MANTA-5485 Add support for STS and IAM #30
base: master
- Update accesskey schema to include: updated, description, and status.
- Update ENG submodule.
Adds CLI tool to manually clean up expired temporary credentials. Fixes ldapjs search to use event-based pattern and adds rate limiting (5 concurrent deletes) to prevent Moray overload. Modifies schema validation to pass operation type and skip accesskey validation on delete, allowing removal of expired credentials. Includes documentation in docs/temporary-credentials.md.

Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
I see you pulled in commits from #29 too! Would you mind pulling in the latest commits? I suspect they'll merge pretty cleanly: MANTA-5485...TRITON-2513 I was just about to mark that PR non-draft too so if those changes get pulled in here we can simply close #29 altogether!

Do we need to expose temporary key functionality in CloudAPI and node-triton? What's the intended process for obtaining one of these newer tokens?
danmcd
left a comment
Pass 0, didn't find much, but it is pass-0 while remote-remote. :)
package.json
Outdated
| "restify": "2.3.4", | ||
| "sshpk": "1.16.1", | ||
| "ufds": "^1.7.0", | ||
| "ufds": "git+https://github.com/TritonDataCenter/node-ufds.git#8b64c76422819a34e99cda5421e8931892640881", |
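Review bot: the last line points `ufds` at a git URL pinned to a full commit SHA, where the line above it used the `^1.7.0` range. The SHA pin keeps the install reproducible, but a git dependency is fetched from the repository and not from a published release, so record in the PR which node-ufds change this commit carries and move back to a released version once one is available.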
This will get updated with an accompanying node-ufds change? Or am I missing something here?
I just merged latest changes from TRITON-2513 so this should be fixed.
We need to be able to delete expired temporary access keys as they are no longer useful. Skipping this check allows that.
Done!
test/accesskey.test.js
Outdated
| @@ -0,0 +1,228 @@ | |||
| /* | |||
Nit, non-blocker: Maybe this should be renamed to: temporary-accesskey.test.js? Or combined with accesskeys.test.js?
travispaul
left a comment
I added some non-blocking nits but otherwise testing has gone well for me.
I authored some of the commits here, so not sure how much to value my approval.
travispaul
left a comment
I noticed some temporary keys from my tests last week were never purged. The cronjob doesn't have node in its path:
[root@b0be2660-17e4-46b7-95aa-53d8116940ae (coal:ufds0) ~]# cat /var/log/ufds-cleanup.log
/usr/bin/env: node: No such file or directory
The script itself works fine because /opt/smartdc/ufds/build/node/bin is in $PATH; however, that path is not present in /etc/default/cron.
Thank you! I'm sorry I did not catch this sooner. I'll fix it now.
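The failure reported in the comment above (the cleanup job's `node` interpreter not resolving under cron's PATH, so expired keys are never purged) can be checked before a job is deployed. This is an added example, not code from the PR; the function names and the fixture files are constructed, and it assumes the cron defaults file sets the search path with a `PATH=` line.

```shell
#!/bin/sh
# Added example: check that a job's interpreter resolves under cron's PATH,
# which can differ from the interactive shell's PATH.

# Print the PATH= value from a cron defaults file (last uncommented entry wins).
cron_path_from_defaults() {
    sed -n 's/^PATH=//p' "$1" | tail -1
}

# Return 0 if executable $1 is found in the colon-separated path list $2.
resolves_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Return 0 if interpreter $2 would be found when cron uses defaults file $1.
cron_can_run() {
    resolves_in_path "$2" "$(cron_path_from_defaults "$1")"
}

# Constructed fixture: a fake defaults file and a fake node install directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/usr/bin" "$demo_dir/node/bin"
printf '#!/bin/sh\n' > "$demo_dir/node/bin/node"
chmod +x "$demo_dir/node/bin/node"
printf '# constructed sample\nPATH=%s\n' "$demo_dir/usr/bin" > "$demo_dir/cron.before"
printf 'PATH=%s:%s\n' "$demo_dir/usr/bin" "$demo_dir/node/bin" > "$demo_dir/cron.after"

for f in before after; do
    if cron_can_run "$demo_dir/cron.$f" node; then
        echo "$f: node resolves under cron PATH"
    else
        echo "$f: node NOT found under cron PATH; job would fail"
    fi
done
```

Pointing `cron_can_run` at the real defaults file on the zone gives the same answer for the deployed job, and a monitoring check on the cleanup log catches the case where the job still fails silently.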
Add tests for temporary access keys

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
I modified the access keys schema to support temporary keys, their deletion, and the fields required for Secure Token Services (STS) and Identity and Access Management (IAM). I added a script to delete the temporary keys; my first approach would be to include this in a crontab, but I'm not sure at the moment whether that is the best approach.