Add example of APE rules to cli commands help #1575

Open
opened 2024-12-20 10:07:01 +00:00 by dkirillov · 4 comments
Member

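## Is your feature request related to a problem? Please describe.

It would be very nice to see the syntax for the `--rules` flag in help for

  • `frostfs-adm morph ape add-rule-chain`
  • `frostfs-cli ape-manager add`

Currently there is only a comment in the code (https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/148d68933bb1f3fda17db2c7f4fe073336554f67/pkg/util/ape/parser.go#L62-L76):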

```go
// ParseAPERule parses access-policy-engine statement from the following form:
// <status>[:status_detail] <action>... [<condition>...] <resource>...
//
// Examples:
// deny Object.Put *
// deny:QuotaLimitReached Object.Put *
// allow Object.Put *
// allow Object.Get ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.Get any ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.Get all ResourceCondition:Department=HR RequestCondition:Actor=ownerA *
// allow Object.* *
// allow Container.* *
//
//nolint:godot
func ParseAPERule(r *apechain.Rule, rule string) error {
```

## Describe the solution you'd like

Add examples to help

## Describe alternatives you've considered

No

## Additional context

No

dkirillov added the triage label 2024-12-20 10:07:01 +00:00
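
The rule grammar quoted in the issue, as an added Go example that is not frostfs-node's `ParseAPERule`: it classifies the tokens of a rule string and rejects malformed rules instead of accepting them silently. The `Rule` type, the `ParseRule` name and the prefix-based token classification are assumptions drawn only from the examples in the quoted comment.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a hypothetical parsed form of one statement (not apechain.Rule).
type Rule struct {
	Allow, Any                     bool   // Any: "any" keyword seen
	Detail                         string // optional status detail
	Actions, Conditions, Resources []string
}

// ParseRule splits <status>[:status_detail] <action>... [<condition>...] <resource>...
func ParseRule(s string) (Rule, error) {
	var r Rule
	for i, t := range strings.Fields(s) {
		isAct := strings.HasPrefix(t, "Object.") || strings.HasPrefix(t, "Container.")
		isCond := strings.HasPrefix(t, "ResourceCondition:") || strings.HasPrefix(t, "RequestCondition:")
		switch {
		case i == 0: // first token is always the status
			status, detail, _ := strings.Cut(t, ":")
			if status != "allow" && status != "deny" {
				return r, fmt.Errorf("unknown status %q", status)
			}
			r.Allow, r.Detail = status == "allow", detail
		case (isAct || isCond) && len(r.Resources) > 0:
			return r, fmt.Errorf("%q appears after a resource", t)
		case isAct:
			r.Actions = append(r.Actions, t)
		case isCond && !strings.Contains(t, "="): // "=" also covers "!="
			return r, fmt.Errorf("condition without operator: %q", t)
		case isCond:
			r.Conditions = append(r.Conditions, t)
		case t == "any" || t == "all":
			r.Any = t == "any"
		default: // assumption: anything else is a resource, e.g. "*"
			r.Resources = append(r.Resources, t)
		}
	}
	if len(r.Actions) == 0 || len(r.Resources) == 0 {
		return r, fmt.Errorf("need at least one action and one resource: %q", s)
	}
	return r, nil
}

func main() {
	fmt.Println(ParseRule("deny:QuotaLimitReached Object.Put *"))
}
```

Because unknown tokens fall through to the resource list in this sketch, a misspelled action name is only caught when it leaves the rule without any action; a stricter checker would validate action names against a known list.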
Member

The help message for the `--rule` flag in the CLI was recently made more descriptive (#1519). This change is only for the CLI, not for `frostfs-adm`. The need of having it in `frostfs-adm` should be considered. Does the existing help message lack anything you might need?

Author
Member
  • I'd like to see all possible actions in help instead of `etc`

    ```
    Actions:
      Object operations:
        - Object.Put, Object.Get, etc.
        - Object.*     (all object operations)
      Container operations:
        - Container.Put, Container.Get, etc.
        - Container.*  (all container operations)
    ```

    For example: Can I use `Container.List` (or action for ListContainer has different name in cli?) in container operations or this is possible only for namespace?

  • Can I provide rule with `StringLike` condition?
    Probably we support only `=` and `!=` for the sake of simplicity. But we should mention this and advise to use json format for complex rules.
    But probably we could support wildcard in condition with `=`/`!=` and consider it as `*Like` condition

  • Finally I'd like to see a couple of exact examples of rules e.g.

    ```
      --rule stringArray      Defines an Access Policy Engine (APE) rule in the format:
                                  <status>[:status_detail] <action>... <condition>... <resource>...

                               * Allow any container operation in namespace:
                                   allow Container.* *
                               * Make your container public-read:
                                   allow ...
                               * Make your container public-read-write:
                                   allow ...
                               * Make your container public-read for specific public key:
                                   allow ...

                              Status:
                                 // ...
    ```
Owner

> I'd like to see all possible actions in help instead of `etc`

I think we should link to a spec then. This help is useful, but does not need to be exhaustive. For us `Container.List` is just a string (correct me if I am wrong), and the "real" list of methods depends on the API version.

Author
Member

> I think we should link to a spec then

What spec do you mean? If you mean `api-go` or `policy-engine`, it seems I will see `PutObject` or a similar const there. But the CLI accepts this in a different format.
Probably we should fix `frostfs-cli` then so it accepts exactly the string from the spec (`PutObject`, `ListContainers` etc.) rather than `Object.Put`

Reference: TrueCloudLab/frostfs-node#1575