cli: Improve the work with local overrides dispatched to a node #846

New Issue

Closed

opened 2023-12-06 13:22:39 +00:00 by aarifullin · 1 comment

aarifullin commented

2023-12-06 13:22:39 +00:00

Collaborator

The current implementation of commands that manage local overrides is very limited: it works only for objects in containers.

The current usage

frostfs-cli add-rule ... --cid LxGyWyL... --rule 'deny Object.Put *'

means that we set a chain for all objects within the container.

The usage of these commands should be reconsidered:

We need to set a chain not only for a container (--cid <cid>) but also for namespaces. We can introduce --namespace flag.
We need to figure out do we need to set such resources with frostfs-cli
The parser is not flexible: we are able to set chains either for all containers in root namespace or for a container (deny Object.Put *). We are not able to set local override for an object/objects; for containers in non-root namespace etc.
However the current implementation works fine for a container, a such convertation is incorrect for a container (correct only for namespaces): we need to return nativeschema.ResourceFormatRootContainerObjects
We need to check if a container does really exist before setting local override for it

The issue can be solved after control-api will be changed in the PR #842

The [current](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/add_rule.go#L41) implementation of commands that manage local overrides is very limited: it works only for objects in containers. The current usage ```bash frostfs-cli add-rule ... --cid LxGyWyL... --rule 'deny Object.Put *' ``` means that we set a chain for all objects within the container. The usage of these commands should be reconsidered: - [add-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/add_rule.go#L41) - [get-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/get_rule.go) - [remove-rule](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/remove_rule.go) - [list-rules](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/control/list_rules.go) 1. We need to set a chain not only for a container (`--cid <cid>`) but also for namespaces. We can introduce `--namespace` flag. 2. We need to figure out do we need to set such [resources](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5db67021e10ff1baa0e1f0b0625f782c22a16166/schema/native/consts.go#L12-L14) with `frostfs-cli` 3. The parser is not [flexible](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/util/ape.go#L125-L130): we are able to set chains either for all containers in root namespace or for a container (`deny Object.Put *`). We are **not** able to set local override for an object/objects; for containers in non-root namespace etc. 4. However the current implementation works fine for a container, a such [convertation](https://git.frostfs.info/TrueCloudLab/frostfs-node/src/commit/a982c3df18194f6cad2d5289194afaf364ece262/cmd/frostfs-cli/modules/util/ape.go#L127) is incorrect for a container (correct only for namespaces): we need to return [nativeschema.ResourceFormatRootContainerObjects](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5db67021e10ff1baa0e1f0b0625f782c22a16166/schema/native/consts.go#L17) 5. We need to check if a container does really exist before setting local override for it The issue can be solved after `control-api` will be changed in the PR https://git.frostfs.info/TrueCloudLab/frostfs-node/pulls/842