Couldn't delete container without session token

dkirillov commented

2023-05-02 13:58:53 +00:00

If container was created using session token, we cannot delete it without session token even if we have owner key.

Expected Behavior

We can always delete container using container owner key without any tokens.

Current Behavior

We have to use session token to delete container.

Steps to Reproduce (for bugs)

See test that should pass:

func TestSessionContainer(t *testing.T) {
        ctx := context.Background()
	devenvKey := "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb"
	key, err := keys.NewPrivateKeyFromHex(devenvKey)
	require.NoError(t, err)

	var owner user.ID
	user.IDFromKey(&owner, key.PrivateKey.PublicKey)

	tokPut := new(session.Container)
	tokPut.ForVerb(session.VerbContainerPut)
	tokPut.SetID(uuid.New())
	tokPut.SetAuthKey((*frostfsecdsa.PublicKey)(&key.PrivateKey.PublicKey))
	tokPut.SetExp(math.MaxUint64)
	err = tokPut.Sign(key.PrivateKey)
	require.NoError(t, err)

	var prm pool.InitParameters
	prm.SetKey(&key.PrivateKey)
	prm.SetNodeDialTimeout(5 * time.Second)
	prm.AddNode(pool.NewNodeParam(1, "s01.frostfs.devenv:8080", 1))
	clientPool, err := pool.NewPool(prm)
	require.NoError(t, err)
	err = clientPool.Dial(ctx)
	require.NoError(t, err)

	var pp netmap.PlacementPolicy
	err = pp.DecodeString("REP 1")
	require.NoError(t, err)

	var cnr container.Container
	cnr.Init()
	cnr.SetOwner(owner)
	cnr.SetBasicACL(acl.PublicRWExtended)
	cnr.SetPlacementPolicy(pp)

	var cnrPut pool.PrmContainerPut
	cnrPut.WithinSession(*tokPut)
	cnrPut.SetContainer(cnr)

	cnrID, err := clientPool.PutContainer(ctx, cnrPut)
	require.NoError(t, err)
	fmt.Println(cnrID)

	var cnrDelete pool.PrmContainerDelete
	cnrDelete.SetContainerID(cnrID)
	err = clientPool.DeleteContainer(ctx, cnrDelete)
	require.NoError(t, err)
}

Test starts pass if we user the following token for deleting:

        tokDelete := new(session.Container)
	tokDelete.ForVerb(session.VerbContainerDelete)
	tokDelete.SetID(uuid.New())
	tokDelete.SetAuthKey((*frostfsecdsa.PublicKey)(&key.PrivateKey.PublicKey))
	tokDelete.SetExp(math.MaxUint64)
	err = tokDelete.Sign(key.PrivateKey)
	require.NoError(t, err)

	var cnrDelete pool.PrmContainerDelete
	cnrDelete.SetContainerID(cnrID)
	cnrDelete.SetSessionToken(*tokDelete)

In ir logs:

2023-05-02T13:48:34.297Z        info    container/handlers.go:33        notification    {"type": "container delete", "id": "AubMnKTgMdDik9YoKMaBJgESPTnHx343kWfqgB6KxiTv"}
2023-05-02T13:48:34.298Z        error   container/process_container.go:131      delete container check failed   {"error": "auth container removal: receive owner keys NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM: could not perform test invocation (key): frostfs error: chain/client: contract execution finished with state FAULT; exception: at instruction 57 (SYSCALL): System.Contract.Call failed: called contract 1943e9bb78a0fe2fe0c95fd2677eec2da6aa4aa5 not found: key not found"}

Context

This happened when we create bucket/container using s3-gw and try to remove using frostfs-cli

Your Environment

Version used: 0.34.0-579-g235fe84e
Server setup and configuration: devenv
Operating System and version (uname -a): Linux dkirillov 6.0.12-x64v1-xanmod1 # 0~20221208.ff9eceb SMP PREEMPT_DYNAMIC Thu Dec 8 22:12:49 UTC 2 x86_64 GNU/Linux

If container was created using session token, we cannot delete it without session token even if we have owner key. ## Expected Behavior We can always delete container using container owner key without any tokens. ## Current Behavior We have to use session token to delete container. ## Steps to Reproduce (for bugs) See test that should pass: ```golang func TestSessionContainer(t *testing.T) { ctx := context.Background() devenvKey := "1dd37fba80fec4e6a6f13fd708d8dcb3b29def768017052f6c930fa1c5d90bbb" key, err := keys.NewPrivateKeyFromHex(devenvKey) require.NoError(t, err) var owner user.ID user.IDFromKey(&owner, key.PrivateKey.PublicKey) tokPut := new(session.Container) tokPut.ForVerb(session.VerbContainerPut) tokPut.SetID(uuid.New()) tokPut.SetAuthKey((*frostfsecdsa.PublicKey)(&key.PrivateKey.PublicKey)) tokPut.SetExp(math.MaxUint64) err = tokPut.Sign(key.PrivateKey) require.NoError(t, err) var prm pool.InitParameters prm.SetKey(&key.PrivateKey) prm.SetNodeDialTimeout(5 * time.Second) prm.AddNode(pool.NewNodeParam(1, "s01.frostfs.devenv:8080", 1)) clientPool, err := pool.NewPool(prm) require.NoError(t, err) err = clientPool.Dial(ctx) require.NoError(t, err) var pp netmap.PlacementPolicy err = pp.DecodeString("REP 1") require.NoError(t, err) var cnr container.Container cnr.Init() cnr.SetOwner(owner) cnr.SetBasicACL(acl.PublicRWExtended) cnr.SetPlacementPolicy(pp) var cnrPut pool.PrmContainerPut cnrPut.WithinSession(*tokPut) cnrPut.SetContainer(cnr) cnrID, err := clientPool.PutContainer(ctx, cnrPut) require.NoError(t, err) fmt.Println(cnrID) var cnrDelete pool.PrmContainerDelete cnrDelete.SetContainerID(cnrID) err = clientPool.DeleteContainer(ctx, cnrDelete) require.NoError(t, err) } ``` Test starts pass if we user the following token for deleting: ```golang tokDelete := new(session.Container) tokDelete.ForVerb(session.VerbContainerDelete) tokDelete.SetID(uuid.New()) tokDelete.SetAuthKey((*frostfsecdsa.PublicKey)(&key.PrivateKey.PublicKey)) tokDelete.SetExp(math.MaxUint64) err = tokDelete.Sign(key.PrivateKey) require.NoError(t, err) var cnrDelete pool.PrmContainerDelete cnrDelete.SetContainerID(cnrID) cnrDelete.SetSessionToken(*tokDelete) ``` In `ir` logs: ``` 2023-05-02T13:48:34.297Z info container/handlers.go:33 notification {"type": "container delete", "id": "AubMnKTgMdDik9YoKMaBJgESPTnHx343kWfqgB6KxiTv"} 2023-05-02T13:48:34.298Z error container/process_container.go:131 delete container check failed {"error": "auth container removal: receive owner keys NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM: could not perform test invocation (key): frostfs error: chain/client: contract execution finished with state FAULT; exception: at instruction 57 (SYSCALL): System.Contract.Call failed: called contract 1943e9bb78a0fe2fe0c95fd2677eec2da6aa4aa5 not found: key not found"} ``` ## Context This happened when we create bucket/container using `s3-gw` and try to remove using `frostfs-cli` ## Your Environment * Version used: 0.34.0-579-g235fe84e * Server setup and configuration: devenv * Operating System and version (`uname -a`): Linux dkirillov 6.0.12-x64v1-xanmod1 # 0~20221208.ff9eceb SMP PREEMPT_DYNAMIC Thu Dec 8 22:12:49 UTC 2 x86_64 GNU/Linux

dkirillov added the

triage

label 2023-05-02 13:58:53 +00:00

fyrchik added the

frostfs-node

label 2023-05-02 14:39:11 +00:00

fyrchik commented

2023-05-02 17:30:46 +00:00

Owner

The exception tells us that some contract is called by invalid hash. We may first check that frostfs-adm correctly sets hashes of all contracts and provides validate their parameters.

dkirillov commented

2023-05-03 06:11:05 +00:00

Poster

Using more old version of node (somewhere here) gives us the following ir error:

May 02 09:12:36 glagoli neofs-ir[22563]: 2023-05-02T09:12:36.971Z        info        container/handlers.go:32        notification        {"type": "container delete", "id": "5nfBhCAD6PgJGA4iUP6LhJ7QziSBLqSw9XkuF7DGhR9m"}
May 02 09:12:36 glagoli neofs-ir[22563]: 2023-05-02T09:12:36.975Z        error        container/process_container.go:138        delete container check failed        {"error": "auth container removal: signature is invalid or calculated with the key not bound to the container owner"}

Using more old version of node (somewhere [here](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/branch/support/v0.34)) gives us the following ir error: ``` May 02 09:12:36 glagoli neofs-ir[22563]: 2023-05-02T09:12:36.971Z info container/handlers.go:32 notification {"type": "container delete", "id": "5nfBhCAD6PgJGA4iUP6LhJ7QziSBLqSw9XkuF7DGhR9m"} May 02 09:12:36 glagoli neofs-ir[22563]: 2023-05-02T09:12:36.975Z error container/process_container.go:138 delete container check failed {"error": "auth container removal: signature is invalid or calculated with the key not bound to the container owner"} ```

acid-ant was assigned by fyrchik

2023-05-03 13:14:48 +00:00

snegurochka added the

bug

label 2023-05-03 17:14:39 +00:00

acid-ant referenced this issue from TrueCloudLab/frostfs-dev-env

2023-05-04 14:44:26 +00:00

[#24] Update frostfsid id #25

acid-ant commented

2023-05-04 14:47:21 +00:00

Collaborator

Initial error was about config in dev-env. Will be fixed by TrueCloudLab/frostfs-dev-env#25
Continue working on bellow error from ir log:

2023-05-04T14:08:18.924Z        error   container/process_container.go:131      delete container check failed   {"error": "auth container removal: signature is invalid or ca
lculated with the key not bound to the container owner"}

Initial error was about config in dev-env. Will be fixed by https://git.frostfs.info/TrueCloudLab/frostfs-dev-env/pulls/25 Continue working on bellow error from `ir` log: ``` 2023-05-04T14:08:18.924Z error container/process_container.go:131 delete container check failed {"error": "auth container removal: signature is invalid or ca lculated with the key not bound to the container owner"} ```

fyrchik added this to the v0.38.0 milestone 2023-05-18 08:31:33 +00:00

acid-ant commented

2023-05-24 08:21:30 +00:00

Collaborator

Need to do the same thing in contract as implemented for put.

acid-ant referenced this issue from TrueCloudLab/frostfs-contract

2023-06-01 08:34:00 +00:00

Add public key as argument for `container_contract.Delete()` method #27

acid-ant referenced a pull request that will close this issue

2023-06-01 09:00:54 +00:00

ir: Use public key when validate container deletion #415

fyrchik referenced this issue from a commit