go.mod: Update api-go #1276
17 changed files with 5 additions and 406 deletions
|
@ -214,29 +214,6 @@ func EACL(ctx context.Context, prm EACLPrm) (res EACLRes, err error) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetEACLPrm groups parameters of SetEACL operation.
|
|
||||||
type SetEACLPrm struct {
|
|
||||||
Client *client.Client
|
|
||||||
ClientParams client.PrmContainerSetEACL
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetEACLRes groups the resulting values of SetEACL operation.
|
|
||||||
type SetEACLRes struct{}
|
|
||||||
|
|
||||||
// SetEACL requests to save an eACL table in FrostFS.
|
|
||||||
//
|
|
||||||
// Operation is asynchronous and no guaranteed even in the absence of errors.
|
|
||||||
// The required time is also not predictable.
|
|
||||||
//
|
|
||||||
// Success can be verified by reading by container identifier.
|
|
||||||
//
|
|
||||||
// Returns any error which prevented the operation from completing correctly in error return.
|
|
||||||
func SetEACL(ctx context.Context, prm SetEACLPrm) (res SetEACLRes, err error) {
|
|
||||||
_, err = prm.Client.ContainerSetEACL(ctx, prm.ClientParams)
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// NetworkInfoPrm groups parameters of NetworkInfo operation.
|
// NetworkInfoPrm groups parameters of NetworkInfo operation.
|
||||||
type NetworkInfoPrm struct {
|
type NetworkInfoPrm struct {
|
||||||
Client *client.Client
|
Client *client.Client
|
||||||
|
|
|
@ -26,7 +26,6 @@ func init() {
|
||||||
listContainerObjectsCmd,
|
listContainerObjectsCmd,
|
||||||
getContainerInfoCmd,
|
getContainerInfoCmd,
|
||||||
getExtendedACLCmd,
|
getExtendedACLCmd,
|
||||||
setExtendedACLCmd,
|
|
||||||
containerNodesCmd,
|
containerNodesCmd,
|
||||||
policyPlaygroundCmd,
|
policyPlaygroundCmd,
|
||||||
}
|
}
|
||||||
|
@ -39,7 +38,6 @@ func init() {
|
||||||
initContainerListObjectsCmd()
|
initContainerListObjectsCmd()
|
||||||
initContainerInfoCmd()
|
initContainerInfoCmd()
|
||||||
initContainerGetEACLCmd()
|
initContainerGetEACLCmd()
|
||||||
initContainerSetEACLCmd()
|
|
||||||
initContainerNodesCmd()
|
initContainerNodesCmd()
|
||||||
initContainerPolicyPlaygroundCmd()
|
initContainerPolicyPlaygroundCmd()
|
||||||
|
|
||||||
|
@ -53,7 +51,6 @@ func init() {
|
||||||
}{
|
}{
|
||||||
{createContainerCmd, "PUT"},
|
{createContainerCmd, "PUT"},
|
||||||
{deleteContainerCmd, "DELETE"},
|
{deleteContainerCmd, "DELETE"},
|
||||||
{setExtendedACLCmd, "SETEACL"},
|
|
||||||
} {
|
} {
|
||||||
commonflags.InitSession(el.cmd, "container "+el.verb)
|
commonflags.InitSession(el.cmd, "container "+el.verb)
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,108 +0,0 @@
|
||||||
package container
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"errors"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
internalclient "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/client"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/common"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
|
|
||||||
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
|
|
||||||
"github.com/spf13/cobra"
|
|
||||||
)
|
|
||||||
|
|
||||||
var flagVarsSetEACL struct {
|
|
||||||
noPreCheck bool
|
|
||||||
|
|
||||||
srcPath string
|
|
||||||
}
|
|
||||||
|
|
||||||
var setExtendedACLCmd = &cobra.Command{
|
|
||||||
Use: "set-eacl",
|
|
||||||
Short: "Set new extended ACL table for container",
|
|
||||||
Long: `Set new extended ACL table for container.
|
|
||||||
Container ID in EACL table will be substituted with ID from the CLI.`,
|
|
||||||
Run: func(cmd *cobra.Command, _ []string) {
|
|
||||||
id := parseContainerID(cmd)
|
|
||||||
eaclTable := common.ReadEACL(cmd, flagVarsSetEACL.srcPath)
|
|
||||||
|
|
||||||
tok := getSession(cmd)
|
|
||||||
|
|
||||||
eaclTable.SetCID(id)
|
|
||||||
|
|
||||||
pk := key.GetOrGenerate(cmd)
|
|
||||||
cli := internalclient.GetSDKClientByFlag(cmd, pk, commonflags.RPC)
|
|
||||||
|
|
||||||
if !flagVarsSetEACL.noPreCheck {
|
|
||||||
cmd.Println("Checking the ability to modify access rights in the container...")
|
|
||||||
|
|
||||||
extendable, err := internalclient.IsACLExtendable(cmd.Context(), cli, id)
|
|
||||||
commonCmd.ExitOnErr(cmd, "Extensibility check failure: %w", err)
|
|
||||||
|
|
||||||
if !extendable {
|
|
||||||
commonCmd.ExitOnErr(cmd, "", errors.New("container ACL is immutable"))
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd.Println("ACL extension is enabled in the container, continue processing.")
|
|
||||||
}
|
|
||||||
|
|
||||||
setEACLPrm := internalclient.SetEACLPrm{
|
|
||||||
Client: cli,
|
|
||||||
ClientParams: client.PrmContainerSetEACL{
|
|
||||||
Table: eaclTable,
|
|
||||||
Session: tok,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err := internalclient.SetEACL(cmd.Context(), setEACLPrm)
|
|
||||||
commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
|
|
||||||
|
|
||||||
if containerAwait {
|
|
||||||
exp, err := eaclTable.Marshal()
|
|
||||||
commonCmd.ExitOnErr(cmd, "broken EACL table: %w", err)
|
|
||||||
|
|
||||||
cmd.Println("awaiting...")
|
|
||||||
|
|
||||||
getEACLPrm := internalclient.EACLPrm{
|
|
||||||
Client: cli,
|
|
||||||
ClientParams: client.PrmContainerEACL{
|
|
||||||
ContainerID: &id,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for i := 0; i < awaitTimeout; i++ {
|
|
||||||
time.Sleep(1 * time.Second)
|
|
||||||
|
|
||||||
res, err := internalclient.EACL(cmd.Context(), getEACLPrm)
|
|
||||||
if err == nil {
|
|
||||||
// compare binary values because EACL could have been set already
|
|
||||||
table := res.EACL()
|
|
||||||
got, err := table.Marshal()
|
|
||||||
if err != nil {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if bytes.Equal(exp, got) {
|
|
||||||
cmd.Println("EACL has been persisted on sidechain")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
commonCmd.ExitOnErr(cmd, "", errSetEACLTimeout)
|
|
||||||
}
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
func initContainerSetEACLCmd() {
|
|
||||||
commonflags.Init(setExtendedACLCmd)
|
|
||||||
|
|
||||||
flags := setExtendedACLCmd.Flags()
|
|
||||||
flags.StringVar(&containerID, commonflags.CIDFlag, "", commonflags.CIDFlagUsage)
|
|
||||||
flags.StringVar(&flagVarsSetEACL.srcPath, "table", "", "path to file with JSON or binary encoded EACL table")
|
|
||||||
flags.BoolVar(&containerAwait, "await", false, "block execution until EACL is persisted")
|
|
||||||
flags.BoolVar(&flagVarsSetEACL.noPreCheck, "no-precheck", false, "do not pre-check the extensibility of the container ACL")
|
|
||||||
}
|
|
|
@ -20,7 +20,6 @@ const (
|
||||||
var (
|
var (
|
||||||
errCreateTimeout = errors.New("timeout: container has not been persisted on sidechain")
|
errCreateTimeout = errors.New("timeout: container has not been persisted on sidechain")
|
||||||
errDeleteTimeout = errors.New("timeout: container has not been removed from sidechain")
|
errDeleteTimeout = errors.New("timeout: container has not been removed from sidechain")
|
||||||
errSetEACLTimeout = errors.New("timeout: EACL has not been persisted on sidechain")
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func parseContainerID(cmd *cobra.Command) cid.ID {
|
func parseContainerID(cmd *cobra.Command) cid.ID {
|
||||||
|
|
6
go.mod
6
go.mod
|
@ -4,12 +4,12 @@ go 1.21
|
||||||
|
|
||||||
require (
|
require (
|
||||||
code.gitea.io/sdk/gitea v0.17.1
|
code.gitea.io/sdk/gitea v0.17.1
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240530152826-2f6d3209e1d3
|
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240726072425-3dfa2f4fd65e
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240621131249-49e5270f673e
|
git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.3-0.20240621131249-49e5270f673e
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0
|
git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-locode-db v0.4.1-0.20240710074952-65761deb5c0d
|
git.frostfs.info/TrueCloudLab/frostfs-locode-db v0.4.1-0.20240710074952-65761deb5c0d
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240617140730-1a5886e776de
|
git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240726111349-9da46f566fec
|
||||||
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
git.frostfs.info/TrueCloudLab/hrw v1.2.1
|
||||||
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240712081403-2628f6184984
|
git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240712081403-2628f6184984
|
||||||
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
git.frostfs.info/TrueCloudLab/tzhash v1.8.0
|
||||||
|
@ -24,7 +24,7 @@ require (
|
||||||
github.com/mitchellh/go-homedir v1.1.0
|
github.com/mitchellh/go-homedir v1.1.0
|
||||||
github.com/mr-tron/base58 v1.2.0
|
github.com/mr-tron/base58 v1.2.0
|
||||||
github.com/multiformats/go-multiaddr v0.12.1
|
github.com/multiformats/go-multiaddr v0.12.1
|
||||||
github.com/nspcc-dev/neo-go v0.106.0
|
github.com/nspcc-dev/neo-go v0.106.2
|
||||||
github.com/olekukonko/tablewriter v0.0.5
|
github.com/olekukonko/tablewriter v0.0.5
|
||||||
github.com/panjf2000/ants/v2 v2.9.0
|
github.com/panjf2000/ants/v2 v2.9.0
|
||||||
github.com/prometheus/client_golang v1.19.0
|
github.com/prometheus/client_golang v1.19.0
|
||||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -11,7 +11,6 @@ import (
|
||||||
// Client is an interface of FrostFS storage
|
// Client is an interface of FrostFS storage
|
||||||
// node's client.
|
// node's client.
|
||||||
type Client interface {
|
type Client interface {
|
||||||
ContainerAnnounceUsedSpace(context.Context, client.PrmAnnounceSpace) (*client.ResAnnounceSpace, error)
|
|
||||||
ObjectPutInit(context.Context, client.PrmObjectPutInit) (client.ObjectWriter, error)
|
ObjectPutInit(context.Context, client.PrmObjectPutInit) (client.ObjectWriter, error)
|
||||||
ObjectPutSingle(context.Context, client.PrmObjectPutSingle) (*client.ResObjectPutSingle, error)
|
ObjectPutSingle(context.Context, client.PrmObjectPutSingle) (*client.ResObjectPutSingle, error)
|
||||||
ObjectDelete(context.Context, client.PrmObjectDelete) (*client.ResObjectDelete, error)
|
ObjectDelete(context.Context, client.PrmObjectDelete) (*client.ResObjectDelete, error)
|
||||||
|
|
|
@ -1,53 +1,13 @@
|
||||||
package container
|
package container
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha256"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
v2refs "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
v2refs "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/morph/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
|
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
)
|
)
|
||||||
|
|
||||||
// AnnounceLoadPrm groups parameters of AnnounceLoad operation.
|
|
||||||
type AnnounceLoadPrm struct {
|
|
||||||
a container.SizeEstimation
|
|
||||||
key []byte
|
|
||||||
|
|
||||||
client.InvokePrmOptional
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetAnnouncement sets announcement.
|
|
||||||
func (a2 *AnnounceLoadPrm) SetAnnouncement(a container.SizeEstimation) {
|
|
||||||
a2.a = a
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetReporter sets public key of the reporter.
|
|
||||||
func (a2 *AnnounceLoadPrm) SetReporter(key []byte) {
|
|
||||||
a2.key = key
|
|
||||||
}
|
|
||||||
|
|
||||||
// AnnounceLoad saves container size estimation calculated by storage node
|
|
||||||
// with key in FrostFS system through Container contract call.
|
|
||||||
//
|
|
||||||
// Returns any error encountered that caused the saving to interrupt.
|
|
||||||
func (c *Client) AnnounceLoad(p AnnounceLoadPrm) error {
|
|
||||||
binCnr := make([]byte, sha256.Size)
|
|
||||||
p.a.Container().Encode(binCnr)
|
|
||||||
|
|
||||||
prm := client.InvokePrm{}
|
|
||||||
prm.SetMethod(putSizeMethod)
|
|
||||||
prm.SetArgs(p.a.Epoch(), binCnr, p.a.Value(), p.key)
|
|
||||||
prm.InvokePrmOptional = p.InvokePrmOptional
|
|
||||||
|
|
||||||
_, err := c.client.Invoke(prm)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not invoke method (%s): %w", putSizeMethod, err)
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// EstimationID is an identity of container load estimation inside Container contract.
|
// EstimationID is an identity of container load estimation inside Container contract.
|
||||||
type EstimationID []byte
|
type EstimationID []byte
|
||||||
|
|
||||||
|
|
9
pkg/network/cache/multi.go
vendored
9
pkg/network/cache/multi.go
vendored
|
@ -239,15 +239,6 @@ func (x *multiClient) ObjectPutSingle(ctx context.Context, p client.PrmObjectPut
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *multiClient) ContainerAnnounceUsedSpace(ctx context.Context, prm client.PrmAnnounceSpace) (res *client.ResAnnounceSpace, err error) {
|
|
||||||
err = x.iterateClients(ctx, func(c clientcore.Client) error {
|
|
||||||
res, err = c.ContainerAnnounceUsedSpace(ctx, prm)
|
|
||||||
return err
|
|
||||||
})
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func (x *multiClient) ObjectDelete(ctx context.Context, p client.PrmObjectDelete) (res *client.ResObjectDelete, err error) {
|
func (x *multiClient) ObjectDelete(ctx context.Context, p client.PrmObjectDelete) (res *client.ResObjectDelete, err error) {
|
||||||
err = x.iterateClients(ctx, func(c clientcore.Client) error {
|
err = x.iterateClients(ctx, func(c clientcore.Client) error {
|
||||||
res, err = c.ObjectDelete(ctx, p)
|
res, err = c.ObjectDelete(ctx, p)
|
||||||
|
|
|
@ -81,21 +81,6 @@ func (s *Server) List(ctx context.Context, req *containerGRPC.ListRequest) (*con
|
||||||
return resp.ToGRPCMessage().(*containerGRPC.ListResponse), nil
|
return resp.ToGRPCMessage().(*containerGRPC.ListResponse), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExtendedACL converts gRPC SetExtendedACLRequest message and passes it to internal Container service.
|
|
||||||
func (s *Server) SetExtendedACL(ctx context.Context, req *containerGRPC.SetExtendedACLRequest) (*containerGRPC.SetExtendedACLResponse, error) {
|
|
||||||
setEACLReq := new(container.SetExtendedACLRequest)
|
|
||||||
if err := setEACLReq.FromGRPCMessage(req); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := s.srv.SetExtendedACL(ctx, setEACLReq)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return resp.ToGRPCMessage().(*containerGRPC.SetExtendedACLResponse), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetExtendedACL converts gRPC GetExtendedACLRequest message and passes it to internal Container service.
|
// GetExtendedACL converts gRPC GetExtendedACLRequest message and passes it to internal Container service.
|
||||||
func (s *Server) GetExtendedACL(ctx context.Context, req *containerGRPC.GetExtendedACLRequest) (*containerGRPC.GetExtendedACLResponse, error) {
|
func (s *Server) GetExtendedACL(ctx context.Context, req *containerGRPC.GetExtendedACLRequest) (*containerGRPC.GetExtendedACLResponse, error) {
|
||||||
getEACLReq := new(container.GetExtendedACLRequest)
|
getEACLReq := new(container.GetExtendedACLRequest)
|
||||||
|
@ -110,18 +95,3 @@ func (s *Server) GetExtendedACL(ctx context.Context, req *containerGRPC.GetExten
|
||||||
|
|
||||||
return resp.ToGRPCMessage().(*containerGRPC.GetExtendedACLResponse), nil
|
return resp.ToGRPCMessage().(*containerGRPC.GetExtendedACLResponse), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// AnnounceUsedSpace converts gRPC AnnounceUsedSpaceRequest message and passes it to internal Container service.
|
|
||||||
func (s *Server) AnnounceUsedSpace(ctx context.Context, req *containerGRPC.AnnounceUsedSpaceRequest) (*containerGRPC.AnnounceUsedSpaceResponse, error) {
|
|
||||||
announceReq := new(container.AnnounceUsedSpaceRequest)
|
|
||||||
if err := announceReq.FromGRPCMessage(req); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := s.srv.AnnounceUsedSpace(ctx, announceReq)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return resp.ToGRPCMessage().(*containerGRPC.AnnounceUsedSpaceResponse), nil
|
|
||||||
}
|
|
||||||
|
|
|
@ -78,15 +78,6 @@ func NewAPEServer(router policyengine.ChainRouter, reader containers, ir ir, nm
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ac *apeChecker) AnnounceUsedSpace(ctx context.Context, req *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
|
|
||||||
ctx, span := tracing.StartSpanFromContext(ctx, "apeChecker.AnnounceUsedSpace")
|
|
||||||
defer span.End()
|
|
||||||
|
|
||||||
// this method is not used, so not checked
|
|
||||||
|
|
||||||
return ac.next.AnnounceUsedSpace(ctx, req)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ac *apeChecker) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
|
func (ac *apeChecker) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
|
||||||
ctx, span := tracing.StartSpanFromContext(ctx, "apeChecker.Delete")
|
ctx, span := tracing.StartSpanFromContext(ctx, "apeChecker.Delete")
|
||||||
defer span.End()
|
defer span.End()
|
||||||
|
@ -303,18 +294,6 @@ func (ac *apeChecker) getRoleWithoutContainerID(oID *refs.OwnerID, mh *session.R
|
||||||
return nativeschema.PropertyValueContainerRoleOthers, pk, nil
|
return nativeschema.PropertyValueContainerRoleOthers, pk, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ac *apeChecker) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
|
|
||||||
ctx, span := tracing.StartSpanFromContext(ctx, "apeChecker.SetExtendedACL")
|
|
||||||
defer span.End()
|
|
||||||
|
|
||||||
if err := ac.validateContainerBoundedOperation(ctx, req.GetBody().GetEACL().GetContainerID(), req.GetMetaHeader(), req.GetVerificationHeader(),
|
|
||||||
nativeschema.MethodSetContainerEACL); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return ac.next.SetExtendedACL(ctx, req)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, containerID *refs.ContainerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader, op string) error {
|
func (ac *apeChecker) validateContainerBoundedOperation(ctx context.Context, containerID *refs.ContainerID, mh *session.RequestMetaHeader, vh *session.RequestVerificationHeader, op string) error {
|
||||||
if vh == nil {
|
if vh == nil {
|
||||||
return errMissingVerificationHeader
|
return errMissingVerificationHeader
|
||||||
|
|
|
@ -9,7 +9,6 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
||||||
session "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
|
session "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
|
||||||
|
@ -50,7 +49,6 @@ func TestAPE(t *testing.T) {
|
||||||
t.Run("deny get container by user claim tag", testDenyGetContainerByUserClaimTag)
|
t.Run("deny get container by user claim tag", testDenyGetContainerByUserClaimTag)
|
||||||
t.Run("deny get container by IP", testDenyGetContainerByIP)
|
t.Run("deny get container by IP", testDenyGetContainerByIP)
|
||||||
t.Run("deny get container by group id", testDenyGetContainerByGroupID)
|
t.Run("deny get container by group id", testDenyGetContainerByGroupID)
|
||||||
t.Run("deny set container eACL for IR", testDenySetContainerEACLForIR)
|
|
||||||
t.Run("deny get container eACL for IR with session token", testDenyGetContainerEACLForIRSessionToken)
|
t.Run("deny get container eACL for IR with session token", testDenyGetContainerEACLForIRSessionToken)
|
||||||
t.Run("deny put container for others with session token", testDenyPutContainerForOthersSessionToken)
|
t.Run("deny put container for others with session token", testDenyPutContainerForOthersSessionToken)
|
||||||
t.Run("deny put container, read namespace from frostfsID", testDenyPutContainerReadNamespaceFromFrostfsID)
|
t.Run("deny put container, read namespace from frostfsID", testDenyPutContainerReadNamespaceFromFrostfsID)
|
||||||
|
@ -665,84 +663,6 @@ func testDenyGetContainerByGroupID(t *testing.T) {
|
||||||
require.ErrorAs(t, err, &errAccessDenied)
|
require.ErrorAs(t, err, &errAccessDenied)
|
||||||
}
|
}
|
||||||
|
|
||||||
func testDenySetContainerEACLForIR(t *testing.T) {
|
|
||||||
t.Parallel()
|
|
||||||
srv := &srvStub{
|
|
||||||
calls: map[string]int{},
|
|
||||||
}
|
|
||||||
router := inmemory.NewInMemory()
|
|
||||||
contRdr := &containerStub{
|
|
||||||
c: map[cid.ID]*containercore.Container{},
|
|
||||||
}
|
|
||||||
ir := &irStub{
|
|
||||||
keys: [][]byte{},
|
|
||||||
}
|
|
||||||
nm := &netmapStub{}
|
|
||||||
frostfsIDSubjectReader := &frostfsidStub{
|
|
||||||
subjects: map[util.Uint160]*client.Subject{},
|
|
||||||
}
|
|
||||||
apeSrv := NewAPEServer(router, contRdr, ir, nm, frostfsIDSubjectReader, srv)
|
|
||||||
|
|
||||||
contID := cidtest.ID()
|
|
||||||
testContainer := containertest.Container()
|
|
||||||
pp := netmap.PlacementPolicy{}
|
|
||||||
require.NoError(t, pp.DecodeString("REP 1"))
|
|
||||||
testContainer.SetPlacementPolicy(pp)
|
|
||||||
contRdr.c[contID] = &containercore.Container{Value: testContainer}
|
|
||||||
|
|
||||||
nm.currentEpoch = 100
|
|
||||||
nm.netmaps = map[uint64]*netmap.NetMap{}
|
|
||||||
var testNetmap netmap.NetMap
|
|
||||||
testNetmap.SetEpoch(nm.currentEpoch)
|
|
||||||
testNetmap.SetNodes([]netmap.NodeInfo{{}})
|
|
||||||
nm.netmaps[nm.currentEpoch] = &testNetmap
|
|
||||||
nm.netmaps[nm.currentEpoch-1] = &testNetmap
|
|
||||||
|
|
||||||
_, _, err := router.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, engine.ContainerTarget(contID.EncodeToString()), &chain.Chain{
|
|
||||||
Rules: []chain.Rule{
|
|
||||||
{
|
|
||||||
Status: chain.AccessDenied,
|
|
||||||
Actions: chain.Actions{
|
|
||||||
Names: []string{
|
|
||||||
nativeschema.MethodSetContainerEACL,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Resources: chain.Resources{
|
|
||||||
Names: []string{
|
|
||||||
fmt.Sprintf(nativeschema.ResourceFormatRootContainer, contID.EncodeToString()),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Condition: []chain.Condition{
|
|
||||||
{
|
|
||||||
Kind: chain.KindRequest,
|
|
||||||
Key: nativeschema.PropertyKeyActorRole,
|
|
||||||
Value: nativeschema.PropertyValueContainerRoleIR,
|
|
||||||
Op: chain.CondStringEquals,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
})
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
req := &container.SetExtendedACLRequest{}
|
|
||||||
req.SetBody(&container.SetExtendedACLRequestBody{})
|
|
||||||
var refContID refs.ContainerID
|
|
||||||
contID.WriteToV2(&refContID)
|
|
||||||
req.GetBody().SetEACL(&acl.Table{})
|
|
||||||
req.GetBody().GetEACL().SetContainerID(&refContID)
|
|
||||||
|
|
||||||
pk, err := keys.NewPrivateKey()
|
|
||||||
require.NoError(t, err)
|
|
||||||
require.NoError(t, signature.SignServiceMessage(&pk.PrivateKey, req))
|
|
||||||
ir.keys = append(ir.keys, pk.PublicKey().Bytes())
|
|
||||||
|
|
||||||
resp, err := apeSrv.SetExtendedACL(context.Background(), req)
|
|
||||||
require.Nil(t, resp)
|
|
||||||
var errAccessDenied *apistatus.ObjectAccessDenied
|
|
||||||
require.ErrorAs(t, err, &errAccessDenied)
|
|
||||||
}
|
|
||||||
|
|
||||||
func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
|
func testDenyGetContainerEACLForIRSessionToken(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
srv := &srvStub{
|
srv := &srvStub{
|
||||||
|
@ -1229,11 +1149,6 @@ type srvStub struct {
|
||||||
calls map[string]int
|
calls map[string]int
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *srvStub) AnnounceUsedSpace(context.Context, *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
|
|
||||||
s.calls["AnnounceUsedSpace"]++
|
|
||||||
return &container.AnnounceUsedSpaceResponse{}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *srvStub) Delete(context.Context, *container.DeleteRequest) (*container.DeleteResponse, error) {
|
func (s *srvStub) Delete(context.Context, *container.DeleteRequest) (*container.DeleteResponse, error) {
|
||||||
s.calls["Delete"]++
|
s.calls["Delete"]++
|
||||||
return &container.DeleteResponse{}, nil
|
return &container.DeleteResponse{}, nil
|
||||||
|
@ -1259,11 +1174,6 @@ func (s *srvStub) Put(context.Context, *container.PutRequest) (*container.PutRes
|
||||||
return &container.PutResponse{}, nil
|
return &container.PutResponse{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *srvStub) SetExtendedACL(context.Context, *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
|
|
||||||
s.calls["SetExtendedACL"]++
|
|
||||||
return &container.SetExtendedACLResponse{}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
type irStub struct {
|
type irStub struct {
|
||||||
keys [][]byte
|
keys [][]byte
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,6 @@ import (
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container"
|
||||||
container_grpc "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container/grpc"
|
container_grpc "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/container/grpc"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/internal/audit"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/internal/audit"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/util/logger"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
|
@ -29,24 +28,6 @@ func NewAuditService(next Server, log *logger.Logger, enabled *atomic.Bool) Serv
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// AnnounceUsedSpace implements Server.
|
|
||||||
func (a *auditService) AnnounceUsedSpace(ctx context.Context, req *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
|
|
||||||
res, err := a.next.AnnounceUsedSpace(ctx, req)
|
|
||||||
if !a.enabled.Load() {
|
|
||||||
return res, err
|
|
||||||
}
|
|
||||||
|
|
||||||
var ids []*refs.ContainerID
|
|
||||||
for _, v := range req.GetBody().GetAnnouncements() {
|
|
||||||
ids = append(ids, v.GetContainerID())
|
|
||||||
}
|
|
||||||
|
|
||||||
audit.LogRequest(a.log, container_grpc.ContainerService_AnnounceUsedSpace_FullMethodName, req,
|
|
||||||
audit.TargetFromRefs(ids, &cid.ID{}), err == nil)
|
|
||||||
|
|
||||||
return res, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Delete implements Server.
|
// Delete implements Server.
|
||||||
func (a *auditService) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
|
func (a *auditService) Delete(ctx context.Context, req *container.DeleteRequest) (*container.DeleteResponse, error) {
|
||||||
res, err := a.next.Delete(ctx, req)
|
res, err := a.next.Delete(ctx, req)
|
||||||
|
@ -103,14 +84,3 @@ func (a *auditService) Put(ctx context.Context, req *container.PutRequest) (*con
|
||||||
audit.TargetFromRef(res.GetBody().GetContainerID(), &cid.ID{}), err == nil)
|
audit.TargetFromRef(res.GetBody().GetContainerID(), &cid.ID{}), err == nil)
|
||||||
return res, err
|
return res, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExtendedACL implements Server.
|
|
||||||
func (a *auditService) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
|
|
||||||
res, err := a.next.SetExtendedACL(ctx, req)
|
|
||||||
if !a.enabled.Load() {
|
|
||||||
return res, err
|
|
||||||
}
|
|
||||||
audit.LogRequest(a.log, container_grpc.ContainerService_SetExtendedACL_FullMethodName, req,
|
|
||||||
audit.TargetFromRef(req.GetBody().GetEACL().GetContainerID(), &cid.ID{}), err == nil)
|
|
||||||
return res, err
|
|
||||||
}
|
|
||||||
|
|
|
@ -14,7 +14,6 @@ type ServiceExecutor interface {
|
||||||
Delete(context.Context, *session.Token, *container.DeleteRequestBody) (*container.DeleteResponseBody, error)
|
Delete(context.Context, *session.Token, *container.DeleteRequestBody) (*container.DeleteResponseBody, error)
|
||||||
Get(context.Context, *container.GetRequestBody) (*container.GetResponseBody, error)
|
Get(context.Context, *container.GetRequestBody) (*container.GetResponseBody, error)
|
||||||
List(context.Context, *container.ListRequestBody) (*container.ListResponseBody, error)
|
List(context.Context, *container.ListRequestBody) (*container.ListResponseBody, error)
|
||||||
SetExtendedACL(context.Context, *session.Token, *container.SetExtendedACLRequestBody) (*container.SetExtendedACLResponseBody, error)
|
|
||||||
GetExtendedACL(context.Context, *container.GetExtendedACLRequestBody) (*container.GetExtendedACLResponseBody, error)
|
GetExtendedACL(context.Context, *container.GetExtendedACLRequestBody) (*container.GetExtendedACLResponseBody, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,24 +95,6 @@ func (s *executorSvc) List(ctx context.Context, req *container.ListRequest) (*co
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *executorSvc) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
|
|
||||||
meta := req.GetMetaHeader()
|
|
||||||
for origin := meta.GetOrigin(); origin != nil; origin = meta.GetOrigin() {
|
|
||||||
meta = origin
|
|
||||||
}
|
|
||||||
|
|
||||||
respBody, err := s.exec.SetExtendedACL(ctx, meta.GetSessionToken(), req.GetBody())
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("could not execute SetEACL request: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
resp := new(container.SetExtendedACLResponse)
|
|
||||||
resp.SetBody(respBody)
|
|
||||||
|
|
||||||
s.respSvc.SetMeta(resp)
|
|
||||||
return resp, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *executorSvc) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
|
func (s *executorSvc) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
|
||||||
respBody, err := s.exec.GetExtendedACL(ctx, req.GetBody())
|
respBody, err := s.exec.GetExtendedACL(ctx, req.GetBody())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -13,8 +13,6 @@ import (
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
"google.golang.org/grpc/codes"
|
|
||||||
"google.golang.org/grpc/status"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var errMissingUserID = errors.New("missing user ID")
|
var errMissingUserID = errors.New("missing user ID")
|
||||||
|
@ -204,10 +202,6 @@ func (s *morphExecutor) List(_ context.Context, body *container.ListRequestBody)
|
||||||
return res, nil
|
return res, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *morphExecutor) SetExtendedACL(_ context.Context, _ *sessionV2.Token, _ *container.SetExtendedACLRequestBody) (*container.SetExtendedACLResponseBody, error) {
|
|
||||||
return nil, status.Errorf(codes.Unimplemented, "method SetExtendedACL not implemented")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *morphExecutor) GetExtendedACL(_ context.Context, body *container.GetExtendedACLRequestBody) (*container.GetExtendedACLResponseBody, error) {
|
func (s *morphExecutor) GetExtendedACL(_ context.Context, body *container.GetExtendedACLRequestBody) (*container.GetExtendedACLResponseBody, error) {
|
||||||
idV2 := body.GetContainerID()
|
idV2 := body.GetContainerID()
|
||||||
if idV2 == nil {
|
if idV2 == nil {
|
||||||
|
|
|
@ -12,7 +12,5 @@ type Server interface {
|
||||||
Get(context.Context, *container.GetRequest) (*container.GetResponse, error)
|
Get(context.Context, *container.GetRequest) (*container.GetResponse, error)
|
||||||
Delete(context.Context, *container.DeleteRequest) (*container.DeleteResponse, error)
|
Delete(context.Context, *container.DeleteRequest) (*container.DeleteResponse, error)
|
||||||
List(context.Context, *container.ListRequest) (*container.ListResponse, error)
|
List(context.Context, *container.ListRequest) (*container.ListResponse, error)
|
||||||
SetExtendedACL(context.Context, *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error)
|
|
||||||
GetExtendedACL(context.Context, *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error)
|
GetExtendedACL(context.Context, *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error)
|
||||||
AnnounceUsedSpace(context.Context, *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error)
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -57,15 +57,6 @@ func (s *signService) List(ctx context.Context, req *container.ListRequest) (*co
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
return resp, s.sigSvc.SignResponse(resp, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *signService) SetExtendedACL(ctx context.Context, req *container.SetExtendedACLRequest) (*container.SetExtendedACLResponse, error) {
|
|
||||||
if err := s.sigSvc.VerifyRequest(req); err != nil {
|
|
||||||
resp := new(container.SetExtendedACLResponse)
|
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
|
||||||
}
|
|
||||||
resp, err := util.EnsureNonNilResponse(s.svc.SetExtendedACL(ctx, req))
|
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *signService) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
|
func (s *signService) GetExtendedACL(ctx context.Context, req *container.GetExtendedACLRequest) (*container.GetExtendedACLResponse, error) {
|
||||||
if err := s.sigSvc.VerifyRequest(req); err != nil {
|
if err := s.sigSvc.VerifyRequest(req); err != nil {
|
||||||
resp := new(container.GetExtendedACLResponse)
|
resp := new(container.GetExtendedACLResponse)
|
||||||
|
@ -74,12 +65,3 @@ func (s *signService) GetExtendedACL(ctx context.Context, req *container.GetExte
|
||||||
resp, err := util.EnsureNonNilResponse(s.svc.GetExtendedACL(ctx, req))
|
resp, err := util.EnsureNonNilResponse(s.svc.GetExtendedACL(ctx, req))
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
return resp, s.sigSvc.SignResponse(resp, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *signService) AnnounceUsedSpace(ctx context.Context, req *container.AnnounceUsedSpaceRequest) (*container.AnnounceUsedSpaceResponse, error) {
|
|
||||||
if err := s.sigSvc.VerifyRequest(req); err != nil {
|
|
||||||
resp := new(container.AnnounceUsedSpaceResponse)
|
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
|
||||||
}
|
|
||||||
resp, err := util.EnsureNonNilResponse(s.svc.AnnounceUsedSpace(ctx, req))
|
|
||||||
return resp, s.sigSvc.SignResponse(resp, err)
|
|
||||||
}
|
|
||||||
|
|
Loading…
Reference in a new issue