Support credentials update with GSet scheme #135

New Issue

Closed

opened 2023-06-09 14:43:36 +00:00 by alexvanin · 1 comment

alexvanin commented 2023-06-09 14:43:36 +00:00

Owner

Is your feature request related to a problem? Please describe.

Accessbox is an object that contains bearer tokens signed for specific gateway keys. Address of accessbox object (cid/oid) is used as access key id for S3 credentials. There is a case when storage network is expanded with new S3 gateways. New S3 gateways can't use existing accessboxes because they don't contain suitable bearer tokens. The only way to handle this case is to issue new tokens.

Describe the solution you'd like

Use 2PSet object versioning scheme for accessbox objects.

S3 Gateway:

1. Searches for the latest version of the object with Filename of access key id in the accessbox container.
2. If no objects found, use access key id as direct address for accessbox.

S3 Authmate:

1. Support issuing secrets with 2PSet headers based on existing accessbox

Describe alternatives you've considered

Tree service looks like a suitable place for accessbox versions, but there are some concerns on tree service data restore after the loss. So tree service isn't preferable option here.

Additional context

It takes about 5-6 seconds to find latest version of the accessbox out of 1000 versions with 2PSet. Seems okay for now.

## Is your feature request related to a problem? Please describe. Accessbox is an object that contains bearer tokens signed for specific gateway keys. Address of accessbox object (cid/oid) is used as access key id for S3 credentials. There is a case when storage network is expanded with new S3 gateways. New S3 gateways can't use existing accessboxes because they don't contain suitable bearer tokens. The only way to handle this case is to issue new tokens. ## Describe the solution you'd like Use 2PSet object versioning scheme for accessbox objects. S3 Gateway: 1. Searches for the latest version of the object with `Filename` of access key id in the accessbox container. 2. If no objects found, use access key id as direct address for accessbox. S3 Authmate: 1. Support issuing secrets with 2PSet headers based on existing accessbox ## Describe alternatives you've considered Tree service looks like a suitable place for accessbox versions, but there are some concerns on tree service data restore after the loss. So tree service isn't preferable option here. ## Additional context It takes about 5-6 seconds to find latest version of the accessbox out of 1000 versions with 2PSet. Seems okay for now.

alexvanin added this to the v0.28.0 milestone 2023-06-09 14:43:36 +00:00

alexvanin added the

enhancement

label 2023-06-09 14:43:36 +00:00

dkirillov was assigned by alexvanin 2023-06-09 14:43:36 +00:00

dkirillov commented 2023-06-13 06:36:47 +00:00

Collaborator

It seems we are about to use GSet (not 2PSet)

It seems we are about to use `GSet` (not `2PSet`)

alexvanin changed title from Support credentials update with 2PSet scheme to Support credentials update with GSet scheme 2023-06-13 06:41:17 +00:00

dkirillov referenced a pull request that will close this issue 2023-06-13 09:39:58 +00:00

[#135] Support GSet for credentials #130

alexvanin referenced this issue from a commit 2023-06-19 10:15:05 +00:00

[#135] crdt: Add GSet

alexvanin referenced this issue from a commit 2023-06-19 10:15:05 +00:00

[#135] frostfs: Add SEARCH operation

alexvanin referenced this issue from a commit 2023-06-19 10:15:05 +00:00

[#135] authmate: Support CRDT GSet for credentials

alexvanin referenced this issue from a commit 2023-06-19 10:15:05 +00:00

[#135] authmate: Update docs

alexvanin closed this issue 2023-06-19 10:15:08 +00:00

alexvanin referenced this issue 2023-07-04 08:11:24 +00:00

Try HEAD request before SEARCH to obtain credentials #159

dkirillov referenced this issue 2024-03-15 13:13:11 +00:00

Improve determining `AccessBox` latest version #335

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

support/v0.29

support/v0.28

support/v0.27

v0.29.0-rc.10

v0.29.0-rc.9

v0.29.0-rc.8

v0.29.0-rc.7

v0.29.0-rc.6

v0.29.0-rc.5

v0.29.0-rc.4

v0.29.0-rc.3

v0.29.0-rc.2

v0.29.0-rc.1

v0.28.1

v0.28.0

v0.28.0-rc.1

v0.27.0

v0.27.0-rc.2

v0.27.0-rc.1

Labels

Clear labels   

P0

Highest   

P1

High   

P2

Medium   

P3

Low   

good first issue

Good for newcomers

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff   

blocked

The issue or PR is blocked by something   

bug

Something is not working   

config

Configuration format update or breaking change   

discussion

Talking about something in order to reach a decision or to exchange ideas   

documentation

Documentation related   

duplicate

This issue or pull request already exists   

enhancement

New feature   

go

Language features adoption   

help wanted

Extra attention is needed   

internal

  

invalid

Something is wrong   

kludge

This is a kludge and we know it   

observability

Related to metrics, tracing and logs   

perfomance

Perfomance related   

question

More information is needed   

refactoring

Refactoring   

wontfix

This won't be fixed

No Label

P0

P1

P2

P3

good first issue

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No Milestone

v0.28.0

Assignees

Clear assignees

No Assignees

dkirillov

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#135

There is no content yet.