Factor out ACL middleware in object service #1052

New issue

Open

opened 2024-03-20 12:31:28 +00:00 by aarifullin · 0 comments

aarifullin commented 2024-03-20 12:31:28 +00:00

Member

Copy link

Since APE was introduced in object service, ACL is getting irrelevant to check request permissions.

For the context: if a container is created with zero-filled basic acl (--basic-acl 0), then hard ape check is performed and acl/eacl checks are skipped like here. Thus ACL/eACL checks can be disabled.

Still passing a request through ACL middleware is very important at least because of findRequestInfo. The method perfoms useful calculations that are passed within RequestContext (see how it is initialized). The formed request context is used in the next middleware (APE).
These steps should be borrowed from findRequestInfo:

• Check for session token expiration
• Assert verb
• Get request owner and classify its role
• Get container onwer
• Get namespace - very important
• Get sendery key
• questionable: Get bearer. Note that bearer token may set impersonate flag that means it should be wiped. Bearer token was used to retrieve eACL table
  These values apart from bearer token are already passsed within RequestContext.

So, it makes sense to not entirely nuke out ACL middleware but rename it to like common and refactor it:

• Remove all things related to acl/eacl checks (CheckBasicACL, CheckEACL etc.)
• Slightly refactor findRequestInfo method (see above)
• Keep session token checks
• Remove irrelevant files from the package

Since APE was introduced in object service, ACL is getting irrelevant to check request permissions. For the context: if a container is created with zero-filled basic acl (`--basic-acl 0`), then **hard** ape check is performed **and** `acl/eacl` checks are **skipped** like [here](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L460-L466). Thus ACL/eACL checks can be disabled. Still passing a request through ACL middleware is very important at least because of [findRequestInfo](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L733-L788). The method perfoms useful calculations that are passed within [RequestContext](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/request_context.go) (see how it is [initialized](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L114-L122)). The formed request context is used in the next middleware (APE). These steps should be borrowed from [findRequestInfo](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L733-L788): - Check for session token [expiration](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L739-L750) - [Assert verb](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L752-L754) - Get request owner and [classify its role](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L758-L765) - Get [container onwer](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L770) - Get [namespace](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L773-L776) - **very important** - Get [sendery key](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L780) - ~~*questionable*~~: Get [bearer](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/v2/service.go#L783). Note that bearer token may set `impersonate` flag that means it should be [wiped](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/master/pkg/services/object/acl/acl.go#L113-L115). *Bearer token was used to retrieve eACL table* These values apart from bearer token are already passsed within RequestContext. So, it makes sense to not entirely nuke out `ACL` middleware but rename it to like `common` and refactor it: - Remove all things related to acl/eacl checks (`CheckBasicACL`, `CheckEACL` etc.) - Slightly refactor `findRequestInfo` method (see above) - Keep session token checks - Remove irrelevant files from the package

aarifullin added the

discussion

frostfs-node

refactoring

labels 2024-03-20 12:31:28 +00:00

fyrchik added this to the v0.39.0 milestone 2024-04-05 13:34:17 +00:00

fyrchik modified the milestone from v0.39.0 to v0.40.0 2024-05-14 14:11:19 +00:00

fyrchik modified the milestone from v0.40.0 to v0.41.0 2024-06-01 09:19:45 +00:00

fyrchik modified the milestone from v0.41.0 to v0.42.0 2024-06-14 07:06:31 +00:00

fyrchik modified the milestone from v0.42.0 to v0.43.0 2024-07-23 06:34:41 +00:00

fyrchik modified the milestone from v0.43.0 to v0.44.0 2024-09-30 11:51:33 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.13

v0.44.0-rc.12

v0.44.0-rc.11

v0.42.16

v0.44.0-rc.10

v0.44.0-rc.9

v0.44.0-rc.8

v0.44.0-rc.7

v0.44.0-rc.6

v0.44.0-rc.5

v0.44.0-rc.4

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

v0.44.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#1052

No description provided.