[#9999] writer: Sign EC parts with node's private key
As EC put request may be processed only by container node, so sign requests with current node private to not to perform APE checks. Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
This commit is contained in:
parent
bc8d79ddf9
commit
28a0f66c4a
3 changed files with 23 additions and 2 deletions
|
@ -37,6 +37,8 @@ type ECWriter struct {
|
||||||
|
|
||||||
ObjectMeta object.ContentMeta
|
ObjectMeta object.ContentMeta
|
||||||
ObjectMetaValid bool
|
ObjectMetaValid bool
|
||||||
|
|
||||||
|
remoteRequestSignKey *ecdsa.PrivateKey
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error {
|
func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error {
|
||||||
|
@ -60,6 +62,14 @@ func (e *ECWriter) WriteObject(ctx context.Context, obj *objectSDK.Object) error
|
||||||
e.ObjectMetaValid = true
|
e.ObjectMetaValid = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
restoreTokens := e.CommonPrm.ForgetTokens()
|
||||||
|
defer restoreTokens()
|
||||||
|
// As request executed on container node, so sign request with container key.
|
||||||
|
e.remoteRequestSignKey, err = e.Config.KeyStorage.GetKey(nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
if obj.ECHeader() != nil {
|
if obj.ECHeader() != nil {
|
||||||
return e.writeECPart(ctx, obj)
|
return e.writeECPart(ctx, obj)
|
||||||
}
|
}
|
||||||
|
@ -338,7 +348,7 @@ func (e *ECWriter) writePartRemote(ctx context.Context, obj *objectSDK.Object, n
|
||||||
client.NodeInfoFromNetmapElement(&clientNodeInfo, node)
|
client.NodeInfoFromNetmapElement(&clientNodeInfo, node)
|
||||||
|
|
||||||
remoteTaget := remoteWriter{
|
remoteTaget := remoteWriter{
|
||||||
privateKey: e.Key,
|
privateKey: e.remoteRequestSignKey,
|
||||||
clientConstructor: e.Config.ClientConstructor,
|
clientConstructor: e.Config.ClientConstructor,
|
||||||
commonPrm: e.CommonPrm,
|
commonPrm: e.CommonPrm,
|
||||||
nodeInfo: clientNodeInfo,
|
nodeInfo: clientNodeInfo,
|
||||||
|
|
|
@ -14,6 +14,7 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/client"
|
||||||
netmapcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
|
netmapcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/network"
|
||||||
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object/util"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object_manager/placement"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/object_manager/placement"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/checksum"
|
||||||
|
@ -127,6 +128,8 @@ func TestECWriter(t *testing.T) {
|
||||||
|
|
||||||
ownerKey, err := keys.NewPrivateKey()
|
ownerKey, err := keys.NewPrivateKey()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
nodeKey, err := keys.NewPrivateKey()
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
pool, err := ants.NewPool(4, ants.WithNonblocking(true))
|
pool, err := ants.NewPool(4, ants.WithNonblocking(true))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -141,6 +144,7 @@ func TestECWriter(t *testing.T) {
|
||||||
RemotePool: pool,
|
RemotePool: pool,
|
||||||
Logger: log,
|
Logger: log,
|
||||||
ClientConstructor: clientConstructor{vectors: ns},
|
ClientConstructor: clientConstructor{vectors: ns},
|
||||||
|
KeyStorage: util.NewKeyStorage(&nodeKey.PrivateKey, nil, nil),
|
||||||
},
|
},
|
||||||
PlacementOpts: append(
|
PlacementOpts: append(
|
||||||
[]placement.Option{placement.UseBuilder(builder), placement.ForContainer(cnr)},
|
[]placement.Option{placement.UseBuilder(builder), placement.ForContainer(cnr)},
|
||||||
|
|
|
@ -100,11 +100,18 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) {
|
||||||
|
|
||||||
// ForgetTokens forgets all the tokens read from the request's
|
// ForgetTokens forgets all the tokens read from the request's
|
||||||
// meta information before.
|
// meta information before.
|
||||||
func (p *CommonPrm) ForgetTokens() {
|
func (p *CommonPrm) ForgetTokens() func() {
|
||||||
if p != nil {
|
if p != nil {
|
||||||
|
tk := p.token
|
||||||
|
br := p.bearer
|
||||||
p.token = nil
|
p.token = nil
|
||||||
p.bearer = nil
|
p.bearer = nil
|
||||||
|
return func() {
|
||||||
|
p.token = tk
|
||||||
|
p.bearer = br
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
return func() {}
|
||||||
}
|
}
|
||||||
|
|
||||||
func CommonPrmFromV2(req interface {
|
func CommonPrmFromV2(req interface {
|
||||||
|
|
Loading…
Reference in a new issue