[#118] Replace ACLs with polices in readme

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2024-06-24 16:54:55 +03:00 · 2024-06-24 16:54:55 +03:00 · 27478995b5
parent 3741e3b003
commit 27478995b5
1 changed files with 35 additions and 52 deletions
--- a/README.md
+++ b/README.md
@ -466,13 +466,13 @@ You can always upload files to public containers (open for anyone to put
 objects into), but for restricted containers you need to explicitly allow PUT
 operations for a request signed with your HTTP Gateway keys.

-If your don't want to manage gateway's secret keys and adjust eACL rules when
+If you don't want to manage gateway's secret keys and adjust policies when
 gateway configuration changes (new gate, key rotation, etc) or you plan to use
 public services, there is an option to let your application backend (or you) to
-issue Bearer Tokens ans pass them from the client via gate down to FrostFS level
+issue Bearer Tokens and pass them from the client via gate down to FrostFS level
 to grant access.

-FrostFS Bearer Token basically is a container owner-signed ACL data (refer to FrostFS
+FrostFS Bearer Token basically is a container owner-signed policy (refer to FrostFS
 documentation for more details). There are two options to pass them to gateway:
 * "Authorization" header with "Bearer" type and base64-encoded token in
   credentials field
@ -482,33 +482,31 @@ For example, you have a mobile application frontend with a backend part storing
 data in FrostFS. When a user authorizes in the mobile app, the backend issues a FrostFS
 Bearer token and provides it to the frontend. Then, the mobile app may generate
 some data and upload it via any available FrostFS HTTP Gateway by adding
-the corresponding header to the upload request. Accessing the ACL protected data
+the corresponding header to the upload request. Accessing policy protected data
 works the same way.

 ##### Example
-In order to generate a bearer token, you need to have wallet (which will be used to sign the token) and
-the address of the sender who will do the request to FrostFS (in our case, it's a gateway wallet address).
+In order to generate a bearer token, you need to have wallet (which will be used to sign the token)

-Suppose we have:
-* **NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3** (token owner (gateway address))
+1. Suppose you have a container with private policy for wallet key

-Firstly, we need to encode the container id and the sender address to base64 (now it's base58).
-So use **base58** and **base64** utils.
-
-1. Encoding token owner id:
 ```
-$ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64
-# output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==
+$ frostfs-cli container create -r <endpoint> --wallet <wallet> -policy <policy> --basic-acl 0 --await
+CID: 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z
+
+$ frostfs-cli ape-manager add -r <endpoint> --wallet <wallet> \
+  --target-type container --target-name 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z \
+  --rule "allow Object.* RequestCondition:"\$Actor:publicKey"=03b09baabff3f6107c7e9acb8721a6fc5618d45b50247a314d82e548702cce8cd5 *" \
+  --chain-id <chainID>
 ```

-2. Form a Bearer token (10000 is lifetime expiration in epoch) and save it to **bearer.json**:
+
+2. Form a Bearer token (10000 is lifetime expiration in epoch) to impersonate
+   HTTP Gateway request as wallet signed request and save it to **bearer.json**:
 ```
 {
    "body": {
        "allowImpersonate": true,
-        "ownerID": {
-            "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg=="
-        },
        "lifetime": {
            "exp": "10000",
            "nbf": "0",
@ -521,7 +519,7 @@ $ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64

 3. Sign it with the wallet:
 ```
-$ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w ./wallet.json
+$ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w <wallet>
 ```

 4. Encode to base64 to use in header:
@ -542,47 +540,32 @@ $ curl -F 'file=@cat.jpeg;filename=cat.jpeg' -H "Authorization: Bearer Ck4KKgoEC
 # }
 ```

-##### Note
-For the token to work correctly, you need to create a container with a basic ACL that:
-1. Allow PUT operation to others
-2. Doesn't set "final" bit
+##### Note: Bearer Token owner
+
+You can specify exact key who can use Bearer Token (gateway wallet address).
+To do this, encode wallet address in base64 format

-For example:
 ```
-$ frostfs-cli -w ./wallet.json --basic-acl 0x0FFFCFFF -r 192.168.130.72:8080 container create --policy "REP 3"  --await
+$ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64
+# output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==
 ```

-To deny access to a container without a token, set the eACL rules:
-```
-$ frostfs-cli -w ./wallet.json -r 192.168.130.72:8080 container set-eacl --table eacl.json --await --cid BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K
-```
-
-File **eacl.json**:
+Then specify this value in Bearer Token Json
 ```
 {
-    "version": {
-        "major": 0,
-        "minor": 0
-    },
-    "containerID": {
-        "value": "mRnZWzewzxjzIPa7Fqlfqdl3TM1KpJ0YnsXsEhafJJg="
-    },
-    "records": [
-        {
-            "operation": "PUT",
-            "action": "DENY",
-            "filters": [],
-            "targets": [
-                {
-                    "role": "OTHERS",
-                    "keys": []
-                }
-            ]
-        }
-    ]
-}
+    "body": {
+        "ownerID": {
+            "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg=="
+        },
+        ...
 ```

+##### Note: Policy override
+
+Instead of impersonation, you can define the set of policies that will be applied
+to the request sender. This allows to restrict access to specific operation and
+specific objects without giving full impersonation control to the token user.
+
 ### Metrics and Pprof

 If enabled, Prometheus metrics are available at `localhost:8084` endpoint