|
"arsenal@git+https://github.com/scality/arsenal#e265d0b80ee27b13c4012a90777b0c77399db1fb":
|
||||||
version "8.1.121"
|
version "8.1.121"
|
||||||
resolved "git+https://github.com/scality/arsenal#5a5ef7c572a6546021e609b752e5644c166ad8a1"
|
resolved "git+https://github.com/scality/arsenal#e265d0b80ee27b13c4012a90777b0c77399db1fb"
|
||||||
dependencies:
|
dependencies:
|
||||||
"@azure/identity" "^3.1.1"
|
"@azure/identity" "^3.1.1"
|
||||||
"@azure/storage-blob" "^12.12.0"
|
"@azure/storage-blob" "^12.12.0"
|
||||||
|
|