[#54 ] acl: Add APE chains to Bearer token

Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
[#54 ] apemanager: Move APE specific types to separate package
2024-05-30 10:49:30 +03:00 · 2024-05-29 14:03:56 +03:00
6 changed files with 143 additions and 73 deletions
--- a/acl/types.proto
+++ b/acl/types.proto
@ -6,6 +6,7 @@ option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl/grpc;ac
 option csharp_namespace = "Neo.FileStorage.API.Acl";

 import "refs/types.proto";
+import "ape/types.proto";

 // Target role of the access control rule in access control list.
 enum Role {
@ -194,6 +195,8 @@ message BearerToken {
    // container. If it contains `container_id` field, bearer token is only
    // valid for this specific container. Otherwise, any container of the same
    // owner is allowed.
+    //
+    // Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead.
    EACLTable eacl_table = 1 [ json_name = "eaclTable" ];

    // `OwnerID` defines to whom the token was issued. It must match the request
@ -218,6 +221,23 @@ message BearerToken {
    // AllowImpersonate flag to consider token signer as request owner.
    // If this field is true extended ACL table in token body isn't processed.
    bool allow_impersonate = 4 [ json_name = "allowImpersonate" ];
+
+    // APEOverride is the list of APE chains defined for a target.
+    // These chains are meant to serve as overrides to the already defined (or even undefined)
+    // APE chains for the target (see contract `Policy`).
+    //
+    // The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
+    // to override chains for the target, preventing unauthorized access through the APE mechanism.
+    message APEOverride {
+      // Target for which chains are applied.
+      frostfs.v2.ape.ChainTarget target = 1 [ json_name = "target" ];
+
+      // The list of APE chains.
+      repeated frostfs.v2.ape.Chain chains = 2 [ json_name = "chains" ];
+    }
+
+    // APE override for the target.
+    APEOverride ape_override = 5 [ json_name = "apeOverride" ];
  }
  // Bearer Token body
  Body body = 1 [ json_name = "body" ];
--- a/apemanager/types.proto
+++ b/apemanager/types.proto
@ -1,8 +1,8 @@
 syntax = "proto3";

-package frostfs.v2.apemanager;
+package frostfs.v2.ape;

-option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
+option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/grpc;ape";

 // TargetType is a type target to which a rule chain is defined.
 enum TargetType {
--- a/apemanager/service.proto
+++ b/apemanager/service.proto
@ -2,7 +2,7 @@ syntax = "proto3";

 package frostfs.v2.apemanager;

-import "apemanager/types.proto";
+import "ape/types.proto";
 import "session/types.proto";

 option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
@ -52,10 +52,10 @@ service APEManagerService {
 message AddChainRequest {
  message Body {
    // A target for which a rule chain is added.
-    ChainTarget target = 1;
+    frostfs.v2.ape.ChainTarget target = 1;

    // The chain to set for the target.
-    Chain chain = 2;
+    frostfs.v2.ape.Chain chain = 2;
  }

  // The request's body.
@ -95,7 +95,7 @@ message AddChainResponse {
 message RemoveChainRequest {
  message Body {
    // Target for which a rule chain is removed.
-    ChainTarget target = 1;
+    frostfs.v2.ape.ChainTarget target = 1;

    // Chain ID assigned for the rule chain.
    bytes chain_id = 2;
@ -135,7 +135,7 @@ message RemoveChainResponse {
 message ListChainsRequest {
  message Body {
    // Target for which rule chains are listed.
-    ChainTarget target = 1;
+    frostfs.v2.ape.ChainTarget target = 1;
  }

  // The request's body.
@ -154,7 +154,7 @@ message ListChainsRequest {
 message ListChainsResponse {
  message Body {
    // The list of chains defined for the reqeusted target.
-    repeated Chain chains = 1;
+    repeated frostfs.v2.ape.Chain chains = 1;
  }

  // The response's body.
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
@ -8,6 +8,7 @@
  - Messages
      - [BearerToken](#neo.fs.v2.acl.BearerToken)
      - [BearerToken.Body](#neo.fs.v2.acl.BearerToken.Body)
+      - [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride)
      - [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime)
      - [EACLRecord](#neo.fs.v2.acl.EACLRecord)
      - [EACLRecord.Filter](#neo.fs.v2.acl.EACLRecord.Filter)
@ -57,10 +58,30 @@ container owner with additional information preventing token abuse.

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) |  | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. |
+| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) |  | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed.
+
+Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead. |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) |  | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. |
 | lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) |  | Token expiration and valid time period parameters |
 | allow_impersonate | [bool](#bool) |  | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. |
+| ape_override | [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride) |  | APE override for the target. |
+
+
+<a name="neo.fs.v2.acl.BearerToken.Body.APEOverride"></a>
+
+### Message BearerToken.Body.APEOverride
+APEOverride is the list of APE chains defined for a target.
+These chains are meant to serve as overrides to the already defined (or even undefined)
+APE chains for the target (see contract `Policy`).
+
+The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
+to override chains for the target, preventing unauthorized access through the APE mechanism.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) |  | Target for which chains are applied. |
+| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of APE chains. |


 <a name="neo.fs.v2.acl.BearerToken.Body.TokenLifetime"></a>
--- a/proto-docs/ape.md
+++ b/proto-docs/ape.md
@ -0,0 +1,88 @@
+# Protocol Documentation
+<a name="top"></a>
+
+## Table of Contents
+
+- [ape/types.proto](#ape/types.proto)
+
+  - Messages
+      - [Chain](#frostfs.v2.ape.Chain)
+      - [ChainTarget](#frostfs.v2.ape.ChainTarget)
+    
+
+- [Scalar Value Types](#scalar-value-types)
+
+
+
+<a name="ape/types.proto"></a>
+<p align="right"><a href="#top">Top</a></p>
+
+## ape/types.proto
+
+
+ <!-- end services -->
+
+
+<a name="frostfs.v2.ape.Chain"></a>
+
+### Message Chain
+Chain is a chain of rules defined for a specific target.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| raw | [bytes](#bytes) |  | Raw representation of a serizalized rule chain. |
+
+
+<a name="frostfs.v2.ape.ChainTarget"></a>
+
+### Message ChainTarget
+ChainTarget is an object to which a rule chain is defined.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| type | [TargetType](#frostfs.v2.ape.TargetType) |  |  |
+| name | [string](#string) |  |  |
+
+ <!-- end messages -->
+
+
+<a name="frostfs.v2.ape.TargetType"></a>
+
+### TargetType
+TargetType is a type target to which a rule chain is defined.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| UNDEFINED | 0 |  |
+| NAMESPACE | 1 |  |
+| CONTAINER | 2 |  |
+| USER | 3 |  |
+| GROUP | 4 |  |
+
+
+ <!-- end enums -->
+
+
+
+## Scalar Value Types
+
+| .proto Type | Notes | C++ Type | Java Type | Python Type |
+| ----------- | ----- | -------- | --------- | ----------- |
+| <a name="double" /> double |  | double | double | float |
+| <a name="float" /> float |  | float | float | float |
+| <a name="int32" /> int32 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
+| <a name="int64" /> int64 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
+| <a name="uint32" /> uint32 | Uses variable-length encoding. | uint32 | int | int/long |
+| <a name="uint64" /> uint64 | Uses variable-length encoding. | uint64 | long | int/long |
+| <a name="sint32" /> sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
+| <a name="sint64" /> sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
+| <a name="fixed32" /> fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
+| <a name="fixed64" /> fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
+| <a name="sfixed32" /> sfixed32 | Always four bytes. | int32 | int | int |
+| <a name="sfixed64" /> sfixed64 | Always eight bytes. | int64 | long | int/long |
+| <a name="bool" /> bool |  | bool | boolean | boolean |
+| <a name="string" /> string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
+| <a name="bytes" /> bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |
+
--- a/proto-docs/apemanager.md
+++ b/proto-docs/apemanager.md
@ -22,13 +22,6 @@
      - [RemoveChainResponse.Body](#frostfs.v2.apemanager.RemoveChainResponse.Body)
    

- [apemanager/types.proto](#apemanager/types.proto)
-
-  - Messages
-      - [Chain](#frostfs.v2.apemanager.Chain)
-      - [ChainTarget](#frostfs.v2.apemanager.ChainTarget)
-    
-
 - [Scalar Value Types](#scalar-value-types)


@ -128,8 +121,8 @@ Statuses:

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) |  | A target for which a rule chain is added. |
-| chain | [Chain](#frostfs.v2.apemanager.Chain) |  | The chain to set for the target. |
+| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) |  | A target for which a rule chain is added. |
+| chain | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) |  | The chain to set for the target. |


 <a name="frostfs.v2.apemanager.AddChainResponse"></a>
@ -177,7 +170,7 @@ Statuses:

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) |  | Target for which rule chains are listed. |
+| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) |  | Target for which rule chains are listed. |


 <a name="frostfs.v2.apemanager.ListChainsResponse"></a>
@ -201,7 +194,7 @@ Statuses:

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| chains | [Chain](#frostfs.v2.apemanager.Chain) | repeated | The list of chains defined for the reqeusted target. |
+| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of chains defined for the reqeusted target. |


 <a name="frostfs.v2.apemanager.RemoveChainRequest"></a>
@ -225,7 +218,7 @@ Statuses:

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) |  | Target for which a rule chain is removed. |
+| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) |  | Target for which a rule chain is removed. |
 | chain_id | [bytes](#bytes) |  | Chain ID assigned for the rule chain. |


@ -255,58 +248,6 @@ operation could not be performed is an error returning to a client.



-<a name="apemanager/types.proto"></a>
-<p align="right"><a href="#top">Top</a></p>
-
-## apemanager/types.proto
-
-
- <!-- end services -->
-
-
-<a name="frostfs.v2.apemanager.Chain"></a>
-
-### Message Chain
-Chain is a chain of rules defined for a specific target.
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| raw | [bytes](#bytes) |  | Raw representation of a serizalized rule chain. |
-
-
-<a name="frostfs.v2.apemanager.ChainTarget"></a>
-
-### Message ChainTarget
-ChainTarget is an object to which a rule chain is defined.
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| type | [TargetType](#frostfs.v2.apemanager.TargetType) |  |  |
-| name | [string](#string) |  |  |
-
- <!-- end messages -->
-
-
-<a name="frostfs.v2.apemanager.TargetType"></a>
-
-### TargetType
-TargetType is a type target to which a rule chain is defined.
-
-| Name | Number | Description |
-| ---- | ------ | ----------- |
-| UNDEFINED | 0 |  |
-| NAMESPACE | 1 |  |
-| CONTAINER | 2 |  |
-| USER | 3 |  |
-| GROUP | 4 |  |
-
-
- <!-- end enums -->
-
-
-
 ## Scalar Value Types

 | .proto Type | Notes | C++ Type | Java Type | Python Type |
Author	SHA1	Message	Date
Airat Arifullin	38f54c6fe9	[#54 ] acl: Add APE chains to Bearer token Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-05-30 10:49:30 +03:00
Airat Arifullin	672bf7e097	[#54 ] apemanager: Move APE specific types to separate package * Introduce `ape` package and move `apemanager/types.proto` to `ape/`; * Fix `apemanager/service.proto`. Signed-off-by: Airat Arifullin <aarifullin@yadro.com>	2024-05-29 14:03:56 +03:00