Storage node doesn't respect group policies #1190

Closed
opened 2024-06-19 14:12:36 +00:00 by dkirillov · 1 comment
Member

Expected Behavior

User can put object if he belongs to group that has rights to do this.

Current Behavior

User cannot put object:

```
rpc error: client failure: status: code = 2048 message = access to object operation denied: ape denied request: method PutObject: NoRuleFound
```

Possible Solution

We need to take user group policies into account in the following places:

  • tree ape: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/75eedf71f31c8d0d68500779954e708fa884c3ee/pkg/services/tree/ape.go#L164
  • object ape: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/75eedf71f31c8d0d68500779954e708fa884c3ee/pkg/services/object/ape/checker.go#L188
  • container ape 1: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/75eedf71f31c8d0d68500779954e708fa884c3ee/pkg/services/container/ape.go#L323
  • container ape 2: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/75eedf71f31c8d0d68500779954e708fa884c3ee/pkg/services/container/ape.go#L230
  • container ape 3: https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/75eedf71f31c8d0d68500779954e708fa884c3ee/pkg/services/container/ape.go#L172

Steps to Reproduce (for bugs)

  1. Create frostfsid user:

```
frostfs-dev-env$ frostfs-adm -c frostfs-adm.yml morph frostfsid create-subject --subject-key 031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a --subject-name devenv
```

  2. Create frostfsid group:

```
frostfs-dev-env$ frostfs-adm -c frostfs-adm.yml morph frostfsid create-group --group-name some-group
Waiting for transactions to persist...
group 'some-group' created with id: 2
```

  3. Add user to group:

```
frostfs-dev-env$ frostfs-adm -c frostfs-adm.yml morph frostfsid add-subject-to-group --group-id 2 --subject-address NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM
```

  4. Add the following chain to the `policy` contract:

```json
{
  "ID": "dGVzdA==",
  "Rules": [{
      "Status": "Allow",
      "Actions": {
        "Inverted": false,
        "Names": ["PutObject"]
      },
      "Resources": {
        "Inverted": false,
        "Names": ["native:object/*"]
      },
      "Any": false,
      "Condition": [{
          "Op": "SliceContains",
          "Kind": "Request",
          "Key": "frostfsid:groupID",
          "Value": "2"
      }]
  }],
  "MatchType": "DenyPriority"
}
```

  5. Create container:

```
frostfs-dev-env$ frostfs-cli -r s01.frostfs.devenv:8080 -w wallets/wallet.json container create --policy 'REP 1' --basic-acl 0x0 --await

Enter password > 
CID: 6hbNVQsf7pWkVRs4AVundoDYbYLhLup6HMY5hqmnyPmi
awaiting...
container has been persisted on sidechain
```

  6. Try to put object:

```
frostfs-dev-env$ frostfs-cli object put -r s01.frostfs.devenv:8080 --cid 6hbNVQsf7pWkVRs4AVundoDYbYLhLup6HMY5hqmnyPmi --file frostfs-adm.yml -w wallets/wallet.json

Enter password > 
 402 / 402 [==================================================================================================================================================] 100.00% 0s
rpc error: client failure: status: code = 2048 message = access to object operation denied: ape denied request: method PutObject: NoRuleFound
```

Context

The initial problem was: cannot create bucket using S3. This happened because after container creation we update bucket settings (which are stored as a node in the tree service). And because the storage node doesn't handle group policies, the user doesn't have permission to use the tree service.

Regression

Probably not.

Your Environment

  • Version used: v0.40.0
  • Server setup and configuration: devenv
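To see why the chain above never matches, here is a toy evaluator (an added example, not code from frostfs-node or its policy engine; the rule semantics, the `Evaluate` function and the request-property map are assumptions): when the request carries no `frostfsid:groupID` property the SliceContains condition cannot hold, so the result is NoRuleFound, while the same chain yields Allow once the node populates the subject's group IDs.

```go
// Toy evaluator for the APE chain in this issue (ChainJSON is copied from it): an added example, not frostfs-node's own checker.
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"slices"
)

type rule struct {
	Status    string
	Actions   struct{ Names []string }
	Resources struct{ Names []string }
	Condition []struct{ Op, Kind, Key, Value string }
}

const ChainJSON = `{"ID":"dGVzdA==","Rules":[{"Status":"Allow","Actions":{"Inverted":false,"Names":["PutObject"]},
 "Resources":{"Inverted":false,"Names":["native:object/*"]},"Any":false,"Condition":[{"Op":"SliceContains",
 "Kind":"Request","Key":"frostfsid:groupID","Value":"2"}]}],"MatchType":"DenyPriority"}`

// Evaluate returns the Status of the first rule whose action, resource glob and every condition match,
// else "NoRuleFound" (a denial). Only SliceContains over Request properties is modelled (assumed semantics).
func Evaluate(raw, method, resource string, req map[string][]string) string {
	var c struct{ Rules []rule }
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return "NoRuleFound"
	}
next:
	for _, r := range c.Rules {
		if !slices.Contains(r.Actions.Names, method) || !slices.ContainsFunc(r.Resources.Names,
			func(p string) bool { ok, _ := path.Match(p, resource); return ok }) {
			continue
		}
		for _, cd := range r.Condition {
			// A node that never fills frostfsid:groupID into req cannot satisfy this condition.
			if cd.Op != "SliceContains" || cd.Kind != "Request" || !slices.Contains(req[cd.Key], cd.Value) {
				continue next
			}
		}
		return r.Status
	}
	return "NoRuleFound"
}

func main() {
	res := "native:object/6hbNVQsf7pWkVRs4AVundoDYbYLhLup6HMY5hqmnyPmi"
	fmt.Println(Evaluate(ChainJSON, "PutObject", res, nil)) // NoRuleFound
	fmt.Println(Evaluate(ChainJSON, "PutObject", res, map[string][]string{"frostfsid:groupID": {"2"}})) // Allow
}
```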
dkirillov added the bug, triage labels 2024-06-19 14:12:36 +00:00
dkirillov changed title from Storage node doesn't respect group policy to Storage node doesn't respect group policies 2024-06-19 14:13:48 +00:00
Owner

Context issue link: TrueCloudLab/frostfs-s3-gw#407
aarifullin was assigned by fyrchik 2024-06-19 17:19:58 +00:00
fyrchik added this to the v0.42.0 milestone 2024-06-20 11:30:54 +00:00
fyrchik added frostfs-node and removed triage labels 2024-06-20 11:31:03 +00:00
Reference: TrueCloudLab/frostfs-node#1190