Skip to content

fix: surface RustFS policy apply errors#180

Merged
GatewayJ merged 3 commits into
rustfs:mainfrom
GatewayJ:fix/rustfs-policy-error-diagnostics
Jul 11, 2026
Merged

fix: surface RustFS policy apply errors#180
GatewayJ merged 3 commits into
rustfs:mainfrom
GatewayJ:fix/rustfs-policy-error-diagnostics

Conversation

@GatewayJ

@GatewayJ GatewayJ commented Jul 11, 2026

Copy link
Copy Markdown
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Fixes #177

Summary of Changes

  • Preserve RustFS as the source of truth for policy syntax validation, and surface RustFS non-2xx response details through the operator instead of dropping the body.
  • Summarize upstream XML and JSON error responses into short single-line messages suitable for Tenant provisioning status, events, logs, and the existing Console UI message fields.
  • Redact sensitive key/value and XML-tag fields before upstream error details reach status, events, logs, or Console output.
  • Limit upstream error body reads to 8 KiB and hide truncated unstructured bodies behind a bounded diagnostic.
  • Add coverage for RustFS policy parse failures so PolicyApplyFailed includes details such as InvalidRequest: invalid resource: unknown "*".
  • Document that RustFS policy resources must use S3 ARN forms such as arn:aws:s3:::bucket, arn:aws:s3:::bucket/*, or arn:aws:s3:::* for all buckets.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change): N/A, this repository currently has no CHANGELOG.md
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: Tenant provisioning diagnostics now include bounded, redacted RustFS upstream error details; no API schema or Console UI field change is required.

Verification

cargo fmt --all --check
git diff --check
cargo test unexpected_status_ -- --nocapture
cargo test sanitize -- --nocapture
cargo test add_canned_policy_reports_upstream_policy_parse_error -- --nocapture
cargo test apply_policy_includes_upstream_policy_parse_error -- --nocapture
cargo test sts::rustfs_client::tests -- --nocapture
cargo test reconcile::provisioning::tests -- --nocapture
make pre-commit

Additional Notes

The Console UI already renders Tenant summary, condition, and provisioning messages. This change keeps the UI contract unchanged and improves the backend message content that the Console receives.


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

@GatewayJ

Copy link
Copy Markdown
Member Author

@codex

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e6db7bbba0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/utils/sanitize.rs
// See the License for the specific language governing permissions and
// limitations under the License.

const SENSITIVE_KEYS: [&str; 16] = [

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add redaction for STS credential field names

When an upstream error body contains standard AWS/STS credential names such as SecretAccessKey (the same field name parsed by helpers::parse_assume_role_response), this allow-list never matches it: key/value redaction iterates this list, and XML tag redaction normalizes the tag to secretaccesskey, which is_sensitive_key also does not accept. Because this change now copies upstream error details into Tenant status/events/logs, those credential values can be exposed instead of replaced with <redacted>; add the standard aliases to both match paths before surfacing response bodies.

Useful? React with 👍 / 👎.

@GatewayJ GatewayJ marked this pull request as ready for review July 11, 2026 14:53
@GatewayJ GatewayJ added this pull request to the merge queue Jul 11, 2026
Merged via the queue into rustfs:main with commit 5a79049 Jul 11, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[question or bug] how to configure tenant to map a oidc user group to a specific policy?

1 participant