TrueCloudLab/frostfs-node
18
1
Fork 27
Code Issues 90 Pull requests 3 Projects Releases 1 Activity Actions

Make services GroupIDs must also be target of APE checks #1193

Merged
fyrchik merged 4 commits from aarifullin/frostfs-node:feat/groupids_target into master 2024-06-25 08:49:27 +00:00
Conversation 0 Commits 4 Files changed 6 +225 -8
aarifullin commented 2024-06-20 12:51:32 +00:00
Member
Copy link
  • tree: GroupIDs must also be target of APE checks
  • object: GroupIDs must also be target of APE checks
  • container: GroupIDs must also be target of APE checks
  • ape: Introduce Groups util function to retrieve actor's groupIDs
  • Also add new test case for ape middleware in container service.

Close #1190

* tree: GroupIDs must also be target of APE checks * object: GroupIDs must also be target of APE checks * container: GroupIDs must also be target of APE checks * ape: Introduce `Groups` util function to retrieve actor's groupIDs * Also add new test case for ape middleware in container service. Close #1190
aarifullin requested review from dkirillov 2024-06-20 12:54:48 +00:00
aarifullin requested review from storage-core-committers 2024-06-20 12:54:52 +00:00
aarifullin requested review from storage-core-developers 2024-06-20 12:55:56 +00:00
aarifullin force-pushed feat/groupids_target from c1ae4640ad to 6feb58978c 2024-06-20 13:04:39 +00:00 Compare
aarifullin force-pushed feat/groupids_target from 6feb58978c to 9ab5801c29 2024-06-20 13:07:16 +00:00 Compare
dkirillov reviewed 2024-06-20 13:57:12 +00:00
pkg/ape/request/frostfsid.go
@ -37,0 +37,4 @@
// Groups return the actor's group ids from frostfsid contract.
func Groups(frostFSIDClient frostfsidcore.SubjectProvider, pk *keys.PublicKey) ([]string, error) {
subj, err := frostFSIDClient.GetSubjectExtended(pk.GetScriptHash())
dkirillov commented 2024-06-20 13:54:20 +00:00
Member
Copy link

We have cache in frostfsIDClient that's why we can freely invoke Groups function along with FormFrostfsIDRequestProperties ?

We have cache in `frostfsIDClient` that's why we can freely invoke `Groups` function along with `FormFrostfsIDRequestProperties` ?
aarifullin commented 2024-06-20 14:40:15 +00:00
Author
Member
Copy link

we can freely

Sorry, I don't get your point. Do you mean we can retrieve groups after FormFrostfsIDRequestProperties? Yes, we can but this requires some hurtful refactor in all services. For me that was easier to perform some duplication as the cache is used

> we can freely Sorry, I don't get your point. Do you mean we can retrieve groups after `FormFrostfsIDRequestProperties`? Yes, we can but this requires some hurtful refactor in all services. For me that was easier to perform some duplication as the cache is used
👍 1
pkg/services/container/ape.go Outdated
@ -171,1 +176,4 @@
}
rt.Groups = make([]policyengine.Target, len(groups))
for i := range groups {
rt.Groups[i] = policyengine.GroupTarget(groups[i])
dkirillov commented 2024-06-20 13:48:22 +00:00
Member
Copy link

As I know, group target must be <ns>:<gropuID> rather than just <groupID>

As I know, group target must be `<ns>:<gropuID>` rather than just `<groupID>`
aarifullin commented 2024-06-21 07:25:22 +00:00
Author
Member
Copy link

Didn't think about that - fixed

Didn't think about that - fixed
👍 1
pkg/services/object/ape/checker.go Outdated
@ -167,2 +169,4 @@
return fmt.Errorf("failed to get group ids: %w", err)
}
if prm.BearerToken != nil && !prm.BearerToken.Impersonate() {
dkirillov commented 2024-06-20 13:57:01 +00:00
Member
Copy link

I'm not sure the following question relates to this PR but still.
Why do we check only container target (policyengine.NewRequestTargetWithContainer) in case of APE chains from bearer token? As I understand user can set any target in APEOverride

I'm not sure the following question relates to this PR but still. Why do we check only container target (`policyengine.NewRequestTargetWithContainer`) in case of APE chains from bearer token? As I understand user can set any target in `APEOverride`
aarifullin commented 2024-06-20 14:42:33 +00:00
Author
Member
Copy link

This is great that you've asked this. Because I was wondering can be other targets used in BT? In some sense I "inherited" this scheme from eACL tables in BT where eACL table's target was only container. Let's discuss

This is great that you've asked this. Because I was wondering can be other targets used in BT? In some sense I "inherited" this scheme from eACL tables in BT where eACL table's target was only container. Let's discuss
dkirillov commented 2024-06-24 06:16:44 +00:00
Member
Copy link

Probably we should ask @fyrchik @alexvanin

Probably we should ask @fyrchik @alexvanin
fyrchik commented 2024-06-24 06:38:27 +00:00
Owner
Copy link

The current implementation was indeed intended to serve as a replacement for EACL.
For namespaces there are some security considerations:

  1. Container owner should not be able to override rules set by the namespace admin. Or should it?
  2. If namespace admin allowed user A to get an object with a bearer token, can user A allow user B to get the same object if namespace rules prohibit user B any operations?

Another thing is that overriding namespace rules in isolation is probably not that useful, we would like to probably combine that with other overrides.

The current implementation was indeed intended to serve as a replacement for EACL. For namespaces there are some security considerations: 1. Container **owner** should not be able to override rules set by the namespace **admin**. Or should it? 2. If namespace admin allowed user A to get an object with a bearer token, can user A allow user B to get the same object if namespace rules prohibit user B any operations? Another thing is that overriding namespace rules in isolation is probably not that useful, we would like to probably combine that with other overrides.
👍 1
dkirillov commented 2024-06-24 07:48:36 +00:00
Member
Copy link

I've just meant that if we allow form APE chain with any target in bearer token we should be able process such token in node

I've just meant that if we allow form APE chain with [any target](https://git.frostfs.info/TrueCloudLab/frostfs-sdk-go/src/commit/1a5886e776de79fc6598838242e4dc7ff21e7bea/bearer/bearer.go#L52) in bearer token we should be able process such token in node
aarifullin commented 2024-06-24 11:13:30 +00:00
Author
Member
Copy link

if we allow form APE chain with

Yes, sdk freely sets a target for APEOverride within a bearer token but sdk doesn't care would a service that uses this token should allow or deny such target. The question is do we really or will we want to override other targets with BT

> if we allow form APE chain with Yes, `sdk` freely sets a target for `APEOverride` within a bearer token but `sdk` doesn't care would a service that uses this token should allow or deny such target. The question is do we really or will we want to override other targets with BT
aarifullin force-pushed feat/groupids_target from 9ab5801c29 to 63c28f0052 2024-06-21 07:11:52 +00:00 Compare
dstepanov-yadro approved these changes 2024-06-21 14:03:43 +00:00
fyrchik approved these changes 2024-06-24 13:31:08 +00:00
acid-ant approved these changes 2024-06-25 06:56:57 +00:00
dkirillov approved these changes 2024-06-25 08:34:37 +00:00
fyrchik merged commit 11a38a0a84 into master 2024-06-25 08:49:27 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
dstepanov-yadro
fyrchik
acid-ant
dkirillov
TrueCloudLab/storage-core-developers
Labels
Clear labels   
P0

Highest

  
P1

High

  
P2

Medium

  
P3

Low

  
badger

Badger DB related issues

  
frostfs-adm

   
frostfs-cli

   
frostfs-ir

   
frostfs-lens

   
frostfs-node

   
good first issue

Good for newcomers

  
triage
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
P0
P1
P2
P3
badger
frostfs-adm
frostfs-cli
frostfs-ir
frostfs-lens
frostfs-node
good first issue
triage
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
5 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#1193
No description provided.
Delete branch "aarifullin/frostfs-node:feat/groupids_target"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?