Return AccessDenied error instead of ObjectNotFound #1378

dstepanov-yadro · 2024-09-16T09:41:09Z

dstepanov-yadro commented

2024-09-16 09:41:09 +00:00

Now AccessDeniedError for object.get requests has higher priority.

Before:

./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --policy "REP 2 CBF 1 SELECT 4 FROM *" --basic-acl '0' --await
CID: 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH
awaiting...
container has been persisted on sidechain

./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --rule 'allow object.* RequestCondition:"\$Actor:role"=owner *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container' --chain-id 112
Parsed chain:
Chain ID: 112
     HEX: 313132
Rules:

        Status: Allowed
        Any: false
        Conditions:
                Request $Actor:role StringEquals owner
        Actions:        Inverted:false
                PutObject
                GetObject
                HeadObject
                DeleteObject
                SearchObject
                RangeObject
                HashObject
                PatchObject
        Resources:      Inverted:false
                native:object/*
Rule has been added.
Chain ID:  112


./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --chain-id 'chain-id-0x61d46897e4eb0' --rule 'allow object.get object.head object.put ResourceCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container'
Parsed chain:
Chain ID: chain-id-0x61d46897e4eb0
     HEX: 636861696e2d69642d307836316434363839376534656230
Rules:

        Status: Allowed
        Any: false
        Conditions:
                Resource check_key StringEquals check_value
                Request $Actor:role StringEquals others
        Actions:        Inverted:false
                GetObject
                HeadObject
                PutObject
        Resources:      Inverted:false
                native:object/*
Rule has been added.
Chain ID:  chain-id-0x61d46897e4eb0

./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2049 message = object not found

 ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2049 message = object not found

./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

After (preparation steps not included):

 ./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N
KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

 ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N
KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N
KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

 ./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N
KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m
 0 / ? [------------------------------------------------------------------------------------------------------------------------------=]   0.00% 2562047h47m16s
rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied

Closes #1297 Now AccessDeniedError for object.get requests has higher priority. Before: ``` ./bin/frostfs-cli container create -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --policy "REP 2 CBF 1 SELECT 4 FROM *" --basic-acl '0' --await CID: 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH awaiting... container has been persisted on sidechain ./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --rule 'allow object.* RequestCondition:"\$Actor:role"=owner *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container' --chain-id 112 Parsed chain: Chain ID: 112 HEX: 313132 Rules: Status: Allowed Any: false Conditions: Request $Actor:role StringEquals owner Actions: Inverted:false PutObject GetObject HeadObject DeleteObject SearchObject RangeObject HashObject PatchObject Resources: Inverted:false native:object/* Rule has been added. Chain ID: 112 ./bin/frostfs-cli ape-manager add -r 127.0.0.1:8080 --wallet /home/dstepanov/src/frostfs-node/dev/wallet.json -c /home/dstepanov/src/frostfs-node/dev/empty_pass.yml --chain-id 'chain-id-0x61d46897e4eb0' --rule 'allow object.get object.head object.put ResourceCondition:"check_key"="check_value" RequestCondition:"\$Actor:role"=others *' --target-name '7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH' --target-type 'container' Parsed chain: Chain ID: chain-id-0x61d46897e4eb0 HEX: 636861696e2d69642d307836316434363839376534656230 Rules: Status: Allowed Any: false Conditions: Resource check_key StringEquals check_value Request $Actor:role StringEquals others Actions: Inverted:false GetObject HeadObject PutObject Resources: Inverted:false native:object/* Rule has been added. Chain ID: chain-id-0x61d46897e4eb0 ./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2049 message = object not found ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2049 message = object not found ./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 7N5q9G7bJP3CkH1DGuKVX54yYPQfp8V3QYoCnvhbzoDH --oid 7hZxypZ2CQYiv9NcxC8zWAqvaEaf7J1xkifMxymBJ8t9 --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [---------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ``` After (preparation steps not included): ``` ./bin/frostfs-cli object get -r 127.0.0.1:8080 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ./bin/frostfs-cli object get -r 127.0.0.1:8082 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ./bin/frostfs-cli object get -r 127.0.0.1:8084 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ./bin/frostfs-cli object get -r 127.0.0.1:8086 -g --cid 2hAAQUycW947mWMjGMURzJpUauEpk2JcHX8SEn9dByu9 --oid EZ6LydvTiV5N KFYR7rdXwRYzU1hAj2jVitSEXBxAtsfr --file /home/dstepanov/src/frostfs-node/.cache/tmp.bin --timeout=1m 0 / ? [------------------------------------------------------------------------------------------------------------------------------=] 0.00% 2562047h47m16s rpc error: read object header: status: code = 2048 message = access to object operation denied: ape denied request: status: code = 2048 message = access to object operation denied ```

dstepanov-yadro added 2 commits 2024-09-16 09:41:09 +00:00

[#1297 ] getSvc: Return AccessDenied instead of ObjectNotFound e7d8b71a36

Do not replace the access denied error if it was received earlier.

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>

[#1297 ] dev: Bump neo-go version

DCO action / DCO (pull_request) Successful in 49s

Details

Tests and linters / Run gofumpt (pull_request) Successful in 1m12s

Details

Vulncheck / Vulncheck (pull_request) Successful in 2m5s

Details

Pre-commit hooks / Pre-commit (pull_request) Successful in 2m17s

Details

Build / Build Components (pull_request) Successful in 2m19s

Details

Tests and linters / gopls check (pull_request) Successful in 2m30s

Details

Tests and linters / Staticcheck (pull_request) Successful in 2m42s

Details

Tests and linters / Lint (pull_request) Successful in 3m25s

Details

Tests and linters / Tests (pull_request) Successful in 4m10s

Details

Tests and linters / Tests with -race (pull_request) Successful in 5m52s

Details

2d50b1cf0d

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>

dstepanov-yadro reviewed 2024-09-16 09:53:13 +00:00

pkg/services/object/get/remote.go Outdated

					
				@ -42,3 +42,3 @@

							if errors.As(err, &errAccessDenied) {

								r.err = err

							} else {

							} else if r.err == nil || !errors.As(r.err, &errAccessDenied) {

dstepanov-yadro commented

2024-09-16 09:53:13 +00:00

Get request shouldn't stop in case of AccesssDeniedError, because it could be caused by local APE override.

aarifullin commented

2024-09-19 08:55:43 +00:00

This change corresponds to the PR description: errAccessDenied error should have higher priority over ObjectNotFound. That's ok.

But for me this comment looks little bit complicating :)
processCurrentEpoch won't stop by processNode anyway as it returns false. How shouldn't it stop then?

This change corresponds to the PR description: `errAccessDenied` error should have higher priority over `ObjectNotFound`. That's ok. But for me this comment looks little bit complicating :) `processCurrentEpoch` won't stop by `processNode` anyway as it returns `false`. How shouldn't it stop then?

dstepanov-yadro commented

2024-09-19 09:05:40 +00:00

with lookupDepth == 0 condition:


	for {
		if r.processCurrentEpoch(ctx) {
			break
		}

		// check the maximum depth has been reached
		if lookupDepth == 0 {
			break
		}

		lookupDepth--

		// go to the previous epoch
		r.curProcEpoch--
	}

with `lookupDepth == 0` condition: ``` for { if r.processCurrentEpoch(ctx) { break } // check the maximum depth has been reached if lookupDepth == 0 { break } lookupDepth-- // go to the previous epoch r.curProcEpoch-- } ```

dstepanov-yadro changed title from ~~WIP: Return AccessDenied error instead of ObjectNotFound~~ to Return AccessDenied error instead of ObjectNotFound

2024-09-16 09:53:50 +00:00

dstepanov-yadro requested review from storage-core-committers 2024-09-16 09:53:57 +00:00

dstepanov-yadro requested review from storage-core-developers 2024-09-16 09:53:58 +00:00

aarifullin approved these changes 2024-09-19 09:18:23 +00:00

Dismissed

dstepanov-yadro force-pushed fix/get_return_error_access_denied from 2d50b1cf0d to 4300dd3a41

2024-09-20 13:05:16 +00:00

Compare

dstepanov-yadro force-pushed fix/get_return_error_access_denied from 4300dd3a41 to 2aa07902eb

2024-09-23 12:36:40 +00:00

Compare

aarifullin approved these changes 2024-09-24 08:09:24 +00:00