TrueCloudLab/frostfs-node
20
1
Fork 27
Code Issues 105 Pull requests 11 Projects Releases 2 Activity Actions

node: Add APE chains to Bearer token #1157

Merged
fyrchik merged 4 commits from acid-ant/frostfs-node:feature/bearer-token-ape into master 2024-06-07 12:11:23 +00:00
Conversation 1 Commits 4 Files changed 14 +669 -183
acid-ant commented 2024-06-03 13:19:28 +00:00
Member
Copy link

Signed-off-by: Anton Nikiforov an.nikiforov@yadro.com

Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
acid-ant force-pushed feature/bearer-token-ape from 1ab3313199 to e098554c4c 2024-06-03 13:22:23 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from e098554c4c to 243c09aaf8 2024-06-04 07:24:50 +00:00 Compare
acid-ant commented 2024-06-04 08:00:26 +00:00
Author
Member
Copy link

Test case:

  • Create container:
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml container create --policy 'EC 3.1 IN X CBF 1 SELECT 4 FROM * AS X' --await --basic-acl public-read-write
CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia
awaiting...
container has been persisted on sidechain
  • Generate APE override for Bearer token
$ frostfs-cli bearer generate-ape-override --chain-id AllowPut --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --rule "deny Object.Put *" --output bearer_ape.json
Parsed chain:
Chain ID: AllowPut
     HEX: 416c6c6f77507574
Rules:

	Status: Access denied
	Any: false
	Conditions:
	Actions:	Inverted:false
		PutObject
	Resources:	Inverted:false
		native:object/*
  • Create Bearer token and sign
$ frostfs-cli bearer create --ape bearer_ape.json --expire-at 1000 --json --out bearer.json --owner NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM -w wallets/wallet.json -r s01.frostfs.devenv:8080
$ frostfs-cli util sign bearer-token -w wallets/wallet.json --from bearer.json --json --to bearer-sign.json
Enter password > 
signed bearer token was successfully dumped to bearer-sign.json
  • Try to put object without token
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m
...
[/tmp/object.sample.dev] Object successfully stored
  OID: 9o62JQDRF2WKmL38p2ca6QHndZQEYVQrk8miSh2C8NvH
  CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia
  • Try to put with deny rule
$ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m --bearer bearer-sign.json 
...
rpc error: client failure: status: code = 2048 message = access to object operation denied: ape denied request: bearer token: method PutObject: Access denied
Test case: - Create container: ``` $ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml container create --policy 'EC 3.1 IN X CBF 1 SELECT 4 FROM * AS X' --await --basic-acl public-read-write CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia awaiting... container has been persisted on sidechain ``` - Generate `APE` override for `Bearer` token ``` $ frostfs-cli bearer generate-ape-override --chain-id AllowPut --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --rule "deny Object.Put *" --output bearer_ape.json Parsed chain: Chain ID: AllowPut HEX: 416c6c6f77507574 Rules: Status: Access denied Any: false Conditions: Actions: Inverted:false PutObject Resources: Inverted:false native:object/* ``` - Create `Bearer` token and sign ``` $ frostfs-cli bearer create --ape bearer_ape.json --expire-at 1000 --json --out bearer.json --owner NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM -w wallets/wallet.json -r s01.frostfs.devenv:8080 $ frostfs-cli util sign bearer-token -w wallets/wallet.json --from bearer.json --json --to bearer-sign.json Enter password > signed bearer token was successfully dumped to bearer-sign.json ``` - Try to put object without token ``` $ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m ... [/tmp/object.sample.dev] Object successfully stored OID: 9o62JQDRF2WKmL38p2ca6QHndZQEYVQrk8miSh2C8NvH CID: 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia ``` - Try to put with `deny` rule ``` $ frostfs-cli -r s01.frostfs.devenv:8080 -c cfg.yml object put --cid 5Lj6D4Y5ntAhxukEh5bnFPHYfiA66K4YRvRW7GoRTNia --file /tmp/object.sample.dev --timeout 20m --bearer bearer-sign.json ... rpc error: client failure: status: code = 2048 message = access to object operation denied: ape denied request: bearer token: method PutObject: Access denied ```
requested reviews from storage-core-committers, storage-core-developers 2024-06-04 08:01:14 +00:00
acid-ant changed title from WIP: Add APE chains to Bearer token to node: Add APE chains to Bearer token 2024-06-04 08:01:24 +00:00
dstepanov-yadro requested changes 2024-06-04 09:13:09 +00:00
cmd/frostfs-cli/modules/bearer/create.go Outdated
@ -41,3 +49,4 @@
func init() {
createCmd.Flags().StringP(eaclFlag, "e", "", "Path to the extended ACL table (mutually exclusive with --impersonate flag)")
createCmd.Flags().StringP(apeFlag, "a", "", "Path to the JSON-encoded APE override (mutually exclusive with --impersonate flag)")
dstepanov-yadro commented 2024-06-04 09:07:43 +00:00
Member
Copy link

mutually exclusive with --impersonate and --eacl flags

`mutually exclusive with --impersonate and --eacl flags`
acid-ant commented 2024-06-04 11:18:32 +00:00
Author
Member
Copy link

Fxied.

Fxied.
dstepanov-yadro marked this conversation as resolved
go.mod Outdated
@ -2,6 +2,8 @@ module git.frostfs.info/TrueCloudLab/frostfs-node
go 1.21
replace git.frostfs.info/TrueCloudLab/frostfs-sdk-go => git.frostfs.info/acid-ant/frostfs-sdk-go v0.0.0-20240604071707-21f327e8dc64
dstepanov-yadro commented 2024-06-04 09:10:22 +00:00
Member
Copy link

debugee

debugee
acid-ant commented 2024-06-04 12:18:50 +00:00
Author
Member
Copy link

Removed.

Removed.
dstepanov-yadro marked this conversation as resolved
acid-ant force-pushed feature/bearer-token-ape from 243c09aaf8 to 68d8761b24 2024-06-04 09:19:20 +00:00 Compare
achuprov reviewed 2024-06-04 09:21:46 +00:00
cmd/frostfs-cli/modules/bearer/generate_override.go Outdated
@ -0,0 +28,4 @@
outputFlag = "output"
)
var genereateAPEOverrideCmd = &cobra.Command{
achuprov commented 2024-06-04 09:21:46 +00:00
Member
Copy link

Typo in genereateAPEOverrideCmd

Typo in `genereateAPEOverrideCmd`
acid-ant commented 2024-06-04 11:18:40 +00:00
Author
Member
Copy link

Fixed.

Fixed.
achuprov marked this conversation as resolved
dstepanov-yadro approved these changes 2024-06-04 11:22:26 +00:00
acid-ant force-pushed feature/bearer-token-ape from 68d8761b24 to 0838b108b5 2024-06-04 12:18:41 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from 0838b108b5 to a2b8832010 2024-06-04 14:07:07 +00:00 Compare
acid-ant force-pushed feature/bearer-token-ape from a2b8832010 to 1589b2e7bd 2024-06-06 06:18:17 +00:00 Compare
fyrchik approved these changes 2024-06-07 07:49:13 +00:00
achuprov approved these changes 2024-06-07 08:37:20 +00:00
fyrchik merged commit a0c588263b into master 2024-06-07 12:11:21 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
dstepanov-yadro
fyrchik
achuprov
Labels
Clear labels   
P0

Highest

  
P1

High

  
P2

Medium

  
P3

Low

  
badger

Badger DB related issues

  
frostfs-adm

   
frostfs-cli

   
frostfs-ir

   
frostfs-lens

   
frostfs-node

   
good first issue

Good for newcomers

  
triage
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
P0
P1
P2
P3
badger
frostfs-adm
frostfs-cli
frostfs-ir
frostfs-lens
frostfs-node
good first issue
triage
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#1157
No description provided.
Delete branch "acid-ant/frostfs-node:feature/bearer-token-ape"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?