Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add hability to create user #43

Merged
merged 1 commit into from
Jun 5, 2024
Merged

Add hability to create user #43

merged 1 commit into from
Jun 5, 2024

Conversation

Donatien26
Copy link
Collaborator

No description provided.

@Donatien26 Donatien26 force-pushed the add-hability-to-create-user branch 2 times, most recently from 692216a to 71dc785 Compare April 15, 2024 05:51
@Donatien26 Donatien26 marked this pull request as ready for review April 15, 2024 05:51
@Donatien26 Donatien26 requested a review from phlg April 15, 2024 05:51
@Donatien26 Donatien26 force-pushed the add-hability-to-create-user branch 2 times, most recently from fa272fd to 8cb16f7 Compare April 15, 2024 05:58
sathieu
sathieu requested changes Apr 15, 2024
View reviewed changes
Copy link
Collaborator

@sathieu sathieu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Donatien26 Thanks for your PR. I've left some comments. Back to you 🏓 !

api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
controllers/utils/utils.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
phlg
phlg requested changes Apr 15, 2024
View reviewed changes
Copy link
Contributor

@phlg phlg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for this big contribution. :)

Added my own batch of comments on top of Mathieu's (which by the way also apply to the other resources managed by s3-operator, I will need to fix that in the future).

Some are pretty important stuff that need to be discussed and/or implemented before approval (eg: README, group/policy considerations, status update method), some are minor nitpicks.

Will now clone the branch to do some local testing, might have other feedback afterwards.

README.md Show resolved Hide resolved
api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
api/v1alpha1/user_types.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/user_controller.go Outdated Show resolved Hide resolved
controllers/s3/factory/mockedS3Client.go Show resolved Hide resolved
controllers/s3/factory/minioS3Client.go Outdated Show resolved Hide resolved
@Donatien26 Donatien26 force-pushed the add-hability-to-create-user branch 6 times, most recently from 63cf6ed to b255261 Compare April 16, 2024 06:43
@Donatien26 Donatien26 force-pushed the add-hability-to-create-user branch 5 times, most recently from 302580b to 706ace3 Compare April 26, 2024 07:44
@Donatien26 Donatien26 force-pushed the add-hability-to-create-user branch from 706ace3 to 1c752dd Compare April 26, 2024 07:48
sathieu
sathieu requested changes Apr 29, 2024
View reviewed changes
config/samples/s3.onyxia.sh_v1alpha1_s3user.yaml
Comment on lines +16 to +17
groups:
- group-example1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the groups part.

@phlg
Copy link
Contributor

phlg commented May 15, 2024

@Donatien26 We resumed tests today - still ongoing, but I'm wondering what we should do with the override-existing-secret.

With its default value of false, it means that if the accessKey stored inside the secret is changed, we have a mismatch between the actual working password (the initial value) and what's visible in the k8s secret. At this point, if the initial password is lost or deleted, then that S3User becomes unusable unless an admin resets the password, or both S3User and Secret resources are deleted and recreated.

Does that mean the Secret is considered a temporary commodity only, to first fetch the secret key and then store it somewhre else (eg: Vault) ? Or is it intended for a different reason (or unintended - in which case we might want to either change the default value or drop the flag) ?

@phlg
Copy link
Contributor

phlg commented May 15, 2024
edited
Loading

Another thing of note : we need to test this further, but it looks like modifying just the accessKey in an existing S3User resource brings forth an incoherent state. Let's say the modification is this :

- - accessKey: user-a
+ - accessKey: user-b

Then :

  • user-b is created on S3
  • no user-b k8s Secret is created (which seems sane - there's still only one k8s S3User)
  • user-a is not deleted on S3 (even with the s3user-deletion flag)
  • it appears impossible to log in with either of them using the (unchanged) secret key (at least on Minio Console) EDIT : trying this again from scratch, it's actually still possible to log-in with user-a - but we do have a new user-b that is unable to log in

@phlg
Copy link
Contributor

phlg commented May 15, 2024

One last tidbit for today : I'm not if this is normal or not, but checking the YAML for the Secret tied to a S3User, the lastAppliedConfiguration annotation actually points to that of the S3User, not the secret.

Now there is an obvious link between the two, but I thought this was carried by the ownerReference. Is it normal that the Secret also carries the entire spec or its owning S3User ?

phlg
phlg reviewed May 16, 2024
View reviewed changes
README.md
{
"Effect": "Allow",
"Action": [
"admin:CreatePolicy",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add the right to remove a policy as well please ?

Suggested change
"admin:CreatePolicy",
"admin:CreatePolicy",
"admin:DeletePolicy",

@JackLemaitre JackLemaitre merged commit 1cd93b5 into main Jun 5, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexisdondon alexisdondon alexisdondon left review comments

@nvalembois nvalembois nvalembois left review comments

@sathieu sathieu sathieu requested changes

@phlg phlg phlg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Donatien26 @phlg @sathieu @nvalembois @alexisdondon @JackLemaitre