forked from TrueCloudLab/frostfs-s3-gw
[#338] Remove redundant flag for session tokens in authmate
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
Angira Kekteeva
Alex Vanin
parent
2b4638f6bb
commit
204835ace3
3 changed files with 24 additions and 37 deletions
|
|
@ -59,8 +59,7 @@ type (
|
||||||
NeoFSKey *keys.PrivateKey
|
NeoFSKey *keys.PrivateKey
|
||||||
GatesPublicKeys []*keys.PublicKey
|
GatesPublicKeys []*keys.PublicKey
|
||||||
EACLRules []byte
|
EACLRules []byte
|
||||||
ContextRules []byte
|
SessionTokenRules []byte
|
||||||
SessionTkn bool
|
|
||||||
Lifetime time.Duration
|
Lifetime time.Duration
|
||||||
AwsCliCredentialsFile string
|
AwsCliCredentialsFile string
|
||||||
ContainerPolicies ContainerPolicies
|
ContainerPolicies ContainerPolicies
|
||||||
|
|
@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
|
||||||
a.log.Info("store bearer token into NeoFS",
|
a.log.Info("store bearer token into NeoFS",
|
||||||
zap.Stringer("owner_tkn", oid))
|
zap.Stringer("owner_tkn", oid))
|
||||||
|
|
||||||
if !options.SessionTkn && len(options.ContextRules) > 0 {
|
|
||||||
_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
|
|
||||||
"so session token was not created\n"))
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
address, err := tokens.
|
address, err := tokens.
|
||||||
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
|
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
|
||||||
Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
|
Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
|
||||||
|
|
@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
|
||||||
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
|
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
|
||||||
}
|
}
|
||||||
|
|
||||||
if options.SessionTkn {
|
if options.SessionTokenRules != nil {
|
||||||
sessionRules, err := buildContext(options.ContextRules)
|
sessionRules, err := buildContext(options.SessionTokenRules)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to build context for session token: %w", err)
|
return nil, fmt.Errorf("failed to build context for session token: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,6 @@ var (
|
||||||
accountAddressFlag string
|
accountAddressFlag string
|
||||||
peerAddressFlag string
|
peerAddressFlag string
|
||||||
eaclRulesFlag string
|
eaclRulesFlag string
|
||||||
contextRulesFlag string
|
|
||||||
gateWalletPathFlag string
|
gateWalletPathFlag string
|
||||||
gateAccountAddressFlag string
|
gateAccountAddressFlag string
|
||||||
accessKeyIDFlag string
|
accessKeyIDFlag string
|
||||||
|
|
@ -45,7 +44,7 @@ var (
|
||||||
gatesPublicKeysFlag cli.StringSlice
|
gatesPublicKeysFlag cli.StringSlice
|
||||||
logEnabledFlag bool
|
logEnabledFlag bool
|
||||||
logDebugEnabledFlag bool
|
logDebugEnabledFlag bool
|
||||||
sessionTokenFlag bool
|
sessionTokenFlag string
|
||||||
lifetimeFlag time.Duration
|
lifetimeFlag time.Duration
|
||||||
containerPolicies string
|
containerPolicies string
|
||||||
awcCliCredFile string
|
awcCliCredFile string
|
||||||
|
|
@ -174,12 +173,6 @@ func issueSecret() *cli.Command {
|
||||||
Required: false,
|
Required: false,
|
||||||
Destination: &eaclRulesFlag,
|
Destination: &eaclRulesFlag,
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
|
||||||
Name: "session-rules",
|
|
||||||
Usage: "rules for session token as plain json string",
|
|
||||||
Required: false,
|
|
||||||
Destination: &contextRulesFlag,
|
|
||||||
},
|
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: "gate-public-key",
|
Name: "gate-public-key",
|
||||||
Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
|
Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
|
||||||
|
|
@ -198,12 +191,12 @@ func issueSecret() *cli.Command {
|
||||||
Required: false,
|
Required: false,
|
||||||
Destination: &containerFriendlyName,
|
Destination: &containerFriendlyName,
|
||||||
},
|
},
|
||||||
&cli.BoolFlag{
|
&cli.StringFlag{
|
||||||
Name: "create-session-token",
|
Name: "session-token",
|
||||||
Usage: "create session token",
|
Usage: "create session token with rules, if the rules are set as 'none', no session tokens will be created",
|
||||||
Required: false,
|
Required: false,
|
||||||
Destination: &sessionTokenFlag,
|
Destination: &sessionTokenFlag,
|
||||||
Value: false,
|
Value: "",
|
||||||
},
|
},
|
||||||
&cli.DurationFlag{
|
&cli.DurationFlag{
|
||||||
Name: "lifetime",
|
Name: "lifetime",
|
||||||
|
|
@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
||||||
NeoFSKey: key,
|
NeoFSKey: key,
|
||||||
GatesPublicKeys: gatesPublicKeys,
|
GatesPublicKeys: gatesPublicKeys,
|
||||||
EACLRules: getJSONRules(eaclRulesFlag),
|
EACLRules: getJSONRules(eaclRulesFlag),
|
||||||
ContextRules: getJSONRules(contextRulesFlag),
|
SessionTokenRules: getSessionRules(sessionTokenFlag),
|
||||||
ContainerPolicies: policies,
|
ContainerPolicies: policies,
|
||||||
SessionTkn: sessionTokenFlag,
|
|
||||||
Lifetime: lifetimeFlag,
|
Lifetime: lifetimeFlag,
|
||||||
AwsCliCredentialsFile: awcCliCredFile,
|
AwsCliCredentialsFile: awcCliCredFile,
|
||||||
}
|
}
|
||||||
|
|
@ -320,6 +312,13 @@ func getJSONRules(val string) []byte {
|
||||||
return []byte(val)
|
return []byte(val)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getSessionRules(r string) []byte {
|
||||||
|
if r == "none" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return getJSONRules(r)
|
||||||
|
}
|
||||||
|
|
||||||
func obtainSecret() *cli.Command {
|
func obtainSecret() *cli.Command {
|
||||||
command := &cli.Command{
|
command := &cli.Command{
|
||||||
Name: "obtain-secret",
|
Name: "obtain-secret",
|
||||||
|
|
|
||||||
|
|
@ -97,8 +97,7 @@ parameter, but this way is **not recommended**.
|
||||||
The tokens are encrypted by a set of gateway keys, so you need to pass them as well.
|
The tokens are encrypted by a set of gateway keys, so you need to pass them as well.
|
||||||
|
|
||||||
Creation of the bearer token is mandatory, while creation of the session token is
|
Creation of the bearer token is mandatory, while creation of the session token is
|
||||||
optional. If you want to add the session token, you need to add a parameter
|
optional.
|
||||||
`create-session-token`.
|
|
||||||
|
|
||||||
Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
|
Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
|
||||||
it will be auto-generated with values:
|
it will be auto-generated with values:
|
||||||
|
|
@ -128,9 +127,13 @@ it will be auto-generated with values:
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
|
With session token, there is 3 options:
|
||||||
|
* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below)
|
||||||
|
|
||||||
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens:
|
**NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
||||||
|
|
||||||
|
* append `--session-token` parameter with the value `none` -- no session token will be created
|
||||||
|
* skip the parameter and `authmate` will create and put session tokens with default rules:
|
||||||
```
|
```
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
|
|
@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s
|
||||||
]
|
]
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
|
||||||
|
|
||||||
If `session-rules` are set, but `create-session-token` is not, no session
|
|
||||||
token will be created.
|
|
||||||
|
|
||||||
Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody))
|
Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody))
|
||||||
to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md))
|
to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md))
|
||||||
can be set via param `container-policy` (json-string and file path allowed):
|
can be set via param `container-policy` (json-string and file path allowed):
|
||||||
|
|
@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \
|
||||||
--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
|
--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
|
||||||
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
|
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
|
||||||
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
|
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
|
||||||
--create-session-token \
|
--session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]'
|
||||||
--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
|
|
||||||
--container-policy '{"rep-3": "REP 3"}'
|
--container-policy '{"rep-3": "REP 3"}'
|
||||||
|
|
||||||
Enter password for wallet.json >
|
Enter password for wallet.json >
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue