mgr/dashboard: user accounts enhancements

fixes: https://tracker.ceph.com/issues/72072

PR covers:
1) Displaying account name instead of account id in bucket list page & bucket edit form for account owned buckets
2) non-root account user can now be assigned with managed policies with which they can perform operations
3) The root user indication shifted next to username in users list rather than on Account Name with a new icon.

Signed-off-by: Naman Munet <[email protected]>

Author: Naman Munet

src/pybind/mgr/dashboard/controllers/rgw.py

@@ -546,16 +546,51 @@ def get_s3_bucket_name(bucket_name, tenant=None):
             bucket_name = '{}:{}'.format(tenant, bucket_name)
         return bucket_name
 
+    def map_bucket_owners(self, result, daemon_name):
+        """
+        Replace bucket owner IDs with account names for a list of buckets.
+
+        :param result: List of bucket dicts with 'owner' keys.
+        :param daemon_name: RGW daemon identifier.
+        :return: Modified result with owner names instead of IDs.
+        """
+        # Get unique owner IDs from buckets
+        owner_ids = {bucket['owner'] for bucket in result}
+
+        # Get available account IDs
+        valid_accounts = set(RgwAccounts().get_accounts())
+
+        # Determine which owner IDs are valid and need querying
+        query_ids = owner_ids & valid_accounts
+
+        # Fetch account names for valid owner IDs
+        id_to_name = {}
+        for owner_id in query_ids:
+            try:
+                account = self.proxy(daemon_name, 'GET', 'account', {'id': owner_id})
+                if 'name' in account:
+                    id_to_name[owner_id] = account['name']
+            except RequestException:
+                continue
+
+        # Replace owner IDs with names in the bucket list
+        for bucket in result:
+            owner_id = bucket.get('owner')
+            if owner_id in id_to_name:
+                bucket['owner'] = id_to_name[owner_id]
+
+        return result
+
     @RESTController.MethodMap(version=APIVersion(1, 1))  # type: ignore
     def list(self, stats: bool = False, daemon_name: Optional[str] = None,
              uid: Optional[str] = None) -> List[Union[str, Dict[str, Any]]]:
         query_params = f'?stats={str_to_bool(stats)}'
         if uid and uid.strip():
             query_params = f'{query_params}&uid={uid.strip()}'
         result = self.proxy(daemon_name, 'GET', 'bucket{}'.format(query_params))
-
-        if stats:
+        if str_to_bool(stats):
             result = [self._append_bid(bucket) for bucket in result]
+            result = self.map_bucket_owners(result, daemon_name)
 
         return result
 
@@ -900,6 +935,9 @@ def _get(self, uid, daemon_name=None, stats=True) -> dict:
         if not self._keys_allowed():
             del result['keys']
             del result['swift_keys']
+        if result.get('account_id') not in (None, '') and result.get('type') != 'root':
+            rgwAccounts = RgwAccounts()
+            result['managed_user_policies'] = rgwAccounts.list_managed_policy(uid)
         result['uid'] = result['full_user_id']
         return result
 
@@ -918,53 +956,94 @@ def get_emails(self, daemon_name=None):
     def create(self, uid, display_name, email=None, max_buckets=None,
                system=None, suspended=None, generate_key=None, access_key=None,
                secret_key=None, daemon_name=None, account_id: Optional[str] = None,
-               account_root_user: Optional[bool] = False):
-        params = {'uid': uid}
-        if display_name is not None:
-            params['display-name'] = display_name
-        if email is not None:
-            params['email'] = email
-        if max_buckets is not None:
-            params['max-buckets'] = max_buckets
-        if system is not None:
-            params['system'] = system
-        if suspended is not None:
-            params['suspended'] = suspended
-        if generate_key is not None:
-            params['generate-key'] = generate_key
-        if access_key is not None:
-            params['access-key'] = access_key
-        if secret_key is not None:
-            params['secret-key'] = secret_key
-        if account_id is not None:
-            params['account-id'] = account_id
+               account_root_user: Optional[bool] = False,
+               account_policies: Optional[str] = None):
+        """Create a new RGW user."""
+
+        params = {'uid': uid, 'display-name': display_name}
+
+        # Add optional parameters
+        optional_params = {
+            'email': email,
+            'max-buckets': max_buckets,
+            'system': system,
+            'suspended': suspended,
+            'generate-key': generate_key,
+            'access-key': access_key,
+            'secret-key': secret_key,
+            'account-id': account_id
+        }
+
+        # Add only non-None parameters
+        for key, value in optional_params.items():
+            if value is not None:
+                params[key] = value
+
+        # Handle boolean parameter separately
         if account_root_user:
             params['account-root'] = account_root_user
+
+        # Make the API request
         result = self.proxy(daemon_name, 'PUT', 'user', params)
         result['uid'] = result['full_user_id']
+
+        # Process account policies
+        if account_policies is not None:
+            self._process_account_policies(uid, account_policies)
+
         return result
 
+    def _process_account_policies(self, uid, account_policies):
+        """Process account policies for a user."""
+        rgw_accounts = RgwAccounts()
+        # Parse the policies JSON if it's a string
+        if isinstance(account_policies, str):
+            account_policies = json.loads(account_policies)
+
+        # Attach policies
+        for policy_arn in account_policies.get('attach', []):
+            rgw_accounts.attach_managed_policy(uid, policy_arn)
+
+        # Detach policies
+        for policy_arn in account_policies.get('detach', []):
+            rgw_accounts.detach_managed_policy(uid, policy_arn)
+
     @allow_empty_body
     def set(self, uid, display_name=None, email=None, max_buckets=None,
             system=None, suspended=None, daemon_name=None, account_id: Optional[str] = None,
-            account_root_user: Optional[bool] = False):
+            account_root_user: Optional[bool] = False,
+            account_policies: Optional[str] = None):
+        """Update an existing RGW user."""
+
         params = {'uid': uid}
-        if display_name is not None:
-            params['display-name'] = display_name
-        if email is not None:
-            params['email'] = email
-        if max_buckets is not None:
-            params['max-buckets'] = max_buckets
-        if system is not None:
-            params['system'] = system
-        if suspended is not None:
-            params['suspended'] = suspended
-        if account_id is not None:
-            params['account-id'] = account_id
+
+        # Add optional parameters
+        optional_params = {
+            'display-name': display_name,
+            'email': email,
+            'max-buckets': max_buckets,
+            'system': system,
+            'suspended': suspended,
+            'account-id': account_id
+        }
+
+        # Add only non-None parameters
+        for key, value in optional_params.items():
+            if value is not None:
+                params[key] = value
+
+        # Handle boolean parameter separately
         if account_root_user:
             params['account-root'] = account_root_user
+
+        # Make the API request
         result = self.proxy(daemon_name, 'POST', 'user', params)
         result['uid'] = result['full_user_id']
+
+        # Process account policies
+        if account_policies is not None:
+            self._process_account_policies(uid, account_policies)
+
         return result
 
     def delete(self, uid, daemon_name=None):

src/pybind/mgr/dashboard/frontend/package-lock.json

@@ -52,7 +52,7 @@
     "@angular/platform-browser-dynamic": "18.2.11",
     "@angular/router": "18.2.11",
     "@carbon/charts-angular": "1.23.9",
-    "@carbon/icons": "11.41.0",
+    "@carbon/icons": "11.63.0",
     "@carbon/styles": "1.83.0",
     "@ibm/plex": "6.4.0",
     "@ng-bootstrap/ng-bootstrap": "17.0.1",

src/pybind/mgr/dashboard/frontend/package.json

@@ -231,7 +231,12 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
     }
 
     // Process route parameters.
-    this.route.params.subscribe((params: { bid: string }) => {
+    this.route.params.subscribe((params: { bid: string; owner: string }) => {
+      let bucketOwner = '';
+      if (params.hasOwnProperty('owner')) {
+        // only used for showing bucket owned by account
+        bucketOwner = decodeURIComponent(params.owner);
+      }
       if (params.hasOwnProperty('bid')) {
         const bid = decodeURIComponent(params.bid);
         promises['getBid'] = this.rgwBucketService.get(bid);
@@ -299,13 +304,13 @@ export class RgwBucketFormComponent extends CdForm implements OnInit, AfterViewC
               // creating dummy user object to show the account owner
               // here value['owner] is the account user id
               const user = Object.assign(
-                { uid: value['owner'] },
+                { uid: bucketOwner },
                 ownersList.find((owner: RgwUser) => owner.uid === AppConstants.defaultUser)
               );
               this.accountUsers.push(user);
               this.bucketForm.get('isAccountOwner').setValue(true);
               this.bucketForm.get('isAccountOwner').disable();
-              this.bucketForm.get('accountUser').setValue(value['owner']);
+              this.bucketForm.get('accountUser').setValue(bucketOwner);
               this.bucketForm.get('accountUser').disable();
             }
             this.isVersioningAlreadyEnabled = this.isVersioningEnabled;

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-form/rgw-bucket-form.component.ts

@@ -110,7 +110,10 @@ export class RgwBucketListComponent extends ListWithDetails implements OnInit, O
       }
     ];
     const getBucketUri = () =>
-      this.selection.first() && `${encodeURIComponent(this.selection.first().bid)}`;
+      this.selection.first() &&
+      `${encodeURIComponent(this.selection.first().bid)}/${encodeURIComponent(
+        this.selection.first().owner
+      )}`;
     const addAction: CdTableAction = {
       permission: 'create',
       icon: Icons.add,

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-bucket-list/rgw-bucket-list.component.ts

@@ -64,6 +64,13 @@
               class="bold">Maximum buckets</td>
           <td>{{ user.max_buckets | map: maxBucketsMap }}</td>
         </tr>
+        @if (user.type === 'rgw' && selection.account?.id){
+        <tr>
+          <td i18n
+              class="bold">Managed policies</td>
+          <td i18n>{{ extractPolicyNamesFromArns(user.managed_user_policies) }}</td>
+        </tr>
+        }
         <tr *ngIf="user.subusers && user.subusers.length">
           <td i18n
               class="bold">Subusers</td>

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-details/rgw-user-details.component.html

@@ -56,7 +56,9 @@ describe('RgwUserDetailsComponent', () => {
       system: 'true',
       keys: [],
       swift_keys: [],
-      mfa_ids: ['testMFA1', 'testMFA2']
+      mfa_ids: ['testMFA1', 'testMFA2'],
+      type: 'rgw',
+      account: { id: 'RGW12345678901234567' }
     };
 
     component.ngOnChanges();
@@ -65,8 +67,8 @@ describe('RgwUserDetailsComponent', () => {
     const detailsTab = fixture.debugElement.nativeElement.querySelectorAll(
       '.cds--data-table--sort.cds--data-table--no-border tr td'
     );
-    expect(detailsTab[14].textContent).toEqual('MFAs(Id)');
-    expect(detailsTab[15].textContent).toEqual('testMFA1, testMFA2');
+    expect(detailsTab[16].textContent).toEqual('MFAs(Id)');
+    expect(detailsTab[17].textContent).toEqual('testMFA1, testMFA2');
   });
   it('should test updateKeysSelection', () => {
     component.selection = {

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-details/rgw-user-details.component.spec.ts

@@ -136,4 +136,14 @@ export class RgwUserDetailsComponent implements OnChanges, OnInit {
         break;
     }
   }
+
+  extractPolicyNamesFromArns(arnList: string[]) {
+    if (!arnList || arnList.length === 0) {
+      return '-';
+    }
+    return arnList
+      .map((arn) => arn.trim().split('/').pop())
+      .filter(Boolean)
+      .join(', ');
+  }
 }

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-details/rgw-user-details.component.ts

@@ -23,7 +23,7 @@
                   [ngValue]="null">Loading...</option>
           <option i18n
                   *ngIf="accounts !== null"
-                  [ngValue]="null">-- Select an Account --</option>
+                  [value]="''">-- Select an Account --</option>
           <option *ngFor="let account of accounts"
                   [value]="account.id">{{ account.name }} {{account.tenant ? '- '+account.tenant : ''}}</option>
         </cds-select>
@@ -208,6 +208,31 @@
       </cds-checkbox>
     </div>
 
+    @if(userForm.getValue('account_id') && !userForm.getValue('account_root_user')) {
+    <!-- Managed policies -->
+    <fieldset>
+      <div class="form-item">
+        <legend i18n
+                class="cd-header">Managed policies</legend>
+        <cds-combo-box label="Policies"
+                       type="multi"
+                       selectionFeedback="top-after-reopen"
+                       formControlName="account_policies"
+                       id="account_policies"
+                       placeholder="Select managed policies..."
+                       i18n-placeholder
+                       [appendInline]="true"
+                       [items]="managedPolicies"
+                       (selected)="multiSelector($event)"
+                       itemValueKey="name"
+                       i18n-label
+                       i18n>
+          <cds-dropdown-list></cds-dropdown-list>
+        </cds-combo-box>
+      </div>
+    </fieldset>
+    }
+
     <!-- S3 key -->
     <fieldset *ngIf="!editing">
       <legend i18n