fix: normalize RustFS policies before drift hash comparison#146
Open
mskitroot wants to merge 1 commit into
Open
fix: normalize RustFS policies before drift hash comparison#146mskitroot wants to merge 1 commit into
mskitroot wants to merge 1 commit into
Conversation
RustFS returns canned policies with extra envelope fields (ID, empty Sid, empty Condition) and may reorder Action arrays. Hashing raw JSON caused false PolicyConflict even when live policy matched the Tenant spec. Normalize policy documents before hashing and accept live policies that match spec when status tracking hashes are stale after upgrades. Fixes rustfs#145 Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
Related Issues
Fixes #145
Summary of Changes
Policy drift detection compared SHA-256 hashes of raw JSON from the Tenant
ConfigMap against live RustFS canned policies. RustFS adds envelope fields
(
ID, emptySid, emptyCondition) and may reorderActionarrays whenstoring or listing policies, so semantically identical documents produced
different hashes and the Tenant was blocked with
PolicyConflicteven aftersuccessful provisioning.
This change normalizes policy documents before hashing (strip empty RustFS
fields, sort actions/resources/statements) and treats live policies that match
spec as Ready when status tracking hashes are stale after operator upgrades.
Checklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](if user-visible change)Impact
Verification
make pre-commit cargo test reconcile::provisioning::testsValidated on a live cluster: Tenant provisioning moved to Ready after deploy;
policies recreated when deleted from RustFS and reconcile was triggered.
Additional Notes
N/A
Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.