APE ignores xheaders RequestConditions which were working in eACL #1243

Open
opened 2024-07-11 12:49:34 +00:00 by abereziny · 2 comments
Member

Expected Behavior

Request should be blocked by APE rule.

Current Behavior

```
Success:
return code: 0
Output: [TemporaryDir/object-0x61cf8149b5b6f] Object successfully stored
  OID: CsB6XpPtphmemBbm8NKFTha3biNgJAqFkaGKikjY8ZNY
  CID: Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj
```

Possible Solution

 No fix can be suggested by a QA engineer. Further solutions shall be up to developers.

Steps to Reproduce (for bugs)

1. Create public container
```
frostfs-cli container create --wallet owner.json --basic-acl '0FBFBFFF' --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X'
CID: Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj
```
2. Deny all operations for others via APE with request conditions
```
frostfs-cli ape-manager add --wallet owner.json --chain-id 'chain-id-0x61cf815c51632' --rule 'deny object.put object.get object.head object.range object.hash object.search object.delete RequestCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --target-type 'container'
Success:
return code: 0
Output: Parsed chain:
Chain ID: chain-id-0x61cf815c51632
     HEX: 636861696e2d69642d307836316366383135633531363332
Rules:

	Status: Access denied
	Any: false
	Conditions:
		Request check_key StringEquals check_value
		Request $Actor:role StringEquals others
	Actions:	Inverted:false
		PutObject
		GetObject
		HeadObject
		RangeObject
		HashObject
		SearchObject
		DeleteObject
	Resources:	Inverted:false
		native:object/*
Rule has been added.
Chain ID:  chain-id-0x61cf815c51632
```
3. Send put request with xheaders from `others` wallet
```
frostfs-cli object put --wallet others.json --cid 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --file 'test.txt' --xhdr 'check_key=check_value'
```

Context

This was working with eACL rules. Now, with the migration to APE, this piece of functionality is lost.

Regression

Yes*
Technically it's a regression. However, APE is new functionality.

abereziny added the
bug
triage
labels 2024-07-11 12:49:34 +00:00
abereziny changed title from APE ignores xheaders RequestConditions which were worked in eACL to APE ignores xheaders RequestConditions which were working in eACL 2024-07-11 12:50:27 +00:00
aarifullin self-assigned this 2024-07-11 12:55:56 +00:00
Author
Member

Still doesn't work with GET and HEAD requests.

Steps are the same but instead of put, use get and head

Expected Behavior

Request should be blocked by APE rule.

Current Behavior

Get and Head succeeds

Possible Solution

 No fix can be suggested by a QA engineer. Further solutions shall be up to developers.

Steps to Reproduce (for bugs)

1. Create public container
```
frostfs-cli container create --wallet owner.json --basic-acl '0FBFBFFF' --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X'
CID: Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj
```
2. Put object using owner wallet (the attributes are garbage values, to show that the APE rule doesn't rely on them in THIS case)
```
frostfs-cli --config owner.json object put --cid 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --file 'file.txt' --attributes 'key_one=check_value,x_key=xvalue,check_key=check_value,key=2' --no-progress --timeout '100s'

  OID: 3R1YNuCG25K9JJcsVeiLupWcQXFZXgDxDMTZxoiLTbUL
  CID: Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj
```
3. Deny all operations for others via APE with request conditions
```
frostfs-cli ape-manager add --wallet owner.json --chain-id 'chain-id-0x61cf815c51632' --rule 'deny object.put object.get object.head object.range object.hash object.search object.delete RequestCondition:"frostfs:xheader/check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --target-type 'container'
Success:
return code: 0
Output: Parsed chain:
Chain ID: chain-id-0x61cf815c51632
     HEX: 636861696e2d69642d307836316366383135633531363332
Rules:

	Status: Access denied
	Any: false
	Conditions:
		Request check_key StringEquals check_value
		Request $Actor:role StringEquals others
	Actions:	Inverted:false
		PutObject
		GetObject
		HeadObject
		RangeObject
		HashObject
		SearchObject
		DeleteObject
	Resources:	Inverted:false
		native:object/*
Rule has been added.
Chain ID:  chain-id-0x61cf815c51632
```
4. Send get request with xheaders from `others` wallet
```
frostfs-cli object get --wallet others.json --cid 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --oid '3R1YNuCG25K9JJcsVeiLupWcQXFZXgDxDMTZxoiLTbUL' --file 'test_download.txt'  --xhdr 'check_key=check_value'
```
5. Send head request with xheaders from `others` wallet
```
frostfs-cli object head --wallet others.json --cid 'Bf5xGjzL3K6UYsDZKDGAxuR7j8cZEtGWTTmHeYd2iaxj' --oid '3R1YNuCG25K9JJcsVeiLupWcQXFZXgDxDMTZxoiLTbUL' --xhdr 'check_key=check_value'
```
Member

`Put` works fine, but `Head` and `Get` have the problem.
The problem that @abereziny is struggling with: `xheaders` are not forwarded when the request is proxied to the container node. That's why the rule doesn't work out.

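The reproduction steps above and the diagnosis in the last comment describe the same failure mode from two sides: a conditional `deny` keyed on a request property (`$Actor:role` plus an x-header) only fires if that property actually reaches the node that evaluates the chain. The following Go model, added here as an illustration and not taken from frostfs-node or the policy-engine library, evaluates the rule from the issue against the `others` request once at the receiving node and once after a proxy hop that drops the x-headers. The types and function names (`Request`, `Rule`, `Evaluate`, `Forward`, `IssueChain`, `OthersRequest`) are hypothetical; the `frostfs:xheader/` property prefix is copied from the condition key used in the second comment, and `Any: false` is read from the parsed-chain output as "all conditions must hold".

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a hypothetical model of what an APE rule can inspect about one call.
// Role and x-headers are flattened into one property map; the "frostfs:xheader/"
// prefix follows the condition key used in the second comment of the issue.
type Request struct {
	Action     string            // "PutObject", "GetObject", "HeadObject", ...
	Properties map[string]string // "$Actor:role", "frostfs:xheader/<name>", ...
}

// Condition is a StringEquals check on one request property.
type Condition struct{ Key, Value string }

// Rule mirrors the fields visible in the "Parsed chain" output of the issue.
type Rule struct {
	Deny       bool
	Any        bool // false: every condition must hold (the "Any: false" in the output)
	Conditions []Condition
	Actions    map[string]bool
}

type Status int

const (
	NoRuleFound  Status = iota // nothing matched; in the thread the public basic ACL then lets the request through
	Allow
	AccessDenied
)

func (s Status) String() string { return []string{"NoRuleFound", "Allow", "AccessDenied"}[s] }

// matches reports whether the rule applies: the action must be listed and the
// conditions must hold (all of them for Any=false, at least one for Any=true).
// A condition on a property that is absent from the request is not satisfied.
func (r Rule) matches(req Request) bool {
	if !r.Actions[req.Action] {
		return false
	}
	satisfied := 0
	for _, c := range r.Conditions {
		if v, ok := req.Properties[c.Key]; ok && v == c.Value {
			satisfied++
		}
	}
	if r.Any {
		return satisfied > 0
	}
	return satisfied == len(r.Conditions)
}

// Evaluate returns the status of the first rule in the chain that matches req.
func Evaluate(chain []Rule, req Request) Status {
	for _, r := range chain {
		if r.matches(req) {
			if r.Deny {
				return AccessDenied
			}
			return Allow
		}
	}
	return NoRuleFound
}

// IssueChain is the one rule added in the issue: deny every object operation for
// role "others" when the request carries x-header check_key=check_value.
func IssueChain() []Rule {
	actions := map[string]bool{}
	for _, a := range []string{"PutObject", "GetObject", "HeadObject", "RangeObject",
		"HashObject", "SearchObject", "DeleteObject"} {
		actions[a] = true
	}
	return []Rule{{Deny: true, Any: false, Actions: actions, Conditions: []Condition{
		{Key: "frostfs:xheader/check_key", Value: "check_value"},
		{Key: "$Actor:role", Value: "others"},
	}}}
}

// OthersRequest builds the request the reproduction sends: others wallet plus
// --xhdr 'check_key=check_value'.
func OthersRequest(action string) Request {
	return Request{Action: action, Properties: map[string]string{
		"$Actor:role":               "others",
		"frostfs:xheader/check_key": "check_value",
	}}
}

// Forward models the hop to the container node. keepXHeaders=false drops the
// x-headers, which is what the last comment says happens for proxied requests.
func Forward(req Request, keepXHeaders bool) Request {
	out := Request{Action: req.Action, Properties: map[string]string{}}
	for k, v := range req.Properties {
		if !keepXHeaders && strings.HasPrefix(k, "frostfs:xheader/") {
			continue // the condition on check_key can no longer be satisfied downstream
		}
		out.Properties[k] = v
	}
	return out
}

func main() {
	chain := IssueChain()
	for _, action := range []string{"PutObject", "GetObject", "HeadObject"} {
		req := OthersRequest(action)
		fmt.Printf("%-10s direct=%s proxied-dropped=%s proxied-kept=%s\n", action,
			Evaluate(chain, req), Evaluate(chain, Forward(req, false)), Evaluate(chain, Forward(req, true)))
	}
}
```

The point the model makes is that a deny whose conditions are not satisfiable is indistinguishable from no rule at all: with the x-headers stripped, `Evaluate` returns `NoRuleFound` rather than `AccessDenied`, and on a public container that is a fail-open. Any fix has to make the forwarded request carry the same properties the originating node saw, or evaluate the chain before the hop.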
fyrchik added this to the v0.43.0 milestone 2024-08-19 08:47:18 +00:00
fyrchik added
frostfs-node
and removed
triage
labels 2024-08-19 08:47:24 +00:00
Reference: TrueCloudLab/frostfs-node#1243