Delete operation not allowed with Bearer token and eACL with deny all operations (complex object) #700

New issue

Open

opened 2023-09-20 13:40:50 +00:00 by anikeev-yadro · 1 comment

anikeev-yadro commented 2023-09-20 13:40:50 +00:00

Member

Copy link

May be related to #687

Autotest

testsuites.acl.test_bearer.TestACLBearer#test_bearer_token_compound_operations
testsuites.acl.test_bearer.TestACLBearer#test_bearer_token_operations

Expected Behavior

Delete operation should be allowed with Bearer token (complex object).

Current Behavior

Delete operation not allowed with Bearer token (complex object).

Steps to Reproduce (for bugs)

1. Create container
2. PUT object
3. Set deny all operations for others via eACL
4. Create bearer token for others with all operations allowed
5. Check others with token has access to all operations with container. Cannot delete object from container:

COMMAND: frostfs-cli --config /jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/wallet_config.yml object delete --rpc-endpoint '172.26.161.185:8080' --wallet '/jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/TemporaryDir/1de0d0f7-527b-4575-8313-d7d4a4b1468f.json' --cid 'J1DuMViuG8hAWEeKS64DgXPfxk8bWbn7ZNqVgkpkcfK1' --oid '9Yy434brzL8s6Bv5FbFCV4s8f3h3NrTTURzexcNbMV56' --bearer '/jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/TemporaryDir/75280e62-91f9-4057-b309-738a1728b091'
RETCODE: 2

STDOUT:
failed to search objects by split ID: read object list: status: code = 2048 message = access to object operation denied: access to operation OBJECT_SEARCH is denied by extended ACL check: denied by rule

STDERR:

Start / End / Elapsed	 00:09:04.818412 / 00:09:05.183623 / 0:00:00.365211

Regression

Yes

Version

0.37.0-rc.1-2-g368774be

Your Environment

Cloud

May be related to #687 ## Autotest testsuites.acl.test_bearer.TestACLBearer#test_bearer_token_compound_operations testsuites.acl.test_bearer.TestACLBearer#test_bearer_token_operations ## Expected Behavior Delete operation should be allowed with Bearer token (complex object). ## Current Behavior Delete operation not allowed with Bearer token (complex object). ## Steps to Reproduce (for bugs) 1. Create container 2. PUT object 3. Set deny all operations for others via eACL 4. Create bearer token for others with all operations allowed 5. Check others with token has access to all operations with container. Cannot delete object from container: ``` COMMAND: frostfs-cli --config /jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/wallet_config.yml object delete --rpc-endpoint '172.26.161.185:8080' --wallet '/jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/TemporaryDir/1de0d0f7-527b-4575-8313-d7d4a4b1468f.json' --cid 'J1DuMViuG8hAWEeKS64DgXPfxk8bWbn7ZNqVgkpkcfK1' --oid '9Yy434brzL8s6Bv5FbFCV4s8f3h3NrTTURzexcNbMV56' --bearer '/jenkins/workspace/sbercloud_functional_tests_nightly/tmp.ymWkhkOMZZ/frostfs-testcases/TemporaryDir/75280e62-91f9-4057-b309-738a1728b091' RETCODE: 2 STDOUT: failed to search objects by split ID: read object list: status: code = 2048 message = access to object operation denied: access to operation OBJECT_SEARCH is denied by extended ACL check: denied by rule STDERR: Start / End / Elapsed 00:09:04.818412 / 00:09:05.183623 / 0:00:00.365211 ``` ## Regression Yes ## Version ``` 0.37.0-rc.1-2-g368774be ``` ## Your Environment Cloud

anikeev-yadro added the

bug

triage

labels 2023-09-20 13:40:50 +00:00

dstepanov-yadro self-assigned this 2023-09-21 07:54:59 +00:00

dstepanov-yadro removed their assignment 2023-09-21 14:08:25 +00:00

dstepanov-yadro commented 2023-09-21 14:10:06 +00:00

Member

Copy link

How to reproduce:

In the cmd/frostfs-cli/module/object/util file.go comment out the lines:

splitInfo:= arr split.Split Into() 

//if members, ok := tryGetSplitMembersByLinkingObject(cmd, splitInfo, prmHead, cnr); ok { 
// return members 
//} 

if members, ok:=tryGetSplitMembersBySplitID(cmd, splitInfo, cli, clr); ok { return members } 

returntryRestoreChainInReverse(cmd, splitInfo, prmHead, cli, cnr, obj)

Run tests again dev-env
The bug is that the tryGetSplitMembersBySplitID method does Search, and the bearer token is not used.

How to reproduce: In the `cmd/frostfs-cli/module/object/util file.go` comment out the lines: ``` splitInfo:= arr split.Split Into() //if members, ok := tryGetSplitMembersByLinkingObject(cmd, splitInfo, prmHead, cnr); ok { // return members //} if members, ok:=tryGetSplitMembersBySplitID(cmd, splitInfo, cli, clr); ok { return members } returntryRestoreChainInReverse(cmd, splitInfo, prmHead, cli, cnr, obj) ``` Run tests again dev-env The bug is that the tryGetSplitMembersBySplitID method does Search, and the bearer token is not used.

fyrchik added this to the v0.38.0 milestone 2023-10-02 10:43:12 +00:00

fyrchik added

frostfs-node

and removed

triage

labels 2023-10-02 10:43:41 +00:00

fyrchik modified the milestone from v0.38.0 to v0.39.0 2024-03-29 12:28:24 +00:00

fyrchik modified the milestone from v0.39.0 to v0.38.0 2024-03-29 12:28:30 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.13

v0.44.0-rc.12

v0.44.0-rc.11

v0.42.16

v0.44.0-rc.10

v0.44.0-rc.9

v0.44.0-rc.8

v0.44.0-rc.7

v0.44.0-rc.6

v0.44.0-rc.5

v0.44.0-rc.4

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

v0.38.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#700

No description provided.