cli: Improve the work with local overrides dispatched to a node #846

New issue

Closed

opened 2023-12-06 13:22:39 +00:00 by aarifullin · 1 comment

aarifullin commented 2023-12-06 13:22:39 +00:00

Member

Copy link

The current implementation of commands that manage local overrides is very limited: it works only for objects in containers.

The current usage

frostfs-cli add-rule ... --cid LxGyWyL... --rule 'deny Object.Put *'

means that we set a chain for all objects within the container.

The usage of these commands should be reconsidered:

• add-rule
• get-rule
• remove-rule
• list-rules

1. We need to set a chain not only for a container (--cid <cid>) but also for namespaces. We can introduce --namespace flag.
2. We need to figure out do we need to set such resources with frostfs-cli
3. The parser is not flexible: we are able to set chains either for all containers in root namespace or for a container (deny Object.Put *). We are not able to set local override for an object/objects; for containers in non-root namespace etc.
4. However the current implementation works fine for a container, a such convertation is incorrect for a container (correct only for namespaces): we need to return nativeschema.ResourceFormatRootContainerObjects
5. We need to check if a container does really exist before setting local override for it

The issue can be solved after control-api will be changed in the PR #842

The [current](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/add_rule.go#L41) implementation of commands that manage local overrides is very limited: it works only for objects in containers. The current usage ```bash frostfs-cli add-rule ... --cid LxGyWyL... --rule 'deny Object.Put *' ``` means that we set a chain for all objects within the container. The usage of these commands should be reconsidered: - [add-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/add_rule.go#L41) - [get-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/get_rule.go) - [remove-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/remove_rule.go) - [list-rules](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/list_rules.go) 1. We need to set a chain not only for a container (`--cid <cid>`) but also for namespaces. We can introduce `--namespace` flag. 2. We need to figure out do we need to set such [resources](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5db67021e10ff1baa0e1f0b0625f782c22a16166/schema/native/consts.go#L12-L14) with `frostfs-cli` 3. The parser is not [flexible](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/util/ape.go#L125-L130): we are able to set chains either for all containers in root namespace or for a container (`deny Object.Put *`). We are **not** able to set local override for an object/objects; for containers in non-root namespace etc. 4. However the current implementation works fine for a container, a such [convertation](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/util/ape.go#L127) is incorrect for a container (correct only for namespaces): we need to return [nativeschema.ResourceFormatRootContainerObjects](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5db67021e10ff1baa0e1f0b0625f782c22a16166/schema/native/consts.go#L17) 5. We need to check if a container does really exist before setting local override for it The issue can be solved after `control-api` will be changed in the PR https://git.frostfs.info/TrueCloudLab/frostfs-node/pulls/842

aarifullin added the

frostfs-cli

label 2023-12-06 13:22:39 +00:00

fyrchik added this to the v0.38.0 milestone 2023-12-22 07:23:12 +00:00

acid-ant self-assigned this 2024-01-19 14:44:10 +00:00

acid-ant referenced this issue 2024-01-22 10:44:12 +00:00

cli: Add support for container in local rules #921

acid-ant commented 2024-01-29 11:21:44 +00:00

Member

Copy link

Implemented in scope of #921. Validation will be added in scope of #937.

Implemented in scope of #921. Validation will be added in scope of #937.

acid-ant closed this issue 2024-01-29 11:21:45 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.42

support/v0.38

support/v0.37

support/v0.36

support/v0.34

support/v0.30

support/v0.27

v0.44.0-rc.13

v0.44.0-rc.12

v0.44.0-rc.11

v0.42.16

v0.44.0-rc.10

v0.44.0-rc.9

v0.44.0-rc.8

v0.44.0-rc.7

v0.44.0-rc.6

v0.44.0-rc.5

v0.44.0-rc.4

v0.44.0-rc.3

v0.44.0-rc.2

v0.44.0-rc.1

v0.43.2

v0.43.1

v0.43.0

v0.42.15

v0.42.14

v0.42.13

v0.42.12

v0.42.11

v0.42.10

v0.42.9

v0.42.8

v0.42.7

v0.42.6

v0.42.5

v0.42.4

v0.42.3

v0.42.2

v0.42.1

v0.42.0

v0.42.0-rc.9

v0.42.0-rc.8

v0.42.0-rc.7

v0.38.9

v0.42.0-rc.6

v0.42.0-rc.5

v0.42.0-rc.4

v0.42.0-rc.3

v0.42.0-rc.2

v0.42.0-rc.1

v0.38.8

v0.41.0

v0.38.7

v0.40.0

v0.39.0

v0.38.6

v0.38.5

v0.38.4

v0.38.3

v0.38.2

v0.38.1

v0.38.0

v0.38.0-rc.2

v0.38.0-rc.1

v0.37.0

v0.37.0-rc.1

v0.36.0

v0.34.0

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

badger

Badger DB related issues

  

frostfs-adm

  

frostfs-cli

  

frostfs-ir

  

frostfs-lens

  

frostfs-node

  

good first issue

Good for newcomers

  

triage

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

badger

frostfs-adm

frostfs-cli

frostfs-ir

frostfs-lens

frostfs-node

good first issue

triage

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

v0.38.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

acid-ant

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#846

No description provided.