fix: surface RustFS policy apply errors#180
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e6db7bbba0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| const SENSITIVE_KEYS: [&str; 16] = [ |
There was a problem hiding this comment.
Add redaction for STS credential field names
When an upstream error body contains standard AWS/STS credential names such as SecretAccessKey (the same field name parsed by helpers::parse_assume_role_response), this allow-list never matches it: key/value redaction iterates this list, and XML tag redaction normalizes the tag to secretaccesskey, which is_sensitive_key also does not accept. Because this change now copies upstream error details into Tenant status/events/logs, those credential values can be exposed instead of replaced with <redacted>; add the standard aliases to both match paths before surfacing response bodies.
Useful? React with 👍 / 👎.
Type of Change
Related Issues
Fixes #177
Summary of Changes
PolicyApplyFailedincludes details such asInvalidRequest: invalid resource: unknown "*".arn:aws:s3:::bucket,arn:aws:s3:::bucket/*, orarn:aws:s3:::*for all buckets.Checklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](if user-visible change): N/A, this repository currently has noCHANGELOG.mdImpact
Verification
Additional Notes
The Console UI already renders Tenant summary, condition, and provisioning messages. This change keeps the UI contract unchanged and improves the backend message content that the Console receives.
Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.