TrueCloudLab
/
frostfs-node
19
1
Fork 20
Code Issues 93 Pull Requests 9 Actions Releases Activity

Use access policy engine to permit PUT request #770

Merged
fyrchik merged 4 commits from aarifullin/frostfs-node:feature/ape_rules_impl into master 2023-11-08 13:34:05 +00:00
Conversation 2 Commits 4 Files Changed 25
aarifullin commented 2023-10-31 10:54:57 +00:00
Collaborator
  • Implement new gRPC methods for control service to dispatch local overrides to a node
  • Implement frostfs-cli commands to manipulate local overrides
  • Add APE (access-policy-engine) checkers for object service to permit PUT request
* Implement new gRPC methods for control service to dispatch local overrides to a node * Implement frostfs-cli commands to manipulate local overrides * Add APE (access-policy-engine) checkers for object service to permit PUT request
aarifullin added the
enhancement
frostfs-cli
frostfs-node
 labels 2023-10-31 10:54:57 +00:00
aarifullin requested review from storage-core-committers 2023-10-31 10:55:07 +00:00
aarifullin requested review from storage-core-developers 2023-10-31 10:55:08 +00:00
aarifullin force-pushed feature/ape_rules_impl from e67a493560 to 8247382a21 2023-10-31 14:12:04 +00:00 Compare
dstepanov-yadro reviewed 2023-10-31 15:37:24 +00:00
cmd/frostfs-cli/modules/util/ape.go Outdated
@ -0,0 +26,4 @@
return nil
}
func ParseAPERule(r *policyengine.Rule, rule string) error {
dstepanov-yadro commented 2023-10-31 15:37:24 +00:00
Collaborator

Please add some rule examples. I suppose that simple json will be easier.

Also, as I understand it, it turns out that there are two policy serilizers: one for the cli, the second for json. So having only one (json) will be simpler to maintain.

Please add some `rule` examples. I suppose that simple `json` will be easier. Also, as I understand it, it turns out that there are two policy serilizers: one for the `cli`, the second for `json`. So having only one (`json`) will be simpler to maintain.
aarifullin commented 2023-11-01 08:31:26 +00:00
Poster
Collaborator

You have probably misunderstood the point - IAM JSON format rules are not processed in cli.

The statements are passed to ParseAPERule are similiar with the format passed to ParseEACLRules like

allow Object.Put *
deny Object.Put *
deny:QuotaLimitReached Object.Put *

etc.

I will writre a unit-test for parsing and that will be clearer

You have probably misunderstood the point - IAM JSON format rules are not processed in cli. The statements are passed to `ParseAPERule` are similiar with the format passed to `ParseEACLRules` like `allow Object.Put *` `deny Object.Put *` `deny:QuotaLimitReached Object.Put *` etc. I will writre a unit-test for parsing and that will be clearer
👍 1
dstepanov-yadro marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 8247382a21 to bc8a21a949 2023-10-31 15:38:12 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from bc8a21a949 to a4a8bc1dbe 2023-10-31 15:48:11 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from a4a8bc1dbe to 4fbce91ce0 2023-10-31 16:02:33 +00:00 Compare
dstepanov-yadro reviewed 2023-10-31 16:33:26 +00:00
cmd/frostfs-node/policy_engine.go Outdated
@ -0,0 +7,4 @@
)
type apeChainSourceImpl struct {
localChainStorage map[cid.ID]policyengine.CachedChainStorage
dstepanov-yadro commented 2023-10-31 16:33:26 +00:00
Collaborator

Also mutex is required.

Also mutex is required.
aarifullin commented 2023-10-31 16:51:28 +00:00
Poster
Collaborator

You are right. I've added. But this mutex will be used agressively for a while (Lock, Unlock) because if there is no source it is created for a container

You are right. I've added. But this mutex will be used agressively for a while (`Lock`, `Unlock`) because if there is no source it is created for a container
dstepanov-yadro reviewed 2023-10-31 16:37:30 +00:00
pkg/services/control/types.proto Outdated
@ -172,0 +184,4 @@
// Access denied.
ACCESS_DENIED = 2;
// Quita limit reached.
dstepanov-yadro commented 2023-10-31 16:37:30 +00:00
Collaborator

In my opinion, there is no sense from such comments. Maybe drop it?

In my opinion, there is no sense from such comments. Maybe drop it?
aarifullin commented 2023-10-31 16:50:31 +00:00
Poster
Collaborator

I agree! This has been with principle "everyone writes and I write too" :) but I also do not find any profit of these comments

I agree! This has been with principle "everyone writes and I write too" :) but I also do not find any profit of these comments
aarifullin commented 2023-10-31 17:00:09 +00:00
Poster
Collaborator

Removed obvious comments

Removed obvious comments
dstepanov-yadro marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 4fbce91ce0 to a37ae27d4d 2023-10-31 16:48:47 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from a37ae27d4d to 13bd2dd692 2023-10-31 16:59:58 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 13bd2dd692 to 5d493bc52e 2023-11-01 10:33:13 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 5d493bc52e to 9807a291f9 2023-11-01 10:38:39 +00:00 Compare
fyrchik reviewed 2023-11-01 11:14:10 +00:00
pkg/services/control/types.proto Outdated
@ -171,1 +171,4 @@
}
// Access policy enigne rule chain.
message Chain {
fyrchik commented 2023-11-01 11:14:10 +00:00
Owner

Statuses are defined in the policy engine library, I think having raw byte slice in chain is OK, at least for now.

Statuses are _defined_ in the policy engine library, I think having raw byte slice in chain is OK, at least for now.
aarifullin commented 2023-11-01 15:03:41 +00:00
Poster
Collaborator

Alright. I've made proto fill serialized chain instead Chain protobuf

Alright. I've made proto fill serialized chain instead `Chain` protobuf
fyrchik marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 9807a291f9 to e39a542d46 2023-11-01 13:38:24 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from e39a542d46 to 28777fed0b 2023-11-01 14:15:06 +00:00 Compare
dstepanov-yadro approved these changes 2023-11-03 13:18:27 +00:00
fyrchik approved these changes 2023-11-06 06:49:08 +00:00
fyrchik commented 2023-11-07 07:14:09 +00:00
Owner

Please, also fix XX in the commit messages.

Please, also fix `XX` in the commit messages.
aarifullin force-pushed feature/ape_rules_impl from 28777fed0b to 4ab978ac0c 2023-11-07 11:15:45 +00:00 Compare
aarifullin requested review from dstepanov-yadro 2023-11-07 11:15:50 +00:00
aarifullin requested review from fyrchik 2023-11-07 11:15:50 +00:00
aarifullin commented 2023-11-07 11:55:06 +00:00
Poster
Collaborator

Please, also fix XX in the commit messages.

Fixed

> Please, also fix `XX` in the commit messages. Fixed
acid-ant approved these changes 2023-11-07 12:39:39 +00:00
cmd/frostfs-cli/modules/util/ape.go Outdated
@ -0,0 +137,4 @@
ObjectActor: policyengine.ObjectActor,
}
func parseConitions(lexemes []string) ([]policyengine.Condition, error) {
acid-ant commented 2023-11-07 12:20:02 +00:00
Collaborator

parseConitions -> parseConditions

parseConitions -> parseConditions
👍 1
dstepanov-yadro approved these changes 2023-11-07 13:16:09 +00:00
aarifullin force-pushed feature/ape_rules_impl from 4ab978ac0c to 11e80dce61 2023-11-07 19:03:16 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 11e80dce61 to 205cd4628f 2023-11-07 19:28:58 +00:00 Compare
aarifullin requested review from acid-ant 2023-11-07 19:31:22 +00:00
aarifullin requested review from dstepanov-yadro 2023-11-07 19:31:23 +00:00
acid-ant approved these changes 2023-11-08 06:35:10 +00:00
aarifullin force-pushed feature/ape_rules_impl from 205cd4628f to 624f9deb87 2023-11-08 12:37:24 +00:00 Compare
aarifullin requested review from acid-ant 2023-11-08 13:03:37 +00:00
fyrchik merged commit 66848d3288 into master 2023-11-08 13:34:05 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
fyrchik
dstepanov-yadro
acid-ant
TrueCloudLab/storage-core-developers
Labels
Clear labels   
P0

Highest   
P1

High   
P2

Medium   
P3

Low   
badger

Badger DB related issues   
frostfs-adm
   
frostfs-cli
   
frostfs-ir
   
frostfs-lens
   
frostfs-node
   
good first issue

Good for newcomers   
triage
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff   
blocked

The issue or PR is blocked by something   
bug

Something is not working   
config

Configuration format update or breaking change   
discussion

Talking about something in order to reach a decision or to exchange ideas   
documentation

Documentation related   
duplicate

This issue or pull request already exists   
enhancement

New feature   
go

Language features adoption   
help wanted

Extra attention is needed   
internal
   
invalid

Something is wrong   
kludge

This is a kludge and we know it   
observability

Related to metrics, tracing and logs   
perfomance

Perfomance related   
question

More information is needed   
refactoring

Refactoring   
wontfix

This won't be fixed
No Label
P0
P1
P2
P3
badger
frostfs-adm
frostfs-cli
frostfs-ir
frostfs-lens
frostfs-node
good first issue
triage
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
4 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#770
There is no content yet.
Delete Branch "aarifullin/frostfs-node:feature/ape_rules_impl"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?