poc impersonate #39

Merged
KirillovDenis merged 1 commit from KirillovDenis/poc/impersonate into master 2023-05-04 06:42:25 +00:00
KirillovDenis commented 2023-02-21 08:41:41 +00:00 (Migrated from github.com)

close #81

Should be merged after TrueCloudLab/frostfs-node#68

alexvanin changed title from poc impersonate to WIP: poc impersonate 2023-03-07 06:43:10 +00:00
dkirillov added 23 commits 2023-04-18 12:02:25 +00:00
Due to source code relocation from GitHub.

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This parameter enables parsing the XML body without the
xmlns="http://s3.amazonaws.com/doc/2006-03-01/" attribute
for CompleteMultipartUpload requests.

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
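The namespace behaviour that commit describes, as an added example in Go; this is not the gateway's code, and the struct and field names (`CompletedPart`, `strictUpload`, `lenientUpload`, the `allowMissingNamespace` parameter) are assumptions standing in for the real types and the configuration switch. It shows why a strict decoder rejects a body without `xmlns` and how leaving the namespace out of the `XMLName` tag makes `encoding/xml` accept both forms.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// CompletedPart mirrors one <Part> of an S3 CompleteMultipartUpload body
// (assumed field names; not the gateway's own types).
type CompletedPart struct {
	ETag       string `xml:"ETag"`
	PartNumber int    `xml:"PartNumber"`
}

// strictUpload accepts the root element only when it carries the S3 namespace.
type strictUpload struct {
	XMLName xml.Name        `xml:"http://s3.amazonaws.com/doc/2006-03-01/ CompleteMultipartUpload"`
	Parts   []CompletedPart `xml:"Part"`
}

// lenientUpload leaves the namespace out of the tag, so encoding/xml matches
// the root element whether or not the client sent xmlns="...".
type lenientUpload struct {
	XMLName xml.Name        `xml:"CompleteMultipartUpload"`
	Parts   []CompletedPart `xml:"Part"`
}

// parseCompleteMultipart decodes a request body. allowMissingNamespace plays
// the role of the configuration parameter the commit message refers to
// (hypothetical name).
func parseCompleteMultipart(body []byte, allowMissingNamespace bool) ([]CompletedPart, error) {
	if allowMissingNamespace {
		var u lenientUpload
		if err := xml.Unmarshal(body, &u); err != nil {
			return nil, fmt.Errorf("lenient parse: %w", err)
		}
		return u.Parts, nil
	}
	var u strictUpload
	if err := xml.Unmarshal(body, &u); err != nil {
		return nil, fmt.Errorf("strict parse: %w", err)
	}
	return u.Parts, nil
}

// Constructed sample bodies: one as the AWS SDKs send it, one from a client
// that omits the namespace declaration.
var bodyWithNamespace = []byte(`<CompleteMultipartUpload xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Part><ETag>"a1"</ETag><PartNumber>1</PartNumber></Part>
  <Part><ETag>"b2"</ETag><PartNumber>2</PartNumber></Part>
</CompleteMultipartUpload>`)

var bodyWithoutNamespace = []byte(`<CompleteMultipartUpload>
  <Part><ETag>"a1"</ETag><PartNumber>1</PartNumber></Part>
  <Part><ETag>"b2"</ETag><PartNumber>2</PartNumber></Part>
</CompleteMultipartUpload>`)

func main() {
	samples := map[string][]byte{"with xmlns": bodyWithNamespace, "without xmlns": bodyWithoutNamespace}
	for _, lenient := range []bool{false, true} {
		for name, body := range samples {
			parts, err := parseCompleteMultipart(body, lenient)
			fmt.Printf("lenient=%-5v %-13s parts=%d err=%v\n", lenient, name, len(parts), err)
		}
	}
}
```

Keeping the strict form as the default and enabling the lenient decoder only by explicit configuration matches the commit's "parameter" wording: the relaxed parser widens what the gateway accepts, so it should be a deliberate compatibility choice rather than the baseline.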
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Periodic white space XML writer sends XML header
and white spaces to the io.Writer.

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Such functions should be used together with the periodic white space
XML writer.

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This mechanism is used by Amazon S3 to keep the client's
connection alive while the object is being constructed from
the upload parts.

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
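The keep-alive mechanism the three commits above describe (header first, periodic white space while the object is assembled, then the body without a second header), as an added example in Go. It is not the gateway's implementation; the type and function names (`keepAliveWriter`, `startKeepAlive`, `writeBodyWithoutHeader`, `completeUpload`, `completeResult`) and the 10 ms interval are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"sync"
	"time"
)

// keepAliveWriter sends the XML header at once and then one space per
// interval, so the client keeps receiving bytes while the upload is assembled.
// Hypothetical implementation, not the gateway's own code.
type keepAliveWriter struct {
	w      io.Writer
	ticker *time.Ticker
	done   chan struct{}
	wg     sync.WaitGroup
	err    error // first write error seen by the ticker goroutine
}

func startKeepAlive(w io.Writer, interval time.Duration) (*keepAliveWriter, error) {
	if _, err := io.WriteString(w, xml.Header); err != nil {
		return nil, err
	}
	k := &keepAliveWriter{w: w, ticker: time.NewTicker(interval), done: make(chan struct{})}
	k.wg.Add(1)
	go k.loop()
	return k, nil
}

func (k *keepAliveWriter) loop() {
	defer k.wg.Done()
	for {
		select {
		case <-k.done:
			return
		case <-k.ticker.C:
			// Whitespace between the prolog and the root element is legal XML,
			// so the client's parser is not disturbed.
			if k.err == nil {
				_, k.err = io.WriteString(k.w, " ")
			}
		}
	}
}

// Stop ends the ticker and waits for the goroutine, so the caller can write
// the real body without racing against a late space.
func (k *keepAliveWriter) Stop() error {
	k.ticker.Stop()
	close(k.done)
	k.wg.Wait()
	return k.err
}

// completeResult models the S3 CompleteMultipartUploadResult element (assumed shape).
type completeResult struct {
	XMLName xml.Name `xml:"CompleteMultipartUploadResult"`
	Bucket  string   `xml:"Bucket"`
	Key     string   `xml:"Key"`
	ETag    string   `xml:"ETag"`
}

// writeBodyWithoutHeader is the counterpart of startKeepAlive: the header is
// already on the wire, so only the element is encoded.
func writeBodyWithoutHeader(w io.Writer, v interface{}) error {
	return xml.NewEncoder(w).Encode(v)
}

// completeUpload runs the slow assembly step under keep-alive, then writes the result.
func completeUpload(w io.Writer, interval time.Duration, assemble func() completeResult) error {
	ka, err := startKeepAlive(w, interval)
	if err != nil {
		return err
	}
	res := assemble()
	if err := ka.Stop(); err != nil {
		return err
	}
	return writeBodyWithoutHeader(w, res)
}

// decodeResult parses what a client received, header and spaces included.
func decodeResult(out string) (completeResult, error) {
	var res completeResult
	err := xml.Unmarshal([]byte(out), &res)
	return res, err
}

// demo drives completeUpload against an in-memory buffer with a constructed
// 100 ms "assembly" and returns the bytes a client would receive.
func demo() (string, error) {
	var buf bytes.Buffer
	err := completeUpload(&buf, 10*time.Millisecond, func() completeResult {
		time.Sleep(100 * time.Millisecond)
		return completeResult{Bucket: "example-bucket", Key: "big.bin", ETag: `"deadbeef-3"`}
	})
	return buf.String(), err
}

func main() {
	out, err := demo()
	res, decErr := decodeResult(out)
	fmt.Printf("err=%v decode=%v etag=%s\n%q\n", err, decErr, res.ETag, out)
}
```

Two points worth keeping in mind with this pattern: the writer must be stopped and joined before the body is written, otherwise a late space can land inside the element; and once the header has been flushed the HTTP status can no longer be changed, so a failure during assembly has to be reported inside the XML body rather than by status code.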
Reduce code duplication for error handling

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Add bug report and feature request templates

Signed-off-by: Liza <e.chichindaeva@yadro.com>
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Since we have pkg 'internal/frostfs/services/tree' that is downloaded
during build, we cannot export any package that depends on it.

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Signed-off-by: Artem Tataurov <a.tataurov@yadro.com>
dkirillov self-assigned this 2023-04-18 12:02:51 +00:00
dkirillov changed title from WIP: poc impersonate to poc impersonate 2023-04-18 14:57:48 +00:00
dkirillov requested review from storage-services-committers 2023-04-18 14:57:56 +00:00
dkirillov requested review from storage-services-developers 2023-04-18 14:57:56 +00:00
dkirillov force-pushed KirillovDenis/poc/impersonate from 36edd0d1d0 to 5909633649 2023-04-26 07:32:41 +00:00 Compare
dkirillov force-pushed KirillovDenis/poc/impersonate from 5909633649 to b387f5e6ff 2023-04-26 07:34:30 +00:00 Compare
dkirillov requested review from realloc 2023-04-26 07:44:50 +00:00
dkirillov force-pushed KirillovDenis/poc/impersonate from b387f5e6ff to fb1817f672 2023-04-27 12:22:43 +00:00 Compare
dkirillov force-pushed KirillovDenis/poc/impersonate from fb1817f672 to 72ed3b1f45 2023-04-27 14:01:59 +00:00 Compare
alexvanin reviewed 2023-05-03 13:34:04 +00:00
@ -388,3 +387,1 @@
if bktInfo.Owner.Equals(bearer.ResolveIssuer(*bd.Gate.BearerToken)) {
return bd.Gate.BearerToken.Marshal()
}
return bd.Gate.BearerToken.Marshal()
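Review bot: dropping the `bktInfo.Owner.Equals(bearer.ResolveIssuer(*bd.Gate.BearerToken))` guard means the gate's bearer token is now returned for every bucket, including buckets whose owner is not the token issuer; for a token without the impersonation flag that is a behaviour change, so keep the owner check on the non-impersonate path (return the marshaled token only when the issuer owns the bucket and fall through as before otherwise) and add a test that accesses a public-read-write bucket with foreign credentials and a non-impersonate token.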
Owner

To be fully backward compatible, it seems that bearer token without impersonation flag should be treated as before: return token if `bktInfo.Owner.Equals(bearer.ResolveIssuer(*bd.Gate.BearerToken))`. Need to check that by accessing public-read-write bucket with foreign credentials without impersonation flag.

Member

You are right, we have to handle not impersonate tokens as before

alexvanin marked this conversation as resolved
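The backward-compatibility rule agreed in the thread above, as an added example in Go; it is not the gateway's code and does not use the frostfs SDK. `UserID`, `BearerToken`, `BucketInfo`, `GateData` and `chooseBearerToken` are hypothetical stand-ins for the real types, and the function also returns a reason string so the decision can be logged and audited.

```go
package main

import "fmt"

// Minimal hypothetical models; not the frostfs SDK types used by the gateway.
type UserID string

type BearerToken struct {
	Issuer      UserID
	Impersonate bool // set when the token lets the gate act on behalf of its issuer
}

type BucketInfo struct {
	Name  string
	Owner UserID
}

type GateData struct {
	BearerToken *BearerToken
}

// chooseBearerToken decides which bearer token, if any, is attached to the
// FrostFS request for bkt, and returns a short reason suitable for an audit log.
//
//   - a token with the impersonation flag is always used;
//   - a token without it keeps the pre-change rule: only when its issuer owns the bucket;
//   - otherwise no token is attached and access is decided by the bucket's own ACL,
//     which is the case the reviewer asks to test (foreign credentials, public-read-write bucket).
func chooseBearerToken(bkt BucketInfo, gate GateData) (*BearerToken, string) {
	bt := gate.BearerToken
	switch {
	case bt == nil:
		return nil, "no bearer token in gate data"
	case bt.Impersonate:
		return bt, "impersonation token"
	case bkt.Owner == bt.Issuer:
		return bt, "issuer owns bucket"
	default:
		return nil, "foreign issuer without impersonation flag: relying on bucket ACL"
	}
}

func main() {
	alice, bob := UserID("alice"), UserID("bob") // constructed identities
	public := BucketInfo{Name: "public-rw", Owner: alice}
	cases := []struct {
		label string
		gate  GateData
	}{
		{"owner, plain token", GateData{&BearerToken{Issuer: alice}}},
		{"foreign, plain token", GateData{&BearerToken{Issuer: bob}}},
		{"foreign, impersonate", GateData{&BearerToken{Issuer: bob, Impersonate: true}}},
		{"no token", GateData{}},
	}
	for _, c := range cases {
		bt, why := chooseBearerToken(public, c.gate)
		fmt.Printf("%-22s attach=%-5v (%s)\n", c.label, bt != nil, why)
	}
}
```

The reason string is the part a defender cares about: when an access decision later needs to be explained, the log shows whether the request carried the gate's token by impersonation, by ownership, or relied on the bucket ACL alone.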
dkirillov force-pushed KirillovDenis/poc/impersonate from 72ed3b1f45 to b366e75366 2023-05-03 14:25:35 +00:00 Compare
alexvanin approved these changes 2023-05-03 14:32:51 +00:00
alexvanin left a comment
Owner

LGTM.
We can also use lighter extended ACLs with less records by using impersonated tokens (private buckets may remove a set of allow rules for gate public keys).

Probably it should be discussed with new ACL scheme. /cc @realloc

alexvanin merged commit b366e75366 into master 2023-05-04 06:42:25 +00:00
alexvanin deleted branch KirillovDenis/poc/impersonate 2023-05-04 06:42:26 +00:00
Reference: TrueCloudLab/frostfs-s3-gw#39