* Introduce ContainerOwner field in RequestContext.
* Set ContainerOwner in aclv2 middleware.
* Set PropertyKeyContainerOwnerID for object ape request.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* Skip APE check if a role is Container.
* Skip APE check if a role is IR and methods are get-like.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
`fmt.Errorf can be replaced with errors.New` and `fmt.Sprintf can be replaced with string addition`
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
* Remove removed flag in service.proto for RemoveChainLocalOverrideResponse.
* Regenerate control API.
* Return error only if RemoveOverride returns non-NotFound code.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* If APE check returns NoRuleFound, then it is taken for request deny.
* Add more unit tests for ape container middleware.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* Soft APE check means that APE should allow request even
if it gets status NoRuleFound for a request. Otherwise,
it is interpreted as Deny.
* Soft APE check is performed if basic ACL mask is not set.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
It may be required to evacuate only objects or only tree or all, so
now it is possible to specify.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
We already provide the pool and this argument is used only for
preallocation. No functional changes.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
ContainersOf() is better in almost every aspect, besides creating a
session when the containers number is between 1024 and 2048 (prefetch
script does limited unwrapping). Making List() private helps to ensure
it is no longer used and can be safely removed in future.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
processObject() returns 3 types of errors: container not found errors,
could not get container error and placement vector building error. Every
error will occur for all objects in container simultaneously, so we can
log each error once and safely ignore the rest.
Signed-off-by: Ekaterina Lebedeva <ekaterina.lebedeva@yadro.com>
* Those methods that can access already existing containers and thus
can get container properties should read namespace from Zone
property. If Zone is not set, take a namespace for root.
* Otherwise, define namespaces by owner ID via frostfs-id contract.
* Improve unit-tests, consider more cases.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Previously, the check was in place only when session token was missing.
Format validator checks are applied only to fully-prepared object, so
this led to the following situation:
1. Object is put locally with malformed token, because there are no
checks.
2. Object cannot be replicated, because the token is malformed.
This is now fixed and token check is done before any payload receival.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
* Wrap all APE middleware errors in apeErr that
makes errors more explicit with status AccessDenied.
* Use denyingRuleErr for denying status from chain router.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>