TrueCloudLab/frostfs-node
20
1
Fork 28
Code Issues 107 Pull requests 4 Projects Releases 2 Packages 4 Activity Actions 1

[#1574] container: Introduce debug logging for APE check failures
Some checks failed
DCO action / DCO (pull_request) Successful in 40s
Details
Vulncheck / Vulncheck (pull_request) Successful in 51s
Details
Tests and linters / Staticcheck (pull_request) Failing after 1m7s
Details
Pre-commit hooks / Pre-commit (pull_request) Successful in 1m25s
Details
Build / Build Components (pull_request) Successful in 1m27s
Details
Tests and linters / Tests (pull_request) Failing after 1m24s
Details
Tests and linters / Tests with -race (pull_request) Failing after 1m58s
Details
Tests and linters / gopls check (pull_request) Failing after 2m8s
Details
Tests and linters / Run gofumpt (pull_request) Successful in 2m50s
Details
Tests and linters / Lint (pull_request) Successful in 3m6s
Details

Browse source 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2025-02-25 16:27:47 +03:00
parent 6b2bce21d1
commit bd30e4838f
2 changed files with 28 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cmd/frostfs-node/container.go
View file

@ -56,7 +56,7 @@ func initContainerService(_ context.Context, c *cfg) {
) )
service := containerService.NewSignService( service := containerService.NewSignService(
&c.key.PrivateKey, &c.key.PrivateKey,
containerService.NewAPEServer(defaultChainRouter, cnrRdr, containerService.NewAPEServer(c.log, defaultChainRouter, cnrRdr,
newCachedIRFetcher(createInnerRingFetcher(c)), c.netMapSource, c.shared.frostfsidClient, newCachedIRFetcher(createInnerRingFetcher(c)), c.netMapSource, c.shared.frostfsidClient,
containerService.NewSplitterService( containerService.NewSplitterService(
c.cfgContainer.containerBatchSize, c.respSvc, c.cfgContainer.containerBatchSize, c.respSvc,

35
pkg/services/container/ape.go
View file

@ -12,10 +12,13 @@ import (
"net" "net"
"strings" "strings"
"git.frostfs.info/TrueCloudLab/frostfs-node/internal/logs"
aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request" aperequest "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/request"
containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container" containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid" frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap" "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/netmap"
apecommon "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/common/ape"
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing" "git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/container"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
@ -31,6 +34,7 @@ import (
commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common" commonschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"go.uber.org/zap"
"google.golang.org/grpc/peer" "google.golang.org/grpc/peer"
) )
@ -57,6 +61,7 @@ type containers interface {
} }
type apeChecker struct { type apeChecker struct {
logger *logger.Logger
router policyengine.ChainRouter router policyengine.ChainRouter
reader containers reader containers
ir ir ir ir
@ -67,8 +72,9 @@ type apeChecker struct {
next Server next Server
} }
func NewAPEServer(router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server { func NewAPEServer(logger *logger.Logger, router policyengine.ChainRouter, reader containers, ir ir, nm netmap.Source, frostFSIDClient frostfsidcore.SubjectProvider, srv Server) Server {
return &apeChecker{ return &apeChecker{
logger: logger,
router: router, router: router,
reader: reader, reader: reader,
ir: ir, ir: ir,
@ -172,7 +178,10 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co
return ac.next.List(ctx, req) return ac.next.List(ctx, req)
} }
return nil, apeErr(nativeschema.MethodListContainers, s) chRouterErr := apecommon.NewChainRouterError(rt, request, s)
ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
return nil, apeErr(chRouterErr)
} }
func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListStream) error { func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListStream) error {
@ -245,7 +254,10 @@ func (ac *apeChecker) ListStream(req *container.ListStreamRequest, stream ListSt
return ac.next.ListStream(req, stream) return ac.next.ListStream(req, stream)
} }
return apeErr(nativeschema.MethodListContainers, s) chRouterErr := apecommon.NewChainRouterError(rt, request, s)
ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
return apeErr(chRouterErr)
} }
func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) { func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*container.PutResponse, error) {
@ -318,7 +330,10 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont
return ac.next.Put(ctx, req) return ac.next.Put(ctx, req)
} }
return nil, apeErr(nativeschema.MethodPutContainer, s) chRouterErr := apecommon.NewChainRouterError(rt, request, s)
ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
return nil, apeErr(chRouterErr)
} }
func (ac *apeChecker) getRoleWithoutContainerID(ctx context.Context, oID *refs.OwnerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader) (string, *keys.PublicKey, error) { func (ac *apeChecker) getRoleWithoutContainerID(ctx context.Context, oID *refs.OwnerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader) (string, *keys.PublicKey, error) {
@ -400,8 +415,9 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
reqProps, reqProps,
) )
rt := policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups)
s, found, err := ac.router.IsAllowed(apechain.Ingress, s, found, err := ac.router.IsAllowed(apechain.Ingress,
policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), groups), rt,
request) request)
if err != nil { if err != nil {
return err return err
@ -411,12 +427,15 @@ func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, con
return nil return nil
} }
return apeErr(op, s) chRouterErr := apecommon.NewChainRouterError(rt, request, s)
ac.logger.Debug(ctx, logs.APECheckDeniedRequest, zap.Object("details", chRouterErr))
return apeErr(chRouterErr)
} }
func apeErr(operation string, status apechain.Status) error { func apeErr(err error) error {
errAccessDenied := &apistatus.ObjectAccessDenied{} errAccessDenied := &apistatus.ObjectAccessDenied{}
errAccessDenied.WriteReason(fmt.Sprintf("access to container operation %s is denied by access policy engine: %s", operation, status.String())) errAccessDenied.WriteReason(err.Error())
return errAccessDenied return errAccessDenied
} }