IAM | Doc | User Inline Policy Documentation

[shirady]

Describe the Problem

In NooBaa containerized deployment in the IAM service, we added the IAM user inline policy; now adding the document.

Explain the Changes

1. Adding a document of our inline user policy.

Issues:

1. GAP - we would have an IAM document for NooBaa containerized, and it would be linked to this or moved to there.

Testing Instructions:

1. none

• Doc added/updated
• Tests added

Summary by CodeRabbit

• Documentation
  • Added a comprehensive guide for IAM User Inline Policy covering S3 authorization, multi-layer decision flow (explicit DENY vs ALLOW, implicit DENY) and how a DENY at any layer yields AccessDenied.
  • Documented supported operations (PutUserPolicy, DeleteUserPolicy, GetUserPolicy, ListUserPolicies), semantics (no JSON validation, no Principal/Condition, size and replacement rules).
  • Included a CLI demo workflow and note about a temporary policy-cache override used for demonstration.

[coderabbitai]

Walkthrough

Adds a new design document describing IAM User Inline Policy behavior, operations, authorization flow, demo steps, and cache notes; also includes a demo-only SDK tweak reducing account policy cache expiry for testing.

Changes

Cohort / File(s)	Summary
Design doc docs/design/IamUserInlinePolicy.md	New design document describing IAM User Inline Policy: supported operations (PutUserPolicy, DeleteUserPolicy, GetUserPolicy, ListUserPolicies), behavior for users with/without policies, PutUserPolicy notes (no JSON validation, differences from bucket policy, no Principal/Condition, size/replacement semantics), multi-layer authorization flow (signed/anonymous → bucket policy → IAM user policy; explicit DENY precedence and implicit DENY), demo CLI workflow, and policy cache behavior.
SDK demo tweak src/sdk/object_sdk.js	Demo-only override setting account policy cache expiry to a very short TTL (expiry_ms: 1) for demonstration/testing purposes.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client (signed/anonymous)
  participant Endpoint as Endpoint
  participant BucketPolicy as Bucket Policy Eval
  participant IAMUserPolicy as IAM User Policy Eval
  participant S3 as S3 Operation

  rect rgb(245,249,255)
    Client->>Endpoint: S3 request (signed or anonymous)
    Endpoint->>BucketPolicy: Evaluate bucket policy (Allow/Deny/NotApplicable)
  end

  alt BucketPolicy DENY
    BucketPolicy-->>Endpoint: DENY
    Endpoint-->>Client: AccessDenied
  else BucketPolicy ALLOW or NotApplicable
    BucketPolicy-->>Endpoint: ALLOW/NotApplicable
    alt Request is signed
      Endpoint->>IAMUserPolicy: Evaluate IAM user inline policy (Allow/Deny/NotApplicable)
      alt IAMUserPolicy DENY
        IAMUserPolicy-->>Endpoint: DENY
        Endpoint-->>Client: AccessDenied
      else IAMUserPolicy ALLOW
        IAMUserPolicy-->>Endpoint: ALLOW
        Endpoint->>S3: Perform S3 operation
        S3-->>Endpoint: Success
        Endpoint-->>Client: Success
      else IAMUserPolicy NotApplicable and BucketPolicy ALLOW
        Endpoint->>S3: Perform S3 operation
        S3-->>Endpoint: Success
        Endpoint-->>Client: Success
      end
    else Request is anonymous
      Endpoint->>S3: Perform S3 operation per bucket policy decision
      S3-->>Endpoint: Success/AccessDenied
      Endpoint-->>Client: Success/AccessDenied
    end
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Review focus: accuracy and completeness of docs/design/IamUserInlinePolicy.md; verify src/sdk/object_sdk.js is explicitly marked demo-only and not committed for production.

Possibly related PRs

• IAM | User Inline Policy Implementation #9270 — Implements the put/get/list/delete IAM user inline policy APIs and supporting constants/helpers referenced by the design doc.
• IAM | Authorize Requests for IAM Users According to IAM User Inline Policy #9281 — Adds IAM user inline policy enforcement (authorize_request_iam_policy), account fields, and updates to bucket policy utils and S3 authorization referenced by the design doc.
• IAM | Account Schema Changes for Supporting Inline User Policy #9269 — Adds schema entries for iam_user_policy and account.iam_user_policies that the design doc describes.

Suggested reviewers

• aayushchouhan09
• liranmauda

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically references the main change: adding documentation for IAM User Inline Policy.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ce6c08 and 7a6e62e.

📒 Files selected for processing (1)

• docs/design/IamUserInlinePolicy.md (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

docs/design/IamUserInlinePolicy.md (1)

29-30: Improve clarity of sentence.

The sentence structure is awkward: "When every S3 request has a step of authorization..." Consider rephrasing for clarity:

-When every S3 request has a step of authorization (`authorize_request` in `src/endpoint/s3/s3_rest.js`).
+For every S3 request, authorization (`authorize_request` in `src/endpoint/s3/s3_rest.js`) is performed.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 477d3ae and 7d805aa.

📒 Files selected for processing (1)

• docs/design/IamUserInlinePolicy.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

docs/design/IamUserInlinePolicy.md

[style] ~92-~92: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...est_object2.txt (should work) 11. User can not create a bucket under the account: use...

(CAN_NOT_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

docs/design/IamUserInlinePolicy.md

49-49: Unordered list indentation
Expected: 0; Actual: 2

(MD007, ul-indent)

---

50-50: Unordered list indentation
Expected: 0; Actual: 2

(MD007, ul-indent)

---

52-52: Unordered list indentation
Expected: 0; Actual: 2

(MD007, ul-indent)

---

54-54: Unordered list indentation
Expected: 0; Actual: 2

(MD007, ul-indent)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-package-lock-validation
• GitHub Check: run-jest-unit-tests

🔇 Additional comments (1)

docs/design/IamUserInlinePolicy.md (1)

1-46: Overall documentation quality is good.

The documentation clearly explains the IAM user policy feature, supported operations, and authorization flow. The structure is logical and the demo workflow is helpful. After addressing the critical code change issue and the minor grammar/formatting issues above, this will be a solid contribution.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

docs/design/IamUserInlinePolicy.md (1)

90-90: Fix style and backtick placement issues.

Line 90 contains two issues: (1) use "cannot" instead of "can not"; (2) fix the backtick placement for the account alias.

-11. User can not create a bucket under the account: u`ser-robert-s3 s3 mb s3://bucket-robert-2` (should throw `AccessDenied` error)
+11. User cannot create a bucket under the account: `user-robert-s3 s3 mb s3://bucket-robert-2` (should throw `AccessDenied` error)

🧹 Nitpick comments (1)

docs/design/IamUserInlinePolicy.md (1)

29-29: Improve sentence clarity.

Line 29 contains awkward phrasing that should be refactored for clarity: "When every S3 request has a step of authorization" is grammatically strained.

-When every S3 request has a step of authorization (`authorize_request` in `src/endpoint/s3/s3_rest.js`).
+When an S3 request is made, there is a step of authorization (`authorize_request` in `src/endpoint/s3/s3_rest.js`).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d805aa and 4855b90.

📒 Files selected for processing (1)

• docs/design/IamUserInlinePolicy.md (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-package-lock-validation
• GitHub Check: run-jest-unit-tests