enabled to disabled

Signed-off-by: Romy <[email protected]>

config.js

@@ -889,9 +889,9 @@ config.NC_MASTER_KEYS_PUT_EXECUTABLE = '';
 config.NC_MASTER_KEYS_MANAGER_REFRESH_THRESHOLD = -1; // currently we want to disable automatic refresh
 config.MASTER_KEYS_EXEC_MAX_RETRIES = 3;
 
-config.NC_ENABLE_ACCESS_CHECK = true;
-config.NC_ENABLE_HEALTH_ACCESS_CHECK = true;
-config.NC_ENABLE_POSIX_MODE_ACCESS_CHECK = false;
+config.NC_DISABLE_ACCESS_CHECK = false;
+config.NC_DISABLE_HEALTH_ACCESS_CHECK = false;
+config.NC_DISABLE_POSIX_MODE_ACCESS_CHECK = true;
 config.NC_DISABLE_SCHEMA_CHECK = false;
 
 ////////// GPFS //////////

docs/NooBaaNonContainerized/ConfigFileCustomizations.md

@@ -356,54 +356,54 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     ```
 
 
-### 25. Enable Read accessibility check -
-* <u>Key</u>: `NC_ENABLE_ACCESS_CHECK`  
+### 25. Disable Read accessibility check -
+* <u>Key</u>: `NC_DISABLE_ACCESS_CHECK`  
 * <u>Type</u>: Boolean  
-* <u>Default</u>: true  
-* <u>Description</u>: This flag will enable Read accessibility validations in the following flows -  
+* <u>Default</u>: false  
+* <u>Description</u>: Setting this flag to true will disable Read accessibility validations in the following flows -  
     1. Bucket creation/update - NooBaa will not validate that the bucket owner has read/write permissions to the bucket's path.  
     2. Account creation/update - NooBaa will not validate that the account owner has read/write permissions to the account's new_buckets_path.  
     3. Health buckets and accounts accessibility check.
-    Warning - setting this configuration to false might result with unexpected behavior. 
+    Warning - setting this configuration to true might result with unexpected behavior. 
 
 * <u>Steps</u>:  
     ```
     1. Open /path/to/config_dir/config.json file.
     2. Set the config key -
     Example:
-    "NC_ENABLE_ACCESS_CHECK": false
+    "NC_DISABLE_ACCESS_CHECK": true
     ```
 
-### 26. Enable Read accessibility check on the Health CLI -
-* <u>Key</u>: `NC_ENABLE_HEALTH_ACCESS_CHECK`  
+### 26. Disable Read accessibility check on the Health CLI -
+* <u>Key</u>: `NC_DISABLE_HEALTH_ACCESS_CHECK`  
 * <u>Type</u>: Boolean  
-* <u>Default</u>: true  
-* <u>Description</u>: This flag will enable Read accessibility validations in Health check of buckets and accounts.
+* <u>Default</u>: false  
+* <u>Description</u>: This flag will disable Read accessibility validations in Health check of buckets and accounts.
 
 * <u>Steps</u>:  
     ```
     1. Open /path/to/config_dir/config.json file.
     2. Set the config key -
     Example:
-    "NC_ENABLE_HEALTH_ACCESS_CHECK": false
+    "NC_DISABLE_HEALTH_ACCESS_CHECK": true
     ```
 
-### 27. Enable Read/Write POSIX mode bits check -
-* <u>Key</u>: `NC_ENABLE_POSIX_MODE_ACCESS_CHECK`  
+### 27. Disable Read/Write POSIX mode bits check -
+* <u>Key</u>: `NC_DISABLE_POSIX_MODE_ACCESS_CHECK`  
 * <u>Type</u>: Boolean  
-* <u>Default</u>: false  
-* <u>Description</u>: This flag will enable Read/Write mode bits accessibility validations by in the following flows -  
-    1. Bucket creation/update - NooBaa will not validate that the bucket owner has read/write permissions to the bucket's path.  
-    2. Account creation/update - NooBaa will not validate that the account owner has read/write permissions to the account's new_buckets_path.  
+* <u>Default</u>: true  
+* <u>Description</u>: Setting this flag to false will enable Read/Write mode bits accessibility validations by in the following flows -  
+    1. Bucket creation/update - NooBaa will validate that the bucket owner has read/write permissions to the bucket's path.  
+    2. Account creation/update - NooBaa will validate that the account owner has read/write permissions to the account's new_buckets_path.  
     3. Health buckets and accounts accessibility check.
-    Warning - setting this configuration to true won't support a check of the ACLs.
+    Warning - setting this configuration to false won't support a check of the ACLs and be based only on mode bits check.
 
 * <u>Steps</u>:  
     ```
     1. Open /path/to/config_dir/config.json file.
     2. Set the config key -
     Example:
-    "NC_ENABLE_HEALTH_ACCESS_CHECK": true
+    "NC_DISABLE_POSIX_MODE_ACCESS_CHECK": false
     ```
 
 

src/manage_nsfs/health.js

@@ -474,7 +474,7 @@ async function is_new_buckets_path_valid(config_file_path, config_data, new_buck
     }
 
     try {
-        if (config.NC_ENABLE_ACCESS_CHECK && config.NC_ENABLE_HEALTH_ACCESS_CHECK) {
+        if (!_should_skip_health_access_check()) {
             await nb_native().fs.stat(account_fs_context, new_buckets_path);
             const accessible = await native_fs_utils.is_dir_rw_accessible(account_fs_context, new_buckets_path);
             if (!accessible) {
@@ -507,7 +507,9 @@ async function is_new_buckets_path_valid(config_file_path, config_data, new_buck
 async function is_bucket_storage_path_exists(fs_context, config_data, storage_path) {
     let res_obj;
     try {
-        await nb_native().fs.stat(fs_context, storage_path);
+        if (!_should_skip_health_access_check()) {
+            await nb_native().fs.stat(fs_context, storage_path);
+        }
         res_obj = get_valid_object(config_data.name, undefined, storage_path);
     } catch (err) {
         let err_code;
@@ -558,5 +560,13 @@ function get_invalid_object(name, config_path, storage_path, err_code) {
     };
 }
 
+/**
+ * _should_skip_access_check returns true if the health CLI should skip access check
+ * @returns {Boolean}
+ */
+function _should_skip_health_access_check() {
+    return config.NC_DISABLE_HEALTH_ACCESS_CHECK || config.NC_DISABLE_ACCESS_CHECK;
+}
+
 exports.get_health_status = get_health_status;
 exports.NSFSHealth = NSFSHealth;

src/manage_nsfs/manage_nsfs_validations.js

@@ -368,7 +368,7 @@ async function validate_bucket_args(config_fs, data, action) {
         const owner_account_data = await get_bucket_owner_account(config_fs, undefined, data.owner_account);
         const account_fs_context = await native_fs_utils.get_fs_context(owner_account_data.nsfs_account_config,
             owner_account_data.nsfs_account_config.fs_backend);
-        if (config.NC_ENABLE_ACCESS_CHECK) {
+        if (!config.NC_DISABLE_ACCESS_CHECK) {
             const accessible = await native_fs_utils.is_dir_rw_accessible(account_fs_context, data.path);
             if (!accessible) {
                 throw_cli_error(ManageCLIError.InaccessibleStoragePath, data.path);
@@ -458,7 +458,7 @@ async function validate_account_args(config_fs, data, action, is_flag_iam_operat
         if (!exists) {
             throw_cli_error(ManageCLIError.InvalidAccountNewBucketsPath, data.nsfs_account_config.new_buckets_path);
         }
-        if (config.NC_ENABLE_ACCESS_CHECK) {
+        if (!config.NC_DISABLE_ACCESS_CHECK) {
             const account_fs_context = await native_fs_utils.get_fs_context(data.nsfs_account_config, data.fs_backend);
             const accessible = await native_fs_utils.is_dir_rw_accessible(account_fs_context, data.nsfs_account_config.new_buckets_path);
             if (!accessible) {

src/server/system_services/schemas/nsfs_config_schema.js

@@ -122,15 +122,15 @@ const nsfs_node_config_schema = {
             type: 'boolean',
             doc: 'indicate whether account/bucket/config.json schema will be validated.'
         },
-        NC_ENABLE_ACCESS_CHECK: {
+        NC_DISABLE_ACCESS_CHECK: {
             type: 'boolean',
             doc: 'indicate whether read access will be validated on bucket/account creation/update.'
         },
-        NC_ENABLE_HEALTH_ACCESS_CHECK: {
+        NC_DISABLE_HEALTH_ACCESS_CHECK: {
             type: 'boolean',
             doc: 'indicate whether read access will be validated on bucket/account health check.'
         },
-        NC_ENABLE_POSIX_MODE_ACCESS_CHECK: {
+        NC_DISABLE_POSIX_MODE_ACCESS_CHECK: {
             type: 'boolean',
             doc: 'indicate whether posix mode read/write access will be validated on bucket/account creation/update or health check.'
         },

src/test/unit_tests/jest_tests/test_nc_nsfs_account_cli.test.js

@@ -1929,7 +1929,7 @@ describe('cli account flow distinguished_name - permissions', function() {
             ...accounts.accessible_user.cli_options,
             new_buckets_path: no_permissions_new_buckets_path,
         };
-        await config_fs.create_config_json_file(JSON.stringify({ NC_ENABLE_POSIX_MODE_ACCESS_CHECK: true }));
+        await config_fs.create_config_json_file(JSON.stringify({ NC_DISABLE_POSIX_MODE_ACCESS_CHECK: false }));
         const res = await exec_manage_cli(type, action, update_options);
         await config_fs.delete_config_json_file();
         expect(JSON.parse(res.stdout).error.code).toBe(ManageCLIError.InaccessibleAccountNewBucketsPath.code);
@@ -1950,18 +1950,18 @@ describe('cli account flow distinguished_name - permissions', function() {
         expect(JSON.parse(res.stdout).error.code).toBe(ManageCLIError.InaccessibleAccountNewBucketsPath.code);
     });
 
-    it('cli account create - account cant access new_bucket_path - NC_ENABLE_ACCESS_CHECK = false', async function() {
+    it('cli account create - account cant access new_bucket_path - NC_DISABLE_ACCESS_CHECK = true', async function() {
         let action = ACTIONS.ADD;
-        config.NC_ENABLE_ACCESS_CHECK = false;
+        config.NC_DISABLE_ACCESS_CHECK = true;
         set_nc_config_dir_in_config(config_root);
-        await config_fs.create_config_json_file(JSON.stringify({ NC_ENABLE_ACCESS_CHECK: false }));
+        await config_fs.create_config_json_file(JSON.stringify({ NC_DISABLE_ACCESS_CHECK: false }));
         const res = await exec_manage_cli(type, action, accounts.inaccessible_user.cli_options);
         expect(JSON.parse(res).response.code).toEqual(ManageCLIResponse.AccountCreated.code);
         assert_account(JSON.parse(res).response.reply, { ...accounts.inaccessible_user.cli_options }, false);
         action = ACTIONS.DELETE;
         const delete_inaccessible_options = _.omit(accounts.inaccessible_user.cli_options, ['new_buckets_path', 'user']);
         await exec_manage_cli(type, action, delete_inaccessible_options);
-        config.NC_ENABLE_ACCESS_CHECK = true;
+        config.NC_DISABLE_ACCESS_CHECK = false;
         await config_fs.delete_config_json_file();
     }, timeout);
 });

src/test/unit_tests/jest_tests/test_nc_nsfs_bucket_cli.test.js

@@ -119,7 +119,7 @@ describe('manage nsfs cli bucket flow', () => {
             await fs_utils.create_fresh_path(bucket_options.path);
             await fs_utils.file_must_exist(bucket_options.path);
             await set_path_permissions_and_owner(bucket_options.path, account_defaults, 0o477);
-            await config_fs.create_config_json_file(JSON.stringify({ NC_ENABLE_POSIX_MODE_ACCESS_CHECK: true }));
+            await config_fs.create_config_json_file(JSON.stringify({ NC_DISABLE_POSIX_MODE_ACCESS_CHECK: false }));
             const res = await exec_manage_cli(TYPES.BUCKET, action, bucket_options);
             await config_fs.delete_config_json_file();
             expect(JSON.parse(res.stdout).error.code).toBe(ManageCLIError.InaccessibleStoragePath.code);
@@ -146,14 +146,14 @@ describe('manage nsfs cli bucket flow', () => {
             await assert_bucket(bucket, bucket_options, config_fs);
         });
 
-        it('cli create bucket - account can not access path  NC_ENABLE_ACCESS_CHECK = false - should succeed', async () => {
+        it('cli create bucket - account can not access path  NC_DISABLE_ACCESS_CHECK = true - should succeed', async () => {
             const action = ACTIONS.ADD;
             const bucket_options = { config_root, ...bucket_defaults};
             await fs_utils.create_fresh_path(bucket_options.path);
             await fs_utils.file_must_exist(bucket_options.path);
             set_nc_config_dir_in_config(config_root);
             await set_path_permissions_and_owner(bucket_options.path, account_defaults, 0o000);
-            await config_fs.create_config_json_file(JSON.stringify({ NC_ENABLE_ACCESS_CHECK: false }));
+            await config_fs.create_config_json_file(JSON.stringify({ NC_DISABLE_ACCESS_CHECK: true }));
             const res = await exec_manage_cli(TYPES.BUCKET, action, bucket_options);
             await config_fs.delete_config_json_file();
             expect(JSON.parse(res).response.code).toEqual(ManageCLIResponse.BucketCreated.code);
@@ -535,7 +535,7 @@ describe('manage nsfs cli bucket flow', () => {
             await fs_utils.create_fresh_path(bucket_defaults.path);
             await fs_utils.file_must_exist(bucket_defaults.path);
             await set_path_permissions_and_owner(bucket_defaults.path, account_defaults2, 0o477);
-            await config_fs.create_config_json_file(JSON.stringify({ NC_ENABLE_POSIX_MODE_ACCESS_CHECK: true }));
+            await config_fs.create_config_json_file(JSON.stringify({ NC_DISABLE_POSIX_MODE_ACCESS_CHECK: false }));
             const res = await exec_manage_cli(TYPES.BUCKET, action, bucket_options);
             await config_fs.delete_config_json_file();
             expect(JSON.parse(res.stdout).error.code).toBe(ManageCLIError.InaccessibleStoragePath.code);

src/test/unit_tests/jest_tests/test_nc_nsfs_new_buckets_path_validation.test.js

@@ -20,7 +20,7 @@ const timeout = 50000;
 
 describe('new_buckets_path posix mode access validation account', () => {
     const new_buckets_path = path.join(tmp_fs_path, 'new_buckets_path');
-    config.NC_ENABLE_POSIX_MODE_ACCESS_CHECK = true;
+    config.NC_DISABLE_POSIX_MODE_ACCESS_CHECK = false;
     const owner_user = 'owner_user';
     const group_user = 'group_user';
     const other_user = 'other_user';

src/util/native_fs_utils.js

@@ -532,7 +532,7 @@ async function is_dir_rw_accessible(fs_context, dir_path) {
         return false;
     }
 
-    if (!config.NC_ENABLE_POSIX_MODE_ACCESS_CHECK) return true;
+    if (config.NC_DISABLE_POSIX_MODE_ACCESS_CHECK) return true;
 
     const is_owner = fs_context.uid === stat.uid;
     const is_group = fs_context.gid === stat.gid;