[#544] Upgrade NeoFS SDK Go with another approach of container sessions
After recent changes in NeoFS SDK Go library session tokens aren't embedded into `container.Container` and `eacl.Table` structures. Instead, the operations of storing given values in NeoFS are parameterized by elements of the corresponding type. Add dedicated session parameters to operations of bucket and eACL setting. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
8a1fc8ae3f
commit
028a152e04
10 changed files with 47 additions and 45 deletions
|
@ -236,11 +236,10 @@ func (h *handler) updateBucketACL(r *http.Request, astChild *ast, bktInfo *data.
|
||||||
return false, fmt.Errorf("could not translate ast to table: %w", err)
|
return false, fmt.Errorf("could not translate ast to table: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
table.SetSessionToken(sessionToken)
|
|
||||||
|
|
||||||
p := &layer.PutBucketACLParams{
|
p := &layer.PutBucketACLParams{
|
||||||
BktInfo: bktInfo,
|
BktInfo: bktInfo,
|
||||||
EACL: table,
|
EACL: table,
|
||||||
|
SessionToken: sessionToken,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
||||||
|
|
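Review bot: `SessionToken: sessionToken` in updateBucketACL is forwarded with no nil check visible in this hunk, and the same holds for `SessionToken: sessionTokenEACL` in CopyObjectHandler, PutObjectHandler and PostObject. Before this commit the layer's setContainerEACLTable re-read the token from the box data in the context; that fallback is removed, and the pool wrapper calls `prm.WithinSession(*sessionToken)` only when the pointer is non-nil, so a nil token now reaches NeoFS as an eACL write with no session attached. Only CreateBucketHandler rejects a missing token with ErrAccessDenied. If the variable can be nil here (its assignment is outside the hunk), add the same guard before building the params, assuming the API errors package is imported in this file: `if sessionToken == nil { return false, errors.GetAPIError(errors.ErrAccessDenied) }`.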
|
@ -147,11 +147,11 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
newEaclTable.SetSessionToken(sessionTokenEACL)
|
|
||||||
|
|
||||||
p := &layer.PutBucketACLParams{
|
p := &layer.PutBucketACLParams{
|
||||||
BktInfo: dstBktInfo,
|
BktInfo: dstBktInfo,
|
||||||
EACL: newEaclTable,
|
EACL: newEaclTable,
|
||||||
|
SessionToken: sessionTokenEACL,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
||||||
|
|
|
@ -250,7 +250,6 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
newEaclTable.SetSessionToken(sessionTokenEACL)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if tagSet != nil {
|
if tagSet != nil {
|
||||||
|
@ -264,6 +263,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
p := &layer.PutBucketACLParams{
|
p := &layer.PutBucketACLParams{
|
||||||
BktInfo: bktInfo,
|
BktInfo: bktInfo,
|
||||||
EACL: newEaclTable,
|
EACL: newEaclTable,
|
||||||
|
SessionToken: sessionTokenEACL,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
||||||
|
@ -382,11 +382,10 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if newEaclTable != nil {
|
if newEaclTable != nil {
|
||||||
newEaclTable.SetSessionToken(sessionTokenEACL)
|
|
||||||
|
|
||||||
p := &layer.PutBucketACLParams{
|
p := &layer.PutBucketACLParams{
|
||||||
BktInfo: bktInfo,
|
BktInfo: bktInfo,
|
||||||
EACL: newEaclTable,
|
EACL: newEaclTable,
|
||||||
|
SessionToken: sessionTokenEACL,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
||||||
|
@ -609,16 +608,16 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
boxData, err := layer.GetBoxData(r.Context())
|
boxData, err := layer.GetBoxData(r.Context())
|
||||||
if err == nil {
|
if err == nil {
|
||||||
policies = boxData.Policies
|
policies = boxData.Policies
|
||||||
p.SessionToken = boxData.Gate.SessionTokenForPut()
|
p.SessionContainerCreation = boxData.Gate.SessionTokenForPut()
|
||||||
p.EACL.SetSessionToken(boxData.Gate.SessionTokenForSetEACL())
|
p.SessionEACL = boxData.Gate.SessionTokenForSetEACL()
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.SessionToken == nil {
|
if p.SessionContainerCreation == nil {
|
||||||
h.logAndSendError(w, "couldn't find session token for put", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
h.logAndSendError(w, "couldn't find session token for put", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.EACL.SessionToken() == nil {
|
if p.SessionEACL == nil {
|
||||||
h.logAndSendError(w, "couldn't find session token for setEACL", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
h.logAndSendError(w, "couldn't find session token for setEACL", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -147,7 +147,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
|
||||||
Creator: bktInfo.Owner,
|
Creator: bktInfo.Owner,
|
||||||
Policy: p.Policy,
|
Policy: p.Policy,
|
||||||
Name: p.Name,
|
Name: p.Name,
|
||||||
SessionToken: p.SessionToken,
|
SessionToken: p.SessionContainerCreation,
|
||||||
AdditionalAttributes: attributes,
|
AdditionalAttributes: attributes,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -156,7 +156,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
|
||||||
|
|
||||||
bktInfo.CID = *idCnr
|
bktInfo.CID = *idCnr
|
||||||
|
|
||||||
if err = n.setContainerEACLTable(ctx, bktInfo.CID, p.EACL); err != nil {
|
if err = n.setContainerEACLTable(ctx, bktInfo.CID, p.EACL, p.SessionEACL); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -170,15 +170,10 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
|
||||||
return bktInfo, nil
|
return bktInfo, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *layer) setContainerEACLTable(ctx context.Context, idCnr cid.ID, table *eacl.Table) error {
|
func (n *layer) setContainerEACLTable(ctx context.Context, idCnr cid.ID, table *eacl.Table, sessionToken *session.Container) error {
|
||||||
table.SetCID(idCnr)
|
table.SetCID(idCnr)
|
||||||
|
|
||||||
boxData, err := GetBoxData(ctx)
|
return n.neoFS.SetContainerEACL(ctx, *table, sessionToken)
|
||||||
if err == nil {
|
|
||||||
table.SetSessionToken(boxData.Gate.SessionTokenForSetEACL())
|
|
||||||
}
|
|
||||||
|
|
||||||
return n.neoFS.SetContainerEACL(ctx, *table)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *layer) GetContainerEACL(ctx context.Context, idCnr cid.ID) (*eacl.Table, error) {
|
func (n *layer) GetContainerEACL(ctx context.Context, idCnr cid.ID) (*eacl.Table, error) {
|
||||||
|
|
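Review bot: In createContainer the eACL is now written with a second, separate token (`p.SessionEACL`) after the container has already been created with `p.SessionContainerCreation`, and the failure path is just `return nil, err`. If the second token is rejected, the container stays in NeoFS without the requested eACL table; no cleanup is visible in these hunks, though the function body extends beyond them. At minimum document this above the call, e.g. `// The container already exists here; on failure it is left without the requested eACL.`, and consider logging `bktInfo.CID` on that path so the leftover container can be found.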
|
@ -138,7 +138,8 @@ type (
|
||||||
Name string
|
Name string
|
||||||
Policy netmap.PlacementPolicy
|
Policy netmap.PlacementPolicy
|
||||||
EACL *eacl.Table
|
EACL *eacl.Table
|
||||||
SessionToken *session.Container
|
SessionContainerCreation *session.Container
|
||||||
|
SessionEACL *session.Container
|
||||||
LocationConstraint string
|
LocationConstraint string
|
||||||
ObjectLockEnabled bool
|
ObjectLockEnabled bool
|
||||||
}
|
}
|
||||||
|
@ -146,6 +147,7 @@ type (
|
||||||
PutBucketACLParams struct {
|
PutBucketACLParams struct {
|
||||||
BktInfo *data.BucketInfo
|
BktInfo *data.BucketInfo
|
||||||
EACL *eacl.Table
|
EACL *eacl.Table
|
||||||
|
SessionToken *session.Container
|
||||||
}
|
}
|
||||||
// DeleteBucketParams stores delete bucket request parameters.
|
// DeleteBucketParams stores delete bucket request parameters.
|
||||||
DeleteBucketParams struct {
|
DeleteBucketParams struct {
|
||||||
|
@ -368,7 +370,7 @@ func (n *layer) GetBucketACL(ctx context.Context, bktInfo *data.BucketInfo) (*Bu
|
||||||
|
|
||||||
// PutBucketACL puts bucket acl by name.
|
// PutBucketACL puts bucket acl by name.
|
||||||
func (n *layer) PutBucketACL(ctx context.Context, param *PutBucketACLParams) error {
|
func (n *layer) PutBucketACL(ctx context.Context, param *PutBucketACLParams) error {
|
||||||
return n.setContainerEACLTable(ctx, param.BktInfo.CID, param.EACL)
|
return n.setContainerEACLTable(ctx, param.BktInfo.CID, param.EACL, param.SessionToken)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ListBuckets returns all user containers. The name of the bucket is a container
|
// ListBuckets returns all user containers. The name of the bucket is a container
|
||||||
|
@ -630,7 +632,7 @@ func (n *layer) CreateBucket(ctx context.Context, p *CreateBucketParams) (*data.
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.SessionToken != nil && session.IssuedBy(*p.SessionToken, bktInfo.Owner) {
|
if p.SessionContainerCreation != nil && session.IssuedBy(*p.SessionContainerCreation, bktInfo.Owner) {
|
||||||
return nil, errors.GetAPIError(errors.ErrBucketAlreadyOwnedByYou)
|
return nil, errors.GetAPIError(errors.ErrBucketAlreadyOwnedByYou)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
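Review bot: The new fields are undocumented and named inconsistently: the token for the eACL write is `SessionEACL` in CreateBucketParams but `SessionToken` in PutBucketACLParams. Each token authorises a different container operation, so a comment per field would prevent mix-ups, e.g. `// SessionContainerCreation is the session token used to create the container.`, `// SessionEACL is the session token used to set the eACL after creation.` and, on PutBucketACLParams, `// SessionToken is the session token for the eACL write; nil means no session is attached.`. Renaming the last one to `SessionEACL` would make the two structs parallel.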
|
@ -162,10 +162,11 @@ type NeoFS interface {
|
||||||
// prevented the containers from being listed.
|
// prevented the containers from being listed.
|
||||||
UserContainers(context.Context, user.ID) ([]cid.ID, error)
|
UserContainers(context.Context, user.ID) ([]cid.ID, error)
|
||||||
|
|
||||||
// SetContainerEACL saves the eACL table of the container in NeoFS.
|
// SetContainerEACL saves the eACL table of the container in NeoFS. The
|
||||||
|
// extended ACL is modified within session if session token is not nil.
|
||||||
//
|
//
|
||||||
// It returns any error encountered which prevented the eACL from being saved.
|
// It returns any error encountered which prevented the eACL from being saved.
|
||||||
SetContainerEACL(context.Context, eacl.Table) error
|
SetContainerEACL(context.Context, eacl.Table, *session.Container) error
|
||||||
|
|
||||||
// ContainerEACL reads the container eACL from NeoFS by the container ID.
|
// ContainerEACL reads the container eACL from NeoFS by the container ID.
|
||||||
//
|
//
|
||||||
|
|
|
@ -82,7 +82,6 @@ func (t *TestNeoFS) CreateContainer(_ context.Context, prm PrmContainerCreate) (
|
||||||
}
|
}
|
||||||
|
|
||||||
cnr := container.New(opts...)
|
cnr := container.New(opts...)
|
||||||
cnr.SetSessionToken(prm.SessionToken)
|
|
||||||
|
|
||||||
if prm.Name != "" {
|
if prm.Name != "" {
|
||||||
container.SetNativeName(cnr, prm.Name)
|
container.SetNativeName(cnr, prm.Name)
|
||||||
|
|
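Review bot: With `cnr.SetSessionToken(prm.SessionToken)` removed, TestNeoFS.CreateContainer no longer reads `prm.SessionToken` anywhere in this hunk, so tests built on the mock cannot tell whether the gateway passed the user's token or none at all. Recording the value on the mock (for example in a map keyed by container ID, field name to be chosen) would let a test assert that bucket creation and eACL updates carry the expected session. The rest of CreateContainer is outside the hunk, so the token may be captured elsewhere.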
2
go.mod
2
go.mod
|
@ -10,7 +10,7 @@ require (
|
||||||
github.com/nats-io/nats.go v1.13.1-0.20220121202836-972a071d373d
|
github.com/nats-io/nats.go v1.13.1-0.20220121202836-972a071d373d
|
||||||
github.com/nspcc-dev/neo-go v0.98.2
|
github.com/nspcc-dev/neo-go v0.98.2
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2
|
github.com/nspcc-dev/neofs-api-go/v2 v2.12.2
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599
|
||||||
github.com/prometheus/client_golang v1.11.0
|
github.com/prometheus/client_golang v1.11.0
|
||||||
github.com/spf13/pflag v1.0.5
|
github.com/spf13/pflag v1.0.5
|
||||||
github.com/spf13/viper v1.7.1
|
github.com/spf13/viper v1.7.1
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -306,8 +306,8 @@ github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnB
|
||||||
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20211201182451-a5b61c4f6477/go.mod h1:dfMtQWmBHYpl9Dez23TGtIUKiFvCIxUZq/CkSIhEpz4=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
github.com/nspcc-dev/neofs-sdk-go v0.0.0-20220113123743-7f3162110659/go.mod h1:/jay1lr3w7NQd/VDBkEhkJmDmyPNsu4W+QV2obsUV40=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721 h1:5Al3dddr0SG3ONhfglTyc2GSnQS0vMmygCD00vLo/jU=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599 h1:EkwWrbzImpqtNJa8IZIsfk/EqbmPwpd0DfdenrJLSbc=
|
||||||
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220616082321-e986f4780721/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU=
|
github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.4.0.20220621170307-721df386c599/go.mod h1:k58jgszGX3pws2yiOXu9m0i32BzRgi1T6Bpd/L1KrJU=
|
||||||
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
|
||||||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||||
|
|
|
@ -137,7 +137,6 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
|
||||||
}
|
}
|
||||||
|
|
||||||
cnr := container.New(cnrOptions...)
|
cnr := container.New(cnrOptions...)
|
||||||
cnr.SetSessionToken(prm.SessionToken)
|
|
||||||
|
|
||||||
if prm.Name != "" {
|
if prm.Name != "" {
|
||||||
container.SetNativeName(cnr, prm.Name)
|
container.SetNativeName(cnr, prm.Name)
|
||||||
|
@ -147,6 +146,10 @@ func (x *NeoFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreat
|
||||||
prmPut.SetContainer(*cnr)
|
prmPut.SetContainer(*cnr)
|
||||||
prmPut.SetWaitParams(x.await)
|
prmPut.SetWaitParams(x.await)
|
||||||
|
|
||||||
|
if prm.SessionToken != nil {
|
||||||
|
prmPut.WithinSession(*prm.SessionToken)
|
||||||
|
}
|
||||||
|
|
||||||
// send request to save the container
|
// send request to save the container
|
||||||
idCnr, err := x.pool.PutContainer(ctx, prmPut)
|
idCnr, err := x.pool.PutContainer(ctx, prmPut)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -170,11 +173,15 @@ func (x *NeoFS) UserContainers(ctx context.Context, id user.ID) ([]cid.ID, error
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetContainerEACL implements neofs.NeoFS interface method.
|
// SetContainerEACL implements neofs.NeoFS interface method.
|
||||||
func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table) error {
|
func (x *NeoFS) SetContainerEACL(ctx context.Context, table eacl.Table, sessionToken *session.Container) error {
|
||||||
var prm pool.PrmContainerSetEACL
|
var prm pool.PrmContainerSetEACL
|
||||||
prm.SetTable(table)
|
prm.SetTable(table)
|
||||||
prm.SetWaitParams(x.await)
|
prm.SetWaitParams(x.await)
|
||||||
|
|
||||||
|
if sessionToken != nil {
|
||||||
|
prm.WithinSession(*sessionToken)
|
||||||
|
}
|
||||||
|
|
||||||
err := x.pool.SetEACL(ctx, prm)
|
err := x.pool.SetEACL(ctx, prm)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("save eACL via connection pool: %w", err)
|
return fmt.Errorf("save eACL via connection pool: %w", err)
|
||||||
|
|