Object Not Found error instead of APE Denied Request #1297

New issue

Closed

opened 2024-08-06 13:38:43 +00:00 by abereziny · 1 comment

abereziny commented

2024-08-06 13:38:43 +00:00

Member

Expected Behavior

NoRuleFound since we don't have a rule for objects without attribute.

Error:
return code: 2 
Output: rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: method GetObject: NoRuleFound

Current Behavior

Sometimes instead of APE Deny we get

Error with retcode 1
Output: 
rpc error: read object header: status: code = 2049 message = object not found

Steps to Reproduce (for bugs)

Create container with owner wallet and basic_acl = '0'

frostfs-cli --config user_0x61d4686e73a49-config.yml container create --rpc-endpoint '10.10.100.100' --basic-acl '0' --await --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X'
Success:
return code: 0 
Output: CID: 5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf
awaiting...
container has been persisted on sidechain

Apply APE rule for owner wallet on this container

frostfs-cli --config user_0x61d4686e73a49-config.yml ape-manager add --rpc-endpoint '10.10.100.100' --chain-id 'chain-id-0x61d4688391be1' --rule 'allow object.* RequestCondition:"\$Actor:role"=owner *' --target-name '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --target-type 'container'
Success:
return code: 0 
Output: Parsed chain:
Chain ID: chain-id-0x61d4688391be1
     HEX: 636861696e2d69642d307836316434363838333931626531
Rules:

	Status: Allowed
	Any: false
	Conditions:
		Request $Actor:role StringEquals owner
	Actions:	Inverted:false
		PutObject
		GetObject
		HeadObject
		DeleteObject
		SearchObject
		HashObject
	Resources:	Inverted:false
		native:object/*
Rule has been added.
Chain ID:  chain-id-0x61d4688391be1

Apply APE rule for others with ResourceCondition

frostfs-cli --config user_0x61d4686e73a49-config.yml ape-manager add --rpc-endpoint '10.10.100.100' --chain-id 'chain-id-0x61d46897e4eb0' --rule 'allow object.get object.head object.put ResourceCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --target-type 'container'
Success:
return code: 0 
Output: Parsed chain:
Chain ID: chain-id-0x61d46897e4eb0
     HEX: 636861696e2d69642d307836316434363839376534656230
Rules:

	Status: Allowed
	Any: false
	Conditions:
		Resource check_key StringEquals check_value
		Request $Actor:role StringEquals others
	Actions:	Inverted:false
		GetObject
		HeadObject
		PutObject
	Resources:	Inverted:false
		native:object/*
Rule has been added.
Chain ID:  chain-id-0x61d46897e4eb0

Put object using owner wallet without attributes

frostfs-cli --config user_0x61d4686e73a49-config.yml object put --rpc-endpoint '10.10.100.100' --cid '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --file 'object-0x61d468806e82c'
Success:
return code: 0 
Output: [object-0x61d468806e82c] Object successfully stored
  OID: 7Cn43X7YzSerSmwpR4N8EXDoqjpaXqsjKgzyaoQCXTrg
  CID: 5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf

Get object using second wallet.
Notes:
Object without attributes, so it should be denied.
Also, try this request with ALL the nodes, not just one

frostfs-cli --config user-0x61d4685d657e7-config.yml object get --rpc-endpoint '10.10.100.100' --cid '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --oid '7Cn43X7YzSerSmwpR4N8EXDoqjpaXqsjKgzyaoQCXTrg' --file '21d190e9-980a-441d-afb1-e2fc99fdeda6'

Context

This was found during eACL to APE transition for autotests

Regression

No(?)

## Expected Behavior NoRuleFound since we don't have a rule for objects without attribute. ``` Error: return code: 2 Output: rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: method GetObject: NoRuleFound ``` ## Current Behavior Sometimes instead of APE Deny we get ``` Error with retcode 1 Output: rpc error: read object header: status: code = 2049 message = object not found ``` ## Steps to Reproduce (for bugs) 1. Create container with owner wallet and basic_acl = '0' ``` frostfs-cli --config user_0x61d4686e73a49-config.yml container create --rpc-endpoint '10.10.100.100' --basic-acl '0' --await --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X' Success: return code: 0 Output: CID: 5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf awaiting... container has been persisted on sidechain ``` 2. Apply APE rule for owner wallet on this container ``` frostfs-cli --config user_0x61d4686e73a49-config.yml ape-manager add --rpc-endpoint '10.10.100.100' --chain-id 'chain-id-0x61d4688391be1' --rule 'allow object.* RequestCondition:"\$Actor:role"=owner *' --target-name '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --target-type 'container' Success: return code: 0 Output: Parsed chain: Chain ID: chain-id-0x61d4688391be1 HEX: 636861696e2d69642d307836316434363838333931626531 Rules: Status: Allowed Any: false Conditions: Request $Actor:role StringEquals owner Actions: Inverted:false PutObject GetObject HeadObject DeleteObject SearchObject HashObject Resources: Inverted:false native:object/* Rule has been added. Chain ID: chain-id-0x61d4688391be1 ``` 3. Apply APE rule for others with ResourceCondition ``` frostfs-cli --config user_0x61d4686e73a49-config.yml ape-manager add --rpc-endpoint '10.10.100.100' --chain-id 'chain-id-0x61d46897e4eb0' --rule 'allow object.get object.head object.put ResourceCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --target-type 'container' Success: return code: 0 Output: Parsed chain: Chain ID: chain-id-0x61d46897e4eb0 HEX: 636861696e2d69642d307836316434363839376534656230 Rules: Status: Allowed Any: false Conditions: Resource check_key StringEquals check_value Request $Actor:role StringEquals others Actions: Inverted:false GetObject HeadObject PutObject Resources: Inverted:false native:object/* Rule has been added. Chain ID: chain-id-0x61d46897e4eb0 ``` 4. Put object using owner wallet without attributes ``` frostfs-cli --config user_0x61d4686e73a49-config.yml object put --rpc-endpoint '10.10.100.100' --cid '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --file 'object-0x61d468806e82c' Success: return code: 0 Output: [object-0x61d468806e82c] Object successfully stored OID: 7Cn43X7YzSerSmwpR4N8EXDoqjpaXqsjKgzyaoQCXTrg CID: 5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf ``` 5. Get object using second wallet. Notes: Object without attributes, so it should be denied. **Also, try this request with ALL the nodes, not just one** ``` frostfs-cli --config user-0x61d4685d657e7-config.yml object get --rpc-endpoint '10.10.100.100' --cid '5iHHfLo65wGUoh2syF3W776av7WEbq74jeZmVD3fjeCf' --oid '7Cn43X7YzSerSmwpR4N8EXDoqjpaXqsjKgzyaoQCXTrg' --file '21d190e9-980a-441d-afb1-e2fc99fdeda6' ``` ## Context This was found during eACL to APE transition for autotests ## Regression No(?)

abereziny added the

bug

triage

labels 2024-08-06 13:38:43 +00:00

fyrchik commented

2024-08-19 08:45:10 +00:00

Owner

We had a similar problem with Range, the problem was that status error was not propagated in stream RPCs.
In this task, try to use HEAD in similar situation.

We had a similar problem with Range, the problem was that status error was not propagated in stream RPCs. In this task, try to use HEAD in similar situation.