diff --git a/go.mod b/go.mod index 3cbcfa6ee..374bc6ad8 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b git.frostfs.info/TrueCloudLab/hrw v1.2.1 - git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec + git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a git.frostfs.info/TrueCloudLab/tzhash v1.8.0 git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02 github.com/cheggaaa/pb v1.0.29 diff --git a/go.sum b/go.sum index 0976e4076..489f70eca 100644 --- a/go.sum +++ b/go.sum @@ -12,8 +12,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b/go.mod h1:XcgrbZ88XfvhAMxmZCQJ0dv6FyRSq6Mg2J7nN8uuO0k= git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc= git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM= -git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec h1:OG8tBs5CN2HKp10sAWdtiFaX8qSGFyLGWfQmf4FQ6bE= -git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240410114823-1f190e1668ec/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a h1:wbndKvHbwDQiSMQWL75RxiTZCeUyCi7NUj1lsfdAGkc= +git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240412130734-0e69e485115a/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA= git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc= git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA= diff --git a/pkg/services/container/ape.go b/pkg/services/container/ape.go index 7622a40bc..02549bded 100644 --- a/pkg/services/container/ape.go +++ b/pkg/services/container/ape.go @@ -157,9 +157,12 @@ func (ac *apeChecker) List(ctx context.Context, req *container.ListRequest) (*co reqProps, ) - s, found, err := ac.router.IsAllowed(apechain.Ingress, - policyengine.NewRequestTargetWithNamespace(namespace), - request) + rt := policyengine.NewRequestTargetWithNamespace(namespace) + rt.User = &policyengine.Target{ + Type: policyengine.User, + Name: fmt.Sprintf("%s:%s", namespace, pk.Address()), + } + s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request) if err != nil { return nil, err } @@ -202,9 +205,12 @@ func (ac *apeChecker) Put(ctx context.Context, req *container.PutRequest) (*cont reqProps, ) - s, found, err := ac.router.IsAllowed(apechain.Ingress, - policyengine.NewRequestTargetWithNamespace(namespace), - request) + rt := policyengine.NewRequestTargetWithNamespace(namespace) + rt.User = &policyengine.Target{ + Type: policyengine.User, + Name: fmt.Sprintf("%s:%s", namespace, pk.Address()), + } + s, found, err := ac.router.IsAllowed(apechain.Ingress, rt, request) if err != nil { return nil, err } @@ -277,7 +283,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai return err } - reqProps, err := ac.getRequestProps(mh, vh, cont, id) + reqProps, pk, err := ac.getRequestProps(mh, vh, cont, id) if err != nil { return err } @@ -298,7 +304,7 @@ func (ac *apeChecker) validateContainerBoundedOperation(containerID *refs.Contai ) s, found, err := ac.router.IsAllowed(apechain.Ingress, - policyengine.NewRequestTarget(namespace, id.EncodeToString()), + policyengine.NewRequestTargetExtended(namespace, id.EncodeToString(), fmt.Sprintf("%s:%s", namespace, pk.Address()), nil), request) if err != nil { return err @@ -350,19 +356,19 @@ func (ac *apeChecker) getContainerProps(c *containercore.Container) map[string]s func (ac *apeChecker) getRequestProps(mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader, cont *containercore.Container, cnrID cid.ID, -) (map[string]string, error) { +) (map[string]string, *keys.PublicKey, error) { actor, pk, err := ac.getActorAndPublicKey(mh, vh, cnrID) if err != nil { - return nil, err + return nil, nil, err } role, err := ac.getRole(actor, pk, cont, cnrID) if err != nil { - return nil, err + return nil, nil, err } return map[string]string{ nativeschema.PropertyKeyActorPublicKey: hex.EncodeToString(pk.Bytes()), nativeschema.PropertyKeyActorRole: role, - }, nil + }, pk, nil } func (ac *apeChecker) getRole(actor *user.ID, pk *keys.PublicKey, cont *containercore.Container, cnrID cid.ID) (string, error) { diff --git a/pkg/services/control/server/policy_engine.go b/pkg/services/control/server/policy_engine.go index 16b365b21..7ec3d58ac 100644 --- a/pkg/services/control/server/policy_engine.go +++ b/pkg/services/control/server/policy_engine.go @@ -19,6 +19,10 @@ func apeTarget(chainTarget *control.ChainTarget) (engine.Target, error) { return engine.ContainerTarget(chainTarget.GetName()), nil case control.ChainTarget_NAMESPACE: return engine.NamespaceTarget(chainTarget.GetName()), nil + case control.ChainTarget_USER: + return engine.UserTarget(chainTarget.GetName()), nil + case control.ChainTarget_GROUP: + return engine.GroupTarget(chainTarget.GetName()), nil default: } return engine.Target{}, status.Error(codes.InvalidArgument, @@ -42,6 +46,16 @@ func controlTarget(chainTarget *engine.Target) (control.ChainTarget, error) { Name: nm, Type: control.ChainTarget_NAMESPACE, }, nil + case engine.User: + return control.ChainTarget{ + Name: chainTarget.Name, + Type: control.ChainTarget_USER, + }, nil + case engine.Group: + return control.ChainTarget{ + Name: chainTarget.Name, + Type: control.ChainTarget_GROUP, + }, nil default: } return control.ChainTarget{}, status.Error(codes.InvalidArgument, diff --git a/pkg/services/control/service.pb.go b/pkg/services/control/service.pb.go index 345110bab..9c597beec 100644 --- a/pkg/services/control/service.pb.go +++ b/pkg/services/control/service.pb.go @@ -3188,7 +3188,8 @@ type FlushCacheRequest_Body struct { // ID of the shard. Shard_ID [][]byte `protobuf:"bytes,1,rep,name=shard_ID,json=shardID,proto3" json:"shard_ID,omitempty"` - // If true, then writecache will be left in read-only mode after flush completed. + // If true, then writecache will be left in read-only mode after flush + // completed. Seal bool `protobuf:"varint,2,opt,name=seal,proto3" json:"seal,omitempty"` } @@ -3525,7 +3526,8 @@ type GetShardEvacuationStatusResponse_Body struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Total objects to evacuate count. The value is approximate, so evacuated + failed + skipped == total is not guaranteed after completion. + // Total objects to evacuate count. The value is approximate, so evacuated + + // failed + skipped == total is not guaranteed after completion. TotalObjects uint64 `protobuf:"varint,1,opt,name=total_objects,json=totalObjects,proto3" json:"total_objects,omitempty"` // Evacuated objects count. EvacuatedObjects uint64 `protobuf:"varint,2,opt,name=evacuated_objects,json=evacuatedObjects,proto3" json:"evacuated_objects,omitempty"` diff --git a/pkg/services/control/service.proto b/pkg/services/control/service.proto index 04ea62e0e..94032b346 100644 --- a/pkg/services/control/service.proto +++ b/pkg/services/control/service.proto @@ -6,658 +6,656 @@ import "pkg/services/control/types.proto"; option go_package = "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"; -// `ControlService` provides an interface for internal work with the storage node. +// `ControlService` provides an interface for internal work with the storage +// node. service ControlService { - // Performs health check of the storage node. - rpc HealthCheck (HealthCheckRequest) returns (HealthCheckResponse); + // Performs health check of the storage node. + rpc HealthCheck(HealthCheckRequest) returns (HealthCheckResponse); - // Sets status of the storage node in FrostFS network map. - rpc SetNetmapStatus (SetNetmapStatusRequest) returns (SetNetmapStatusResponse); + // Sets status of the storage node in FrostFS network map. + rpc SetNetmapStatus(SetNetmapStatusRequest) returns (SetNetmapStatusResponse); - // Mark objects to be removed from node's local object storage. - rpc DropObjects (DropObjectsRequest) returns (DropObjectsResponse); + // Mark objects to be removed from node's local object storage. + rpc DropObjects(DropObjectsRequest) returns (DropObjectsResponse); - // Returns list that contains information about all shards of a node. - rpc ListShards (ListShardsRequest) returns (ListShardsResponse); + // Returns list that contains information about all shards of a node. + rpc ListShards(ListShardsRequest) returns (ListShardsResponse); - // Sets mode of the shard. - rpc SetShardMode (SetShardModeRequest) returns (SetShardModeResponse); + // Sets mode of the shard. + rpc SetShardMode(SetShardModeRequest) returns (SetShardModeResponse); - // Synchronizes all log operations for the specified tree. - rpc SynchronizeTree (SynchronizeTreeRequest) returns (SynchronizeTreeResponse); + // Synchronizes all log operations for the specified tree. + rpc SynchronizeTree(SynchronizeTreeRequest) returns (SynchronizeTreeResponse); - // EvacuateShard moves all data from one shard to the others. - // Deprecated: Use StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation - rpc EvacuateShard (EvacuateShardRequest) returns (EvacuateShardResponse); + // EvacuateShard moves all data from one shard to the others. + // Deprecated: Use + // StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation + rpc EvacuateShard(EvacuateShardRequest) returns (EvacuateShardResponse); - // StartShardEvacuation starts moving all data from one shard to the others. - rpc StartShardEvacuation (StartShardEvacuationRequest) returns (StartShardEvacuationResponse); + // StartShardEvacuation starts moving all data from one shard to the others. + rpc StartShardEvacuation(StartShardEvacuationRequest) + returns (StartShardEvacuationResponse); - // GetShardEvacuationStatus returns evacuation status. - rpc GetShardEvacuationStatus (GetShardEvacuationStatusRequest) returns (GetShardEvacuationStatusResponse); + // GetShardEvacuationStatus returns evacuation status. + rpc GetShardEvacuationStatus(GetShardEvacuationStatusRequest) + returns (GetShardEvacuationStatusResponse); - // ResetShardEvacuationStatus resets evacuation status if there is no running evacuation process. - rpc ResetShardEvacuationStatus (ResetShardEvacuationStatusRequest) returns (ResetShardEvacuationStatusResponse); + // ResetShardEvacuationStatus resets evacuation status if there is no running + // evacuation process. + rpc ResetShardEvacuationStatus(ResetShardEvacuationStatusRequest) + returns (ResetShardEvacuationStatusResponse); - // StopShardEvacuation stops moving all data from one shard to the others. - rpc StopShardEvacuation (StopShardEvacuationRequest) returns (StopShardEvacuationResponse); + // StopShardEvacuation stops moving all data from one shard to the others. + rpc StopShardEvacuation(StopShardEvacuationRequest) + returns (StopShardEvacuationResponse); - // FlushCache moves all data from one shard to the others. - rpc FlushCache (FlushCacheRequest) returns (FlushCacheResponse); + // FlushCache moves all data from one shard to the others. + rpc FlushCache(FlushCacheRequest) returns (FlushCacheResponse); - // Doctor performs storage restructuring operations on engine. - rpc Doctor (DoctorRequest) returns (DoctorResponse); + // Doctor performs storage restructuring operations on engine. + rpc Doctor(DoctorRequest) returns (DoctorResponse); - // Add local access policy engine overrides to a node. - rpc AddChainLocalOverride (AddChainLocalOverrideRequest) returns (AddChainLocalOverrideResponse); + // Add local access policy engine overrides to a node. + rpc AddChainLocalOverride(AddChainLocalOverrideRequest) + returns (AddChainLocalOverrideResponse); - // Get local access policy engine overrides stored in the node by chain id. - rpc GetChainLocalOverride (GetChainLocalOverrideRequest) returns (GetChainLocalOverrideResponse); + // Get local access policy engine overrides stored in the node by chain id. + rpc GetChainLocalOverride(GetChainLocalOverrideRequest) + returns (GetChainLocalOverrideResponse); - // List local access policy engine overrides stored in the node by container id. - rpc ListChainLocalOverrides (ListChainLocalOverridesRequest) returns (ListChainLocalOverridesResponse); + // List local access policy engine overrides stored in the node by container + // id. + rpc ListChainLocalOverrides(ListChainLocalOverridesRequest) + returns (ListChainLocalOverridesResponse); - // Remove local access policy engine overrides stored in the node by chaind id. - rpc RemoveChainLocalOverride (RemoveChainLocalOverrideRequest) returns (RemoveChainLocalOverrideResponse); + // Remove local access policy engine overrides stored in the node by chaind + // id. + rpc RemoveChainLocalOverride(RemoveChainLocalOverrideRequest) + returns (RemoveChainLocalOverrideResponse); - // Remove local access policy engine overrides stored in the node by chaind id. - rpc RemoveChainLocalOverridesByTarget (RemoveChainLocalOverridesByTargetRequest) returns (RemoveChainLocalOverridesByTargetResponse); + // Remove local access policy engine overrides stored in the node by chaind + // id. + rpc RemoveChainLocalOverridesByTarget( + RemoveChainLocalOverridesByTargetRequest) + returns (RemoveChainLocalOverridesByTargetResponse); - // List targets of the local APE overrides stored in the node. - rpc ListTargetsLocalOverrides (ListTargetsLocalOverridesRequest) returns (ListTargetsLocalOverridesResponse); + // List targets of the local APE overrides stored in the node. + rpc ListTargetsLocalOverrides(ListTargetsLocalOverridesRequest) + returns (ListTargetsLocalOverridesResponse); - // Flush objects from write-cache and move it to degraded read only mode. - rpc SealWriteCache(SealWriteCacheRequest) returns (SealWriteCacheResponse); + // Flush objects from write-cache and move it to degraded read only mode. + rpc SealWriteCache(SealWriteCacheRequest) returns (SealWriteCacheResponse); - // DetachShards detaches and closes shards. - rpc DetachShards(DetachShardsRequest) returns (DetachShardsResponse); + // DetachShards detaches and closes shards. + rpc DetachShards(DetachShardsRequest) returns (DetachShardsResponse); } // Health check request. message HealthCheckRequest { - // Health check request body. - message Body { - } + // Health check request body. + message Body {} - // Body of health check request message. - Body body = 1; + // Body of health check request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Health check request. message HealthCheckResponse { - // Health check response body - message Body { - // Status of the storage node in FrostFS network map. - NetmapStatus netmap_status = 1; + // Health check response body + message Body { + // Status of the storage node in FrostFS network map. + NetmapStatus netmap_status = 1; - // Health status of storage node application. - HealthStatus health_status = 2; - } + // Health status of storage node application. + HealthStatus health_status = 2; + } - // Body of health check response message. - Body body = 1; + // Body of health check response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Set netmap status request. message SetNetmapStatusRequest { - // Set netmap status request body. - message Body { - // New storage node status in FrostFS network map. - // If status is MAINTENANCE, the node checks whether maintenance is - // allowed in the network settings. In case of prohibition, the request - // is denied. Otherwise, node switches to local maintenance state. To - // force local maintenance, use `force_maintenance` flag. - NetmapStatus status = 1; + // Set netmap status request body. + message Body { + // New storage node status in FrostFS network map. + // If status is MAINTENANCE, the node checks whether maintenance is + // allowed in the network settings. In case of prohibition, the request + // is denied. Otherwise, node switches to local maintenance state. To + // force local maintenance, use `force_maintenance` flag. + NetmapStatus status = 1; - // MAINTENANCE status validation skip flag. If set, node starts local - // maintenance regardless of network settings. The flag MUST NOT be - // set for any other status. - bool force_maintenance = 2; - } + // MAINTENANCE status validation skip flag. If set, node starts local + // maintenance regardless of network settings. The flag MUST NOT be + // set for any other status. + bool force_maintenance = 2; + } - // Body of set netmap status request message. - Body body = 1; + // Body of set netmap status request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Set netmap status response. message SetNetmapStatusResponse { - // Set netmap status response body - message Body { - } + // Set netmap status response body + message Body {} - // Body of set netmap status response message. - Body body = 1; + // Body of set netmap status response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Request to drop the objects. message DropObjectsRequest { - // Request body structure. - message Body { - // List of object addresses to be removed. - // in FrostFS API binary format. - repeated bytes address_list = 1; - } + // Request body structure. + message Body { + // List of object addresses to be removed. + // in FrostFS API binary format. + repeated bytes address_list = 1; + } - // Body of the request message. - Body body = 1; + // Body of the request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Response to request to drop the objects. message DropObjectsResponse { - // Response body structure. - message Body { - } + // Response body structure. + message Body {} - // Body of the response message. - Body body = 1; + // Body of the response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Request to list all shards of the node. message ListShardsRequest { - // Request body structure. - message Body { - } + // Request body structure. + message Body {} - // Body of the request message. - Body body = 1; + // Body of the request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // ListShards response. message ListShardsResponse { - // Response body structure. - message Body { - // List of the node's shards. - repeated ShardInfo shards = 1; - } + // Response body structure. + message Body { + // List of the node's shards. + repeated ShardInfo shards = 1; + } - // Body of the response message. - Body body = 1; + // Body of the response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // Request to set mode of the shard. message SetShardModeRequest { - // Request body structure. - message Body { - // ID of the shard. - repeated bytes shard_ID = 1; + // Request body structure. + message Body { + // ID of the shard. + repeated bytes shard_ID = 1; - // Mode that requested to be set. - ShardMode mode = 2; + // Mode that requested to be set. + ShardMode mode = 2; - // Flag signifying whether error counter should be set to 0. - bool resetErrorCounter = 3; - } + // Flag signifying whether error counter should be set to 0. + bool resetErrorCounter = 3; + } - // Body of set shard mode request message. - Body body = 1; + // Body of set shard mode request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // SetShardMode response. message SetShardModeResponse { - // Response body structure. - message Body { - } + // Response body structure. + message Body {} - // Body of set shard mode response message. - Body body = 1; + // Body of set shard mode response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // SynchronizeTree request. message SynchronizeTreeRequest { - // Request body structure. - message Body { - bytes container_id = 1; - string tree_id = 2; - // Starting height for the synchronization. Can be omitted. - uint64 height = 3; - } + // Request body structure. + message Body { + bytes container_id = 1; + string tree_id = 2; + // Starting height for the synchronization. Can be omitted. + uint64 height = 3; + } - // Body of restore shard request message. - Body body = 1; + // Body of restore shard request message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } // SynchronizeTree response. message SynchronizeTreeResponse { - // Response body structure. - message Body { - } + // Response body structure. + message Body {} - // Body of restore shard response message. - Body body = 1; + // Body of restore shard response message. + Body body = 1; - // Body signature. - Signature signature = 2; + // Body signature. + Signature signature = 2; } - // EvacuateShard request. message EvacuateShardRequest { - // Request body structure. - message Body { - // ID of the shard. - repeated bytes shard_ID = 1; + // Request body structure. + message Body { + // ID of the shard. + repeated bytes shard_ID = 1; - // Flag indicating whether object read errors should be ignored. - bool ignore_errors = 2; - } + // Flag indicating whether object read errors should be ignored. + bool ignore_errors = 2; + } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // EvacuateShard response. message EvacuateShardResponse { - // Response body structure. - message Body { - uint32 count = 1; - } + // Response body structure. + message Body { uint32 count = 1; } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // FlushCache request. message FlushCacheRequest { - // Request body structure. - message Body { - // ID of the shard. - repeated bytes shard_ID = 1; - // If true, then writecache will be left in read-only mode after flush completed. - bool seal = 2; - } + // Request body structure. + message Body { + // ID of the shard. + repeated bytes shard_ID = 1; + // If true, then writecache will be left in read-only mode after flush + // completed. + bool seal = 2; + } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // FlushCache response. message FlushCacheResponse { - // Response body structure. - message Body { - } + // Response body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } - // Doctor request. message DoctorRequest { - // Request body structure. - message Body { - // Number of threads to use for the operation. - uint32 concurrency = 1; - // Flag to search engine for duplicate objects and leave only one copy. - bool remove_duplicates = 2; - } + // Request body structure. + message Body { + // Number of threads to use for the operation. + uint32 concurrency = 1; + // Flag to search engine for duplicate objects and leave only one copy. + bool remove_duplicates = 2; + } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // Doctor response. message DoctorResponse { - // Response body structure. - message Body { - } + // Response body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // StartShardEvacuation request. message StartShardEvacuationRequest { - // Request body structure. - message Body { - enum Scope { - NONE = 0; - OBJECTS = 1; - TREES = 2; - } - - // IDs of the shards. - repeated bytes shard_ID = 1; - // Flag indicating whether object read errors should be ignored. - bool ignore_errors = 2; - // Evacuation scope. - uint32 scope = 3; + // Request body structure. + message Body { + enum Scope { + NONE = 0; + OBJECTS = 1; + TREES = 2; } - Body body = 1; - Signature signature = 2; + // IDs of the shards. + repeated bytes shard_ID = 1; + // Flag indicating whether object read errors should be ignored. + bool ignore_errors = 2; + // Evacuation scope. + uint32 scope = 3; + } + + Body body = 1; + Signature signature = 2; } // StartShardEvacuation response. message StartShardEvacuationResponse { - // Response body structure. - message Body {} + // Response body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // GetShardEvacuationStatus request. message GetShardEvacuationStatusRequest { - // Request body structure. - message Body {} + // Request body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // GetShardEvacuationStatus response. message GetShardEvacuationStatusResponse { - // Response body structure. - message Body { - // Evacuate status enum. - enum Status { - EVACUATE_SHARD_STATUS_UNDEFINED = 0; - RUNNING = 1; - COMPLETED = 2; - } - - // Unix timestamp value. - message UnixTimestamp { - int64 value = 1; - } - - // Duration in seconds. - message Duration { - int64 seconds = 1; - } - - // Total objects to evacuate count. The value is approximate, so evacuated + failed + skipped == total is not guaranteed after completion. - uint64 total_objects = 1; - // Evacuated objects count. - uint64 evacuated_objects = 2; - // Failed objects count. - uint64 failed_objects = 3; - - // Shard IDs. - repeated bytes shard_ID = 4; - // Evacuation process status. - Status status = 5; - // Evacuation process duration. - Duration duration = 6; - // Evacuation process started at timestamp. - UnixTimestamp started_at = 7; - // Error message if evacuation failed. - string error_message = 8; - - // Skipped objects count. - uint64 skipped_objects = 9; - - // Total trees to evacuate count. - uint64 total_trees = 10; - // Evacuated trees count. - uint64 evacuated_trees = 11; - // Failed trees count. - uint64 failed_trees = 12; + // Response body structure. + message Body { + // Evacuate status enum. + enum Status { + EVACUATE_SHARD_STATUS_UNDEFINED = 0; + RUNNING = 1; + COMPLETED = 2; } - Body body = 1; - Signature signature = 2; + // Unix timestamp value. + message UnixTimestamp { int64 value = 1; } + + // Duration in seconds. + message Duration { int64 seconds = 1; } + + // Total objects to evacuate count. The value is approximate, so evacuated + + // failed + skipped == total is not guaranteed after completion. + uint64 total_objects = 1; + // Evacuated objects count. + uint64 evacuated_objects = 2; + // Failed objects count. + uint64 failed_objects = 3; + + // Shard IDs. + repeated bytes shard_ID = 4; + // Evacuation process status. + Status status = 5; + // Evacuation process duration. + Duration duration = 6; + // Evacuation process started at timestamp. + UnixTimestamp started_at = 7; + // Error message if evacuation failed. + string error_message = 8; + + // Skipped objects count. + uint64 skipped_objects = 9; + + // Total trees to evacuate count. + uint64 total_trees = 10; + // Evacuated trees count. + uint64 evacuated_trees = 11; + // Failed trees count. + uint64 failed_trees = 12; + } + + Body body = 1; + Signature signature = 2; } // ResetShardEvacuationStatus request. message ResetShardEvacuationStatusRequest { - message Body {} + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // ResetShardEvacuationStatus response. message ResetShardEvacuationStatusResponse { - message Body {} + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // StopShardEvacuation request. message StopShardEvacuationRequest { - // Request body structure. - message Body {} + // Request body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // StopShardEvacuation response. message StopShardEvacuationResponse { - // Response body structure. - message Body {} + // Response body structure. + message Body {} - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } // AddChainLocalOverride request. message AddChainLocalOverrideRequest { - message Body { - // Target for which the overrides are applied. - ChainTarget target = 1; + message Body { + // Target for which the overrides are applied. + ChainTarget target = 1; - // Serialized rule chain. If chain ID is left empty - // in the chain, then it will be generated and returned - // in the response. - bytes chain = 2; - } + // Serialized rule chain. If chain ID is left empty + // in the chain, then it will be generated and returned + // in the response. + bytes chain = 2; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // AddChainLocalOverride response. message AddChainLocalOverrideResponse { - message Body { - // Chain ID assigned for the added rule chain. - // If chain ID is left empty in the request, then - // it will be generated. - bytes chain_id = 1; - } + message Body { + // Chain ID assigned for the added rule chain. + // If chain ID is left empty in the request, then + // it will be generated. + bytes chain_id = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // GetChainLocalOverride request. message GetChainLocalOverrideRequest { - message Body { - // Target for which the overrides are applied. - ChainTarget target = 1; + message Body { + // Target for which the overrides are applied. + ChainTarget target = 1; - // Chain ID assigned for the added rule chain. - bytes chain_id = 2; - } + // Chain ID assigned for the added rule chain. + bytes chain_id = 2; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // GetChainLocalOverride response. message GetChainLocalOverrideResponse { - message Body { - // Serialized rule chain. - bytes chain = 1; - } + message Body { + // Serialized rule chain. + bytes chain = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // ListChainLocalOverrides request. message ListChainLocalOverridesRequest { - message Body { - // Target for which the overrides are applied. - ChainTarget target = 1; - } + message Body { + // Target for which the overrides are applied. + ChainTarget target = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // ListChainLocalOverrides response. message ListChainLocalOverridesResponse { - message Body { - // The list of serialized rule chain. - repeated bytes chains = 1; - } + message Body { + // The list of serialized rule chain. + repeated bytes chains = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // ListTargetsLocalOverrides request. message ListTargetsLocalOverridesRequest { - message Body { - // Target for which the overrides are applied. - string chainName = 1; - } + message Body { + // Target for which the overrides are applied. + string chainName = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } // ListTargetsLocalOverrides response. message ListTargetsLocalOverridesResponse { - message Body { - // The list of chain targets. - repeated ChainTarget targets = 1; - } + message Body { + // The list of chain targets. + repeated ChainTarget targets = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } message RemoveChainLocalOverrideRequest { - message Body { - // Target for which the overrides are applied. - ChainTarget target = 1; + message Body { + // Target for which the overrides are applied. + ChainTarget target = 1; - // Chain ID assigned for the added rule chain. - bytes chain_id = 2; - } + // Chain ID assigned for the added rule chain. + bytes chain_id = 2; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } message RemoveChainLocalOverrideResponse { - message Body { - } + message Body {} - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } message RemoveChainLocalOverridesByTargetRequest { - message Body { - // Target for which the overrides are applied. - ChainTarget target = 1; - } + message Body { + // Target for which the overrides are applied. + ChainTarget target = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } -message RemoveChainLocalOverridesByTargetResponse { - message Body { - } +message RemoveChainLocalOverridesByTargetResponse { + message Body {} - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } message SealWriteCacheRequest { - // Request body structure. - message Body { - // ID of the shard. - repeated bytes shard_ID = 1; + // Request body structure. + message Body { + // ID of the shard. + repeated bytes shard_ID = 1; - // Flag indicating whether object read errors should be ignored. - bool ignore_errors = 2; - } + // Flag indicating whether object read errors should be ignored. + bool ignore_errors = 2; + } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } message SealWriteCacheResponse { - message Body { - message Status { - bytes shard_ID = 1; - bool success = 2; - string error = 3; - } - repeated Status results = 1; + message Body { + message Status { + bytes shard_ID = 1; + bool success = 2; + string error = 3; } + repeated Status results = 1; + } - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } message DetachShardsRequest { - message Body { - repeated bytes shard_ID = 1; - } + message Body { repeated bytes shard_ID = 1; } - Body body = 1; - Signature signature = 2; + Body body = 1; + Signature signature = 2; } message DetachShardsResponse { - message Body { - } + message Body {} - Body body = 1; + Body body = 1; - Signature signature = 2; + Signature signature = 2; } diff --git a/pkg/services/control/service_grpc.pb.go b/pkg/services/control/service_grpc.pb.go index 95264fcd3..feeee0006 100644 --- a/pkg/services/control/service_grpc.pb.go +++ b/pkg/services/control/service_grpc.pb.go @@ -59,13 +59,15 @@ type ControlServiceClient interface { // Synchronizes all log operations for the specified tree. SynchronizeTree(ctx context.Context, in *SynchronizeTreeRequest, opts ...grpc.CallOption) (*SynchronizeTreeResponse, error) // EvacuateShard moves all data from one shard to the others. - // Deprecated: Use StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation + // Deprecated: Use + // StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation EvacuateShard(ctx context.Context, in *EvacuateShardRequest, opts ...grpc.CallOption) (*EvacuateShardResponse, error) // StartShardEvacuation starts moving all data from one shard to the others. StartShardEvacuation(ctx context.Context, in *StartShardEvacuationRequest, opts ...grpc.CallOption) (*StartShardEvacuationResponse, error) // GetShardEvacuationStatus returns evacuation status. GetShardEvacuationStatus(ctx context.Context, in *GetShardEvacuationStatusRequest, opts ...grpc.CallOption) (*GetShardEvacuationStatusResponse, error) - // ResetShardEvacuationStatus resets evacuation status if there is no running evacuation process. + // ResetShardEvacuationStatus resets evacuation status if there is no running + // evacuation process. ResetShardEvacuationStatus(ctx context.Context, in *ResetShardEvacuationStatusRequest, opts ...grpc.CallOption) (*ResetShardEvacuationStatusResponse, error) // StopShardEvacuation stops moving all data from one shard to the others. StopShardEvacuation(ctx context.Context, in *StopShardEvacuationRequest, opts ...grpc.CallOption) (*StopShardEvacuationResponse, error) @@ -77,11 +79,14 @@ type ControlServiceClient interface { AddChainLocalOverride(ctx context.Context, in *AddChainLocalOverrideRequest, opts ...grpc.CallOption) (*AddChainLocalOverrideResponse, error) // Get local access policy engine overrides stored in the node by chain id. GetChainLocalOverride(ctx context.Context, in *GetChainLocalOverrideRequest, opts ...grpc.CallOption) (*GetChainLocalOverrideResponse, error) - // List local access policy engine overrides stored in the node by container id. + // List local access policy engine overrides stored in the node by container + // id. ListChainLocalOverrides(ctx context.Context, in *ListChainLocalOverridesRequest, opts ...grpc.CallOption) (*ListChainLocalOverridesResponse, error) - // Remove local access policy engine overrides stored in the node by chaind id. + // Remove local access policy engine overrides stored in the node by chaind + // id. RemoveChainLocalOverride(ctx context.Context, in *RemoveChainLocalOverrideRequest, opts ...grpc.CallOption) (*RemoveChainLocalOverrideResponse, error) - // Remove local access policy engine overrides stored in the node by chaind id. + // Remove local access policy engine overrides stored in the node by chaind + // id. RemoveChainLocalOverridesByTarget(ctx context.Context, in *RemoveChainLocalOverridesByTargetRequest, opts ...grpc.CallOption) (*RemoveChainLocalOverridesByTargetResponse, error) // List targets of the local APE overrides stored in the node. ListTargetsLocalOverrides(ctx context.Context, in *ListTargetsLocalOverridesRequest, opts ...grpc.CallOption) (*ListTargetsLocalOverridesResponse, error) @@ -305,13 +310,15 @@ type ControlServiceServer interface { // Synchronizes all log operations for the specified tree. SynchronizeTree(context.Context, *SynchronizeTreeRequest) (*SynchronizeTreeResponse, error) // EvacuateShard moves all data from one shard to the others. - // Deprecated: Use StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation + // Deprecated: Use + // StartShardEvacuation/GetShardEvacuationStatus/StopShardEvacuation EvacuateShard(context.Context, *EvacuateShardRequest) (*EvacuateShardResponse, error) // StartShardEvacuation starts moving all data from one shard to the others. StartShardEvacuation(context.Context, *StartShardEvacuationRequest) (*StartShardEvacuationResponse, error) // GetShardEvacuationStatus returns evacuation status. GetShardEvacuationStatus(context.Context, *GetShardEvacuationStatusRequest) (*GetShardEvacuationStatusResponse, error) - // ResetShardEvacuationStatus resets evacuation status if there is no running evacuation process. + // ResetShardEvacuationStatus resets evacuation status if there is no running + // evacuation process. ResetShardEvacuationStatus(context.Context, *ResetShardEvacuationStatusRequest) (*ResetShardEvacuationStatusResponse, error) // StopShardEvacuation stops moving all data from one shard to the others. StopShardEvacuation(context.Context, *StopShardEvacuationRequest) (*StopShardEvacuationResponse, error) @@ -323,11 +330,14 @@ type ControlServiceServer interface { AddChainLocalOverride(context.Context, *AddChainLocalOverrideRequest) (*AddChainLocalOverrideResponse, error) // Get local access policy engine overrides stored in the node by chain id. GetChainLocalOverride(context.Context, *GetChainLocalOverrideRequest) (*GetChainLocalOverrideResponse, error) - // List local access policy engine overrides stored in the node by container id. + // List local access policy engine overrides stored in the node by container + // id. ListChainLocalOverrides(context.Context, *ListChainLocalOverridesRequest) (*ListChainLocalOverridesResponse, error) - // Remove local access policy engine overrides stored in the node by chaind id. + // Remove local access policy engine overrides stored in the node by chaind + // id. RemoveChainLocalOverride(context.Context, *RemoveChainLocalOverrideRequest) (*RemoveChainLocalOverrideResponse, error) - // Remove local access policy engine overrides stored in the node by chaind id. + // Remove local access policy engine overrides stored in the node by chaind + // id. RemoveChainLocalOverridesByTarget(context.Context, *RemoveChainLocalOverridesByTargetRequest) (*RemoveChainLocalOverridesByTargetResponse, error) // List targets of the local APE overrides stored in the node. ListTargetsLocalOverrides(context.Context, *ListTargetsLocalOverridesRequest) (*ListTargetsLocalOverridesResponse, error) diff --git a/pkg/services/control/types.pb.go b/pkg/services/control/types.pb.go index 2fc16a926..858755694 100644 --- a/pkg/services/control/types.pb.go +++ b/pkg/services/control/types.pb.go @@ -205,6 +205,8 @@ const ( ChainTarget_UNDEFINED ChainTarget_TargetType = 0 ChainTarget_NAMESPACE ChainTarget_TargetType = 1 ChainTarget_CONTAINER ChainTarget_TargetType = 2 + ChainTarget_USER ChainTarget_TargetType = 3 + ChainTarget_GROUP ChainTarget_TargetType = 4 ) // Enum value maps for ChainTarget_TargetType. @@ -213,11 +215,15 @@ var ( 0: "UNDEFINED", 1: "NAMESPACE", 2: "CONTAINER", + 3: "USER", + 4: "GROUP", } ChainTarget_TargetType_value = map[string]int32{ "UNDEFINED": 0, "NAMESPACE": 1, "CONTAINER": 2, + "USER": 3, + "GROUP": 4, } ) @@ -814,40 +820,41 @@ var file_pkg_services_control_types_proto_rawDesc = []byte{ 0x6d, 0x61, 0x50, 0x61, 0x74, 0x68, 0x22, 0x36, 0x0a, 0x0c, 0x42, 0x6c, 0x6f, 0x62, 0x73, 0x74, 0x6f, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, - 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x91, + 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0xa6, 0x01, 0x0a, 0x0b, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x33, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2e, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x2e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x39, 0x0a, 0x0a, 0x54, 0x61, 0x72, 0x67, 0x65, + 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x4e, 0x0a, 0x0a, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x4e, 0x41, 0x4d, 0x45, 0x53, 0x50, 0x41, 0x43, 0x45, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x45, 0x52, - 0x10, 0x02, 0x2a, 0x4e, 0x0a, 0x0c, 0x4e, 0x65, 0x74, 0x6d, 0x61, 0x70, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x12, 0x14, 0x0a, 0x10, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, - 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x4f, 0x4e, 0x4c, 0x49, - 0x4e, 0x45, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x4f, 0x46, 0x46, 0x4c, 0x49, 0x4e, 0x45, 0x10, - 0x02, 0x12, 0x0f, 0x0a, 0x0b, 0x4d, 0x41, 0x49, 0x4e, 0x54, 0x45, 0x4e, 0x41, 0x4e, 0x43, 0x45, - 0x10, 0x03, 0x2a, 0x6a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x12, 0x1b, 0x0a, 0x17, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, - 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x41, 0x52, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x09, 0x0a, - 0x05, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x02, 0x12, 0x11, 0x0a, 0x0d, 0x53, 0x48, 0x55, 0x54, - 0x54, 0x49, 0x4e, 0x47, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x03, 0x12, 0x11, 0x0a, 0x0d, 0x52, - 0x45, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x55, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x04, 0x2a, 0x6a, - 0x0a, 0x09, 0x53, 0x68, 0x61, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x53, - 0x48, 0x41, 0x52, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, - 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x41, 0x44, 0x5f, 0x57, 0x52, - 0x49, 0x54, 0x45, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x52, 0x45, 0x41, 0x44, 0x5f, 0x4f, 0x4e, - 0x4c, 0x59, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x44, 0x45, 0x47, 0x52, 0x41, 0x44, 0x45, 0x44, - 0x10, 0x03, 0x12, 0x16, 0x0a, 0x12, 0x44, 0x45, 0x47, 0x52, 0x41, 0x44, 0x45, 0x44, 0x5f, 0x52, - 0x45, 0x41, 0x44, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, - 0x74, 0x2e, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2e, 0x69, 0x6e, 0x66, 0x6f, 0x2f, 0x54, - 0x72, 0x75, 0x65, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x4c, 0x61, 0x62, 0x2f, 0x66, 0x72, 0x6f, 0x73, - 0x74, 0x66, 0x73, 0x2d, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x55, 0x53, 0x45, 0x52, 0x10, 0x03, 0x12, 0x09, 0x0a, 0x05, + 0x47, 0x52, 0x4f, 0x55, 0x50, 0x10, 0x04, 0x2a, 0x4e, 0x0a, 0x0c, 0x4e, 0x65, 0x74, 0x6d, 0x61, + 0x70, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x10, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, + 0x06, 0x4f, 0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x4f, 0x46, 0x46, + 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x02, 0x12, 0x0f, 0x0a, 0x0b, 0x4d, 0x41, 0x49, 0x4e, 0x54, 0x45, + 0x4e, 0x41, 0x4e, 0x43, 0x45, 0x10, 0x03, 0x2a, 0x6a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x6c, 0x74, + 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1b, 0x0a, 0x17, 0x48, 0x45, 0x41, 0x4c, 0x54, + 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, + 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x41, 0x52, 0x54, 0x49, 0x4e, 0x47, + 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x02, 0x12, 0x11, 0x0a, + 0x0d, 0x53, 0x48, 0x55, 0x54, 0x54, 0x49, 0x4e, 0x47, 0x5f, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x03, + 0x12, 0x11, 0x0a, 0x0d, 0x52, 0x45, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x55, 0x52, 0x49, 0x4e, + 0x47, 0x10, 0x04, 0x2a, 0x6a, 0x0a, 0x09, 0x53, 0x68, 0x61, 0x72, 0x64, 0x4d, 0x6f, 0x64, 0x65, + 0x12, 0x18, 0x0a, 0x14, 0x53, 0x48, 0x41, 0x52, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, + 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, + 0x41, 0x44, 0x5f, 0x57, 0x52, 0x49, 0x54, 0x45, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x52, 0x45, + 0x41, 0x44, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x44, 0x45, 0x47, + 0x52, 0x41, 0x44, 0x45, 0x44, 0x10, 0x03, 0x12, 0x16, 0x0a, 0x12, 0x44, 0x45, 0x47, 0x52, 0x41, + 0x44, 0x45, 0x44, 0x5f, 0x52, 0x45, 0x41, 0x44, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, + 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74, 0x2e, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2e, 0x69, + 0x6e, 0x66, 0x6f, 0x2f, 0x54, 0x72, 0x75, 0x65, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x4c, 0x61, 0x62, + 0x2f, 0x66, 0x72, 0x6f, 0x73, 0x74, 0x66, 0x73, 0x2d, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x70, 0x6b, + 0x67, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/services/control/types.proto b/pkg/services/control/types.proto index 00fcb98d1..55636d88a 100644 --- a/pkg/services/control/types.proto +++ b/pkg/services/control/types.proto @@ -6,183 +6,186 @@ option go_package = "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/con // Signature of some message. message Signature { - // Public key used for signing. - bytes key = 1 [json_name = "key"]; + // Public key used for signing. + bytes key = 1 [ json_name = "key" ]; - // Binary signature. - bytes sign = 2 [json_name = "signature"]; + // Binary signature. + bytes sign = 2 [ json_name = "signature" ]; } // Status of the storage node in the FrostFS network map. enum NetmapStatus { - // Undefined status, default value. - STATUS_UNDEFINED = 0; + // Undefined status, default value. + STATUS_UNDEFINED = 0; - // Node is online. - ONLINE = 1; + // Node is online. + ONLINE = 1; - // Node is offline. - OFFLINE = 2; + // Node is offline. + OFFLINE = 2; - // Node is maintained by the owner. - MAINTENANCE = 3; + // Node is maintained by the owner. + MAINTENANCE = 3; } // FrostFS node description. message NodeInfo { - // Public key of the FrostFS node in a binary format. - bytes public_key = 1 [json_name = "publicKey"]; + // Public key of the FrostFS node in a binary format. + bytes public_key = 1 [ json_name = "publicKey" ]; - // Ways to connect to a node. - repeated string addresses = 2 [json_name = "addresses"]; + // Ways to connect to a node. + repeated string addresses = 2 [ json_name = "addresses" ]; - // Administrator-defined Attributes of the FrostFS Storage Node. - // - // `Attribute` is a Key-Value metadata pair. Key name must be a valid UTF-8 - // string. Value can't be empty. - // - // Node's attributes are mostly used during Storage Policy evaluation to - // calculate object's placement and find a set of nodes satisfying policy - // requirements. There are some "well-known" node attributes common to all the - // Storage Nodes in the network and used implicitly with default values if not - // explicitly set: - // - // * Capacity \ + // Administrator-defined Attributes of the FrostFS Storage Node. + // + // `Attribute` is a Key-Value metadata pair. Key name must be a valid UTF-8 + // string. Value can't be empty. + // + // Node's attributes are mostly used during Storage Policy evaluation to + // calculate object's placement and find a set of nodes satisfying policy + // requirements. There are some "well-known" node attributes common to all the + // Storage Nodes in the network and used implicitly with default values if not + // explicitly set: + // + // * Capacity \ // Total available disk space in Gigabytes. - // * Price \ + // * Price \ // Price in GAS tokens for storing one GB of data during one Epoch. In node - // attributes it's a string presenting floating point number with comma or - // point delimiter for decimal part. In the Network Map it will be saved as - // 64-bit unsigned integer representing number of minimal token fractions. - // * Locode \ + // attributes it's a string presenting floating point number with comma or + // point delimiter for decimal part. In the Network Map it will be saved as + // 64-bit unsigned integer representing number of minimal token fractions. + // * Locode \ // Node's geographic location in - // [UN/LOCODE](https://www.unece.org/cefact/codesfortrade/codes_index.html) - // format approximated to the nearest point defined in standard. - // * Country \ + // [UN/LOCODE](https://www.unece.org/cefact/codesfortrade/codes_index.html) + // format approximated to the nearest point defined in standard. + // * Country \ // Country code in - // [ISO 3166-1_alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) - // format. Calculated automatically from `Locode` attribute - // * Region \ + // [ISO 3166-1_alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) + // format. Calculated automatically from `Locode` attribute + // * Region \ // Country's administative subdivision where node is located. Calculated - // automatically from `Locode` attribute based on `SubDiv` field. Presented - // in [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) format. - // * City \ + // automatically from `Locode` attribute based on `SubDiv` field. Presented + // in [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) format. + // * City \ // City, town, village or rural area name where node is located written - // without diacritics . Calculated automatically from `Locode` attribute. - // - // For detailed description of each well-known attribute please see the - // corresponding section in FrostFS Technical specification. - message Attribute { - // Key of the node attribute. - string key = 1 [json_name = "key"]; + // without diacritics . Calculated automatically from `Locode` attribute. + // + // For detailed description of each well-known attribute please see the + // corresponding section in FrostFS Technical specification. + message Attribute { + // Key of the node attribute. + string key = 1 [ json_name = "key" ]; - // Value of the node attribute. - string value = 2 [json_name = "value"]; + // Value of the node attribute. + string value = 2 [ json_name = "value" ]; - // Parent keys, if any. For example for `City` it could be `Region` and - // `Country`. - repeated string parents = 3 [json_name = "parents"]; - } - // Carries list of the FrostFS node attributes in a key-value form. Key name - // must be a node-unique valid UTF-8 string. Value can't be empty. NodeInfo - // structures with duplicated attribute names or attributes with empty values - // will be considered invalid. - repeated Attribute attributes = 3 [json_name = "attributes"]; + // Parent keys, if any. For example for `City` it could be `Region` and + // `Country`. + repeated string parents = 3 [ json_name = "parents" ]; + } + // Carries list of the FrostFS node attributes in a key-value form. Key name + // must be a node-unique valid UTF-8 string. Value can't be empty. NodeInfo + // structures with duplicated attribute names or attributes with empty values + // will be considered invalid. + repeated Attribute attributes = 3 [ json_name = "attributes" ]; - // Carries state of the FrostFS node. - NetmapStatus state = 4 [json_name = "state"]; + // Carries state of the FrostFS node. + NetmapStatus state = 4 [ json_name = "state" ]; } // Network map structure. message Netmap { - // Network map revision number. - uint64 epoch = 1 [json_name = "epoch"]; + // Network map revision number. + uint64 epoch = 1 [ json_name = "epoch" ]; - // Nodes presented in network. - repeated NodeInfo nodes = 2 [json_name = "nodes"]; + // Nodes presented in network. + repeated NodeInfo nodes = 2 [ json_name = "nodes" ]; } // Health status of the storage node application. enum HealthStatus { - // Undefined status, default value. - HEALTH_STATUS_UNDEFINED = 0; + // Undefined status, default value. + HEALTH_STATUS_UNDEFINED = 0; - // Storage node application is starting. - STARTING = 1; + // Storage node application is starting. + STARTING = 1; - // Storage node application is started and serves all services. - READY = 2; + // Storage node application is started and serves all services. + READY = 2; - // Storage node application is shutting down. - SHUTTING_DOWN = 3; + // Storage node application is shutting down. + SHUTTING_DOWN = 3; - // Storage node application is reconfiguring. - RECONFIGURING = 4; + // Storage node application is reconfiguring. + RECONFIGURING = 4; } // Shard description. message ShardInfo { - // ID of the shard. - bytes shard_ID = 1 [json_name = "shardID"]; + // ID of the shard. + bytes shard_ID = 1 [ json_name = "shardID" ]; - // Path to shard's metabase. - string metabase_path = 2 [json_name = "metabasePath"]; + // Path to shard's metabase. + string metabase_path = 2 [ json_name = "metabasePath" ]; - // Shard's blobstor info. - repeated BlobstorInfo blobstor = 3 [json_name = "blobstor"]; + // Shard's blobstor info. + repeated BlobstorInfo blobstor = 3 [ json_name = "blobstor" ]; - // Path to shard's write-cache, empty if disabled. - string writecache_path = 4 [json_name = "writecachePath"]; + // Path to shard's write-cache, empty if disabled. + string writecache_path = 4 [ json_name = "writecachePath" ]; - // Work mode of the shard. - ShardMode mode = 5; + // Work mode of the shard. + ShardMode mode = 5; - // Amount of errors occured. - uint32 errorCount = 6; + // Amount of errors occured. + uint32 errorCount = 6; - // Path to shard's pilorama storage. - string pilorama_path = 7 [json_name = "piloramaPath"]; + // Path to shard's pilorama storage. + string pilorama_path = 7 [ json_name = "piloramaPath" ]; } // Blobstor component description. message BlobstorInfo { - // Path to the root. - string path = 1 [json_name = "path"]; - // Component type. - string type = 2 [json_name = "type"]; + // Path to the root. + string path = 1 [ json_name = "path" ]; + // Component type. + string type = 2 [ json_name = "type" ]; } // Work mode of the shard. enum ShardMode { - // Undefined mode, default value. - SHARD_MODE_UNDEFINED = 0; + // Undefined mode, default value. + SHARD_MODE_UNDEFINED = 0; - // Read-write. - READ_WRITE = 1; + // Read-write. + READ_WRITE = 1; - // Read-only. - READ_ONLY = 2; + // Read-only. + READ_ONLY = 2; - // Degraded. - DEGRADED = 3; + // Degraded. + DEGRADED = 3; - // DegradedReadOnly. - DEGRADED_READ_ONLY = 4; + // DegradedReadOnly. + DEGRADED_READ_ONLY = 4; } - // ChainTarget is an object to which local overrides // are applied. message ChainTarget { - enum TargetType { - UNDEFINED = 0; + enum TargetType { + UNDEFINED = 0; - NAMESPACE = 1; + NAMESPACE = 1; - CONTAINER = 2; - } + CONTAINER = 2; - TargetType type = 1; + USER = 3; - string Name = 2; + GROUP = 4; + } + + TargetType type = 1; + + string Name = 2; } diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go index 119df5fc0..1063bd901 100644 --- a/pkg/services/object/ape/checker.go +++ b/pkg/services/object/ape/checker.go @@ -12,6 +12,7 @@ import ( apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" ) type checkerImpl struct { @@ -84,8 +85,13 @@ func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error { return fmt.Errorf("failed to create ape request: %w", err) } - status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, - policyengine.NewRequestTarget(prm.Namespace, prm.Container.EncodeToString()), r) + pub, err := keys.NewPublicKeyFromString(prm.SenderKey) + if err != nil { + return err + } + + rt := policyengine.NewRequestTargetExtended(prm.Namespace, prm.Container.EncodeToString(), fmt.Sprintf("%s:%s", prm.Namespace, pub.Address()), nil) + status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, rt, r) if err != nil { return err } diff --git a/pkg/services/object/ape/checker_test.go b/pkg/services/object/ape/checker_test.go index 443414959..fc915715c 100644 --- a/pkg/services/object/ape/checker_test.go +++ b/pkg/services/object/ape/checker_test.go @@ -16,6 +16,7 @@ import ( policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory" nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native" + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/stretchr/testify/require" ) @@ -147,7 +148,9 @@ var ( role = "Container" - senderKey = hex.EncodeToString([]byte{1, 0, 0, 1}) + senderPrivateKey, _ = keys.NewPrivateKey() + + senderKey = hex.EncodeToString(senderPrivateKey.PublicKey().Bytes()) ) func TestAPECheck(t *testing.T) { diff --git a/pkg/services/tree/ape.go b/pkg/services/tree/ape.go index 52036074a..5da49a591 100644 --- a/pkg/services/tree/ape.go +++ b/pkg/services/tree/ape.go @@ -51,7 +51,8 @@ func (s *Service) checkAPE(container *core.Container, cid cid.ID, operation acl. reqProps, ) - status, found, err := s.router.IsAllowed(apechain.Ingress, engine.NewRequestTarget(namespace, cid.EncodeToString()), request) + rt := engine.NewRequestTargetExtended(namespace, cid.EncodeToString(), fmt.Sprintf("%s:%s", namespace, publicKey.Address()), nil) + status, found, err := s.router.IsAllowed(apechain.Ingress, rt, request) if err != nil { return apeErr(err) }