noobaa / noobaa-core

High-performance S3 application gateway to any backend - file / s3-compatible / multi-clouds / caching / replication ...
https://www.noobaa.io
Apache License 2.0
268 stars 78 forks

Healthcheck is not reporting error for buckets without access #8428

Open anandhu-karattu opened 2 weeks ago

anandhu-karattu commented 2 weeks ago

Environment info

Actual behavior

This test includes parameter "NC_DISABLE_ACCESS_CHECK=true"

  1. If the account does not have access (r) to the bucket's directory path, the health check should report this as an error.

Expected behavior

  1. Buckets are displayed as healthy even though the account does not have access (r) to the bucket's directory path.

Steps to reproduce

  1. Set "NC_DISABLE_ACCESS_CHECK=true"

  2. Create an account with proper access to its newbuckets path. (account-3)

  3. Create a new directory with owner as root and mod bits 770

         [root@522new-41 ~]# ls -ld /mnt/gpfs0/buck3/
         drwxrwx---. 2 root root 4096 Oct 3 11:20 /mnt/gpfs0/buck3/

  4. Create a bucket with account-3. This succeeds as the RW access check is turned off.

  5. Change "NC_DISABLE_ACCESS_CHECK=false"

  6. All other accounts with no access to --newbuckets path are shown as error. However, buck3 is not showing any error as part of the health check.

[root@522new-41 ~]# noobaa-cli diagnose health --all_bucket_details 2>/dev/null
{
  "response": {
    "code": "HealthStatus",
    "reply": {
      "service_name": "noobaa",
      "status": "OK",
      "memory": "316.7M",
      "checks": {
        "services": [
          {
            "name": "noobaa",
            "service_status": "active",
            "pid": "1367807"
          }
        ],
        "endpoint": {
          "endpoint_state": {
            "response": {
              "response_code": "RUNNING",
              "response_message": "Endpoint running successfuly."
            },
            "total_fork_count": 2,
            "running_workers": [
              2,
              1
            ]
          },
          "error_type": "TEMPORARY"
        },
        "buckets_status": {
          "invalid_buckets": [],
          "valid_buckets": [
            {
              "name": "buck3",
              "storage_path": "/mnt/gpfs0/buck3/"
            },
            {
              "name": "buck1",
              "storage_path": "/mnt/gpfs0/test/account-75000/buck1"
            },
            {
              "name": "buck2",
              "storage_path": "/mnt/gpfs0/test/account-75000/buck2"
            }
          ],
          "error_type": "PERSISTENT"
        }
      }
    }
  }
}

More information - Screenshots / Logs / Other output

romayalon commented 1 week ago

@anandhu-karattu I didn't add it yet, this is a duplicate of https://github.com/noobaa/noobaa-core/issues/8240. Currently, we check only if the bucket storage path exists, and not if the owner of the bucket has access to the bucket's path.
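
The difference between an existence-only check and an owner-access check, as an added example that is not NooBaa's code or part of the original thread. It evaluates POSIX mode bits only (no ACLs, no parent-directory traversal); the function names, the codes `PATH_MISSING` and `OWNER_NO_ACCESS`, the uids and the bucket owners are all constructed for illustration.

```javascript
const R = 4; // read bit within one permission class (owner/group/other)

// Owner/group/other evaluation: only the first matching class is consulted,
// so an owner whose class lacks the bit is denied even if group/other has it.
// Assumption: plain mode bits; ACLs and parent directories are not considered.
function has_posix_access(stat, account, want = R) {
    if (account.uid === 0) return true; // root bypasses read checks
    const groups = [account.gid, ...(account.groups || [])];
    let shift = 0;                                   // "other" class
    if (account.uid === stat.uid) shift = 6;         // "owner" class
    else if (groups.includes(stat.gid)) shift = 3;   // "group" class
    return ((stat.mode >> shift) & want) === want;
}

// Hypothetical health pass: a bucket is valid only if its storage path exists
// AND its owning account can read it. stat_of is injected so this runs offline;
// a real check would wrap fs.statSync and return undefined on ENOENT.
function check_buckets(buckets, accounts, stat_of) {
    const report = { invalid_buckets: [], valid_buckets: [] };
    for (const b of buckets) {
        const entry = { name: b.name, storage_path: b.path };
        const stat = stat_of(b.path);
        if (!stat) report.invalid_buckets.push({ ...entry, code: 'PATH_MISSING' });
        else if (!has_posix_access(stat, accounts[b.owner])) {
            report.invalid_buckets.push({ ...entry, code: 'OWNER_NO_ACCESS' });
        } else report.valid_buckets.push(entry);
    }
    return report;
}

// Constructed sample data modelled on the report: buck3 is root:root, mode 770.
const STATS = {
    '/mnt/gpfs0/buck3/': { uid: 0, gid: 0, mode: 0o40770 },
    '/mnt/gpfs0/test/account-75000/buck1': { uid: 75000, gid: 75000, mode: 0o40770 },
};
const ACCOUNTS = {
    'account-3': { uid: 75003, gid: 75003, groups: [] },
    'account-75000': { uid: 75000, gid: 75000, groups: [] },
};
const BUCKETS = [
    { name: 'buck3', path: '/mnt/gpfs0/buck3/', owner: 'account-3' },
    { name: 'buck1', path: '/mnt/gpfs0/test/account-75000/buck1', owner: 'account-75000' },
    { name: 'gone', path: '/mnt/gpfs0/missing', owner: 'account-75000' },
];
const sample_report = () => check_buckets(BUCKETS, ACCOUNTS, p => STATS[p]);
console.log(JSON.stringify(sample_report(), null, 2));
```

With this data buck3 lands in `invalid_buckets` although its path exists, which is the case the existence-only check reports as valid.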