Couldn't use local override chain that was added to empty namespace #1073

Closed
opened 2024-04-03 09:49:47 +00:00 by dkirillov · 1 comment
Member

Expected Behavior

We can use "" empty namespace name for local overrides

Current Behavior

We can use empty namespace but we cannot list/delete/get policy that was added to such namespace

Possible Solution

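Update APE at least to 42497ad242 commit (https://git.frostfs.info/TrueCloudLab/policy-engine/commit/42497ad2424c76a625038ff2bfcc008733a5d59b)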

Steps to Reproduce (for bugs)

Test:

```golang
package repro // arbitrary package name for a standalone _test.go file

import (
	"context"
	"encoding/json"
	"fmt"
	"testing"

	rpcv2client "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
	nodeControl "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
	nodeControlSrv "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control/server"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
	engineiam "git.frostfs.info/TrueCloudLab/policy-engine/iam"
	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/stretchr/testify/require"
)

// TestName adds a chain to the "" namespace, then expects to list and remove it.
func TestName(t *testing.T) {
	// git.frostfs.info/TrueCloudLab/frostfs-node v0.38.2
	ctx := context.Background()

	key, err := keys.NewPrivateKeyFromWIF("KxDgvEKzgSBPPfuVfw67oPQBSjidEiqTHURKSDL1R7yGaGYAeYnr") // devenv key
	require.NoError(t, err)

	var controlCli client.Client
	controlCli.Init(client.PrmInit{Key: key.PrivateKey})
	err = controlCli.Dial(ctx, client.PrmDial{Endpoint: "s01.frostfs.devenv:8081"})
	require.NoError(t, err)

	policy := `{ "Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": "*","Action": "s3:PutObject","Resource":"*"}]}`

	var p engineiam.Policy
	err = json.Unmarshal([]byte(policy), &p)
	require.NoError(t, err)

	nativeChain, err := engineiam.ConvertToNativeChain(p, nil)
	require.NoError(t, err)
	nativeChain.ID = []byte("Test")

	// Add the chain as a local override for the empty namespace.
	err = putPolicy(&controlCli, key, "", nativeChain)
	require.NoError(t, err)

	// The chain just added must be visible through the same target.
	chains, err := listPolicies(&controlCli, key, "")
	require.NoError(t, err)
	require.Len(t, chains, 1)
	require.Equal(t, string(nativeChain.ID), string(chains[0].ID))

	err = removePolicy(&controlCli, key, "", nativeChain.ID)
	require.NoError(t, err)

	// After removal the namespace must have no local overrides left.
	chains, err = listPolicies(&controlCli, key, "")
	require.NoError(t, err)
	require.Empty(t, chains)
}

// putPolicy sends a signed AddChainLocalOverride request for the namespace target.
func putPolicy(cli *client.Client, key *keys.PrivateKey, namespace string, policyChain *chain.Chain) error {
	req := &nodeControl.AddChainLocalOverrideRequest{
		Body: &nodeControl.AddChainLocalOverrideRequest_Body{
			Target: &nodeControl.ChainTarget{
				Type: nodeControl.ChainTarget_NAMESPACE,
				Name: namespace,
			},
			Chain: policyChain.Bytes(),
		},
	}

	if err := nodeControlSrv.SignMessage(&key.PrivateKey, req); err != nil {
		return fmt.Errorf("sign msg for node control svc: %w", err)
	}

	return cli.ExecRaw(func(c *rpcv2client.Client) error {
		_, err := nodeControl.AddChainLocalOverride(c, req)
		return err
	})
}

// removePolicy sends a signed RemoveChainLocalOverride request for the given chain ID.
func removePolicy(cli *client.Client, key *keys.PrivateKey, namespace string, chainID chain.ID) error {
	req := &nodeControl.RemoveChainLocalOverrideRequest{
		Body: &nodeControl.RemoveChainLocalOverrideRequest_Body{
			Target: &nodeControl.ChainTarget{
				Type: nodeControl.ChainTarget_NAMESPACE,
				Name: namespace,
			},
			ChainId: []byte(chainID),
		},
	}

	if err := nodeControlSrv.SignMessage(&key.PrivateKey, req); err != nil {
		return fmt.Errorf("sign msg for node control svc: %w", err)
	}

	return cli.ExecRaw(func(c *rpcv2client.Client) error {
		_, err := nodeControl.RemoveChainLocalOverride(c, req)
		return err
	})
}

// listPolicies sends a signed ListChainLocalOverrides request and decodes the returned chains.
func listPolicies(cli *client.Client, key *keys.PrivateKey, namespace string) ([]chain.Chain, error) {
	req := &nodeControl.ListChainLocalOverridesRequest{
		Body: &nodeControl.ListChainLocalOverridesRequest_Body{
			Target: &nodeControl.ChainTarget{
				Type: nodeControl.ChainTarget_NAMESPACE,
				Name: namespace,
			},
		},
	}

	if err := nodeControlSrv.SignMessage(&key.PrivateKey, req); err != nil {
		return nil, fmt.Errorf("sign msg for node control svc: %w", err)
	}

	var list []chain.Chain
	err := cli.ExecRaw(func(c *rpcv2client.Client) error {
		res, inErr := nodeControl.ListChainLocalOverrides(c, req)
		if inErr != nil {
			return inErr
		}

		list = make([]chain.Chain, len(res.GetBody().GetChains()))
		for i, raw := range res.GetBody().GetChains() {
			if inErr = list[i].DecodeBytes(raw); inErr != nil {
				return inErr
			}
		}

		return nil
	})

	return list, err
}
```

Context

In IAM we cannot manage native policies because of this issue.

Regression

Probably yes

Your Environment

  • Version used: v0.38.2
  • Server setup and configuration: devenv
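
The round trip from the test above, as an added example against a toy in-memory store (not frostfs-node or policy-engine code). `memStore`, `skewed`, the `<default>` key and `CheckRoundTrip` are hypothetical, and the read/write key mismatch is an assumed cause chosen only to reproduce the reported symptom: the chain added under `""` stays stored but cannot be listed or removed.

```go
package main

import "fmt"

// memStore is a constructed toy store keyed by {namespace, chain ID}.
type memStore struct {
	chains map[[2]string]bool
	skewed bool // assumed defect: reads map "" to a key that writes never use
}

func newStore(skewed bool) *memStore { return &memStore{map[[2]string]bool{}, skewed} }

// key is the namespace key used by the read paths (List, Remove).
func (s *memStore) key(ns string) string {
	if s.skewed && ns == "" {
		return "<default>"
	}
	return ns
}

func (s *memStore) Add(ns, id string) { s.chains[[2]string{ns, id}] = true }

func (s *memStore) List(ns string) (ids []string) {
	for k := range s.chains {
		if k[0] == s.key(ns) {
			ids = append(ids, k[1])
		}
	}
	return ids
}

func (s *memStore) Remove(ns, id string) error {
	if k := [2]string{s.key(ns), id}; s.chains[k] {
		delete(s.chains, k)
		return nil
	}
	return fmt.Errorf("chain %q not found in namespace %q", id, ns)
}

// CheckRoundTrip returns the namespaces where add -> list -> remove -> list breaks.
func CheckRoundTrip(s *memStore, namespaces []string) (failed []string) {
	for _, ns := range namespaces {
		s.Add(ns, "Test")
		listed := len(s.List(ns)) == 1
		removed := s.Remove(ns, "Test") == nil
		if !listed || !removed || len(s.List(ns)) != 0 {
			failed = append(failed, fmt.Sprintf("%q", ns))
		}
	}
	return failed
}

func main() { fmt.Println(CheckRoundTrip(newStore(true), []string{"", "ns1"})) }
```

Running the same check over every namespace name the deployment accepts, `""` included, catches an override that is enforced but invisible to list and remove.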
dkirillov added the bug, triage labels 2024-04-03 09:49:47 +00:00
fyrchik added this to the v0.38.3 milestone 2024-04-04 08:01:59 +00:00
aarifullin was assigned by fyrchik 2024-04-04 08:02:05 +00:00
fyrchik added frostfs-node and removed triage labels 2024-04-04 08:02:17 +00:00
fyrchik modified the milestone from v0.38.3 to v0.38.4 2024-04-04 10:28:50 +00:00
fyrchik modified the milestone from v0.38.4 to v0.38.5 2024-04-10 07:04:36 +00:00
fyrchik modified the milestone from v0.38.5 to v0.38.6 2024-05-02 07:35:51 +00:00
fyrchik modified the milestone from v0.38.6 to v0.39.0 2024-05-02 11:42:42 +00:00
fyrchik modified the milestone from v0.39.0 to v0.40.0 2024-05-14 14:05:22 +00:00
fyrchik modified the milestone from v0.40.0 to v0.41.0 2024-06-01 09:19:44 +00:00
fyrchik modified the milestone from v0.41.0 to v0.42.0 2024-06-14 07:06:25 +00:00
Member

I believe the error (that's related to inmem implementation) was already fixed.

```bash
storage_wallet='/home/aarifullin/ws/frostfs-dev-env/services/storage/wallet01.json';
neo-go wallet export -w $storage_wallet -d NejLbQpojKJWec4NQRMBhzsrmCyhXfGJJe
#Kwk6k2eC3L3QuPvD8aiaNyoSXgQ2YL1bwS5CP1oKoA9waeAze97s
```

Tried with

```golang
key, err := keys.NewPrivateKeyFromWIF("Kwk6k2eC3L3QuPvD8aiaNyoSXgQ2YL1bwS5CP1oKoA9waeAze97s") // devenv key
```

and it passed with OK

Reference: TrueCloudLab/frostfs-node#1073