Revise storage interface for policy engine #7

New issue

Closed

opened 2023-10-26 14:09:29 +00:00 by fyrchik · 3 comments

fyrchik commented 2023-10-26 14:09:29 +00:00

Owner

Copy link

There are 2 problems with it:

1. AddNamespace and AddResource could really combined in a single method (see policy contract for an example).
2. Allow to remove local override rules.

The following scheme must be easy to implement:

1. Local overrides via control service (possibly, chain could be identified with a name, so support removal of a single rule)
2. All other methods will be called with chains from the policy contract.

There are 2 problems with it: 1. `AddNamespace` and `AddResource` could really combined in a single method (see policy contract for an example). 2. Allow to remove local override rules. The following scheme must be easy to implement: 1. Local overrides via control service (possibly, chain could be identified with a name, so support removal of a single rule) 2. All other methods will be called with chains from the policy contract.

fyrchik added the

refactoring

label 2023-10-26 14:13:00 +00:00

aarifullin commented 2023-10-30 10:06:03 +00:00

Member

Copy link

I think we need to split CachedChainStorage into several interfaces. Each interface would adhere to SRP. That nukes out CachedChainStorage at all:

1. Engine should be kept standalone

    IsAllowed(...)
   

2. LocalOverrides/LocalRuleChainSource/, LocalRuleChains with methods

   type LocalOverrides interface {
       AddChain(name Name) (ChainID, error)
       RemoveChain(name Name, chainID ChainID) error
       GetChain(name Name, chainID ChainID) (*Chain, error)
       ListChains(name Name)  ([]Chain, error)
   }
   

3. MorphRuleChainSource with methods

   type MorphRuleChainSource interface {
      AddChain(name Name, entity string) error
      RemoveChain(name Name, entity string) error
      GetChain(name Name, entity string) (*Chain, error)
      ListChains(name Name)  ([]Chain, error)
   }
   

Also, I would consider to rename Engine to ChainRouter name with method:

type ChainRouter interface {
   CheckPermission(name Name, namespace string, r Request) (status Status, ruleFound bool)
}

WDYT?

I think we need to split [CachedChainStorage](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/31a308ea61fb9b478773c988548f352ccf453913/interface.go#L4) into several interfaces. Each interface would adhere to SRP. That nukes out `CachedChainStorage` at all: 1. `Engine` should be kept standalone ```golang IsAllowed(...) ``` 2. `LocalOverrides`/`LocalRuleChainSource`/, `LocalRuleChains` with methods ```golang type LocalOverrides interface { AddChain(name Name) (ChainID, error) RemoveChain(name Name, chainID ChainID) error GetChain(name Name, chainID ChainID) (*Chain, error) ListChains(name Name) ([]Chain, error) } ``` 3. `MorphRuleChainSource` with methods ```golang type MorphRuleChainSource interface { AddChain(name Name, entity string) error RemoveChain(name Name, entity string) error GetChain(name Name, entity string) (*Chain, error) ListChains(name Name) ([]Chain, error) } ``` Also, I would consider to rename `Engine` to `ChainRouter` name with method: ```golang type ChainRouter interface { CheckPermission(name Name, namespace string, r Request) (status Status, ruleFound bool) } ``` WDYT?

fyrchik referenced this issue 2023-10-31 10:24:00 +00:00

Introduce ChainID type and several methods for interface #13

aarifullin referenced this issue 2023-10-31 14:20:47 +00:00

Introduce ChainID type and several methods for interface #13

aarifullin referenced this issue 2023-11-02 10:49:28 +00:00

Add a smart-contract and a neo-go client wrapper #3

aarifullin self-assigned this 2023-11-02 11:28:50 +00:00

aarifullin referenced this issue 2023-11-07 11:04:19 +00:00

[#7] engine: Revise storage interface #15

dkirillov referenced this issue from TrueCloudLab/frostfs-s3-gw 2023-11-07 12:29:25 +00:00

Add basic support of policy engine #257

fyrchik referenced this issue from a commit 2023-11-15 09:22:45 +00:00

[#7] engine: Move globMatch to common util package

fyrchik referenced this issue from a commit 2023-11-15 09:22:45 +00:00

[#7] engine: Set project structure pattern for files

fyrchik referenced this issue from a commit 2023-11-15 09:22:45 +00:00

[#7] engine: Revise CachedChainStorage interface

dkirillov commented 2023-11-29 09:59:15 +00:00

Member

Copy link

Why does the LocalOverrideStorage require resource instead of namespace unlike MorphRuleChainStorage ?

Probably the namespace be part of resource anyway. But it seems this is right only for storage-node (not for s3).
Furthermore when we want to add local overrides using control api (in s3/node) we have to know resource name from chain rules. But what if there are more than just one resource in chain (do we have to split rules into different chains then)?

Why does the [LocalOverrideStorage](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5fa9d91903bae3d0e29f5078a5d21f7f66de17b5/pkg/engine/interface.go#L17) require `resource` instead of namespace unlike [MorphRuleChainStorage](https://git.frostfs.info/TrueCloudLab/policy-engine/src/commit/5fa9d91903bae3d0e29f5078a5d21f7f66de17b5/pkg/engine/interface.go#L57) ? Probably the namespace be part of resource anyway. But it seems this is right only for storage-node (not for s3). Furthermore when we want to add local overrides using control api (in s3/node) we have to know resource name from chain rules. But what if there are more than just one resource in chain (do we have to split rules into different chains then)?

aarifullin commented 2024-01-11 14:34:04 +00:00

Member

Copy link

The interface has been revised in PRs mentioned above

The interface has been revised in PRs mentioned above

aarifullin closed this issue 2024-01-11 14:34:05 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

feat/list_by_iterator

feature/3_policy-contract-interface

feature/support-iam_to_native_converter

init

No results found.

Labels

Clear labels

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

aarifullin

3 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/policy-engine#7

No description provided.