Return AccessDenied error instead of ObjectNotFound #1378

Merged
dstepanov-yadro merged 1 commit from dstepanov-yadro/frostfs-node:fix/get_return_error_access_denied into master 2024-10-26 11:30:26 +00:00

Closes #1297

Now AccessDeniedError for object.get requests has higher priority.

Before:

./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --policy "REP 2 CBF 1 SELECT 4 FROM *" --basic-acl '0' --await
CID: 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH
awaiting...
container has been persisted on sidechain

./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --rule 'allow object.* RequestCondition:"\$Actor:role"=owner *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container' --chain-id 112
Parsed chain:
Chain ID: 112
     HEX: 313132
Rules:

        Status: Allowed
        Any: false
        Conditions:
                Request $Actor:role StringEquals owner
        Actions:        Inverted:false
                PutObject
                GetObject
                HeadObject
                DeleteObject
                SearchObject
                RangeObject
                HashObject
                PatchObject
        Resources:      Inverted:false
                native:object/*
Rule has been added.
Chain ID:  112


./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --chain-id 'chain-id-0x61d46897e4eb0' --rule 'allow object.get object.head object.put ResourceCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container'
Parsed chain:
Chain ID: chain-id-0x61d46897e4eb0
     HEX: 636861696e2d69642d307836316434363839376534656230
Rules:

        Status: Allowed
        Any: false
        Conditions:
                Resource check_key StringEquals check_value
                Request $Actor:role StringEquals others
        Actions:        Inverted:false
                GetObject
                HeadObject
                PutObject
        Resources:      Inverted:false
                native:object/*
Rule has been added.
Chain ID:  chain-id-0x61d46897e4eb0

./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2049 message = object not found

 ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2049 message = object not found

./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

After (preparation steps not included):

 ./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5NKFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

 ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5NKFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5NKFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

 ./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5NKFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied
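
The priority rule from the description, as an added sketch that is not frostfs-node code: one GET collects errors from several nodes, and the error the client sees depends on whether a later error may replace an earlier access denied. The `accessDenied` and `notFound` types, `aggregate` and its `sticky` flag are hypothetical, and the old `else` branch is assumed to overwrite the stored error unconditionally.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the two statuses seen in the CLI output above.
type accessDenied struct{}

func (accessDenied) Error() string { return "code = 2048 access to object operation denied" }

type notFound struct{}

func (notFound) Error() string { return "code = 2049 object not found" }

// aggregate folds the per-node errors of one GET into the error the client sees.
// sticky=false models the assumed old behaviour (any later error overwrites),
// sticky=true models the merged behaviour (an earlier access denied is kept).
func aggregate(nodeErrs []error, sticky bool) error {
	var result error
	for _, err := range nodeErrs {
		var denied accessDenied
		switch {
		case errors.As(err, &denied):
			result = err
		case !sticky || !errors.As(result, &denied):
			// errors.As is false for a nil result, so the first error is always stored.
			result = err
		}
	}
	return result
}

func main() {
	// Constructed traversal order: the first node denies via APE and wraps the
	// status, the remaining nodes do not hold the object.
	order := []error{
		fmt.Errorf("ape denied request: %w", accessDenied{}),
		notFound{},
		notFound{},
	}
	fmt.Println("before:", aggregate(order, false))
	fmt.Println("after: ", aggregate(order, true))
}
```

With the constructed order, the old rule ends on the not found status and the new rule keeps the wrapped access denied, which matches the change from code 2049 to code 2048 in the sessions above.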
dstepanov-yadro added 2 commits 2024-09-16 09:41:09 +00:00
Do not replace the access denied error if it was received earlier.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
[#1297] dev: Bump neo-go version
2d50b1cf0d
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
dstepanov-yadro reviewed 2024-09-16 09:53:13 +00:00
@ -42,3 +42,3 @@
if errors.As(err, &errAccessDenied) {
r.err = err
} else {
} else if r.err == nil || !errors.As(r.err, &errAccessDenied) {
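Review bot: In the new `else if` condition, `r.err == nil ||` is redundant: `errors.As` returns false for a nil error, so `!errors.As(r.err, &errAccessDenied)` alone gives the same result. That second call also reuses `errAccessDenied` as its target, so on a match it overwrites the variable with the earlier error; use a separate target if the variable is read after this branch. The reason an earlier access denied error must survive is not obvious from the condition itself, so a one-line code comment stating it would help, along with a test in which access denied is followed by a different error.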
Author
Member

Get request shouldn't stop in case of AccessDeniedError, because it could be caused by local APE override.
Member

This change corresponds to the PR description: `errAccessDenied` error should have higher priority over `ObjectNotFound`. That's ok.

But for me this comment looks a little bit complicating :)
`processCurrentEpoch` won't stop by `processNode` anyway as it returns `false`. How shouldn't it stop then?
Author
Member

with `lookupDepth == 0` condition:

```
for {
	if r.processCurrentEpoch(ctx) {
		break
	}

	// check the maximum depth has been reached
	if lookupDepth == 0 {
		break
	}

	lookupDepth--

	// go to the previous epoch
	r.curProcEpoch--
}
```
dstepanov-yadro changed title from WIP: Return AccessDenied error instead of ObjectNotFound to Return AccessDenied error instead of ObjectNotFound 2024-09-16 09:53:50 +00:00
dstepanov-yadro requested review from storage-core-committers 2024-09-16 09:53:57 +00:00
dstepanov-yadro requested review from storage-core-developers 2024-09-16 09:53:58 +00:00
aarifullin approved these changes 2024-09-19 09:18:23 +00:00
Dismissed
dstepanov-yadro force-pushed fix/get_return_error_access_denied from 2d50b1cf0d to 4300dd3a41 2024-09-20 13:05:16 +00:00 Compare
dstepanov-yadro force-pushed fix/get_return_error_access_denied from 4300dd3a41 to 2aa07902eb 2024-09-23 12:36:40 +00:00 Compare
aarifullin approved these changes 2024-09-24 08:09:24 +00:00
acid-ant approved these changes 2024-09-24 08:22:02 +00:00
Member

Please rebase on master.
dstepanov-yadro force-pushed fix/get_return_error_access_denied from 2aa07902eb to bdf386366c 2024-09-24 09:05:27 +00:00 Compare
dstepanov-yadro merged commit bdf386366c into master 2024-09-24 09:16:05 +00:00
dstepanov-yadro deleted branch fix/get_return_error_access_denied 2024-09-24 09:16:14 +00:00
Reference: TrueCloudLab/frostfs-node#1378