[#180] Make separate basic ACL check for inner ring requests
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
parent
badfd1b6e5
commit
6f841e319d
2 changed files with 19 additions and 0 deletions
|
@ -53,6 +53,7 @@ type (
|
|||
requestInfo struct {
|
||||
basicACL basicACLHelper
|
||||
requestRole acl.Role
|
||||
isInnerRing bool
|
||||
operation acl.Operation // put, get, head, etc.
|
||||
owner *owner.ID // container owner
|
||||
|
||||
|
@ -491,6 +492,9 @@ func basicACLCheck(info requestInfo) bool {
|
|||
checkFn = info.basicACL.UserAllowed
|
||||
case acl.RoleSystem:
|
||||
checkFn = info.basicACL.SystemAllowed
|
||||
if info.isInnerRing {
|
||||
checkFn = info.basicACL.InnerRingAllowed
|
||||
}
|
||||
case acl.RoleOthers:
|
||||
checkFn = info.basicACL.OthersAllowed
|
||||
default:
|
||||
|
|
|
@ -121,6 +121,21 @@ func (a basicACLHelper) SystemAllowed(op eacl.Operation) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// InnerRingAllowed returns true if the operation is allowed by ACL for
|
||||
// InnerRing nodes, as part of System group.
|
||||
func (a basicACLHelper) InnerRingAllowed(op eacl.Operation) bool {
|
||||
switch op {
|
||||
case eacl.OperationSearch, eacl.OperationRangeHash, eacl.OperationHead:
|
||||
return true
|
||||
default:
|
||||
if n, ok := order[op]; ok {
|
||||
return isLeftBitSet(a, opOffset+n*bitsPerOp+bitSystem)
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// AllowSystem allows System group the n-th operation in ACL.
|
||||
func (a *basicACLHelper) AllowSystem(op eacl.Operation) {
|
||||
if n, ok := order[op]; ok {
|
||||
|
|
Loading…
Reference in a new issue