Conversation

@shirady
Contributor

@shirady shirady commented Nov 24, 2025

Describe the Problem

Currently, all accounts in the system can perform IAM API operations. We decided at this point that accounts related to an OBC (those whose bucket_claim_owner property in the DB holds the bucket ID of the OBC) cannot perform IAM API operations.

Explain the Changes

  1. Block the IAM requests in the authorize_request step.

Issues:

List of GAPs:

  1. The tests are only manual at this point; there is a plan to add automated tests after we have the design change.

Testing Instructions:

  1. Build the images and install the NooBaa system on Rancher Desktop (see guide).
     Note: nb is an alias that runs the local operator from build/_output/bin (alias created by devenv).
  2. Wait for the default backing store pod to be in state Ready before starting the tests: kubectl wait --for=condition=available backingstore/noobaa-default-backing-store --timeout=6m -n test1
  3. I'm using port-forward (in a different tab):
  • S3: kubectl port-forward -n test1 service/s3 12443:443
  • IAM: kubectl port-forward -n test1 service/iam 14443:443
  4. Create the OBC: nb obc create shira-obc1 -n test1 --show-secrets
  5. Create the aliases for the OBC account:
  • alias account-obc-s3='AWS_ACCESS_KEY=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:12443'
  • alias account-obc-iam='AWS_ACCESS_KEY=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:14443'
  6. Check the connection to the endpoint:
  • try to list the buckets: account-obc-s3 s3 ls; echo $? (should see the OBC bucket).
  • try to list the users (should throw an error): account-obc-iam iam list-users; echo $?
     In the logs:
Nov-24 11:44:33.281 [Endpoint/13] [ERROR] core.endpoint.iam.iam_rest:: OBC accounts cannot are not allowed to perform IAM API actions
Nov-24 11:44:33.281 [Endpoint/13] [ERROR] core.endpoint.iam.iam_rest:: IAM ERROR <?xml version="1.0" encoding="UTF-8"?><ErrorResponse><Error><Type>Sender</Type><Code>AccessDeniedException</Code><Message>You do not have sufficient access to perform this action.</Message></Error><RequestId>mid2xgxs-9ib675-5kd</RequestId></ErrorResponse> POST / {"host":"localhost:14443","accept-encoding":"identity","content-type":"application/x-www-form-urlencoded; charset=utf-8","user-agent":"aws-cli/2.27.7 md/awscrt#0.26.1 ua/2.1 os/macos#25.0.0 md/arch#arm64 lang/python#3.13.5 md/pyimpl#CPython m/C,N cfg/retry-mode#standard md/installer#source md/prompt#off md/command#iam.list-users","x-amz-date":"20251124T114434Z","authorization":"AWS4-HMAC-SHA256 Credential=Pymzf04ynwvJxeuXXroC/20251124/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=fde997baf8abee3b19ab171c11c8ef3118728fecd8d46627483c04e10fa30756","content-length":"35"} Error: You do not have sufficient access to perform this action.
    at authorize_request (/root/node_modules/noobaa-core/src/endpoint/iam/iam_rest.js:230:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async handle_request (/root/node_modules/noobaa-core/src/endpoint/iam/iam_rest.js:196:5)
    at async iam_rest (/root/node_modules/noobaa-core/src/endpoint/iam/iam_rest.js:142:9)

Code changes for testing:

  1. To see the account (of a user) in the cache right after changes, src/sdk/object_sdk.js was set to a cache expiry of 1 millisecond:
const account_cache = new LRUCache({
    name: 'AccountCache',
-    expiry_ms: config.OBJECT_SDK_ACCOUNT_CACHE_EXPIRY_MS,
+   expiry_ms: 1, //SDSD 
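Review bot: the `+` line drops one space of indentation relative to the `-` line it replaces and carries a `//SDSD` marker comment; both would fail lint if this local testing tweak were ever committed. Since the only purpose is to shorten the cache expiry for the manual test, prefer setting config.OBJECT_SDK_ACCOUNT_CACHE_EXPIRY_MS to 1 for the test run rather than replacing the config reference in object_sdk.js, so the hard-coded value cannot leak into a commit and production keeps the configured expiry.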

Notes:

  • In step 1 - deploying the system, I used --use-standalone-db for simplicity (fewer steps for the system in Ready status).

  • Doc added/updated

  • Tests added

Summary by CodeRabbit

  • Bug Fixes
    • IAM API now blocks requests from OBC (bucket-claim owner) accounts for user-management actions. Such attempts are logged as errors and return an access-denied response, improving authorization handling and security.


@coderabbitai

coderabbitai bot commented Nov 24, 2025

Walkthrough

Added a runtime guard in IAM REST authorize_request to block OBC (bucket-claim-owner) accounts from performing IAM user-management actions by checking req.account_sdk.requesting_account.bucket_claim_owner and throwing an AccessDeniedException when true.

Changes

Cohort / File(s): IAM Authorization Guard (src/endpoint/iam/iam_rest.js)
Summary: Added a runtime check in authorize_request to detect requesting_account.bucket_claim_owner, log an error, and throw AccessDeniedException to deny IAM user-management API actions for OBC accounts.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant IAM_Rest as iam_rest.authorize_request
    participant AccountSDK as account_sdk
    participant Authz as authorization_logic

    Client->>IAM_Rest: API request (user-management)
    IAM_Rest->>AccountSDK: load requesting_account
    AccountSDK-->>IAM_Rest: requesting_account (includes bucket_claim_owner?)
    alt bucket_claim_owner present
        rect rgb(255,230,230)
        IAM_Rest->>IAM_Rest: log error (OBC detected)
        IAM_Rest-->>Client: AccessDeniedException (deny)
        end
    else not present
        IAM_Rest->>Authz: proceed with existing authorization
        Authz-->>IAM_Rest: authorized / denied
        IAM_Rest-->>Client: respond accordingly
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify guard placement occurs after loading the requesting account and before performing user-management actions.
  • Confirm bucket_claim_owner is the correct field for identifying OBC accounts.
  • Check logging and thrown AccessDeniedException align with existing error handling.

Possibly related PRs

Suggested labels

size/S

Suggested reviewers

  • aayushchouhan09
  • naveenpaul1

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title clearly and specifically describes the main change: blocking OBC accounts from IAM API operations, which directly matches the core modification in the changeset.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e210292 and eb6e8e3.

📒 Files selected for processing (1)
  • src/endpoint/iam/iam_rest.js (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-12T04:55:42.193Z
Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

  • src/endpoint/iam/iam_rest.js
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
  • GitHub Check: run-package-lock-validation
🔇 Additional comments (1)
src/endpoint/iam/iam_rest.js (1)

226-231: LGTM! Clean implementation of the OBC account restriction.

The placement after account authorization is correct, the truthy check on bucket_claim_owner appropriately handles all cases (undefined/null/empty for non-OBC accounts, any truthy value for OBC accounts), and the AccessDeniedException error type aligns with IAM standards. The logic uniformly blocks all IAM operations for OBC accounts as intended.



@shirady shirady changed the title IAM | Block OBC accounts from IAM API IAM | Block OBC Accounts From IAM API Nov 24, 2025
@shirady shirady self-assigned this Nov 24, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2af53d0 and 1c113e9.

📒 Files selected for processing (1)
  • src/endpoint/iam/iam_rest.js (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-12T04:55:42.193Z
Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

  • src/endpoint/iam/iam_rest.js
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-package-lock-validation
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (2)
src/endpoint/iam/iam_rest.js (2)

226-231: Well-placed authorization check for OBC accounts.

The placement of this check is correct—it executes after the account is loaded and authorized, ensuring requesting_account is available. Using AccessDeniedException is appropriate for blocking unauthorized operations.


226-231: The current implementation is correct and consistent with codebase patterns.

The verification shows that bucket_claim_owner is never explicitly set to null anywhere in the codebase. The field either remains undefined (for regular accounts) or is assigned an ObjectId (for OBC accounts). The current check using !== undefined is the standard pattern used throughout the codebase for optional account properties (e.g., requesting_account.owner !== undefined in account_util.js:517). Additionally, the same field is checked with truthiness in s3_rest.js:258, confirming the field design assumes only undefined or truthy values.

The suggestion to use != null is unnecessary and would deviate from established codebase conventions.

Likely an incorrect or invalid review comment.

@shirady shirady force-pushed the iam-do-not-allow-obc-accounts-create-users branch from 0d63d65 to 2e0a8c5 Compare November 24, 2025 13:11

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
src/endpoint/iam/iam_rest.js (1)

226-231: Use the idiomatic truthy check for consistency with codebase patterns.

The suggestion to replace bucket_claim_owner !== undefined with bucket_claim_owner is well-founded. The codebase consistently uses truthy checks for this field across multiple locations (account_server.js:1027, auth_server.js:545, s3_rest.js:258, and s3_rest.js:271), making the proposed change more consistent and idiomatic.

Since bucket_claim_owner is an ObjectID field that is either undefined (non-OBC accounts) or an ObjectID reference (OBC accounts), a truthy check is both functionally correct and matches the established pattern:

-    if (req.account_sdk.requesting_account.bucket_claim_owner !== undefined) {
+    if (req.account_sdk.requesting_account.bucket_claim_owner) {
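Review bot: the truthy form on the `+` line fails open for `null`, `''` and `0` (such a value reads as non-OBC and the request proceeds), whereas the `!== undefined` form on the `-` line denies them. That is only safe under the invariant stated above that bucket_claim_owner is either undefined or an ObjectID, so a unit test that feeds a null or empty bucket_claim_owner through authorize_request and asserts AccessDeniedException (or a check that pins the invariant where the account is loaded) would keep a later schema change from silently widening IAM access.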
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0d63d65 and 2e0a8c5.

📒 Files selected for processing (1)
  • src/endpoint/iam/iam_rest.js (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-12T04:55:42.193Z
Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

  • src/endpoint/iam/iam_rest.js
🧬 Code graph analysis (1)
src/endpoint/iam/iam_rest.js (1)
src/endpoint/iam/iam_utils.js (15)
  • IamError (82-82)
  • IamError (255-255)
  • IamError (481-481)
  • IamError (510-510)
  • IamError (538-538)
  • IamError (545-545)
  • IamError (573-573)
  • IamError (595-595)
  • IamError (624-624)
  • IamError (659-659)
  • IamError (676-676)
  • IamError (691-691)
  • IamError (698-698)
  • IamError (711-711)
  • IamError (715-715)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-package-lock-validation
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-jest-unit-tests
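As an added illustration, not noobaa-core's own code, of the guard that the PR description and the walkthrough describe and of the `!== undefined` versus truthy check debated in the review comments, the Node.js snippet below models the authorize_request step with both predicate styles, renders the ErrorResponse body in the shape seen in the log, and tabulates how each predicate treats the values bucket_claim_owner might hold. The IamError class and its http_code field, the console.error logging, the request object layout and the run helper are assumptions standing in for the project's own helpers; the ObjectID and request id values are constructed.

```javascript
// Added example, not noobaa-core code: a minimal model of the IAM
// authorize_request guard and the two predicate styles discussed in review.
// Anything marked "assumed" is a stand-in for the project's own helpers.

// Assumed stand-in for the project's IamError (shape: code, message, http_code).
class IamError extends Error {
    constructor({ code, message, http_code }) {
        super(message);
        this.name = 'IamError';
        this.code = code;
        this.http_code = http_code;
    }
}

// Error code and message taken from the response logged on the page.
const ACCESS_DENIED = {
    code: 'AccessDeniedException',
    message: 'You do not have sufficient access to perform this action.',
    http_code: 403, // assumed; the page shows only the XML body
};

// Predicate as merged: truthy check on bucket_claim_owner.
function is_obc_account_truthy(account) {
    return Boolean(account.bucket_claim_owner);
}

// Predicate as first pushed: explicit !== undefined check.
function is_obc_account_strict(account) {
    return account.bucket_claim_owner !== undefined;
}

// Model of the guard step: an OBC account is denied every IAM action.
// The predicate is injectable so both styles can be exercised.
function authorize_request(req, is_obc = is_obc_account_truthy) {
    const account = req.account_sdk.requesting_account;
    if (is_obc(account)) {
        // the project logs before throwing; console.error stands in for its logger
        console.error('OBC accounts are not allowed to perform IAM API actions');
        throw new IamError(ACCESS_DENIED);
    }
    return 'authorized';
}

// Render the IAM ErrorResponse body in the shape shown in the page's log line.
function iam_error_xml(err, request_id) {
    return '<?xml version="1.0" encoding="UTF-8"?>' +
        '<ErrorResponse><Error><Type>Sender</Type>' +
        `<Code>${err.code}</Code><Message>${err.message}</Message></Error>` +
        `<RequestId>${request_id}</RequestId></ErrorResponse>`;
}

// Push one account through the guard and report the outcome the client would see.
function run(account, is_obc = is_obc_account_truthy) {
    const req = { account_sdk: { requesting_account: account } }; // assumed request layout
    try {
        return { outcome: authorize_request(req, is_obc) };
    } catch (err) {
        if (!(err instanceof IamError)) throw err;
        return {
            outcome: 'denied',
            code: err.code,
            http_code: err.http_code,
            body: iam_error_xml(err, 'req-constructed-1'), // constructed request id
        };
    }
}

// Edge-case matrix: how each predicate treats values bucket_claim_owner might hold.
// Per the review, real accounts only ever carry undefined or an ObjectID.
function obc_check_matrix() {
    const fake_object_id = { toString: () => '6742f0a1c2d3e4f5a6b7c8d9' }; // constructed
    const cases = { 'undefined': undefined, 'null': null, empty: '', zero: 0, objectid: fake_object_id };
    const matrix = {};
    for (const [name, value] of Object.entries(cases)) {
        const account = { bucket_claim_owner: value };
        matrix[name] = {
            truthy: run(account, is_obc_account_truthy).outcome,
            strict: run(account, is_obc_account_strict).outcome,
        };
    }
    return matrix;
}

// Example session mirroring the testing instructions: a regular account is
// authorized, an OBC account is denied with the AccessDenied body.
console.log(run({ name: 'admin' }).outcome);
console.log(run({ name: 'obc-account', bucket_claim_owner: { toString: () => 'bucket-id' } }));
console.table(obc_check_matrix());
```

obc_check_matrix() shows the only inputs on which the two predicates disagree: null, '' or 0 in bucket_claim_owner are treated as non-OBC by the truthy check and as OBC by the strict check, which is why the merged truthy form relies on the field never being set to those values.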

@shirady shirady force-pushed the iam-do-not-allow-obc-accounts-create-users branch from 2e0a8c5 to e210292 Compare November 24, 2025 13:25
@shirady shirady force-pushed the iam-do-not-allow-obc-accounts-create-users branch from e210292 to eb6e8e3 Compare November 24, 2025 13:31
@shirady shirady merged commit 75036b9 into noobaa:master Nov 24, 2025
29 of 30 checks passed