Introduce APE override within Bearer token #54
6 changed files with 143 additions and 73 deletions
|
@ -6,6 +6,7 @@ option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl/grpc;ac
|
|||
option csharp_namespace = "Neo.FileStorage.API.Acl";
|
||||
|
||||
import "refs/types.proto";
|
||||
import "ape/types.proto";
|
||||
|
||||
// Target role of the access control rule in access control list.
|
||||
enum Role {
|
||||
|
@ -194,6 +195,8 @@ message BearerToken {
|
|||
// container. If it contains `container_id` field, bearer token is only
|
||||
// valid for this specific container. Otherwise, any container of the same
|
||||
// owner is allowed.
|
||||
//
|
||||
// Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead.
|
||||
EACLTable eacl_table = 1 [ json_name = "eaclTable" ];
|
||||
|
||||
// `OwnerID` defines to whom the token was issued. It must match the request
|
||||
|
@ -218,6 +221,23 @@ message BearerToken {
|
|||
// AllowImpersonate flag to consider token signer as request owner.
|
||||
// If this field is true extended ACL table in token body isn't processed.
|
||||
bool allow_impersonate = 4 [ json_name = "allowImpersonate" ];
|
||||
|
||||
// APEOverride is the list of APE chains defined for a target.
|
||||
// These chains are meant to serve as overrides to the already defined (or even undefined)
|
||||
// APE chains for the target (see contract `Policy`).
|
||||
//
|
||||
// The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
|
||||
// to override chains for the target, preventing unauthorized access through the APE mechanism.
|
||||
message APEOverride {
|
||||
// Target for which chains are applied.
|
||||
frostfs.v2.ape.ChainTarget target = 1 [ json_name = "target" ];
|
||||
|
||||
// The list of APE chains.
|
||||
repeated frostfs.v2.ape.Chain chains = 2 [ json_name = "chains" ];
|
||||
}
|
||||
|
||||
// APE override for the target.
|
||||
APEOverride ape_override = 5 [ json_name = "apeOverride" ];
|
||||
}
|
||||
// Bearer Token body
|
||||
Body body = 1 [ json_name = "body" ];
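Review bot: The deprecation of `eacl_table` exists only in its leading comment (previous hunk, `EACLTable eacl_table = 1 [ json_name = "eaclTable" ];`), so generated code will not flag callers that keep setting it, and the comment points at `APEOverrides`, a name that matches neither the field `ape_override` nor the type `APEOverride`; I would write `EACLTable eacl_table = 1 [ json_name = "eaclTable", deprecated = true ];` and change `APEOverrides` in the comment to `ape_override`. The `APEOverride` comment says the server must verify that the client is permitted to override chains for the target, but nothing on `target` states what "permitted" means relative to `owner_id` or the token signer, and `ChainTarget` admits any target type, so the comment on `target` should spell out that relation (e.g. `// Target for which chains are applied. Must belong to the token issuer's authority; the server rejects the token otherwise.`), with the exact rule confirmed against the server implementation. The `allow_impersonate` comment still says only the extended ACL table is skipped, leaving it unspecified whether `ape_override` is processed when impersonation is allowed; the interaction should be documented on one of the two fields. The enclosing `message BearerToken` starts outside this hunk.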
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
syntax = "proto3";
|
||||
|
||||
package frostfs.v2.apemanager;
|
||||
package frostfs.v2.ape;
|
||||
|
||||
option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
|
||||
option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/grpc;ape";
|
||||
|
||||
// TargetType is a type target to which a rule chain is defined.
|
||||
enum TargetType {
|
|
@ -2,7 +2,7 @@ syntax = "proto3";
|
|||
|
||||
package frostfs.v2.apemanager;
|
||||
|
||||
import "apemanager/types.proto";
|
||||
import "ape/types.proto";
|
||||
import "session/types.proto";
|
||||
|
||||
option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
|
||||
|
@ -52,10 +52,10 @@ service APEManagerService {
|
|||
message AddChainRequest {
|
||||
message Body {
|
||||
// A target for which a rule chain is added.
|
||||
ChainTarget target = 1;
|
||||
frostfs.v2.ape.ChainTarget target = 1;
|
||||
|
||||
// The chain to set for the target.
|
||||
Chain chain = 2;
|
||||
frostfs.v2.ape.Chain chain = 2;
|
||||
}
|
||||
|
||||
// The request's body.
|
||||
|
@ -95,7 +95,7 @@ message AddChainResponse {
|
|||
message RemoveChainRequest {
|
||||
message Body {
|
||||
// Target for which a rule chain is removed.
|
||||
ChainTarget target = 1;
|
||||
frostfs.v2.ape.ChainTarget target = 1;
|
||||
|
||||
// Chain ID assigned for the rule chain.
|
||||
bytes chain_id = 2;
|
||||
|
@ -135,7 +135,7 @@ message RemoveChainResponse {
|
|||
message ListChainsRequest {
|
||||
message Body {
|
||||
// Target for which rule chains are listed.
|
||||
ChainTarget target = 1;
|
||||
frostfs.v2.ape.ChainTarget target = 1;
|
||||
}
|
||||
|
||||
// The request's body.
|
||||
|
@ -154,7 +154,7 @@ message ListChainsRequest {
|
|||
message ListChainsResponse {
|
||||
message Body {
|
||||
// The list of chains defined for the reqeusted target.
|
||||
repeated Chain chains = 1;
|
||||
repeated frostfs.v2.ape.Chain chains = 1;
|
||||
}
|
||||
|
||||
// The response's body.
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
- Messages
|
||||
- [BearerToken](#neo.fs.v2.acl.BearerToken)
|
||||
- [BearerToken.Body](#neo.fs.v2.acl.BearerToken.Body)
|
||||
- [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride)
|
||||
- [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime)
|
||||
- [EACLRecord](#neo.fs.v2.acl.EACLRecord)
|
||||
- [EACLRecord.Filter](#neo.fs.v2.acl.EACLRecord.Filter)
|
||||
|
@ -57,10 +58,30 @@ container owner with additional information preventing token abuse.
|
|||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. |
|
||||
| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed.
|
||||
|
||||
Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead. |
|
||||
| owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. |
|
||||
| lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) | | Token expiration and valid time period parameters |
|
||||
| allow_impersonate | [bool](#bool) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. |
|
||||
| ape_override | [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride) | | APE override for the target. |
|
||||
|
||||
|
||||
<a name="neo.fs.v2.acl.BearerToken.Body.APEOverride"></a>
|
||||
|
||||
### Message BearerToken.Body.APEOverride
|
||||
APEOverride is the list of APE chains defined for a target.
|
||||
These chains are meant to serve as overrides to the already defined (or even undefined)
|
||||
APE chains for the target (see contract `Policy`).
|
||||
|
||||
The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
|
||||
to override chains for the target, preventing unauthorized access through the APE mechanism.
|
||||
|
||||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which chains are applied. |
|
||||
| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of APE chains. |
|
||||
|
||||
|
||||
<a name="neo.fs.v2.acl.BearerToken.Body.TokenLifetime"></a>
|
||||
|
|
88
proto-docs/ape.md
Normal file
88
proto-docs/ape.md
Normal file
|
@ -0,0 +1,88 @@
|
|||
# Protocol Documentation
|
||||
<a name="top"></a>
|
||||
|
||||
## Table of Contents
|
||||
|
||||
- [ape/types.proto](#ape/types.proto)
|
||||
|
||||
- Messages
|
||||
- [Chain](#frostfs.v2.ape.Chain)
|
||||
- [ChainTarget](#frostfs.v2.ape.ChainTarget)
|
||||
|
||||
|
||||
- [Scalar Value Types](#scalar-value-types)
|
||||
|
||||
|
||||
|
||||
<a name="ape/types.proto"></a>
|
||||
<p align="right"><a href="#top">Top</a></p>
|
||||
|
||||
## ape/types.proto
|
||||
|
||||
|
||||
<!-- end services -->
|
||||
|
||||
|
||||
<a name="frostfs.v2.ape.Chain"></a>
|
||||
|
||||
### Message Chain
|
||||
Chain is a chain of rules defined for a specific target.
|
||||
|
||||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| raw | [bytes](#bytes) | | Raw representation of a serizalized rule chain. |
|
||||
|
||||
|
||||
<a name="frostfs.v2.ape.ChainTarget"></a>
|
||||
|
||||
### Message ChainTarget
|
||||
ChainTarget is an object to which a rule chain is defined.
|
||||
|
||||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| type | [TargetType](#frostfs.v2.ape.TargetType) | | |
|
||||
| name | [string](#string) | | |
|
||||
|
||||
<!-- end messages -->
|
||||
|
||||
|
||||
<a name="frostfs.v2.ape.TargetType"></a>
|
||||
|
||||
### TargetType
|
||||
TargetType is a type target to which a rule chain is defined.
|
||||
|
||||
| Name | Number | Description |
|
||||
| ---- | ------ | ----------- |
|
||||
| UNDEFINED | 0 | |
|
||||
| NAMESPACE | 1 | |
|
||||
| CONTAINER | 2 | |
|
||||
| USER | 3 | |
|
||||
| GROUP | 4 | |
|
||||
|
||||
|
||||
<!-- end enums -->
|
||||
|
||||
|
||||
|
||||
## Scalar Value Types
|
||||
|
||||
| .proto Type | Notes | C++ Type | Java Type | Python Type |
|
||||
| ----------- | ----- | -------- | --------- | ----------- |
|
||||
| <a name="double" /> double | | double | double | float |
|
||||
| <a name="float" /> float | | float | float | float |
|
||||
| <a name="int32" /> int32 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
|
||||
| <a name="int64" /> int64 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
|
||||
| <a name="uint32" /> uint32 | Uses variable-length encoding. | uint32 | int | int/long |
|
||||
| <a name="uint64" /> uint64 | Uses variable-length encoding. | uint64 | long | int/long |
|
||||
| <a name="sint32" /> sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
|
||||
| <a name="sint64" /> sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
|
||||
| <a name="fixed32" /> fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
|
||||
| <a name="fixed64" /> fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
|
||||
| <a name="sfixed32" /> sfixed32 | Always four bytes. | int32 | int | int |
|
||||
| <a name="sfixed64" /> sfixed64 | Always eight bytes. | int64 | long | int/long |
|
||||
| <a name="bool" /> bool | | bool | boolean | boolean |
|
||||
| <a name="string" /> string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
|
||||
| <a name="bytes" /> bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |
|
||||
|
|
@ -22,13 +22,6 @@
|
|||
- [RemoveChainResponse.Body](#frostfs.v2.apemanager.RemoveChainResponse.Body)
|
||||
|
||||
|
||||
- [apemanager/types.proto](#apemanager/types.proto)
|
||||
|
||||
- Messages
|
||||
- [Chain](#frostfs.v2.apemanager.Chain)
|
||||
- [ChainTarget](#frostfs.v2.apemanager.ChainTarget)
|
||||
|
||||
|
||||
- [Scalar Value Types](#scalar-value-types)
|
||||
|
||||
|
||||
|
@ -128,8 +121,8 @@ Statuses:
|
|||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | A target for which a rule chain is added. |
|
||||
| chain | [Chain](#frostfs.v2.apemanager.Chain) | | The chain to set for the target. |
|
||||
| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | A target for which a rule chain is added. |
|
||||
| chain | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | | The chain to set for the target. |
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.AddChainResponse"></a>
|
||||
|
@ -177,7 +170,7 @@ Statuses:
|
|||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | Target for which rule chains are listed. |
|
||||
| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which rule chains are listed. |
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.ListChainsResponse"></a>
|
||||
|
@ -201,7 +194,7 @@ Statuses:
|
|||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| chains | [Chain](#frostfs.v2.apemanager.Chain) | repeated | The list of chains defined for the reqeusted target. |
|
||||
| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of chains defined for the reqeusted target. |
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.RemoveChainRequest"></a>
|
||||
|
@ -225,7 +218,7 @@ Statuses:
|
|||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | Target for which a rule chain is removed. |
|
||||
| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which a rule chain is removed. |
|
||||
| chain_id | [bytes](#bytes) | | Chain ID assigned for the rule chain. |
|
||||
|
||||
|
||||
|
@ -255,58 +248,6 @@ operation could not be performed is an error returning to a client.
|
|||
|
||||
|
||||
|
||||
<a name="apemanager/types.proto"></a>
|
||||
<p align="right"><a href="#top">Top</a></p>
|
||||
|
||||
## apemanager/types.proto
|
||||
|
||||
|
||||
<!-- end services -->
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.Chain"></a>
|
||||
|
||||
### Message Chain
|
||||
Chain is a chain of rules defined for a specific target.
|
||||
|
||||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| raw | [bytes](#bytes) | | Raw representation of a serizalized rule chain. |
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.ChainTarget"></a>
|
||||
|
||||
### Message ChainTarget
|
||||
ChainTarget is an object to which a rule chain is defined.
|
||||
|
||||
|
||||
| Field | Type | Label | Description |
|
||||
| ----- | ---- | ----- | ----------- |
|
||||
| type | [TargetType](#frostfs.v2.apemanager.TargetType) | | |
|
||||
| name | [string](#string) | | |
|
||||
|
||||
<!-- end messages -->
|
||||
|
||||
|
||||
<a name="frostfs.v2.apemanager.TargetType"></a>
|
||||
|
||||
### TargetType
|
||||
TargetType is a type target to which a rule chain is defined.
|
||||
|
||||
| Name | Number | Description |
|
||||
| ---- | ------ | ----------- |
|
||||
| UNDEFINED | 0 | |
|
||||
| NAMESPACE | 1 | |
|
||||
| CONTAINER | 2 | |
|
||||
| USER | 3 | |
|
||||
| GROUP | 4 | |
|
||||
|
||||
|
||||
<!-- end enums -->
|
||||
|
||||
|
||||
|
||||
## Scalar Value Types
|
||||
|
||||
| .proto Type | Notes | C++ Type | Java Type | Python Type |
|
||||
|
|