[#509] Update docs

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-10-11 15:29:00 +03:00 · 2024-10-11 15:29:00 +03:00 · 6a90f4e624
commit 6a90f4e624
parent cb3753f286
2 changed files with 36 additions and 6 deletions
--- a/docs/authentication.md
+++ b/docs/authentication.md
@ -159,8 +159,10 @@ storage node.
 Object s3 credentials are formed based on:

 * `AccessKeyId` - is concatenated container id and object id (`<cid>0<oid>`) of `AccessBox` (
-  e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`)
-* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload)
+  e.g. `2XGRML5EW3LMHdf64W2DkBy1Nkuu4y4wGhUj44QjbXBi05ZNvs8WVwy1XTmSEkcVkydPKzCgtmR7U3zyLYTj3Snxf`). 
+  Or it can be arbitrary user-provided unique string with min length 4 and max length 128. 
+* `SecretAccessKey` - hex-encoded random generated 32 bytes (that is encrypted and stored in object payload).
+  Or it can be arbitrary user-provided unique string with min length 4 and max length 128.

 > **Note**: sensitive info in `AccessBox` is [encrypted](#encryption), so only someone who posses specific private key
 > can decrypt such info.
@ -192,7 +194,7 @@ It contains:
 * List of gate data:
    * Gate public key (so that gate (when it will decrypt data later) know which item from the list it should process)
    * Encrypted tokens:
-        * `SecretAccessKey` - hex-encoded random generated 32 bytes
+        * `SecretAccessKey` - hex-encoded random generated 32 bytes (or arbitrary user-provided string)
        * Marshaled bearer token - more detail
          in [spec](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/commit/4c68d92468503b10282c8a92af83a56f170c8a3a/acl/types.proto#L189)
        * Marshaled session token - more detail
@ -229,10 +231,12 @@ relevant data) the following sequence is used:
 </a>

 * Search all object whose attribute `S3-Access-Box-CRDT-Name` is equal to `AccessKeyId` (extract container id
-  from `AccessKeyId` that has format: `<cid>0<oid>`).
+  from `AccessKeyId` that has format: `<cid>0<oid>` if `AccessBox` was created with default parameters, or it can also 
+  be arbitrary user-defined string).
 * Get metadata for these object using `HEAD` requests (not `Get` to reduce network traffic)
 * Sort all these objects by creation epoch and object id
-* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `<cid>0<oid>`.
+* Pick last object id (If no object is found then extract object id from `AccessKeyId` that has format: `<cid>0<oid>`
+ (if `AccessBox` was created with default parameters, or it can also be arbitrary user-defined string).
  We need to do this because versions of `AccessBox` can miss the `S3-Access-Box-CRDT-Name` attribute.)
 * Get appropriate object from FrostFS storage
 * Decrypt `AccessBox` (see [encryption](#encryption))
@ -253,7 +257,7 @@ secp256r1 or prime256v1) is used (unless otherwise stated).

 * Create ephemeral key (`SeedKey`), it's need to generate shared secret
 * Generate random 32-byte (that after hex-encoded be `SecretAccessKey`) or use existing secret access key
-  (if `AccessBox` is being updated rather than creating brand new)
+  (if `AccessBox` is being updated rather than creating brand new) or use arbitrary user-provided string
 * Generate shared secret as [ECDH](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman)
 * Derive 32-byte key using shared secret from previous step with key derivation function based on
  HMAC with SHA256 [HKDF](https://en.wikipedia.org/wiki/HKDF)
--- a/docs/authmate.md
+++ b/docs/authmate.md
@ -146,6 +146,32 @@ the secret. Format of `access_key_id`: `%cid0%oid`, where 0(zero) is a delimiter
  24h). Default value is `720h` (30 days). It will be ceil rounded to the nearest amount of epoch
 * `--aws-cli-credentials` - path to the aws cli credentials file, where authmate will write `access_key_id` and
  `secret_access_key` to
+* `--rpc-endpoint` - NEO node RPC address (must be provided if `--container-id` is NNS name)
+* `--access-key-id` - access key id of s3 credential that must be created (must be unique)
+* `--secret-access-key` - secret access key of s3 credential that must be used
+
+You also can specify `AccessKeyID`/`SecretAccessKey` pair that should be created:
+
+```shell
+$ frostfs-s3-authmate issue-secret --wallet wallet.json \
+--peer 192.168.130.71:8080 \
+ --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \
+ --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \
+ --access-key-id my-access-key \
+ --secret-access-key my-secret-key \
+ --container-id BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6
+
+ Enter password for wallet.json >
+
+{
+  "initial_access_key_id": "my-access-key-3",
+  "access_key_id": "my-access-key",
+  "secret_access_key": "my-secret-key",
+  "owner_private_key": "d9972cc4f21b07a90f4b347c72c33c1d1611c2b9a2cfd0cc28cee8cb221e8e55",
+  "wallet_public_key": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a",
+  "container_id": "BpExV76416Vo7GrkJsGwXGoLM35xsBwup8voedDZR3c6"
+}
+```

 ### Bearer tokens