object: Skip APE check for certain request roles #1039
1 changed files with 16 additions and 0 deletions
|
@ -10,6 +10,7 @@ import (
|
|||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
||||
)
|
||||
|
||||
type checkerImpl struct {
|
||||
|
@ -56,6 +57,21 @@ var errMissingOID = errors.New("object ID is not set")
|
|||
// CheckAPE checks if a request or a response is permitted creating an ape request and passing
|
||||
// it to chain router.
|
||||
func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
|
||||
// APE check is ignored for some inter-node requests.
|
||||
if prm.Role == nativeschema.PropertyValueContainerRoleContainer {
|
||||
return nil
|
||||
} else if prm.Role == nativeschema.PropertyValueContainerRoleIR {
|
||||
switch prm.Method {
|
||||
fyrchik marked this conversation as resolved
Outdated
|
||||
case nativeschema.MethodGetObject,
|
||||
nativeschema.MethodHeadObject,
|
||||
nativeschema.MethodSearchObject,
|
||||
nativeschema.MethodRangeObject,
|
||||
nativeschema.MethodHashObject:
|
||||
return nil
|
||||
fyrchik marked this conversation as resolved
Outdated
fyrchik
commented
I would rather make I would rather make `return nil` on explicit enumeration of read methods: this way we won't accidentally allow writing something when new method is added.
aarifullin
commented
Sure. Fixed Sure. Fixed
|
||||
default:
|
||||
}
|
||||
}
|
||||
|
||||
r, err := c.newAPERequest(ctx, prm)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create ape request: %w", err)
|
||||
|
|
Loading…
Reference in a new issue
Can we do this check before
newAPERequest
call? It seems we do not use the result.Moved this checks at the top. Also, I replaced checking
prm.Role
by if-else statements insteadswitch