COSI-40: use-bucket-name-for-in-line-policy-name

We have acces sto bucket name in revoke APIs and it would be simpler for a user to detect which user has access to which bucket.
scality · Dec 6, 2024 · 5f3b953 · 5f3b953
1 parent 5c09e99
commit 5f3b953
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 8 deletions.
diff --git a/.github/scripts/e2e_tests.sh b/.github/scripts/e2e_tests.sh
@@ -136,7 +136,7 @@ log_and_run echo "IAM user found: $IAM_USER_NAME"
 
 log_and_run echo "Verifying inline policy attached to IAM user..."
 INLINE_POLICY="$(aws --endpoint-url "$IAM_ENDPOINT" iam list-user-policies --user-name "$IAM_USER_NAME" --query "PolicyNames[0]" --output text)"
-EXPECTED_INLINE_POLICY="$BUCKET_FOUND-cosi-ba"
+EXPECTED_INLINE_POLICY="$BUCKET_FOUND"
 
 if [[ "$INLINE_POLICY" != "$EXPECTED_INLINE_POLICY" ]]; then
   log_and_run echo "Inline policy '$INLINE_POLICY' does not match expected bucket name '$EXPECTED_INLINE_POLICY'."

diff --git a/pkg/clients/iam/iam_client.go b/pkg/clients/iam/iam_client.go
@@ -15,9 +15,6 @@ import (
 	"k8s.io/klog/v2"
 )
 
-// postfix for inline policy which is created when COSI receives a BucketAccess (BA) request
-const IAMUserInlinePolicyPostfix = "-cosi-ba"
-
 type IAMAPI interface {
 	CreateUser(ctx context.Context, input *iam.CreateUserInput, opts ...func(*iam.Options)) (*iam.CreateUserOutput, error)
 	PutUserPolicy(ctx context.Context, input *iam.PutUserPolicyInput, opts ...func(*iam.Options)) (*iam.PutUserPolicyOutput, error)
@@ -82,7 +79,6 @@ func (client *IAMClient) CreateUser(ctx context.Context, userName string) error
 
 // AttachS3WildcardInlinePolicy attaches an inline policy to an IAM user for a specific bucket.
 func (client *IAMClient) AttachS3WildcardInlinePolicy(ctx context.Context, userName, bucketName string) error {
-	policyName := fmt.Sprintf("%s%s", bucketName, IAMUserInlinePolicyPostfix)
 	policyDocument := fmt.Sprintf(`{
 		"Version": "2012-10-17",
 		"Statement": [
@@ -99,7 +95,7 @@ func (client *IAMClient) AttachS3WildcardInlinePolicy(ctx context.Context, userN
 
 	input := &iam.PutUserPolicyInput{
 		UserName:       &userName,
-		PolicyName:     &policyName,
+		PolicyName:     &bucketName,
 		PolicyDocument: &policyDocument,
 	}
 
@@ -108,7 +104,7 @@ func (client *IAMClient) AttachS3WildcardInlinePolicy(ctx context.Context, userN
 		return fmt.Errorf("failed to attach inline policy to IAM user %s: %w", userName, err)
 	}
 
-	klog.InfoS("Inline policy attachment succeeded", "user", userName, "policyName", policyName)
+	klog.InfoS("Inline policy attachment succeeded", "user", userName, "policyName", bucketName)
 	return nil
 }
 

diff --git a/pkg/clients/iam/iam_client_test.go b/pkg/clients/iam/iam_client_test.go
@@ -100,7 +100,7 @@ var _ = Describe("IAMClient", func() {
 		It("should attach an inline policy with the correct name and content", func(ctx SpecContext) {
 			bucketName := "inline-policy-bucket-test"
 			mockIAM.PutUserPolicyFunc = func(ctx context.Context, input *iam.PutUserPolicyInput, opts ...func(*iam.Options)) (*iam.PutUserPolicyOutput, error) {
-				expectedPolicyName := bucketName + iamclient.IAMUserInlinePolicyPostfix
+				expectedPolicyName := bucketName
 				Expect(input.UserName).To(Equal(aws.String("test-user")))
 				Expect(*input.PolicyName).To(Equal(expectedPolicyName))
 				Expect(*input.PolicyDocument).To(ContainSubstring("s3:*"))