Complex object cannot be put when it should pass APE rule. #1300

Open
opened 2024-08-07 10:29:58 +00:00 by abereziny · 2 comments
Member

Expected Behavior

Successful object put

Current Behavior

```
Error with retcode 1
Output: 
rpc error: client failure: status: code = 1024 message = incomplete object PUT by placement: could not write header: (*putsvc.remoteTarget) could not put single object to [/ip4/192.168.201.173/tcp/8080 /ip4/192.168.200.173/tcp/8080]: put single object via client: status: code = 2048 message = access to object operation denied
```

Possible Solution

 No fix can be suggested by a QA engineer. Further solutions shall be up to developers.

Steps to Reproduce (for bugs)

1. Create public container with owner wallet

```
frostfs-cli --config owner.yml container create --rpc-endpoint '10.10.10.100' --basic-acl '0FBFBFFF' --await --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X'
Success with retcode 0
Output: 
CID: J93jqd38xy49pEukYx1Hxf6jLFtccTeKty156FrhNLBP
```

2. Deny placement for others with ResourceCondition "check_key"!="check_value" (StringNotEquals)

```
11:57:28 [INFO] Command: frostfs-cli --config owner ape-manager add --rpc-endpoint '10.10.10.100' --chain-id 'chain-id-0x61f14197cf7f8' --rule 'deny object.get object.head object.put ResourceCondition:"check_key"!="check_value" RequestCondition:"\$Actor:role"=others *' --target-name 'J93jqd38xy49pEukYx1Hxf6jLFtccTeKty156FrhNLBP' --target-type 'container'
Success with retcode 0
Output: 
Parsed chain:
Chain ID: chain-id-0x61f14197cf7f8
     HEX: 636861696e2d69642d307836316631343139376366376638
Rules:

	Status: Access denied
	Any: false
	Conditions:
		Resource check_key StringNotEquals check_value
		Request $Actor:role StringEquals others
	Actions:	Inverted:false
		GetObject
		HeadObject
		PutObject
	Resources:	Inverted:false
		native:object/*
Rule has been added.
Chain ID:  chain-id-0x61f14197cf7f8
```

3. Put **COMPLEX** object with attribute `check_key=check_value`. It should pass the rule, since `check_value` equals the rule value (which is StringNotEquals).

```
frostfs-cli --config others.yml object put --rpc-endpoint '10.10.10.100' --cid 'J93jqd38xy49pEukYx1Hxf6jLFtccTeKty156FrhNLBP' --file 'TemporaryDir/object-0x61f1411591dd4' --attributes 'check_key=check_value'
```

IMPORTANT NOTE:
Same issue may happen if we do ResourceCondition "check_key"="" (i.e. we want to deny objects with empty attribute) and put complex object with this attribute not empty.

Context

Migration of ACL => APE autotests

Regression

No(?)

abereziny added the bug, triage labels 2024-08-07 10:29:58 +00:00
Member

This can be checked with `frostfs-dev-env` but the object must be huge

```bash
dd if=/dev/urandom of=random_payload.bin bs=1M count=65
```

If you try to upload `random_payload.bin` by `object put`, then you'll encounter the error. This happens because the complex object parts are sent without attributes but

```
Resource check_key StringNotEquals check_value
```

works out although the attribute doesn't come (`"" != "check_value" == true`). So, this probably requires a change within `policy-engine` that should read value by presented key.

The problem that @abereziny is struggling with can be **temporarily** solved by this

```
--rule 'deny object.get object.head object.put ResourceCondition:"check_key"!="check_value" ResourceCondition:"check_key"!="" RequestCondition:"\$Actor:role"=others *'
```
aarifullin self-assigned this 2024-09-16 07:35:28 +00:00
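
The evaluation described in the comment above, as an added Go example that is not part of the thread and is not frostfs `policy-engine` code. `Cond`, `matchLoose`, `matchPresent` and `Denied` are hypothetical names in a simplified model that assumes a complex object part arrives with no attributes.

```go
package main

import "fmt"

// Cond is one resource condition in a simplified, hypothetical model.
type Cond struct {
	Key, Value string
	NotEquals  bool
}

// matchLoose reads a missing attribute as "", so "" != "check_value" holds.
func matchLoose(c Cond, attrs map[string]string) bool {
	v := attrs[c.Key] // absent key yields ""
	return (v == c.Value) != c.NotEquals
}

// matchPresent only matches when the key is actually present on the resource.
func matchPresent(c Cond, attrs map[string]string) bool {
	v, ok := attrs[c.Key]
	return ok && (v == c.Value) != c.NotEquals
}

// Denied reports whether a deny rule fires: all of its conditions must match.
func Denied(conds []Cond, attrs map[string]string, match func(Cond, map[string]string) bool) bool {
	for _, c := range conds {
		if !match(c, attrs) {
			return false
		}
	}
	return true
}

// Constructed inputs: the rule from the issue, the workaround rule, the
// attributes the client set, and a complex object part sent without attributes.
var (
	original   = []Cond{{"check_key", "check_value", true}}
	workaround = []Cond{{"check_key", "check_value", true}, {"check_key", "", true}}
	withAttr   = map[string]string{"check_key": "check_value"}
	part       = map[string]string{}
)

func main() {
	fmt.Println("original, attribute set:  ", Denied(original, withAttr, matchLoose))
	fmt.Println("original, bare part:      ", Denied(original, part, matchLoose))
	fmt.Println("workaround, bare part:    ", Denied(workaround, part, matchLoose))
	fmt.Println("presence check, bare part:", Denied(original, part, matchPresent))
}
```

Under `matchPresent` an object that never carried `check_key` is no longer denied by the `!=` rule either, so a presence-based reading changes what the rule means for attribute-less objects.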
Member

> This can be checked with `frostfs-dev-env` but the object must be huge
>
> ```bash
> dd if=/dev/urandom of=random_payload.bin bs=1M count=65
> ```
>
> If you try to upload `random_payload.bin` by `object put`, then you'll encounter the error. This happens because the complex object parts are sent without attributes but
>
> ```
> Resource check_key StringNotEquals check_value
> ```
>
> works out although the attribute doesn't come (`"" != "check_value" == true`). So, this probably requires a change within `policy-engine` that should read value by presented key.
>
> The problem that @abereziny is struggling with can be **temporarily** solved by this
>
> ```
> --rule 'deny object.get object.head object.put ResourceCondition:"check_key"!="check_value" ResourceCondition:"check_key"!="" RequestCondition:"\$Actor:role"=others *'
> ```

TBH, I am barely able to recall the full context of the discussion. Looking at this comment I got an idea that this point actually exists in fact but it's irrelevant to the issue.
I tried to reproduce the issue on the latest commit and got no errors

> Same issue may happen if we do ResourceCondition "check_key"="" (i.e. we want to deny objects with empty attribute) and put complex object with this attribute not empty.

This was not reproduced either.
@abereziny, can you recheck on your own, please?

Reference: TrueCloudLab/frostfs-node#1300