mgr/dashboard: link user to rgw account & add root account user functionality

Fixes: https://tracker.ceph.com/issues/69529

Signed-off-by: Naman Munet <[email protected]>

Author: Naman Munet

src/pybind/mgr/dashboard/controllers/rgw.py

@@ -851,7 +851,8 @@ def get_emails(self, daemon_name=None):
     @allow_empty_body
     def create(self, uid, display_name, email=None, max_buckets=None,
                system=None, suspended=None, generate_key=None, access_key=None,
-               secret_key=None, daemon_name=None):
+               secret_key=None, daemon_name=None, account_id: Optional[str] = None,
+               account_root_user: Optional[bool] = False):
         params = {'uid': uid}
         if display_name is not None:
             params['display-name'] = display_name
@@ -869,13 +870,18 @@ def create(self, uid, display_name, email=None, max_buckets=None,
             params['access-key'] = access_key
         if secret_key is not None:
             params['secret-key'] = secret_key
+        if account_id is not None:
+            params['account-id'] = account_id
+        if account_root_user:
+            params['account-root'] = account_root_user
         result = self.proxy(daemon_name, 'PUT', 'user', params)
         result['uid'] = result['full_user_id']
         return result
 
     @allow_empty_body
     def set(self, uid, display_name=None, email=None, max_buckets=None,
-            system=None, suspended=None, daemon_name=None):
+            system=None, suspended=None, daemon_name=None, account_id: Optional[str] = None,
+            account_root_user: Optional[bool] = False):
         params = {'uid': uid}
         if display_name is not None:
             params['display-name'] = display_name
@@ -887,6 +893,10 @@ def set(self, uid, display_name=None, email=None, max_buckets=None,
             params['system'] = system
         if suspended is not None:
             params['suspended'] = suspended
+        if account_id is not None:
+            params['account-id'] = account_id
+        if account_root_user:
+            params['account-root'] = account_root_user
         result = self.proxy(daemon_name, 'POST', 'user', params)
         result['uid'] = result['full_user_id']
         return result

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/models/rgw-user.ts

@@ -0,0 +1,80 @@
+interface Key {
+  access_key: string;
+  active: boolean;
+  secret_key: string;
+  user: string;
+}
+
+interface SwiftKey {
+  active: boolean;
+  secret_key: string;
+  user: string;
+}
+
+interface Cap {
+  perm: string;
+  type: string;
+}
+
+interface Subuser {
+  id: string;
+  permissions: string;
+}
+
+interface BucketQuota {
+  check_on_raw: boolean;
+  enabled: boolean;
+  max_objects: number;
+  max_size: number;
+  max_size_kb: number;
+}
+
+interface UserQuota {
+  check_on_raw: boolean;
+  enabled: boolean;
+  max_objects: number;
+  max_size: number;
+  max_size_kb: number;
+}
+
+interface Stats {
+  num_objects: number;
+  size: number;
+  size_actual: number;
+  size_utilized: number;
+  size_kb: number;
+  size_kb_actual: number;
+  size_kb_utilized: number;
+}
+
+export interface RgwUser {
+  account_id: string;
+  admin: boolean;
+  bucket_quota: BucketQuota;
+  caps: Cap[];
+  create_date: string;
+  default_placement: string;
+  default_storage_class: string;
+  display_name: string;
+  email: string;
+  full_user_id: string;
+  group_ids: any[];
+  keys: Key[];
+  max_buckets: number;
+  mfa_ids: any[];
+  op_mask: string;
+  path: string;
+  placement_tags: any[];
+  stats: Stats;
+  subusers: Subuser[];
+  suspended: number;
+  swift_keys: SwiftKey[];
+  system: boolean;
+  tags: any[];
+  tenant: string;
+  temp_url_keys: any[];
+  type: string;
+  uid: string;
+  user_id: string;
+  user_quota: UserQuota;
+}

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-details/rgw-user-details.component.html

@@ -88,6 +88,35 @@
       </tbody>
     </table>
 
+    <ng-container *ngIf="selection.account && selection.account?.id">
+      <legend i18n>Account Details</legend>
+      <table class="cds--data-table--sort cds--data-table--no-border cds--data-table cds--data-table--md">
+        <tbody>
+          <tr>
+            <td i18n
+                class="bold w-25">Account ID</td>
+            <td class="w-75">{{ selection.account?.id }}</td>
+          </tr>
+          <tr>
+            <td i18n
+                class="bold w-25">Name</td>
+            <td class="w-75">{{ selection.account?.name }}</td>
+          </tr>
+          <tr>
+            <td i18n
+                class="bold w-25">Tenant</td>
+            <td class="w-75">{{ selection.account?.tenant || '-'}}</td>
+          </tr>
+          <tr>
+            <td i18n
+                class="bold w-25">User type</td>
+            <td class="w-75"
+                i18n>{{ user?.type === 'root' ? 'Account root user' : 'rgw user' }}</td>
+          </tr>
+        </tbody>
+      </table>
+    </ng-container>
+
     <!-- User quota -->
     <div *ngIf="user.user_quota">
       <legend i18n>User quota</legend>

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-form/rgw-user-form.component.html

@@ -7,6 +7,49 @@
     <div i18n="form title"
          class="form-header">{{ action | titlecase }} {{ resource | upperFirst }}</div>
 
+    @if(accounts.length > 0){
+      <!-- Link Account -->
+      <div class="form-item">
+        <cds-select label="Link Account"
+                    i18n-label
+                    for="link_account"
+                    formControlName="account_id"
+                    [invalid]="userForm.controls.account_id.invalid && userForm.controls.account_id.dirty"
+                    [invalidText]="accountError"
+                    [helperText]="accountsHelper">
+          <option i18n
+                  *ngIf="accounts === null"
+                  [ngValue]="null">Loading...</option>
+          <option i18n
+                  *ngIf="accounts !== null"
+                  [ngValue]="null">-- Select an Account --</option>
+          <option *ngFor="let account of accounts"
+                  [value]="account.id">{{ account.name }} {{account.tenant ? '- '+account.tenant : ''}}</option>
+        </cds-select>
+        <ng-template #accountError>
+          <span class="invalid-feedback"
+                *ngIf="userForm.showError('account_id', frm, 'tenantedAccount')"
+                i18n>Only accounts with the same tenant name can be linked to a tenanted user.</span>
+        </ng-template>
+        <ng-template #accountsHelper>
+          <div i18n>Account membership is permanent. Once added, users cannot be removed from their account.</div>
+          <div i18n>Ownership of all of the user's buckets will be transferred to the account.</div>
+        </ng-template>
+      </div>
+
+      <!-- Account Root user -->
+      <div *ngIf="userForm.getValue('account_id')"
+           class="form-item">
+        <cds-checkbox formControlName="account_root_user"
+                      id="account_root_user"
+                      i18n>Account Root user
+          <cd-help-text>The account root user has full access to all resources and manages the account.
+            It's recommended to use this account for management tasks only and create additional users with specific permissions.
+          </cd-help-text>
+        </cds-checkbox>
+      </div>
+    }
+
     <!-- User ID -->
     <div class="form-item">
       <cds-text-label for="user_id"
@@ -35,14 +78,14 @@
       </ng-template>
     </div>
 
-      <!-- Show Tenant -->
-      <div class="form-item">
-        <cds-checkbox formControlName="show_tenant"
-                      id="show_tenant"
-                      [readonly]="true"
-                      (checkedChange)="updateFieldsWhenTenanted()">Show Tenant
-        </cds-checkbox>
-      </div>
+    <!-- Show Tenant -->
+    <div class="form-item">
+      <cds-checkbox formControlName="show_tenant"
+                    id="show_tenant"
+                    [readonly]="true"
+                    (checkedChange)="updateFieldsWhenTenanted()">Show Tenant
+      </cds-checkbox>
+    </div>
 
     <!-- Tenant -->
     <div class="form-item"

src/pybind/mgr/dashboard/frontend/src/app/ceph/rgw/rgw-user-form/rgw-user-form.component.spec.ts

@@ -23,6 +23,7 @@ import { FormatterService } from '~/app/shared/services/formatter.service';
 import { RgwRateLimitComponent } from '../rgw-rate-limit/rgw-rate-limit.component';
 import { By } from '@angular/platform-browser';
 import { CheckboxModule, NumberModule, SelectModule } from 'carbon-components-angular';
+import { LoadingStatus } from '~/app/shared/forms/cd-form';
 
 describe('RgwUserFormComponent', () => {
   let component: RgwUserFormComponent;
@@ -185,6 +186,7 @@ describe('RgwUserFormComponent', () => {
 
   describe('max buckets', () => {
     beforeEach(() => {
+      component.loading = LoadingStatus.Ready;
       fixture.detectChanges();
       childComponent = fixture.debugElement.query(By.directive(RgwRateLimitComponent))
         .componentInstance;
@@ -203,7 +205,9 @@ describe('RgwUserFormComponent', () => {
         secret_key: '',
         suspended: false,
         system: false,
-        uid: null
+        uid: null,
+        account_id: '',
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -219,7 +223,8 @@ describe('RgwUserFormComponent', () => {
         email: null,
         max_buckets: -1,
         suspended: false,
-        system: false
+        system: false,
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -238,7 +243,9 @@ describe('RgwUserFormComponent', () => {
         secret_key: '',
         suspended: false,
         system: false,
-        uid: null
+        uid: null,
+        account_id: '',
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -254,7 +261,8 @@ describe('RgwUserFormComponent', () => {
         email: null,
         max_buckets: 0,
         suspended: false,
-        system: false
+        system: false,
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -264,6 +272,7 @@ describe('RgwUserFormComponent', () => {
       formHelper.setValue('max_buckets_mode', 1, true);
       formHelper.setValue('max_buckets', 100, true);
       let spyRateLimit = jest.spyOn(childComponent, 'getRateLimitFormValue');
+
       component.onSubmit();
       expect(rgwUserService.create).toHaveBeenCalledWith({
         access_key: '',
@@ -274,7 +283,9 @@ describe('RgwUserFormComponent', () => {
         secret_key: '',
         suspended: false,
         system: false,
-        uid: null
+        uid: null,
+        account_id: '',
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -291,7 +302,8 @@ describe('RgwUserFormComponent', () => {
         email: null,
         max_buckets: 100,
         suspended: false,
-        system: false
+        system: false,
+        account_root_user: false
       });
       expect(spyRateLimit).toHaveBeenCalled();
     });
@@ -301,6 +313,7 @@ describe('RgwUserFormComponent', () => {
     let notificationService: NotificationService;
 
     beforeEach(() => {
+      component.loading = LoadingStatus.Ready;
       spyOn(TestBed.inject(Router), 'navigate').and.stub();
       notificationService = TestBed.inject(NotificationService);
       spyOn(notificationService, 'show');
@@ -320,7 +333,8 @@ describe('RgwUserFormComponent', () => {
         email: '',
         max_buckets: 1000,
         suspended: false,
-        system: false
+        system: false,
+        account_root_user: false
       });
     });
 
@@ -348,6 +362,9 @@ describe('RgwUserFormComponent', () => {
   });
 
   describe('RgwUserCapabilities', () => {
+    beforeEach(() => {
+      component.loading = LoadingStatus.Ready;
+    });
     it('capability button disabled when all capabilities are added', () => {
       component.editing = true;
       for (const capabilityType of RgwUserCapabilities.getAll()) {
@@ -669,4 +686,49 @@ describe('RgwUserFormComponent', () => {
       expect(modalRef.submitAction.subscribe).toHaveBeenCalled();
     });
   });
+
+  describe('RgwUserAccounts', () => {
+    beforeEach(() => {
+      component.loading = LoadingStatus.Ready;
+      fixture.detectChanges();
+      childComponent = fixture.debugElement.query(By.directive(RgwRateLimitComponent))
+        .componentInstance;
+    });
+    it('create with account id & account root user', () => {
+      spyOn(rgwUserService, 'create');
+      formHelper.setValue('account_id', 'RGW12312312312312312', true);
+      formHelper.setValue('account_root_user', true, true);
+      component.onSubmit();
+      expect(rgwUserService.create).toHaveBeenCalledWith({
+        access_key: '',
+        display_name: null,
+        email: '',
+        generate_key: true,
+        max_buckets: 1000,
+        secret_key: '',
+        suspended: false,
+        system: false,
+        uid: null,
+        account_id: 'RGW12312312312312312',
+        account_root_user: true
+      });
+    });
+
+    it('edit to link account to existing user', () => {
+      spyOn(rgwUserService, 'update');
+      component.editing = true;
+      formHelper.setValue('account_id', 'RGW12312312312312312', true);
+      formHelper.setValue('account_root_user', true, true);
+      component.onSubmit();
+      expect(rgwUserService.update).toHaveBeenCalledWith(null, {
+        display_name: null,
+        email: null,
+        max_buckets: 1000,
+        suspended: false,
+        system: false,
+        account_id: 'RGW12312312312312312',
+        account_root_user: true
+      });
+    });
+  });
 });