TrueCloudLab/frostfs-node
20
1
Fork 27
Code Issues 105 Pull requests 13 Projects Releases 2 Activity Actions

Use access policy engine to permit PUT request #770

Merged
fyrchik merged 4 commits from aarifullin/frostfs-node:feature/ape_rules_impl into master 2023-11-08 13:34:05 +00:00
Conversation 2 Commits 4 Files changed 25 +3509 -273
aarifullin commented 2023-10-31 10:54:57 +00:00
Member
Copy link
  • Implement new gRPC methods for control service to dispatch local overrides to a node
  • Implement frostfs-cli commands to manipulate local overrides
  • Add APE (access-policy-engine) checkers for object service to permit PUT request
* Implement new gRPC methods for control service to dispatch local overrides to a node * Implement frostfs-cli commands to manipulate local overrides * Add APE (access-policy-engine) checkers for object service to permit PUT request
aarifullin added the
enhancement
frostfs-cli
frostfs-node
 labels 2023-10-31 10:54:57 +00:00
requested reviews from storage-core-committers, storage-core-developers 2023-10-31 10:55:08 +00:00
aarifullin force-pushed feature/ape_rules_impl from e67a493560 to 8247382a21 2023-10-31 14:12:04 +00:00 Compare
dstepanov-yadro reviewed 2023-10-31 15:37:24 +00:00
cmd/frostfs-cli/modules/util/ape.go Outdated
@ -0,0 +26,4 @@
return nil
}
func ParseAPERule(r *policyengine.Rule, rule string) error {
dstepanov-yadro commented 2023-10-31 15:37:24 +00:00
Member
Copy link

Please add some rule examples. I suppose that simple json will be easier.

Also, as I understand it, it turns out that there are two policy serilizers: one for the cli, the second for json. So having only one (json) will be simpler to maintain.

Please add some `rule` examples. I suppose that simple `json` will be easier. Also, as I understand it, it turns out that there are two policy serilizers: one for the `cli`, the second for `json`. So having only one (`json`) will be simpler to maintain.
aarifullin commented 2023-11-01 08:31:26 +00:00
Author
Member
Copy link

You have probably misunderstood the point - IAM JSON format rules are not processed in cli.

The statements are passed to ParseAPERule are similiar with the format passed to ParseEACLRules like

allow Object.Put *
deny Object.Put *
deny:QuotaLimitReached Object.Put *

etc.

I will writre a unit-test for parsing and that will be clearer

You have probably misunderstood the point - IAM JSON format rules are not processed in cli. The statements are passed to `ParseAPERule` are similiar with the format passed to `ParseEACLRules` like `allow Object.Put *` `deny Object.Put *` `deny:QuotaLimitReached Object.Put *` etc. I will writre a unit-test for parsing and that will be clearer
👍 1
dstepanov-yadro marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 8247382a21 to bc8a21a949 2023-10-31 15:38:12 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from bc8a21a949 to a4a8bc1dbe 2023-10-31 15:48:11 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from a4a8bc1dbe to 4fbce91ce0 2023-10-31 16:02:33 +00:00 Compare
dstepanov-yadro reviewed 2023-10-31 16:33:26 +00:00
cmd/frostfs-node/policy_engine.go Outdated
@ -0,0 +7,4 @@
)
type apeChainSourceImpl struct {
localChainStorage map[cid.ID]policyengine.CachedChainStorage
dstepanov-yadro commented 2023-10-31 16:33:26 +00:00
Member
Copy link

Also mutex is required.

Also mutex is required.
aarifullin commented 2023-10-31 16:51:28 +00:00
Author
Member
Copy link

You are right. I've added. But this mutex will be used agressively for a while (Lock, Unlock) because if there is no source it is created for a container

You are right. I've added. But this mutex will be used agressively for a while (`Lock`, `Unlock`) because if there is no source it is created for a container
dstepanov-yadro reviewed 2023-10-31 16:37:30 +00:00
pkg/services/control/types.proto Outdated
@ -172,0 +184,4 @@
// Access denied.
ACCESS_DENIED = 2;
// Quita limit reached.
dstepanov-yadro commented 2023-10-31 16:37:30 +00:00
Member
Copy link

In my opinion, there is no sense from such comments. Maybe drop it?

In my opinion, there is no sense from such comments. Maybe drop it?
aarifullin commented 2023-10-31 16:50:31 +00:00
Author
Member
Copy link

I agree! This has been with principle "everyone writes and I write too" :) but I also do not find any profit of these comments

I agree! This has been with principle "everyone writes and I write too" :) but I also do not find any profit of these comments
aarifullin commented 2023-10-31 17:00:09 +00:00
Author
Member
Copy link

Removed obvious comments

Removed obvious comments
dstepanov-yadro marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 4fbce91ce0 to a37ae27d4d 2023-10-31 16:48:47 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from a37ae27d4d to 13bd2dd692 2023-10-31 16:59:58 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 13bd2dd692 to 5d493bc52e 2023-11-01 10:33:13 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 5d493bc52e to 9807a291f9 2023-11-01 10:38:39 +00:00 Compare
fyrchik reviewed 2023-11-01 11:14:10 +00:00
pkg/services/control/types.proto Outdated
@ -171,1 +171,4 @@
}
// Access policy enigne rule chain.
message Chain {
fyrchik commented 2023-11-01 11:14:10 +00:00
Owner
Copy link

Statuses are defined in the policy engine library, I think having raw byte slice in chain is OK, at least for now.

Statuses are _defined_ in the policy engine library, I think having raw byte slice in chain is OK, at least for now.
aarifullin commented 2023-11-01 15:03:41 +00:00
Author
Member
Copy link

Alright. I've made proto fill serialized chain instead Chain protobuf

Alright. I've made proto fill serialized chain instead `Chain` protobuf
fyrchik marked this conversation as resolved
aarifullin force-pushed feature/ape_rules_impl from 9807a291f9 to e39a542d46 2023-11-01 13:38:24 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from e39a542d46 to 28777fed0b 2023-11-01 14:15:06 +00:00 Compare
dstepanov-yadro approved these changes 2023-11-03 13:18:27 +00:00
fyrchik approved these changes 2023-11-06 06:49:08 +00:00
fyrchik commented 2023-11-07 07:14:09 +00:00
Owner
Copy link

Please, also fix XX in the commit messages.

Please, also fix `XX` in the commit messages.
aarifullin force-pushed feature/ape_rules_impl from 28777fed0b to 4ab978ac0c 2023-11-07 11:15:45 +00:00 Compare
requested reviews from dstepanov-yadro, fyrchik 2023-11-07 11:15:50 +00:00
aarifullin commented 2023-11-07 11:55:06 +00:00
Author
Member
Copy link

Please, also fix XX in the commit messages.

Fixed

> Please, also fix `XX` in the commit messages. Fixed
acid-ant approved these changes 2023-11-07 12:39:39 +00:00
cmd/frostfs-cli/modules/util/ape.go Outdated
@ -0,0 +137,4 @@
ObjectActor: policyengine.ObjectActor,
}
func parseConitions(lexemes []string) ([]policyengine.Condition, error) {
acid-ant commented 2023-11-07 12:20:02 +00:00
Member
Copy link

parseConitions -> parseConditions

parseConitions -> parseConditions
👍 1
dstepanov-yadro approved these changes 2023-11-07 13:16:09 +00:00
aarifullin force-pushed feature/ape_rules_impl from 4ab978ac0c to 11e80dce61 2023-11-07 19:03:16 +00:00 Compare
aarifullin force-pushed feature/ape_rules_impl from 11e80dce61 to 205cd4628f 2023-11-07 19:28:58 +00:00 Compare
requested reviews from acid-ant, dstepanov-yadro 2023-11-07 19:31:23 +00:00
acid-ant approved these changes 2023-11-08 06:35:10 +00:00
aarifullin force-pushed feature/ape_rules_impl from 205cd4628f to 624f9deb87 2023-11-08 12:37:24 +00:00 Compare
requested review from acid-ant 2023-11-08 13:03:37 +00:00
fyrchik merged commit 66848d3288 into master 2023-11-08 13:34:05 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
fyrchik
dstepanov-yadro
acid-ant
TrueCloudLab/storage-core-developers
Labels
Clear labels   
P0

Highest

  
P1

High

  
P2

Medium

  
P3

Low

  
badger

Badger DB related issues

  
frostfs-adm

   
frostfs-cli

   
frostfs-ir

   
frostfs-lens

   
frostfs-node

   
good first issue

Good for newcomers

  
triage
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
P0
P1
P2
P3
badger
frostfs-adm
frostfs-cli
frostfs-ir
frostfs-lens
frostfs-node
good first issue
triage
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-node#770
No description provided.
Delete branch "aarifullin/frostfs-node:feature/ape_rules_impl"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?