node: Add APE chains to Bearer token #1157

Merged
fyrchik merged 4 commits from acid-ant/frostfs-node:feature/bearer-token-ape into master 2024-06-07 12:11:23 +00:00
Collaborator

Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
acid-ant added 5 commits 2024-06-03 13:19:32 +00:00
03b171bdfe [#xx] go.mod: Update sdk version
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
f8b4e7fb8d [#xx] ape: Introduce single-run chain router
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
d5f23cca46 [#xx] object: Make APE checker use Bearer-token's APE overrides
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
08b75ecf82 [#xx] tree: Make tree service use Bearer token's APE overrides
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
1ab3313199 [#xx] cli: Support adding APE overrides to Bearer token
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Build / Build Components (1.21) (pull_request) Failing after 2m1s
Build / Build Components (1.22) (pull_request) Failing after 2m20s
DCO action / DCO (pull_request) Failing after 2m27s
Tests and linters / Tests with -race (pull_request) Failing after 3m13s
Pre-commit hooks / Pre-commit (pull_request) Failing after 3m48s
Vulncheck / Vulncheck (pull_request) Failing after 3m21s
Tests and linters / Tests (1.22) (pull_request) Failing after 3m50s
Tests and linters / Tests (1.21) (pull_request) Failing after 4m4s
Tests and linters / Staticcheck (pull_request) Failing after 4m17s
Tests and linters / gopls check (pull_request) Failing after 5m40s
Tests and linters / Lint (pull_request) Failing after 6m51s
acid-ant force-pushed feature/bearer-token-ape from 1ab3313199 to e098554c4c 2024-06-03 13:22:23 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from e098554c4c to 243c09aaf8 2024-06-04 07:24:50 +00:00 Compare
Poster
Collaborator

Test case:

- Create container:
```
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml container create --policy 'EC 3.1 IN X CBF 1 SELECT 4 FROM * AS X' --await --basic-acl public-read-write
CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia
awaiting...
container has been persisted on sidechain
```
- Generate `APE` override for `Bearer` token
```
$ frostfs-cli bearer generate-ape-override --chain-id AllowPut --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --rule "deny Object.Put *" --output bearer_ape.json
Parsed chain:
Chain ID: AllowPut
     HEX: 416c6c6f77507574
Rules:

	Status: Access denied
	Any: false
	Conditions:
	Actions:	Inverted:false
		PutObject
	Resources:	Inverted:false
		native:object/*
```
- Create `Bearer` token and sign
```
$ frostfs-cli bearer create --ape bearer_ape.json --expire-at 1000 --json --out bearer.json --owner NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM -w wallets/wallet.json -r s01.frostfs.devenv:8080
$ frostfs-cli util sign bearer-token -w wallets/wallet.json --from bearer.json --json --to bearer-sign.json
Enter password >
signed bearer token was successfully dumped to bearer-sign.json
```
- Try to put object without token
```
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m
...
[/tmp/object.sample.dev] Object successfully stored
  OID: 9o62JQDRF2WKmL38p2ca6QHndZQEYVQrk8miSh2C8NvH
  CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia
```
- Try to put with `deny` rule
```
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m --bearer bearer-sign.json
...
rpc error: client failure: status: code = 2048 message = access to object operation denied: ape denied request: bearer token: method PutObject: Access denied
```
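The test case above shows the effect of the override end to end (a public-read-write container accepts the put without a token, while the same put presented with a bearer token that carries a `deny Object.Put *` chain is refused). To make the evaluation behind that result concrete, here is an added Go example; it is not code from frostfs-node or its policy engine. It models the chain exactly as the CLI printed it (chain ID `AllowPut`, one rule with status "Access denied", action `PutObject`, resource `native:object/*`, no conditions) and a simplified single-run router. The type and function names (`Chain`, `Rule`, `Names`, `SingleRunRouter`, `BearerOverride`), the trailing-`*` glob matching, the "first matching rule decides a chain" and "any denying chain wins over allowing chains" semantics, and the omission of conditions are all assumptions made for illustration. The request resource strings are constructed from the container ID in the test case.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Status is the outcome of evaluating a request; the names are ours, chosen to
// mirror the "Status: Access denied" line the CLI printed.
type Status int

const (
	NoRuleFound Status = iota // no rule in any chain matched the request
	Allow
	Deny
)

func (s Status) String() string {
	switch s {
	case Allow:
		return "Access allowed"
	case Deny:
		return "Access denied"
	default:
		return "No rule found"
	}
}

// Names is a list of action or resource patterns plus the "Inverted" flag the
// CLI printed next to Actions and Resources (assumption: inverted means
// "matches everything except the listed names").
type Names struct {
	Inverted bool
	Names    []string
}

// Rule pairs a status with the actions and resources it applies to. Conditions
// are omitted because the chain in the test case has none.
type Rule struct {
	Status    Status
	Actions   Names
	Resources Names
}

// Chain is an ordered list of rules identified by a string ID.
type Chain struct {
	ID    string
	Rules []Rule
}

// Request is the (action, resource) pair the checker evaluates.
type Request struct {
	Action   string
	Resource string
}

// matchOne implements the only glob form used here: an optional trailing '*'
// matches any suffix; otherwise the pattern must equal the value exactly.
func matchOne(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// Matches reports whether value is covered by the list, honouring Inverted.
func (n Names) Matches(value string) bool {
	matched := false
	for _, p := range n.Names {
		if matchOne(p, value) {
			matched = true
			break
		}
	}
	return matched != n.Inverted
}

// Evaluate returns the status of the first rule that matches the request.
func (c Chain) Evaluate(r Request) Status {
	for _, rule := range c.Rules {
		if rule.Actions.Matches(r.Action) && rule.Resources.Matches(r.Resource) {
			return rule.Status
		}
	}
	return NoRuleFound
}

// SingleRunRouter evaluates every chain exactly once. A denying chain ends the
// run immediately (deny wins); otherwise the first allowing chain decides.
// It returns the status and the ID of the chain that produced it.
func SingleRunRouter(chains []Chain, r Request) (Status, string) {
	result, decidedBy := NoRuleFound, ""
	for _, c := range chains {
		switch c.Evaluate(r) {
		case Deny:
			return Deny, c.ID
		case Allow:
			if result == NoRuleFound {
				result, decidedBy = Allow, c.ID
			}
		}
	}
	return result, decidedBy
}

// ChainIDHex reproduces the "HEX:" line the CLI printed for the chain ID.
func ChainIDHex(id string) string { return hex.EncodeToString([]byte(id)) }

// BearerOverride is the chain from the test case, constructed inline.
func BearerOverride() Chain {
	return Chain{ID: "AllowPut", Rules: []Rule{{
		Status:    Deny,
		Actions:   Names{Names: []string{"PutObject"}},
		Resources: Names{Names: []string{"native:object/*"}},
	}}}
}

func main() {
	// Constructed resources under the container from the test case.
	const cid = "5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia"
	chains := []Chain{BearerOverride()}
	for _, req := range []Request{
		{Action: "PutObject", Resource: "native:object/" + cid + "/*"},
		{Action: "GetObject", Resource: "native:object/" + cid + "/*"},
	} {
		st, by := SingleRunRouter(chains, req)
		fmt.Printf("%s on %s -> %s (chain %q)\n", req.Action, req.Resource, st, by)
	}
	fmt.Println("HEX:", ChainIDHex("AllowPut"))
}
```

Running it shows `PutObject` denied by chain `AllowPut` and `GetObject` left undecided by the token, which is the property worth keeping in mind when handing out such tokens: a token whose override contains only deny rules can narrow what its holder may do, and with deny-wins routing it narrows it regardless of what other chains allow.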
acid-ant requested review from storage-core-committers 2024-06-04 08:01:13 +00:00
acid-ant requested review from storage-core-developers 2024-06-04 08:01:14 +00:00
acid-ant changed title from WIP: Add `APE` chains to `Bearer` token to node: Add `APE` chains to `Bearer` token 2024-06-04 08:01:24 +00:00
dstepanov-yadro requested changes 2024-06-04 09:13:09 +00:00
@ -41,3 +49,4 @@
func init() {
createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table (mutually exclusive with --impersonate flag)")
createCmd.Flags().StringP(apeFlag, "a", "", "Path to the JSON-encoded APE override (mutually exclusive with --impersonate flag)")

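Review bot: the help string for `apeFlag` names only `--impersonate` as mutually exclusive, but an APE override and an eACL table are alternatives too, so the description should read `"Path to the JSON-encoded APE override (mutually exclusive with --impersonate and --eacl flags)"`, and the `eaclFlag` line above it should likewise mention `--ape`. Users rely on the help text to learn which of the two authorization inputs will be honoured; stating the exclusivity in both places avoids a token created with both supplied and one of them silently ignored.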
mutually exclusive with --impersonate and --eacl flags
Poster
Collaborator

Fixed.
dstepanov-yadro marked this conversation as resolved
go.mod Outdated
@ -2,6 +2,8 @@ module git.frostfs.info/TrueCloudLab/frostfs-node
go 1.21
replace git.frostfs.info/TrueCloudLab/frostfs-sdk-go => git.frostfs.info/acid-ant/frostfs-sdk-go v0.0.0-20240604071707-21f327e8dc64

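Review bot: the `replace` directive pins `git.frostfs.info/TrueCloudLab/frostfs-sdk-go` to a personal fork (`git.frostfs.info/acid-ant/frostfs-sdk-go`) at pseudo-version `v0.0.0-20240604071707-21f327e8dc64`; that is a local development override and should not be merged, since it changes which SDK sources every build of the node pulls and bypasses the upstream module. Drop the `replace` line and bump the `require` entry for the SDK to a released upstream version once the SDK side of this change lands.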
debugee
Poster
Collaborator

Removed.
dstepanov-yadro marked this conversation as resolved
acid-ant force-pushed feature/bearer-token-ape from 243c09aaf8 to 68d8761b24 2024-06-04 09:19:20 +00:00 Compare
achuprov reviewed 2024-06-04 09:21:46 +00:00
@ -0,0 +28,4 @@
outputFlag = "output"
)
var genereateAPEOverrideCmd = &cobra.Command{
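Review bot: `genereateAPEOverrideCmd` on the last line is misspelled; rename it to `generateAPEOverrideCmd` together with every reference to it so the command variable matches the `generate-ape-override` subcommand it defines.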
Collaborator

Typo in genereateAPEOverrideCmd
Poster
Collaborator

Fixed.
achuprov marked this conversation as resolved
dstepanov-yadro approved these changes 2024-06-04 11:22:26 +00:00
acid-ant force-pushed feature/bearer-token-ape from 68d8761b24 to 0838b108b5 2024-06-04 12:18:41 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from 0838b108b5 to a2b8832010 2024-06-04 14:07:07 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from a2b8832010 to 1589b2e7bd 2024-06-06 06:18:17 +00:00 Compare
fyrchik approved these changes 2024-06-07 07:49:13 +00:00
achuprov approved these changes 2024-06-07 08:37:20 +00:00
fyrchik merged commit a0c588263b into master 2024-06-07 12:11:21 +00:00
Reference: TrueCloudLab/frostfs-node#1157