APE access to receive specific object from specific container #1101

New Issue

Closed

opened 2024-04-19 11:24:52 +00:00 by alexvanin · 1 comment

alexvanin commented

2024-04-19 11:24:52 +00:00

Owner

I got this APE rule set by S3 Gateway

([]*chain.Chain) (len=2 cap=2) {                                                                   
 (*chain.Chain)(0xc001193580)({                                                                    
  ID: (chain.ID) (len=43 cap=43) {                                                                 
   00000000  69 6e 67 72 65 73 73 3a  62 6b 74 28 d9 8b af 8e  |ingress:bkt(....|                  
   00000010  6c a8 d1 2e 76 3a 73 27  b1 91 98 9f ff 5d 0d 49  |l...v:s'.....].I|
   00000020  08 34 b4 8b 94 a0 fd 7c  14 b2 2f                 |.4.....|../|                       
  },                                                                                               
  Rules: ([]chain.Rule) (len=1 cap=1) {                                                            
   (chain.Rule) {                                                                                  
    Status: (chain.Status) Allowed,                                                                
    Actions: (chain.Actions) {                                                   
     Inverted: (bool) false,                                                                       
     Names: ([]string) (len=6 cap=6) {                                                             
      (string) (len=12) "GetContainer",                                          
      (string) (len=9) "GetObject",                                                                
      (string) (len=10) "HeadObject",                                                              
      (string) (len=12) "SearchObject",                                          
      (string) (len=11) "RangeObject",                                                             
      (string) (len=10) "HashObject"
     }
    },
    Resources: (chain.Resources) {
     Inverted: (bool) false,
     Names: ([]string) (len=2 cap=2) {
      (string) (len=61) "native:object//3kThyGz5pBKiWMBWMCufnCB77BaUyLqjLd8JBYX5TXhQ/*",
      (string) (len=62) "native:container//3kThyGz5pBKiWMBWMCufnCB77BaUyLqjLd8JBYX5TXhQ"
     }
    },
    Any: (bool) false,
    Condition: ([]chain.Condition) (len=2 cap=2) {
     (chain.Condition) {
      Op: (chain.ConditionType) StringEquals,
      Object: (chain.ObjectType) 1,
      Key: (string) (len=16) "$Actor:publicKey",
      Value: (string) (len=66) "0212f413f56c7da16102f721b4e3c7302efb35013e2291e28a1b58ce28ec1117c4"
     },
     (chain.Condition) {
      Op: (chain.ConditionType) StringLike,
      Object: (chain.ObjectType) 0,
      Key: (string) (len=8) "FilePath",
      Value: (string) (len=7) "cat.jpg"
     }
    }
   }
  },
  MatchType: (chain.MatchType) 0
 }),

To access cat.jpg, S3 Gateway uses tree service and object service (head / get object). Requests contain bearer token with impersonate flag, signed by 0212f413f56c7da16102f721b4e3c7302efb35013e2291e28a1b58ce28ec1117c4 public key.

Expected Behavior

Access is granted.

Current Behavior

Access is denied due to several issues:

Tree service denies request because FilePath attribute is not passed to request context.
Object service denies Head request.

Possible Solution

Steps to Reproduce (for bugs)

Create private bucket in S3 Gateway
Attach bucket policy

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam:::user/catvisitor"
         },
         "Action": [
            "s3:GetObject"
         ],
         "Resource": "arn:aws:s3:::private-cat-stor/cat.jpg"
      }
   ]
}

Regression

Your Environment

frostfs-node v0.38.5
frostfs-s3-gw v0.29.0-rc.7

/cc @fyrchik, @dkirillov

I got this APE rule set by S3 Gateway ``` ([]*chain.Chain) (len=2 cap=2) { (*chain.Chain)(0xc001193580)({ ID: (chain.ID) (len=43 cap=43) { 00000000 69 6e 67 72 65 73 73 3a 62 6b 74 28 d9 8b af 8e |ingress:bkt(....| 00000010 6c a8 d1 2e 76 3a 73 27 b1 91 98 9f ff 5d 0d 49 |l...v:s'.....].I| 00000020 08 34 b4 8b 94 a0 fd 7c 14 b2 2f |.4.....|../| }, Rules: ([]chain.Rule) (len=1 cap=1) { (chain.Rule) { Status: (chain.Status) Allowed, Actions: (chain.Actions) { Inverted: (bool) false, Names: ([]string) (len=6 cap=6) { (string) (len=12) "GetContainer", (string) (len=9) "GetObject", (string) (len=10) "HeadObject", (string) (len=12) "SearchObject", (string) (len=11) "RangeObject", (string) (len=10) "HashObject" } }, Resources: (chain.Resources) { Inverted: (bool) false, Names: ([]string) (len=2 cap=2) { (string) (len=61) "native:object//3kThyGz5pBKiWMBWMCufnCB77BaUyLqjLd8JBYX5TXhQ/*", (string) (len=62) "native:container//3kThyGz5pBKiWMBWMCufnCB77BaUyLqjLd8JBYX5TXhQ" } }, Any: (bool) false, Condition: ([]chain.Condition) (len=2 cap=2) { (chain.Condition) { Op: (chain.ConditionType) StringEquals, Object: (chain.ObjectType) 1, Key: (string) (len=16) "$Actor:publicKey", Value: (string) (len=66) "0212f413f56c7da16102f721b4e3c7302efb35013e2291e28a1b58ce28ec1117c4" }, (chain.Condition) { Op: (chain.ConditionType) StringLike, Object: (chain.ObjectType) 0, Key: (string) (len=8) "FilePath", Value: (string) (len=7) "cat.jpg" } } } }, MatchType: (chain.MatchType) 0 }), ``` To access `cat.jpg`, S3 Gateway uses tree service and object service (head / get object). Requests contain bearer token with `impersonate` flag, signed by `0212f413f56c7da16102f721b4e3c7302efb35013e2291e28a1b58ce28ec1117c4` public key. ## Expected Behavior Access is granted. ## Current Behavior Access is denied due to several issues: 1) Tree service denies request because `FilePath` attribute is not passed to request context. 2) Object service denies Head request. ## Possible Solution ## Steps to Reproduce (for bugs) 1. Create private bucket in S3 Gateway 2. Attach bucket policy ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam:::user/catvisitor" }, "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::private-cat-stor/cat.jpg" } ] } ``` ## Regression No ## Your Environment frostfs-node v0.38.5 frostfs-s3-gw v0.29.0-rc.7 /cc @fyrchik, @dkirillov