object: Introduce soft ape checks #986

aarifullin · 2024-02-14T11:17:55Z

aarifullin commented

2024-02-14 11:17:55 +00:00

Soft APE check means that APE should allow request even it gets status NoRuleFound for a request. Otherwise, it is interpreted as Deny
Soft APE check is performed if basic ACL mask is not set.
* The PR also introduce a new action Object.* and Container.* to make possible to define a rule for all methods
Make default deny for NoRuleFound in container service
Ignore basic acl checks in tree service, if the mask in unset

* Soft APE check means that APE should allow request even it gets status NoRuleFound for a request. Otherwise, it is interpreted as Deny * Soft APE check is performed if basic ACL mask is not set. ~~* The PR also introduce a new action `Object.*` and `Container.*` to make possible to define a rule for all methods~~ * Make default deny for NoRuleFound in container service * Ignore basic acl checks in tree service, if the mask in unset

aarifullin added the

P0

label 2024-02-14 11:17:55 +00:00

aarifullin force-pushed fix/strict_ape_checks from d1a1d98f95 to f697ca511b

2024-02-14 11:18:27 +00:00

Compare

aarifullin requested review from storage-core-committers 2024-02-14 11:18:34 +00:00

aarifullin requested review from storage-core-developers 2024-02-14 11:18:44 +00:00

fyrchik requested review from alexvanin 2024-02-14 11:20:15 +00:00

fyrchik requested review from dkirillov 2024-02-14 11:20:17 +00:00

~~dkirillov referenced this pull request from TrueCloudLab/frostfs-s3-gw 2024-02-14 11:39:37 +00:00~~

bugfix/306-use_APE_instead_eACL #310

dkirillov referenced this pull request from TrueCloudLab/frostfs-s3-gw

2024-02-14 11:39:55 +00:00

bugfix/306-use_APE_instead_eACL #310

dkirillov commented

2024-02-14 11:50:24 +00:00

We have to also add the similar check for tree service. See f697ca511b/pkg/services/tree/signature.go (L79-L87)

We have to also add the similar check for tree service. See https://git.frostfs.info/aarifullin/frostfs-node/src/commit/f697ca511b9623888f53bdd7e78eb19079979b0f/pkg/services/tree/signature.go#L79-L87

acid-ant commented

2024-02-14 13:30:55 +00:00

Looks like needs to reword commit message a bit:
enabled is basic ACL mask is not set --> enabled if basic ACL mask is not set

Looks like needs to reword commit message a bit: enabled is basic ACL mask is not set --> enabled if basic ACL mask is not set

acid-ant reviewed 2024-02-14 13:43:59 +00:00

pkg/services/object/acl/v2/request.go Outdated

					
				@ -107,0 +108,4 @@

				// Strict APE check denies a request if CheckAPE returns NoRuleFound for it,

				// otherwise it allows the request. It is taken for enabled if no bits are set

				// within basic ACL mask.

				func (r RequestInfo) IsStrictAPECheck() bool {

acid-ant commented

2024-02-14 13:43:59 +00:00

You are always using NOT operator with result of this function and with field StrictAPECheck. How about to replace it with SoftAPECheck?

You are always using NOT operator with result of this function and with field `StrictAPECheck`. How about to replace it with `SoftAPECheck`?

aarifullin commented

2024-02-14 15:25:46 +00:00

Replaced to SoftAPECheck. Could u check please if I've left mistakes. Also, I fixed commit message

Replaced to `SoftAPECheck`. Could u check please if I've left mistakes. Also, I fixed commit message

aarifullin force-pushed fix/strict_ape_checks from f697ca511b to 6af79d2d6e

2024-02-14 15:25:10 +00:00

Compare

aarifullin changed title from ~~object: Introduce strict ape checks~~ to object: Introduce soft ape checks

2024-02-14 15:27:30 +00:00

aarifullin force-pushed fix/strict_ape_checks from 6af79d2d6e to d4fee9d5b8

2024-02-14 16:06:20 +00:00

Compare

fyrchik commented

2024-02-15 07:35:06 +00:00

Unit tests fail
What other testing was done?

Unit tests fail What other testing was done?

aarifullin force-pushed fix/strict_ape_checks from d4fee9d5b8 to 259208161e

2024-02-15 10:25:08 +00:00

Compare

aarifullin force-pushed fix/strict_ape_checks from 259208161e to 2943a56b76

2024-02-15 10:29:14 +00:00

Compare

dstepanov-yadro approved these changes 2024-02-15 10:49:16 +00:00

aarifullin added 1 commit 2024-02-15 11:01:39 +00:00

[#986 ] tree: Skip ACL checks if basicACL mask is unset

DCO action / DCO (pull_request) Successful in 3m7s

Details

Vulncheck / Vulncheck (pull_request) Successful in 3m5s

Details

Build / Build Components (1.20) (pull_request) Successful in 3m55s

Details

Build / Build Components (1.21) (pull_request) Successful in 3m51s

Details

Tests and linters / Staticcheck (pull_request) Successful in 4m30s

Details

Tests and linters / Lint (pull_request) Successful in 5m19s

Details

Tests and linters / Tests (1.20) (pull_request) Successful in 5m56s

Details

Tests and linters / Tests (1.21) (pull_request) Successful in 6m6s

Details

Tests and linters / Tests with -race (pull_request) Successful in 7m25s

Details

98ce78be0a

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

aarifullin reviewed 2024-02-15 11:05:14 +00:00

pkg/services/tree/signature.go Outdated

					
				@ -79,1 +79,4 @@

					basicACL := cnr.Value.BasicACL()

					// Basic ACL mask can be unset, if a container operations are performed

					// with strict APE checks only.

					if basicACL == 0x0 {