feature: CLDSRV-162 use metadata and data from new arsenal

Author: miniscruff

Dockerfile

@@ -33,7 +33,7 @@ RUN cd /tmp \
     && rm -rf /tmp/Python-$PY_VERSION.tgz
 
 RUN yarn cache clean \
-    && yarn install --production --ignore-optional --ignore-engines --network-concurrency 1  \
+    && yarn install --production --ignore-optional --ignore-engines --network-concurrency 1 \
     && apt-get autoremove --purge -y python git build-essential \
     && rm -rf /var/lib/apt/lists/* \
     && yarn cache clean \

DockerfileMem

@@ -7,7 +7,7 @@ COPY . /usr/src/app
 
 RUN apt-get update \
     && apt-get install -y jq python git build-essential --no-install-recommends \
-    && yarn install --production --network-concurrency 1 \
+    && yarn install --production \
     && apt-get autoremove --purge -y python git build-essential \
     && rm -rf /var/lib/apt/lists/* \
     && yarn cache clean \

constants.js

@@ -174,10 +174,6 @@ const constants = {
         'bucket',
     ],
     allowedUtapiEventFilterStates: ['allow', 'deny'],
-    // The AWS assumed Role resource type
-    assumedRoleArnResourceType: 'assumed-role',
-    // Session name of the backbeat lifecycle assumed role session.
-    backbeatLifecycleSessionName: 'backbeat-lifecycle',
 };
 
 module.exports = constants;

lib/Config.js

@@ -24,9 +24,60 @@ const versionIdUtils = versioning.VersionID;
 const defaultHealthChecks = { allowFrom: ['127.0.0.1/8', '::1'] };
 
 const defaultLocalCache = { host: '127.0.0.1', port: 6379 };
+const defaultExternalBackendsConfig = {
+    // eslint-disable-next-line camelcase
+    aws_s3: {
+        httpAgent: {
+            keepAlive: false,
+            keepAliveMsecs: 1000,
+            maxFreeSockets: 256,
+            maxSockets: null,
+        },
+    },
+    gcp: {
+        httpAgent: {
+            keepAlive: true,
+            keepAliveMsecs: 1000,
+            maxFreeSockets: 256,
+            maxSockets: null,
+        },
+    },
+};
 
 const gcpScope = 'https://www.googleapis.com/auth/cloud-platform';
 
+function assertCertPaths(key, cert, ca, basePath) {
+    const certObj = {};
+    certObj.paths = {};
+    certObj.certs = {};
+    if (key) {
+        const keypath = key.startsWith('/') ? key : `${basePath}/${key}`;
+        assert.doesNotThrow(() =>
+            fs.accessSync(keypath, fs.F_OK | fs.R_OK),
+            `File not found or unreachable: ${keypath}`);
+        certObj.paths.key = keypath;
+        certObj.certs.key = fs.readFileSync(keypath, 'ascii');
+    }
+    if (cert) {
+        const certpath = cert.startsWith('/') ? cert : `${basePath}/${cert}`;
+        assert.doesNotThrow(() =>
+            fs.accessSync(certpath, fs.F_OK | fs.R_OK),
+            `File not found or unreachable: ${certpath}`);
+        certObj.paths.cert = certpath;
+        certObj.certs.cert = fs.readFileSync(certpath, 'ascii');
+    }
+
+    if (ca) {
+        const capath = ca.startsWith('/') ? ca : `${basePath}/${ca}`;
+        assert.doesNotThrow(() =>
+            fs.accessSync(capath, fs.F_OK | fs.R_OK),
+            `File not found or unreachable: ${capath}`);
+        certObj.paths.ca = capath;
+        certObj.certs.ca = fs.readFileSync(capath, 'ascii');
+    }
+    return certObj;
+}
+
 function parseSproxydConfig(configSproxyd) {
     const joiSchema = joi.object({
         bootstrap: joi.array().items(joi.string()).min(1),
@@ -1124,6 +1175,58 @@ class Config extends EventEmitter {
                 'certFilePaths.cert must be defined');
         }
 
+        this.outboundProxy = {};
+        const envProxy = process.env.HTTP_PROXY || process.env.HTTPS_PROXY
+            || process.env.http_proxy || process.env.https_proxy;
+        const p = config.outboundProxy;
+        const proxyUrl = envProxy || (p ? p.url : '');
+        if (proxyUrl) {
+            assert(typeof proxyUrl === 'string',
+                'bad proxy config: url must be a string');
+            const { protocol, hostname, port, auth } = url.parse(proxyUrl);
+            assert(protocol === 'http:' || protocol === 'https:',
+                'bad proxy config: protocol must be http or https');
+            assert(typeof hostname === 'string' && hostname !== '',
+                'bad proxy config: hostname must be a non-empty string');
+            if (port) {
+                const portInt = Number.parseInt(port, 10);
+                assert(!Number.isNaN(portInt) && portInt > 0,
+                    'bad proxy config: port must be a number greater than 0');
+            }
+            if (auth) {
+                assert(typeof auth === 'string',
+                    'bad proxy config: auth must be string');
+                const authArray = auth.split(':');
+                assert(authArray.length === 2 && authArray[0].length > 0
+                    && authArray[1].length > 0, 'bad proxy config: ' +
+                    'auth must be of format username:password');
+            }
+            this.outboundProxy.url = proxyUrl;
+            this.outboundProxy.certs = {};
+            const envCert = process.env.HTTPS_PROXY_CERTIFICATE;
+            const key = p ? p.key : '';
+            const cert = p ? p.cert : '';
+            const caBundle = envCert || (p ? p.caBundle : '');
+            if (p) {
+                assert(typeof p === 'object',
+                    'bad config: "proxy" should be an object');
+            }
+            if (key) {
+                assert(typeof key === 'string',
+                    'bad config: proxy.key should be a string');
+            }
+            if (cert) {
+                assert(typeof cert === 'string',
+                    'bad config: proxy.cert should be a string');
+            }
+            if (caBundle) {
+                assert(typeof caBundle === 'string',
+                    'bad config: proxy.caBundle should be a string');
+            }
+            const certObj = assertCertPaths(key, cert, caBundle, this._basePath);
+            this.outboundProxy.certs = certObj.certs;
+        }
+
         // Ephemeral token to protect the reporting endpoint:
         // try inherited from parent first, then hardcoded in conf file,
         // then create a fresh one as last resort.
@@ -1132,6 +1235,40 @@ class Config extends EventEmitter {
             config.reportToken ||
             uuidv4();
 
+        // External backends
+        // Currently supports configuring httpAgent(s) for keepAlive
+        this.externalBackends = defaultExternalBackendsConfig;
+        if (config.externalBackends) {
+            const extBackendsConfig = Object.keys(config.externalBackends);
+            extBackendsConfig.forEach(b => {
+                // assert that it's a valid backend
+                assert(externalBackends[b] !== undefined,
+                    `bad config: ${b} is not one of valid external backends: ` +
+                    `${Object.keys(externalBackends).join(', ')}`);
+
+                const { httpAgent } = config.externalBackends[b];
+                assert(typeof httpAgent === 'object',
+                    `bad config: ${b} must have httpAgent object defined`);
+                const { keepAlive, keepAliveMsecs, maxFreeSockets, maxSockets }
+                    = httpAgent;
+                assert(typeof keepAlive === 'boolean',
+                    `bad config: ${b}.httpAgent.keepAlive must be a boolean`);
+                assert(typeof keepAliveMsecs === 'number' &&
+                    httpAgent.keepAliveMsecs > 0,
+                    `bad config: ${b}.httpAgent.keepAliveMsecs must be` +
+                    ' a number > 0');
+                assert(typeof maxFreeSockets === 'number' &&
+                    httpAgent.maxFreeSockets >= 0,
+                    `bad config: ${b}.httpAgent.maxFreeSockets must be ` +
+                    'a number >= 0');
+                assert((typeof maxSockets === 'number' && maxSockets >= 0) ||
+                    maxSockets === null,
+                    `bad config: ${b}.httpAgent.maxFreeSockets must be ` +
+                    'null or a number >= 0');
+                Object.assign(this.externalBackends[b].httpAgent, httpAgent);
+            });
+        }
+
         // requests-proxy configuration
         this.requests = {
             viaProxy: false,

lib/api/apiUtils/authorization/permissionChecks.js

@@ -1,8 +1,7 @@
 const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
 const constants = require('../../../../constants');
 
-const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
-    assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants;
+const { allAuthedUsersId, bucketOwnerActions, logId, publicId } = constants;
 
 // whitelist buckets to allow public read on objects
 const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
@@ -365,34 +364,10 @@ function validatePolicyResource(bucketName, policy) {
     });
 }
 
-/** isLifecycleSession - check if it is the Lifecycle assumed role session arn.
- * @param {string} arn - Amazon resource name - example:
- * arn:aws:sts::257038443293:assumed-role/rolename/backbeat-lifecycle
- * @return {boolean} true if Lifecycle assumed role session arn, false if not.
- */
-function isLifecycleSession(arn) {
-    if (!arn) {
-        return false;
-    }
-
-    const arnSplits = arn.split(':');
-    const service = arnSplits[2];
-
-    const resourceNames = arnSplits[arnSplits.length - 1].split('/');
-
-    const resourceType = resourceNames[0];
-    const sessionName = resourceNames[resourceNames.length - 1];
-
-    return (service === 'sts' &&
-        resourceType === assumedRoleArnResourceType &&
-        sessionName === backbeatLifecycleSessionName);
-}
-
 module.exports = {
     isBucketAuthorized,
     isObjAuthorized,
     checkBucketAcls,
     checkObjectAcls,
     validatePolicyResource,
-    isLifecycleSession,
 };

lib/api/apiUtils/authorization/tagConditionKeys.js

@@ -49,7 +49,7 @@ function updateRequestContexts(request, requestContexts, apiMethod, log, cb) {
                 return metadata.getObjectMD(bucketName, objectKey, { versionId: reqVersionId }, log,
                 (err, objMD) => {
                     if (err) {
-                        if (err.NoSuchKey) {
+                        if (err.is.NoSuchKey) {
                             return next();
                         }
                         log.trace('error getting request object tags');

lib/api/apiUtils/bucket/bucketCreation.js

@@ -22,7 +22,7 @@ function addToUsersBucket(canonicalID, bucketName, log, cb) {
 
     // Get new format usersBucket to see if it exists
     return metadata.getBucket(usersBucket, log, (err, usersBucketAttrs) => {
-        if (err && !err.NoSuchBucket && !err.BucketAlreadyExists) {
+        if (err && !err.is.NoSuchBucket && !err.is.BucketAlreadyExists) {
             return cb(err);
         }
         const splitter = usersBucketAttrs ?
@@ -36,7 +36,7 @@ function addToUsersBucket(canonicalID, bucketName, log, cb) {
             usersBucket : oldUsersBucket;
         return metadata.putObjectMD(usersBucketBeingCalled, key,
             omVal, {}, log, err => {
-                if (err && err.NoSuchBucket) {
+                if (err && err.is.NoSuchBucket) {
                     // There must be no usersBucket so createBucket
                     // one using the new format
                     log.trace('users bucket does not exist, ' +
@@ -56,9 +56,7 @@ function addToUsersBucket(canonicalID, bucketName, log, cb) {
                             // from getting a BucketAlreadyExists
                             // error with respect
                             // to the usersBucket.
-                            if (err &&
-                                err !==
-                                    errors.BucketAlreadyExists) {
+                            if (err && !err.is.BucketAlreadyExists) {
                                 log.error('error from metadata', {
                                     error: err,
                                 });
@@ -206,7 +204,7 @@ function createBucket(authInfo, bucketName, headers,
         },
         getAnyExistingBucketInfo: function getAnyExistingBucketInfo(callback) {
             metadata.getBucket(bucketName, log, (err, data) => {
-                if (err && err.NoSuchBucket) {
+                if (err && err.is.NoSuchBucket) {
                     return callback(null, 'NoBucketYet');
                 }
                 if (err) {

lib/api/apiUtils/bucket/bucketDeletion.js

@@ -16,7 +16,7 @@ function _deleteMPUbucket(destinationBucketName, log, cb) {
         `${mpuBucketPrefix}${destinationBucketName}`;
     return metadata.deleteBucket(mpuBucketName, log, err => {
         // If the mpu bucket does not exist, just move on
-        if (err && err.NoSuchBucket) {
+        if (err && err.is.NoSuchBucket) {
             return cb();
         }
         return cb(err);
@@ -90,7 +90,7 @@ function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
                 log, (err, objectsListRes) => {
                     // If no shadow bucket ever created, no ongoing MPU's, so
                     // continue with deletion
-                    if (err && err.NoSuchBucket) {
+                    if (err && err.is.NoSuchBucket) {
                         return next();
                     }
                     if (err) {

lib/api/apiUtils/bucket/deleteUserBucketEntry.js

@@ -11,7 +11,7 @@ function deleteUserBucketEntry(bucketName, canonicalID, log, cb) {
     metadata.deleteObjectMD(usersBucket, keyForUserBucket, {}, log, error => {
         // If the object representing the bucket is not in the
         // users bucket just continue
-        if (error && error.NoSuchKey) {
+        if (error && error.is.NoSuchKey) {
             return cb(null);
         // BACKWARDS COMPATIBILITY: Remove this once no longer
         // have old user bucket format
@@ -20,7 +20,7 @@ function deleteUserBucketEntry(bucketName, canonicalID, log, cb) {
                 oldSplitter, bucketName);
             return metadata.deleteObjectMD(oldUsersBucket, keyForUserBucket2,
                 {}, log, error => {
-                    if (error && !error.NoSuchKey) {
+                    if (error && !error.is.NoSuchKey) {
                         log.error('from metadata while deleting user bucket',
                             { error });
                         return cb(error);

lib/api/apiUtils/object/abortMultipartUpload.js

@@ -1,12 +1,10 @@
 const async = require('async');
 
-const { config } = require('../../../Config');
 const constants = require('../../../../constants');
-const data = require('../../../data/wrapper');
+const { data } = require('../../../data/wrapper');
 const locationConstraintCheck = require('../object/locationConstraintCheck');
 const { metadataValidateBucketAndObj } =
     require('../../../metadata/metadataUtils');
-const multipleBackendGateway = require('../../../data/multipleBackendGateway');
 const services = require('../../../services');
 
 function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
@@ -55,35 +53,19 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
                     return next(err, mpuBucket, mpuOverviewObj, destBucket);
                 });
         },
-        function ifMultipleBackend(mpuBucket, mpuOverviewObj, destBucket,
+        function abortExternalMpu(mpuBucket, mpuOverviewObj, destBucket,
         next) {
-            if (config.backends.data === 'multiple') {
-                let location;
-                // if controlling location constraint is not stored in object
-                // metadata, mpu was initiated in legacy S3C, so need to
-                // determine correct location constraint
-                if (!mpuOverviewObj.controllingLocationConstraint) {
-                    const backendInfoObj = locationConstraintCheck(request,
-                        null, destBucket, log);
-                    if (backendInfoObj.err) {
-                        return process.nextTick(() => {
-                            next(backendInfoObj.err, destBucket);
-                        });
-                    }
-                    location = backendInfoObj.controllingLC;
-                } else {
-                    location = mpuOverviewObj.controllingLocationConstraint;
+            const location = mpuOverviewObj.controllingLocationConstraint;
+            return data.abortMPU(objectKey, uploadId, location, bucketName,
+            request, destBucket, locationConstraintCheck, log,
+            (err, skipDataDelete) => {
+                if (err) {
+                    return next(err, destBucket);
                 }
-                return multipleBackendGateway.abortMPU(objectKey, uploadId,
-                location, bucketName, log, (err, skipDataDelete) => {
-                    if (err) {
-                        return next(err, destBucket);
-                    }
-                    return next(null, mpuBucket, destBucket,
-                    skipDataDelete);
-                });
-            }
-            return next(null, mpuBucket, destBucket, false);
+                // for Azure and GCP we do not need to delete data
+                // for all other backends, skipDataDelete will be set to false
+                return next(null, mpuBucket, destBucket, skipDataDelete);
+            });
         },
         function sendAbortPut(mpuBucket, destBucket, skipDataDelete, next) {
             services.sendAbortMPUPut(bucketName, objectKey, uploadId, log,