Make descriptive help for --rule option #1519

Merged
fyrchik merged 1 commit from aarifullin/frostfs-node:feat/ape_rule_help into master 2024-11-25 07:21:06 +00:00

All APE-related subcommands that use the `--rule` option to parse an APE policy have got a descriptive `--help`

```bash
frostfs-cli ape-manager add --help
```

Outputs:

```
Add rule chain for a target

Usage:
  frostfs-cli ape-manager add [flags]

Flags:
      --address string        Address of wallet account
      --chain-id string       Chain id
      --chain-id-hex          Flag to parse chain ID as hex
  -g, --generate-key          Generate new private key
  -h, --help                  help for add
      --path string           Path to encoded chain in JSON or binary format
  -r, --rpc-endpoint string   Remote node address (as 'multiaddr' or '<host>:<port>')
      --rule stringArray      Defines an Access Policy Engine (APE) rule in the format:
                                  <status>[:status_detail] <action>... <condition>... <resource>...

                              Status:
                                - allow                   Permits specified actions
                                - deny                    Prohibits specified actions
                                - deny:QuotaLimitReached  Denies access due to quota limits

                              Actions:
                                  Object operations:
                                  - Object.Put, Object.Get, etc.
                                  - Object.*     (all object operations)
                                  Container operations:
                                  - Container.Put, Container.Get, etc.
                                  - Container.*  (all container operations)

                              Conditions:
                                  ResourceCondition:
                                    Format: ResourceCondition:"key"=value, "key"!=value
                                      Reserved properties (use '\' before '$'):
                                      - $Object:version
                                      - $Object:objectID
                                      - $Object:containerID
                                      - $Object:ownerID
                                      - $Object:creationEpoch
                                      - $Object:payloadLength
                                      - $Object:payloadHash
                                      - $Object:objectType
                                      - $Object:homomorphicHash

                              RequestCondition:
                                  Format: RequestCondition:"key"=value, "key"!=value
                                    Reserved properties (use '\' before '$'):
                                      - $Actor:publicKey
                                      - $Actor:role

                                    Example:
                                      ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others

                              Resources:
                                  For objects:
                                    - namespace/cid/oid    (specific object)
                                    - namespace/cid/*      (all objects in container)
                                    - namespace/*          (all objects in namespace)
                                    - *                    (all objects)
                                    - /*                   (all objects in root namespace)
                                    - /cid/*              (all objects in root container)
                                    - /cid/oid            (specific object in root container)

                                  For containers:
                                    - namespace/cid        (specific container)
                                    - namespace/*          (all containers in namespace)
                                    - *                    (all containers)
                                    - /cid                (root container)
                                    - /*                  (all root containers)

                              Notes:
                                  - Cannot mix object and container operations in one rule
                                  - Default behavior is Any=false unless 'any' is specified
                                  - Use 'all' keyword to explicitly set Any=false
      --target-name string    Resource name in APE resource name format
      --target-type string    Resource type(container/namespace)
  -t, --timeout duration      Timeout for an operation (default 15s)
      --trace                 Generate trace ID and print it.
  -w, --wallet string         Path to the wallet or binary key

Global Flags:
  -c, --config string       Config file (default is $HOME/.config/frostfs-cli/config.yaml)
      --config-dir string   Config directory
  -v, --verbose             Verbose output
```
aarifullin added 1 commit 2024-11-22 12:53:24 +00:00
[#xx] cli: Make descriptive help for --rule option
Some checks failed
Tests and linters / Run gofumpt (pull_request) Successful in 2m39s
DCO action / DCO (pull_request) Failing after 2m55s
Pre-commit hooks / Pre-commit (pull_request) Successful in 2m53s
Build / Build Components (pull_request) Successful in 4m27s
Tests and linters / Staticcheck (pull_request) Successful in 4m46s
Tests and linters / Lint (pull_request) Successful in 4m55s
Vulncheck / Vulncheck (pull_request) Successful in 4m56s
Tests and linters / gopls check (pull_request) Successful in 6m14s
Tests and linters / Tests (pull_request) Successful in 7m37s
Tests and linters / Tests with -race (pull_request) Successful in 7m45s
fe76411aa8
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
aarifullin force-pushed feat/ape_rule_help from fe76411aa8 to b02c3daf7c 2024-11-22 12:53:53 +00:00 Compare
aarifullin requested review from storage-core-committers 2024-11-22 13:00:18 +00:00
aarifullin requested review from storage-core-developers 2024-11-22 13:00:19 +00:00
fyrchik requested review from anikeev-yadro 2024-11-22 13:24:17 +00:00
fyrchik requested review from amaks 2024-11-22 13:24:18 +00:00
dstepanov-yadro approved these changes 2024-11-22 13:46:44 +00:00
anikeev-yadro approved these changes 2024-11-22 14:00:16 +00:00
fyrchik merged commit 3ebd560f42 into master 2024-11-25 07:21:06 +00:00
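
A simplified pre-flight check for `--rule` strings, written from the grammar in the help output above. It is an added example, not frostfs-node's own parser. `Lint`, `LintRule` and the `Broad` heuristic are hypothetical names; the check assumes whitespace-separated tokens and accepts `any`/`all` anywhere after the status.

```go
package main

import (
	"fmt"
	"strings"
)

// Lint summarises one rule; Broad marks an unconditional allow of Kind.* on "*".
type Lint struct {
	Allow, Any, Broad bool
	Kind              string // "Object" or "Container"
}

// LintRule checks a --rule string against the grammar in the help text above.
// Assumption: tokens are whitespace-separated, so conditions contain no spaces.
func LintRule(rule string) (l Lint, err error) {
	tok := strings.Fields(rule)
	if len(tok) == 0 {
		return l, fmt.Errorf("empty rule")
	}
	status, _, _ := strings.Cut(tok[0], ":") // status_detail is not checked
	if status != "allow" && status != "deny" {
		return l, fmt.Errorf("unknown status %q", tok[0])
	}
	l.Allow = status == "allow"
	wildcard, star, conds, resources := false, false, 0, 0
	for _, t := range tok[1:] {
		kind, op, ok := strings.Cut(t, ".")
		switch {
		case t == "any" || t == "all":
			l.Any = t == "any"
		case strings.HasPrefix(t, "ResourceCondition:"), strings.HasPrefix(t, "RequestCondition:"):
			conds++ // conditions narrow the rule; their contents are not validated
		case ok && (kind == "Object" || kind == "Container"):
			if l.Kind != "" && l.Kind != kind {
				return l, fmt.Errorf("cannot mix object and container operations")
			}
			l.Kind, wildcard = kind, wildcard || op == "*"
		default: // anything else is taken as a resource
			resources, star = resources+1, star || t == "*"
		}
	}
	if l.Kind == "" || resources == 0 {
		return l, fmt.Errorf("rule needs at least one action and one resource")
	}
	l.Broad = l.Allow && wildcard && star && conds == 0
	return l, nil
}

func main() { fmt.Println(LintRule(`allow Object.* *`)) }
```

A rule reported as `Broad` grants every operation of its kind on every resource with no condition, which is worth a second look before it is added to a chain.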
Reference: TrueCloudLab/frostfs-node#1519