Local override rule affects tree service RPC #1406

Closed
opened 2024-10-01 14:21:55 +00:00 by alexvanin · 1 comment
Owner

S3 Gateway creates containers and uploads some nodes into the tree service along with the objects. An external service may restrict object upload by setting a local override rule. An example of this rule is presented in 'Steps to reproduce'. This rule allows object removal, so the restriction may be lifted at some point.

Expected Behavior

  • object.Put RPC is denied
  • object.Delete RPC is allowed
  • tree.Remove RPC is allowed

Current Behavior

  • object.Put RPC is denied
  • object.Delete RPC is allowed
  • tree.Remove RPC is denied with an error
code = Unknown desc = status: code = 2048 message = access to object operation denied

Steps to Reproduce (for bugs)

  1. Create container (or create S3 Bucket)
  2. Upload an object into container
  3. Upload tree node into container (or upload object into S3 Bucket)
  4. Set local override rule
  5. Try to remove an object
  6. Try to remove tree node (or delete object from S3 Bucket)

Rule in JSON format:

{
  "ID": "cXVvdGFz",
  "Rules": [
    {
      "Status": "AccessDenied",
      "Actions": {
        "Inverted": false,
        "Names": [
          "PutObject"
        ]
      },
      "Resources": {
        "Inverted": false,
        "Names": [
          "native:object//6Z8PoLGkfSo8Wh1JAQdjpeu5LKaraQ7MedFTGZ2QL6aj/*"
        ]
      },
      "Any": false,
      "Condition": [
        {
          "Op": "StringNotEquals",
          "Object": "Resource",
          "Key": "$Object:objectType",
          "Value": "TOMBSTONE"
        }
      ]
    }
  ],
  "MatchType": "DenyPriority"
}

Request body to set the rule

req := &nodeControl.AddChainLocalOverrideRequest{
	Body: &nodeControl.AddChainLocalOverrideRequest_Body{
		Target: &nodeControl.ChainTarget{
			Type: nodeControl.ChainTarget_NAMESPACE,
			Name: namespace,
		},
		Chain: policyChain.Bytes(),
	},
}

Context

Regression

Not sure, but this case had to be tested.

Your Environment

frostfs-node v0.38.5 or higher
frostfs-s3-gw v0.29.0 or higher

alexvanin added the
bug
triage
labels 2024-10-01 14:21:56 +00:00
aarifullin self-assigned this 2024-10-01 14:56:46 +00:00
Member

When tree.Remove prepares an APE request, it sets the PutObject verb but omits resource properties. When policy-engine performs matching, it gets an empty string for the key "$Object:objectType" and the condition works out: "" != "TOMBSTONE".
We could fix policy-engine by simply ignoring the condition check if the value is not present, but then we may get the opposite situation, where an empty value is actually a valid case.
I'd suggest introducing a backward-compatible flag for Condition: NotIgnoreEmpty, which could be false by default. If NotIgnoreEmpty == true, then the described empty-string case is taken into account.

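The matching described in the comment above, applied to the rule from the issue body, as an added Go example (not policy-engine or frostfs-node code): a toy evaluator in which NotIgnoreEmpty is the assumed name of the proposed flag, and an absent or empty property is assumed to make the condition not hold unless that flag is set.

```go
package main

import "fmt"

// Condition mirrors one entry of the rule's "Condition" list on this issue.
// NotIgnoreEmpty is the per-condition flag proposed in the comment (assumed name).
type Condition struct {
	Op, Key, Value string
	NotIgnoreEmpty bool
}

// condHolds evaluates one condition against the request's resource properties.
// An absent or empty property makes the condition not hold, unless NotIgnoreEmpty
// forces a literal comparison, which is today's "" != "TOMBSTONE" match for tree.Remove.
func condHolds(c Condition, props map[string]string) bool {
	v, present := props[c.Key]
	if (!present || v == "") && !c.NotIgnoreEmpty {
		return false
	}
	switch c.Op {
	case "StringEquals":
		return v == c.Value
	case "StringNotEquals":
		return v != c.Value
	}
	return false // unknown operator never matches
}

// Denied models the issue's "AccessDenied" rule on PutObject: the request is denied
// when its verb is PutObject and every condition holds; notIgnoreEmpty sets the flag.
func Denied(verb string, props map[string]string, notIgnoreEmpty bool) bool {
	if verb != "PutObject" {
		return false
	}
	conds := []Condition{{Op: "StringNotEquals", Key: "$Object:objectType",
		Value: "TOMBSTONE", NotIgnoreEmpty: notIgnoreEmpty}}
	for _, c := range conds {
		if !condHolds(c, props) {
			return false
		}
	}
	return true
}

func main() {
	// tree.Remove as described in the comment: PutObject verb, no properties at all.
	fmt.Println("tree.Remove denied today:", Denied("PutObject", nil, true))
	fmt.Println("tree.Remove denied with proposed default:", Denied("PutObject", nil, false))
	// A tombstone put (the object.Delete path) stays allowed under both settings.
	fmt.Println("tombstone denied:", Denied("PutObject", map[string]string{"$Object:objectType": "TOMBSTONE"}, true))
}
```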
fyrchik added the
frostfs-node
label 2024-10-02 07:37:33 +00:00
fyrchik added this to the v0.44.0 milestone 2024-10-03 07:16:16 +00:00
Reference: TrueCloudLab/frostfs-node#1406