forked from TrueCloudLab/frostfs-s3-gw
[#338] Remove redundant flag for session tokens in authmate
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
parent
2b4638f6bb
commit
204835ace3
3 changed files with 24 additions and 37 deletions
|
@ -59,8 +59,7 @@ type (
|
|||
NeoFSKey *keys.PrivateKey
|
||||
GatesPublicKeys []*keys.PublicKey
|
||||
EACLRules []byte
|
||||
ContextRules []byte
|
||||
SessionTkn bool
|
||||
SessionTokenRules []byte
|
||||
Lifetime time.Duration
|
||||
AwsCliCredentialsFile string
|
||||
ContainerPolicies ContainerPolicies
|
||||
|
@ -258,14 +257,6 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
|
|||
a.log.Info("store bearer token into NeoFS",
|
||||
zap.Stringer("owner_tkn", oid))
|
||||
|
||||
if !options.SessionTkn && len(options.ContextRules) > 0 {
|
||||
_, err := w.Write([]byte("Warning: rules for session token were set but --create-session flag wasn't, " +
|
||||
"so session token was not created\n"))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
address, err := tokens.
|
||||
New(a.pool, secrets.EphemeralKey, cache.DefaultAccessBoxConfig()).
|
||||
Put(ctx, cid, oid, box, lifetime.Exp, options.GatesPublicKeys...)
|
||||
|
@ -480,8 +471,8 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions, cid *ci
|
|||
gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
|
||||
}
|
||||
|
||||
if options.SessionTkn {
|
||||
sessionRules, err := buildContext(options.ContextRules)
|
||||
if options.SessionTokenRules != nil {
|
||||
sessionRules, err := buildContext(options.SessionTokenRules)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to build context for session token: %w", err)
|
||||
}
|
||||
|
|
|
@ -36,7 +36,6 @@ var (
|
|||
accountAddressFlag string
|
||||
peerAddressFlag string
|
||||
eaclRulesFlag string
|
||||
contextRulesFlag string
|
||||
gateWalletPathFlag string
|
||||
gateAccountAddressFlag string
|
||||
accessKeyIDFlag string
|
||||
|
@ -45,7 +44,7 @@ var (
|
|||
gatesPublicKeysFlag cli.StringSlice
|
||||
logEnabledFlag bool
|
||||
logDebugEnabledFlag bool
|
||||
sessionTokenFlag bool
|
||||
sessionTokenFlag string
|
||||
lifetimeFlag time.Duration
|
||||
containerPolicies string
|
||||
awcCliCredFile string
|
||||
|
@ -174,12 +173,6 @@ func issueSecret() *cli.Command {
|
|||
Required: false,
|
||||
Destination: &eaclRulesFlag,
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "session-rules",
|
||||
Usage: "rules for session token as plain json string",
|
||||
Required: false,
|
||||
Destination: &contextRulesFlag,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "gate-public-key",
|
||||
Usage: "public 256r1 key of a gate (use flags repeatedly for multiple gates)",
|
||||
|
@ -198,12 +191,12 @@ func issueSecret() *cli.Command {
|
|||
Required: false,
|
||||
Destination: &containerFriendlyName,
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "create-session-token",
|
||||
Usage: "create session token",
|
||||
&cli.StringFlag{
|
||||
Name: "session-token",
|
||||
Usage: "create session token with rules, if the rules are set as 'none', no session tokens will be created",
|
||||
Required: false,
|
||||
Destination: &sessionTokenFlag,
|
||||
Value: false,
|
||||
Value: "",
|
||||
},
|
||||
&cli.DurationFlag{
|
||||
Name: "lifetime",
|
||||
|
@ -276,9 +269,8 @@ It will be ceil rounded to the nearest amount of epoch.`,
|
|||
NeoFSKey: key,
|
||||
GatesPublicKeys: gatesPublicKeys,
|
||||
EACLRules: getJSONRules(eaclRulesFlag),
|
||||
ContextRules: getJSONRules(contextRulesFlag),
|
||||
SessionTokenRules: getSessionRules(sessionTokenFlag),
|
||||
ContainerPolicies: policies,
|
||||
SessionTkn: sessionTokenFlag,
|
||||
Lifetime: lifetimeFlag,
|
||||
AwsCliCredentialsFile: awcCliCredFile,
|
||||
}
|
||||
|
@ -320,6 +312,13 @@ func getJSONRules(val string) []byte {
|
|||
return []byte(val)
|
||||
}
|
||||
|
||||
func getSessionRules(r string) []byte {
|
||||
if r == "none" {
|
||||
return nil
|
||||
}
|
||||
return getJSONRules(r)
|
||||
}
|
||||
|
||||
func obtainSecret() *cli.Command {
|
||||
command := &cli.Command{
|
||||
Name: "obtain-secret",
|
||||
|
|
|
@ -97,8 +97,7 @@ parameter, but this way is **not recommended**.
|
|||
The tokens are encrypted by a set of gateway keys, so you need to pass them as well.
|
||||
|
||||
Creation of the bearer token is mandatory, while creation of the session token is
|
||||
optional. If you want to add the session token, you need to add a parameter
|
||||
`create-session-token`.
|
||||
optional.
|
||||
|
||||
Rules for bearer token can be set via param `bearer-rules` (json-string and file path allowed), if it is not set,
|
||||
it will be auto-generated with values:
|
||||
|
@ -128,9 +127,13 @@ it will be auto-generated with values:
|
|||
}
|
||||
```
|
||||
|
||||
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
|
||||
With session token, there is 3 options:
|
||||
* append `--session-token` parameter with your custom rules in json format (as a string or file path, see an example below)
|
||||
|
||||
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens:
|
||||
**NB!** If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
||||
|
||||
* append `--session-token` parameter with the value `none` -- no session token will be created
|
||||
* skip the parameter and `authmate` will create and put session tokens with default rules:
|
||||
```
|
||||
[
|
||||
{
|
||||
|
@ -151,11 +154,6 @@ If the parameter `session-rules` is not set, `authmate` creates and puts three s
|
|||
]
|
||||
```
|
||||
|
||||
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
||||
|
||||
If `session-rules` are set, but `create-session-token` is not, no session
|
||||
token will be created.
|
||||
|
||||
Rules for mapping of `LocationConstraint` ([aws spec](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestBody))
|
||||
to `PlacementPolicy` ([neofs spec](https://github.com/nspcc-dev/neofs-spec/blob/master/01-arch/02-policy.md))
|
||||
can be set via param `container-policy` (json-string and file path allowed):
|
||||
|
@ -174,8 +172,7 @@ $ ./neofs-authmate issue-secret --wallet wallet.json \
|
|||
--bearer-rules '{"records":[{"operation":"PUT","action":"ALLOW","filters":[],"targets":[{"role":"OTHERS","keys":[]}]}]}' \
|
||||
--gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
|
||||
--gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
|
||||
--create-session-token \
|
||||
--session-rules '{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}'
|
||||
--session-token '[{"verb":"DELETE","wildcard":false,"containerID":{"value":"%CID"}}]'
|
||||
--container-policy '{"rep-3": "REP 3"}'
|
||||
|
||||
Enter password for wallet.json >
|
||||
|
|
Loading…
Reference in a new issue