ape add-rule-chain uses incorrect alphabet multisignature account #1393

Closed
opened 2024-09-24 12:58:51 +00:00 by potyarkin · 2 comments
Member

Expected Behavior

frostfs-adm morph ape add-rule-chain should succeed when we provide all alphabet wallets via --alphabet-wallets directory - regardless of how many alphabet members there are.

Current Behavior

With a 7-letter alphabet, committee and consensus accounts do not match (as expected).

ape add-rule-chain uses committee account to sign the transaction. It fails because policy contract allows AddChain only to storage admin and to consensus alphabet account (returned by common.AlphabetAddress):

    func checkAuthorization(ctx storage.Context) {
        admin := getAdmin(ctx)
        if admin != nil && runtime.CheckWitness(admin) {
            return
        }
        if runtime.CheckWitness(common.AlphabetAddress()) {
            return
        }
        panic(ErrNotAuthorized)
    }

Possible Solution

There are multiple possible solutions:

  • We can modify frostfs-adm to use correct alphabet account (consensus) when signing the transaction
  • We can modify policy contract to allow signatures made under committee account:
    • in addition to current consensus account
    • or instead of current consensus account

Steps to Reproduce (for bugs)

  • Create 7 alphabet wallets
  • Launch 7 neo-go nodes using those wallets for validators
  • Execute bootstrap steps: frostfs-adm morph init (should succeed)
  • Add rule chain using alphabet wallets: see section below (will fail)

Context

I was trying to add a rule chain using 7-letter alphabet wallet:

$ bin/frostfs-adm-v0.42.9 morph ape add-rule-chain --target-type namespace --target-name "" --rule "allow Container.* *" --chain-id "allow_container_ops" --rpc-endpoint http://10.200.104.2:30333 --alphabet-wallets wallet --config frostfs-adm.yml
Parsed chain:
Chain ID: allow_container_ops
     HEX: 616c6c6f775f636f6e7461696e65725f6f7073
Rules:

        Status: Allowed
        Any: false
        Conditions:
        Actions:        Inverted:false
                PutContainer
                DeleteContainer
                GetContainer
                SetContainerEACL
                GetContainerEACL
                ListContainers
        Resources:      Inverted:false
                native:container/*
Waiting for transaction to persist...
add rule chain error: script failed (FAULT state) due to an error: at instruction 599 (THROW): unhandled exception: "none of the signers is authorized to change the contract"

Debugging policy contract (by sprinkling runtime.Log everywhere) has shown that failed transaction is signed using committee account but only admin and consensus account are allowed.

Regression

No.

Your Environment

  • Version used:
    • frostfs-adm v0.42.9
    • frostfs-contracts v0.19.4
    • neo-go v0.106.3
  • Server setup and configuration: custom exploratory environment (protocol.privnet.yml)
  • Operating System and version (uname -a): Linux hostname 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
potyarkin added the bug, frostfs-adm, triage labels 2024-09-24 12:58:51 +00:00
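
Why the two accounts diverge at 7 alphabet members, as an added example (not code from frostfs-adm or frostfs-contract). It assumes the usual Neo N3 conventions: a simple-majority threshold for the committee multisig and a BFT threshold for the consensus multisig. Function names and keys are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Assumed Neo N3 conventions: the committee multisig needs a simple majority,
// the consensus (validators) multisig needs a BFT quorum.
func committeeThreshold(n int) int { return n - (n-1)/2 }
func consensusThreshold(n int) int { return n - (n-1)/3 }

// multisigScript builds an m-of-n verification script:
// PUSHm, PUSHDATA1 <key> per key, PUSHn, SYSCALL System.Crypto.CheckMultisig.
// Keys are assumed to be in canonical order already; 1 <= m <= n <= 16.
func multisigScript(m int, keys [][]byte) []byte {
	s := []byte{byte(0x10 + m)} // PUSH1..PUSH16 are opcodes 0x11..0x20
	for _, k := range keys {
		s = append(s, 0x0C, byte(len(k))) // PUSHDATA1 <len>
		s = append(s, k...)
	}
	s = append(s, byte(0x10+len(keys)), 0x41) // PUSHn, SYSCALL
	id := sha256.Sum256([]byte("System.Crypto.CheckMultisig"))
	return append(s, id[:4]...) // interop ID: first 4 bytes of the name's SHA-256
}

// sameAccount reports whether the committee and consensus multisig scripts
// (and therefore the account script hashes derived from them) coincide.
func sameAccount(keys [][]byte) bool {
	n := len(keys)
	return bytes.Equal(
		multisigScript(committeeThreshold(n), keys),
		multisigScript(consensusThreshold(n), keys))
}

// constructedKeys returns n placeholder 33-byte values shaped like compressed
// public keys (constructed for this example, not real curve points).
func constructedKeys(n int) [][]byte {
	keys := make([][]byte, n)
	for i := range keys {
		h := sha256.Sum256([]byte{byte(i)})
		keys[i] = append([]byte{0x02}, h[:]...)
	}
	return keys
}

func main() {
	for _, n := range []int{1, 4, 7} {
		fmt.Printf("n=%d committee=%d-of-%d consensus=%d-of-%d same account: %v\n",
			n, committeeThreshold(n), n, consensusThreshold(n), n, sameAccount(constructedKeys(n)))
	}
}
```

With 1 or 4 members both thresholds are equal, so a witness from the committee account also satisfies a `CheckWitness` on the consensus address; at 7 members the scripts differ in the threshold opcode and the witness no longer matches.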
Author
Member

Related discussion in a private chat

Author
Member

Account selection in frostfs-adm happens here:

    for _, w := range wallets {
        acc, err := GetWalletAccount(w, constants.CommitteeAccountName)
        commonCmd.ExitOnErr(cmd, "can't find committee account: %w", err)
        accounts = append(accounts, acc)
    }

This helper is also used by morph nns; I'm not sure if fixing this issue will be as easy as changing line 56 to constants.ConsensusAccountName.

fyrchik removed the triage label 2024-10-01 12:14:52 +00:00
aarifullin was assigned by fyrchik 2024-10-01 12:15:06 +00:00
fyrchik added this to the v0.44.0 milestone 2024-10-01 12:15:12 +00:00
Reference: TrueCloudLab/frostfs-node#1393