[#180] Make separate basic ACL check for inner ring requests

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2020-11-18 10:46:26 +03:00 · 2020-11-18 10:46:26 +03:00 · 6f841e319d
parent badfd1b6e5
commit 6f841e319d
2 changed files with 19 additions and 0 deletions
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@ -53,6 +53,7 @@ type (
 	requestInfo struct {
 		basicACL    basicACLHelper
 		requestRole acl.Role
+		isInnerRing bool
 		operation   acl.Operation // put, get, head, etc.
 		owner       *owner.ID     // container owner

@ -491,6 +492,9 @@ func basicACLCheck(info requestInfo) bool {
 		checkFn = info.basicACL.UserAllowed
 	case acl.RoleSystem:
 		checkFn = info.basicACL.SystemAllowed
+		if info.isInnerRing {
+			checkFn = info.basicACL.InnerRingAllowed
+		}
 	case acl.RoleOthers:
 		checkFn = info.basicACL.OthersAllowed
 	default:
--- a/pkg/services/object/acl/basic_helper.go
+++ b/pkg/services/object/acl/basic_helper.go
@ -121,6 +121,21 @@ func (a basicACLHelper) SystemAllowed(op eacl.Operation) bool {
 	return false
 }

+// InnerRingAllowed returns true if the operation is allowed by ACL for
+// InnerRing nodes, as part of System group.
+func (a basicACLHelper) InnerRingAllowed(op eacl.Operation) bool {
+	switch op {
+	case eacl.OperationSearch, eacl.OperationRangeHash, eacl.OperationHead:
+		return true
+	default:
+		if n, ok := order[op]; ok {
+			return isLeftBitSet(a, opOffset+n*bitsPerOp+bitSystem)
+		}
+
+		return false
+	}
+}
+
 // AllowSystem allows System group the n-th operation in ACL.
 func (a *basicACLHelper) AllowSystem(op eacl.Operation) {
 	if n, ok := order[op]; ok {