diff --git a/CHANGELOG.md b/CHANGELOG.md index 31c57f5..8692844 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ This document outlines major changes between releases. ### Added - Exposure of pool metrics (#615) - Configuration of `set_copies_number` (#634, #637) +- Configuration of list of allowed `AccessKeyID` prefixes (#674) ### Changed - Improved wallet configuration via `.yaml` config and environment variables (#607) - Update go version for build to 1.19 (#694) diff --git a/config/config.env b/config/config.env index b90ac0a..61fdfc9 100644 --- a/config/config.env +++ b/config/config.env @@ -103,3 +103,7 @@ S3_GW_CORS_DEFAULT_MAX_AGE=600 # Number of the object copies to consider PUT to NeoFS successful. # If not set, default value 0 will be used -- it means that object will be processed according to the container's placement policy S3_GW_NEOFS_SET_COPIES_NUMBER=0 + +# List of allowed AccessKeyID prefixes +# If not set, S3 GW will accept all AccessKeyIDs +S3_GW_ALLOWED_ACCESS_KEY_ID_PREFIXES=Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn diff --git a/config/config.yaml b/config/config.yaml index 95fda40..ae21863 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -117,3 +117,9 @@ neofs: # Number of the object copies to consider PUT to NeoFS successful. # `0` means that object will be processed according to the container's placement policy set_copies_number: 0 + +# List of allowed AccessKeyID prefixes +# If the parameter is omitted, S3 GW will accept all AccessKeyIDs +allowed_access_key_id_prefixes: + - Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX + - 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn diff --git a/docs/configuration.md b/docs/configuration.md index 0fffdc1..7d4adcf 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -154,20 +154,25 @@ max_clients_count: 100 max_clients_deadline: 30s default_policy: REP 3 + +allowed_access_key_id_prefixes: + - Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX + - 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn ``` -| Parameter | Type | Default value | Description | -|------------------------|------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `listen_address` | `string` | `0.0.0.0:8080` | The address that the gateway is listening on. | -| `rpc_endpoint` | `string` | | The address of the RPC host to which the gateway connects to resolve bucket names (required to use the `nns` resolver). | -| `resolve_order` | `[]string` | `[dns]` | Order of bucket name resolvers to use. Available resolvers: `dns`, `nns`. | | -| `connect_timeout` | `duration` | `10s` | Timeout to connect to a node. | -| `healthcheck_timeout` | `duration` | `15s` | Timeout to check node health during rebalance. | -| `rebalance_interval` | `duration` | `60s` | Interval to check node health. | -| `pool_error_threshold` | `uint32` | `100` | The number of errors on connection after which node is considered as unhealthy. | -| `max_clients_count` | `int` | `100` | Limits for processing of clients' requests. | -| `max_clients_deadline` | `duration` | `30s` | Deadline after which the gate sends error `RequestTimeout` to a client. | -| `default_policy` | `string` | `REP 3` | Default policy of placing containers in NeoFS. If a user sends a request `CreateBucket` and doesn't define policy for placing of a container in NeoFS, the S3 Gateway will put the container with default policy. | +| Parameter | Type | Default value | Description | +|----------------------------------|------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `listen_address` | `string` | `0.0.0.0:8080` | The address that the gateway is listening on. | +| `rpc_endpoint` | `string` | | The address of the RPC host to which the gateway connects to resolve bucket names (required to use the `nns` resolver). | +| `resolve_order` | `[]string` | `[dns]` | Order of bucket name resolvers to use. Available resolvers: `dns`, `nns`. | | +| `connect_timeout` | `duration` | `10s` | Timeout to connect to a node. | +| `healthcheck_timeout` | `duration` | `15s` | Timeout to check node health during rebalance. | +| `rebalance_interval` | `duration` | `60s` | Interval to check node health. | +| `pool_error_threshold` | `uint32` | `100` | The number of errors on connection after which node is considered as unhealthy. | +| `max_clients_count` | `int` | `100` | Limits for processing of clients' requests. | +| `max_clients_deadline` | `duration` | `30s` | Deadline after which the gate sends error `RequestTimeout` to a client. | +| `default_policy` | `string` | `REP 3` | Default policy of placing containers in NeoFS. If a user sends a request `CreateBucket` and doesn't define policy for placing of a container in NeoFS, the S3 Gateway will put the container with default policy. | +| `allowed_access_key_id_prefixes` | `[]string` | | List of allowed `AccessKeyID` prefixes which S3 GW serve. If the parameter is omitted, all `AccessKeyID` will be accepted. | ### `wallet` section