[#770] node: Introduce ape chain source

* Provide methods to access rule chains with access policy engine (APE) chain source * Initialize apeChainSource within object service initialization * Share apeChainSource with control service * Implement dummy apeChainSource instance based on in-memory implementation Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
2023-10-30 16:48:02 +03:00 · 2023-10-30 16:48:02 +03:00 · 5ec73fe8a0
parent 3a2c319b87
commit 5ec73fe8a0
8 changed files with 57 additions and 0 deletions
--- a/cmd/frostfs-node/config.go
+++ b/cmd/frostfs-node/config.go
@ -510,6 +510,11 @@ type cfgObject struct {

 	eaclSource container.EACLSource

+	// Access policy chain source is used by object service to
+	// check for operation permissions but this source is also shared with
+	// control service that dispatches local overrides.
+	apeChainSource container.AccessPolicyEngineChainSource
+
 	pool cfgObjectRoutines

 	cfgLocalStorage cfgLocalStorage
--- a/cmd/frostfs-node/control.go
+++ b/cmd/frostfs-node/control.go
@ -51,6 +51,7 @@ func initControlService(c *cfg) {
 		controlSvc.WithTreeService(treeSynchronizer{
 			c.treeService,
 		}),
+		controlSvc.WithAPEChainSource(c.cfgObject.apeChainSource),
 	)

 	lis, err := net.Listen("tcp", endpoint)
--- a/cmd/frostfs-node/object.go
+++ b/cmd/frostfs-node/object.go
@ -157,6 +157,8 @@ func initObjectService(c *cfg) {

 	c.replicator = createReplicator(c, keyStorage, c.bgClientCache)

+	c.cfgObject.apeChainSource = NewAPESource()
+
 	addPolicer(c, keyStorage, c.bgClientCache)

 	traverseGen := util.NewTraverserGenerator(c.netMapSource, c.cfgObject.cnrSource, c)
--- a/cmd/frostfs-node/policy_engine.go
+++ b/cmd/frostfs-node/policy_engine.go
@ -0,0 +1,28 @@
+package main
+
+import (
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+)
+
+type apeChainSourceImpl struct {
+	localChainStorage map[cid.ID]policyengine.CachedChainStorage
+}
+
+func NewAPESource() container.AccessPolicyEngineChainSource {
+	return &apeChainSourceImpl{
+		localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage),
+	}
+}
+
+var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
+
+func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) {
+	s, ok := c.localChainStorage[cid]
+	if ok {
+		return s, nil
+	}
+	c.localChainStorage[cid] = policyengine.NewInMemory()
+	return c.localChainStorage[cid], nil
+}
--- a/go.mod
+++ b/go.mod
@ -8,6 +8,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	github.com/cheggaaa/pb v1.0.29
 	github.com/chzyer/readline v1.5.1
--- a/go.sum
+++ b/go.sum
@ -736,6 +736,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432 h1:z0PqdiEIHXK2qC83e6pmxUZ5peP9CIL0Bh5mP/d+4Xc=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432/go.mod h1:qf3B9hSz6gCMfcfvqkhTu5ak+Gx2R+wo4Hc87LnKxPg=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
--- a/pkg/core/container/storage.go
+++ b/pkg/core/container/storage.go
@ -6,6 +6,7 @@ import (
 	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
 )

 // Container groups information about the FrostFS container stored in the FrostFS network.
@ -70,3 +71,10 @@ type EACLSource interface {
 	// eACL table is not in source.
 	GetEACL(cid.ID) (*EACL, error)
 }
+
+// AccessPolicyEngineChainSource interface provides methods to access and manipulate
+// policy engine chain storage.
+type AccessPolicyEngineChainSource interface {
+	// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
+	GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error)
+}
--- a/pkg/services/control/server/server.go
+++ b/pkg/services/control/server/server.go
@ -59,6 +59,8 @@ type cfg struct {

 	cnrSrc container.Source

+	apeChainSrc container.AccessPolicyEngineChainSource
+
 	replicator *replicator.Replicator

 	nodeState NodeState
@ -151,3 +153,11 @@ func WithTreeService(s TreeService) Option {
 		c.treeService = s
 	}
 }
+
+// WithAPEChainSource returns the option to set access policy engine
+// chain source.
+func WithAPEChainSource(apeChainSrc container.AccessPolicyEngineChainSource) Option {
+	return func(c *cfg) {
+		c.apeChainSrc = apeChainSrc
+	}
+}