Skip to content

rgw/iam: customer managed policy #646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ArbitCode wants to merge 1 commit into
base: master
Choose a base branch
from
Open

rgw/iam: customer managed policy #646

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pytest.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,3 +53,4 @@ markers =
user_policy
versioning
webidentity_test
policy
Copy link
Contributor

@cbodley cbodley May 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we call this managed_policy?

Copy link
Member Author

@ArbitCode ArbitCode May 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cbodley overall related to this SPIKE can we call managed_policy instead of policy or customer_managed_policy ?

but there is other existing features related managed_policy in will that create any confusion?
rgw_rest_user_policy.cc

Copy link
Member Author

@ArbitCode ArbitCode May 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but AWS presents it as policy while create, delete, get etc

132 changes: 132 additions & 0 deletions s3tests_boto3/functional/test_iam.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1451,6 +1451,138 @@ def test_account_user_policy_allow(iam_root):
# something other than AccessDenied
retry_on('AccessDenied', 10, client.list_buckets)

# IAM Customer Managed Policy
@pytest.mark.policy
@pytest.mark.iam_account
def test_create_policy(iam_root):
name = make_iam_name('create-policy')
path = get_iam_path_prefix()
policy_document = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}
policy = iam_root.create_policy(
PolicyName=name,
PolicyDocument=json.dumps(policy_document),
Description='Read-only access to mybucket',
Path=path,
Tags=[
{"Key": "Perms", "Value": "READ"},
{"Key": "Principle", "Value": "S3"}
]
)
assert policy['Policy']['PolicyName'] == name
assert policy['Policy']['Path'] == path

# Cleanup
iam_root.delete_policy(PolicyArn=policy['Policy']['Arn'])
Comment on lines +1489 to +1490
Copy link
Contributor

@cbodley cbodley May 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

once we support iam:ListPolicies, we can add a nuke_policies() to the iam_root/iam_alt_root fixtures in iam.py so that test cases don't have to handle cleanup on their own


@pytest.mark.policy
@pytest.mark.iam_account
def test_create_duplicate_policy(iam_root):
name = make_iam_name('duplicate-policy')
path = get_iam_path_prefix()
policy_document = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::example"]
}]
}

policy = iam_root.create_policy(
PolicyName=name,
PolicyDocument=json.dumps(policy_document),
Path=path
)
policy_arn = policy['Policy']['Arn']

try:
with pytest.raises(iam_root.exceptions.EntityAlreadyExistsException):
iam_root.create_policy(
PolicyName=name,
PolicyDocument=json.dumps(policy_document),
Path=path
)
finally:
iam_root.delete_policy(PolicyArn=policy_arn)

@pytest.mark.policy
@pytest.mark.iam_account
def test_get_policy(iam_root):
Copy link
Contributor

@pritha-srivastava pritha-srivastava May 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can add a get test for a non existent policy.

name = make_iam_name('get-policy')
path = get_iam_path_prefix()
policy_document = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::mybucket"]
}]
}

policy = iam_root.create_policy(
PolicyName=name,
PolicyDocument=json.dumps(policy_document),
Path=path
)
policy_arn = policy['Policy']['Arn']

fetched = iam_root.get_policy(PolicyArn=policy_arn)

assert fetched['Policy']['PolicyName'] == name
assert fetched['Policy']['Arn'] == policy_arn

# Cleanup
iam_root.delete_policy(PolicyArn=policy_arn)

@pytest.mark.policy
@pytest.mark.iam_account
def test_delete_policy(iam_root):
name = make_iam_name('delete-policy')
path = get_iam_path_prefix()
policy_document = {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::mybucket"]
}]
}

policy = iam_root.create_policy(
PolicyName=name,
PolicyDocument=json.dumps(policy_document),
Path=path
)
policy_arn = policy['Policy']['Arn']

iam_root.delete_policy(PolicyArn=policy_arn)

with pytest.raises(iam_root.exceptions.NoSuchEntityException):
iam_root.get_policy(PolicyArn=policy_arn)

@pytest.mark.policy
@pytest.mark.iam_account
def test_delete_nonexistent_policy(iam_root):
main_arn = iam_root.get_user()['User']['Arn']
account_id = main_arn.removeprefix('arn:aws:iam::').removesuffix(':root')
fake_arn = f"arn:aws:iam::{account_id}:policy/NonExistentPolicy"
with pytest.raises(iam_root.exceptions.NoSuchEntityException):
iam_root.delete_policy(PolicyArn=fake_arn)

def group_list_names(client, **kwargs):
p = client.get_paginator('list_groups')
Expand Down