Evaluate policies in Backbeat routes by welansari · Pull Request #5911 · scality/cloudserver

welansari · 2025-08-20T12:25:11Z

Evaluate policies in Backbeat routes when running in the external Cloudserver.

This PR is based on the implementation in #5714

bert-e · 2025-08-20T12:25:14Z

Hello kerkesni,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
`/after_pull_request`	Wait for the given pull request id to be merged before continuing with the current one.
`/bypass_author_approval`	Bypass the pull request author's approval	⭐
`/bypass_build_status`	Bypass the build and test status	⭐
`/bypass_commit_size`	Bypass the check on the size of the changeset `TBA`	⭐
`/bypass_incompatible_branch`	Bypass the check on the source branch prefix	⭐
`/bypass_jira_check`	Bypass the Jira issue check	⭐
`/bypass_peer_approval`	Bypass the pull request peers' approval	⭐
`/bypass_leader_approval`	Bypass the pull request leaders' approval	⭐
`/approve`	Instruct Bert-E that the author has approved the pull request.		✍️
`/create_pull_requests`	Allow the creation of integration pull requests.
`/create_integration_branches`	Allow the creation of integration branches.
`/no_octopus`	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
`/unanimity`	Change review acceptance criteria from `one reviewer at least` to `all reviewers`
`/wait`	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
`/help`	Print Bert-E's manual in the pull request.
`/status`	Print Bert-E's current status in the pull request `TBA`
`/clear`	Remove all comments from Bert-E from the history `TBA`
`/retry`	Re-start a fresh build `TBA`
`/build`	Re-start a fresh build `TBA`
`/force_reset`	Delete integration branches & pull requests, and restart merge process from the beginning.
`/reset`	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

codecov · 2025-08-20T12:27:26Z

Codecov Report

❌ Patch coverage is 83.01887% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.52%. Comparing base (fe01aad) to head (4d7d1b3).
⚠️ Report is 3 commits behind head on development/9.1.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
lib/api/api.js	76.31%	9 Missing ⚠️
lib/routes/routeBackbeat.js	86.56%	9 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/utilities/internalHandlers.js	`100.00% <100.00%> (ø)`
lib/api/api.js	`90.90% <76.31%> (+1.32%)`	⬆️
lib/routes/routeBackbeat.js	`75.21% <86.56%> (+4.28%)`	⬆️

... and 1 file with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.1    #5911      +/-   ##
===================================================
+ Coverage            83.24%   83.52%   +0.27%     
===================================================
  Files                  190      190              
  Lines                12159    12167       +8     
===================================================
+ Hits                 10122    10162      +40     
+ Misses                2037     2005      -32

Flag	Coverage Δ
ceph-backend-test	`64.31% <57.54%> (+0.06%)`	⬆️
file-ft-tests	`66.14% <39.62%> (+0.06%)`	⬆️
kmip-ft-tests	`26.96% <12.26%> (+0.03%)`	⬆️
mongo-v0-ft-tests	`67.95% <45.28%> (+0.02%)`	⬆️
mongo-v1-ft-tests	`67.95% <45.28%> (+<0.01%)`	⬆️
multiple-backend	`33.97% <57.54%> (+0.06%)`	⬆️
sur-tests	`34.51% <12.26%> (-0.84%)`	⬇️
sur-tests-inflights	`36.49% <12.26%> (+0.05%)`	⬆️
unit	`67.98% <67.92%> (+0.65%)`	⬆️
utapi-v2-tests	`33.32% <12.26%> (+0.02%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

bert-e · 2025-08-20T12:28:18Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

ghost

Changes lgtm, just some more tests I believe we can add for completeness

francoisferrand · 2025-08-20T14:24:40Z

+            if (request.bypassUserBucketPolicies) {
+                return next(null, userInfo);
            }


this "skip" on internal routes is already implemented deep inside bucket policies, inside isBucketAuthorized and isObjectAuthorized : is this redundant (i.e. we indeed call these later), or do we really need the extra skip here? In that case, should that check be added in handleAuthorizationResults ?

The check is not redundant, as far as i understood we are only supposed to skip bucket policies when using an internal Cloudserver not all the policies, so handling the flag at a higher level like in handleAuthorizationResults would disable all policy evaluation including for standard APIs which is not something we want.

handling the flag at a higher level like in handleAuthorizationResults would disable all policy evaluation including for standard APIs which is not something we want.

That explains why we want to keep the checks deep in isBucketAuthorized and isObjectAuthorized instead of moving it handleAuthorizationResults.

But should we not evaluate these "standard" policies on backbeat routes as well (i.e. remove this extra bypass, and just rely on the deeper bypass) ? Or is it something we can only do later, when we have added the required (custom) permissions in arsenal/vault and given them to the internal users?

We could evaluate policies on the internal Cloudserver, however i'm not certain our internal services have the required permissions (policies) hence why i skipped the evaluation here.

I created a follow-up ticket to verify the policies we create for our services and eventually remove this check (ZENKO-5058)

Issue: CLDSRV-728

Policy evaluation is skipped in the internal Cloudserver instance. Issue: CLDSRV-728

Issue: CLDSRV-728

welansari · 2025-08-22T12:19:11Z

/approve

bert-e · 2025-08-22T12:19:27Z

I have successfully merged the changeset of this pull request
into targetted development branches:

✔️ development/9.1

The following branches have NOT changed:

development/7.10
development/7.4
development/7.70
development/8.8
development/9.0

Please check the status of the associated issue CLDSRV-728.

Goodbye kerkesni.

The following options are set: approve

scality deleted a comment from bert-e Aug 20, 2025

welansari requested review from a user and francoisferrand August 20, 2025 12:33

ghost approved these changes Aug 20, 2025

View reviewed changes

Comment thread tests/unit/DummyRequest.js Outdated

Comment thread lib/routes/routeBackbeat.js

Comment thread tests/unit/routes/routeBackbeat.js Outdated

francoisferrand reviewed Aug 20, 2025

View reviewed changes

SylvainSenechal reviewed Aug 21, 2025

View reviewed changes

Comment thread lib/api/api.js

SylvainSenechal reviewed Aug 21, 2025

View reviewed changes

Comment thread lib/api/api.js

welansari requested a review from francoisferrand August 21, 2025 14:16

francoisferrand approved these changes Aug 21, 2025

View reviewed changes

Kerkesni added 3 commits August 21, 2025 17:42

refactor policy evaluation function

0fd3fd8

Issue: CLDSRV-728

evaluate policies in backbeat routes

9d9086e

Policy evaluation is skipped in the internal Cloudserver instance. Issue: CLDSRV-728

add tests

4d7d1b3

Issue: CLDSRV-728

welansari force-pushed the bugfix/CLDSRV-728 branch from ca67f3f to 4d7d1b3 Compare August 21, 2025 15:48

bert-e merged commit 4d7d1b3 into development/9.1 Aug 22, 2025
27 checks passed

bert-e deleted the bugfix/CLDSRV-728 branch August 22, 2025 12:19

Conversation

welansari commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bert-e commented Aug 20, 2025

Hello kerkesni,

Uh oh!

codecov bot commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

bert-e commented Aug 20, 2025

Waiting for approval

Uh oh!

ghost left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

francoisferrand Aug 20, 2025

Choose a reason for hiding this comment

Uh oh!

welansari Aug 21, 2025

Choose a reason for hiding this comment

Uh oh!

francoisferrand Aug 21, 2025

Choose a reason for hiding this comment

Uh oh!

welansari Aug 21, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

welansari commented Aug 22, 2025

Uh oh!

bert-e commented Aug 22, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

welansari commented Aug 20, 2025 •

edited

Loading

codecov bot commented Aug 20, 2025 •

edited

Loading