[#1039] object: Skip APE check for certain request roles

* Skip APE check if a role is Container. * Skip APE check if a role is IR and methods are get-like. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2024-03-12 15:09:55 +03:00 · 2024-03-12 15:09:55 +03:00 · 5c252c9193
parent b4cb54e7ed
commit 5c252c9193
1 changed files with 16 additions and 0 deletions
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@ -10,6 +10,7 @@ import (
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 )

 type checkerImpl struct {
@ -56,6 +57,21 @@ var errMissingOID = errors.New("object ID is not set")
 // CheckAPE checks if a request or a response is permitted creating an ape request and passing
 // it to chain router.
 func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
+	// APE check is ignored for some inter-node requests.
+	if prm.Role == nativeschema.PropertyValueContainerRoleContainer {
+		return nil
+	} else if prm.Role == nativeschema.PropertyValueContainerRoleIR {
+		switch prm.Method {
+		case nativeschema.MethodGetObject,
+			nativeschema.MethodHeadObject,
+			nativeschema.MethodSearchObject,
+			nativeschema.MethodRangeObject,
+			nativeschema.MethodHashObject:
+			return nil
+		default:
+		}
+	}
+
 	r, err := c.newAPERequest(ctx, prm)
 	if err != nil {
 		return fmt.Errorf("failed to create ape request: %w", err)