Support new FrostFS ID contract #260

New issue

Closed

opened 2023-11-01 14:21:56 +00:00 by alexvanin · 1 comment

alexvanin commented 2023-11-01 14:21:56 +00:00

Owner

Copy link

After TrueCloudLab/frostfs-contract#48 support new FrostFS ID contract in the S3 Gateway. Add new configuration flag (enabled by default), to check if access box key is registered in FrostFS ID contract. Use checks for bucket-related operations and ignore it for object-related operations, because:

1. objects are belong to user-owned bucket,
2. objects are controlled by ACL and policies,
3. objects can be accessed anonymously in S3.

Update authmate with optional flag to register private key in FrostFS ID contract.

Fetch namespace from FrostFS ID subject.

Edit 1: This approach restricts inter-namespace communication. Such communication is valid, so fetch namespace from the HTTP header which can be set by proxy server for specific namespace. Configure HTTP header key in config file.

Use namespace during bucket resolving:

1. default root namespace should be converted in .container NNS zone as before,
2. all non-default namespaces converted to NNS zone directly.

After https://git.frostfs.info/TrueCloudLab/frostfs-contract/issues/48 support new FrostFS ID contract in the S3 Gateway. Add new configuration flag (enabled by default), to check if access box key is registered in FrostFS ID contract. Use checks for bucket-related operations and ignore it for object-related operations, because: 1) objects are belong to user-owned bucket, 2) objects are controlled by ACL and policies, 3) objects can be accessed anonymously in S3. Update authmate with optional flag to register private key in FrostFS ID contract. ~~Fetch namespace from FrostFS ID subject.~~ Edit 1: This approach restricts inter-namespace communication. Such communication is valid, so fetch namespace from the HTTP header which can be set by proxy server for specific namespace. Configure HTTP header key in config file. Use namespace during bucket resolving: 1) default `root` namespace should be converted in `.container` NNS zone as before, 2) all non-default namespaces converted to NNS zone directly.

alexvanin added this to the v0.29.0 milestone 2023-11-01 14:21:56 +00:00

dkirillov was assigned by alexvanin 2023-11-01 14:21:56 +00:00

alexvanin referenced this issue from TrueCloudLab/frostfs-http-gw 2023-11-01 15:27:09 +00:00

Support namespaces based on namespace header value #91

dkirillov referenced this issue from a pull request that will close it, 2023-11-16 12:13:28 +00:00

feature/260-support_frostfsid #265

alexvanin commented 2023-11-20 07:59:05 +00:00

Author

Owner

Copy link

@dkirillov I updated the issue, please change namespace fetching mechanism.

@dkirillov I updated the issue, please change namespace fetching mechanism.

👍 1

alexvanin referenced this issue from a commit 2023-11-27 14:36:44 +00:00

[#260] Refactor api/auth/center.go

alexvanin referenced this issue from a commit 2023-11-27 14:36:45 +00:00

[#260] Support frostfsid validation

alexvanin referenced this issue from a commit 2023-11-27 14:36:45 +00:00

[#260] authmate: Support key registration in frostfsid contract

alexvanin referenced this issue from a commit 2023-11-27 14:36:45 +00:00

[#260] Use namespace as domain when resolve bucket

alexvanin referenced this issue from a commit 2023-11-27 14:36:45 +00:00

[#260] Update CHANGELOG.md

alexvanin referenced this issue from a commit 2023-11-27 14:36:45 +00:00

[#260] Use namespace as domain when create bucket

alexvanin closed this issue 2023-11-27 14:36:53 +00:00

alexvanin modified the milestone from v0.29.0 to v0.28.0 2024-05-27 10:26:09 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.30

support/v0.29

support/v0.28

support/v0.27

v0.31.0

v0.31.0-rc.6

v0.31.0-rc.5

v0.31.0-rc.4

v0.30.8

v0.31.0-rc.3

v0.30.7

v0.31.0-rc.2

v0.31.0-rc.1

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.30.0-rc.5

v0.29.2

v0.30.0-rc.4

v0.30.0-rc.3

v0.30.0-rc.2

v0.29.1

v0.30.0-rc.1

v0.29.0

v0.28.2

v0.29.0-rc.11

v0.29.0-rc.10

v0.29.0-rc.9

v0.29.0-rc.8

v0.29.0-rc.7

v0.29.0-rc.6

v0.29.0-rc.5

v0.29.0-rc.4

v0.29.0-rc.3

v0.29.0-rc.2

v0.29.0-rc.1

v0.28.1

v0.28.0

v0.28.0-rc.1

v0.27.0

v0.27.0-rc.2

v0.27.0-rc.1

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

good first issue

Good for newcomers

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

good first issue

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

v0.28.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

dkirillov

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#260

No description provided.