From 5c252c9193f638eacce54b580fa7a6493e1651c7 Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Tue, 12 Mar 2024 15:09:55 +0300
Subject: [PATCH] [#1039] object: Skip APE check for certain request roles

* Skip APE check if a role is Container.
* Skip APE check if a role is IR and methods are get-like.

Signed-off-by: Airat Arifullin
---
 pkg/services/object/ape/checker.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/services/object/ape/checker.go b/pkg/services/object/ape/checker.go
index 13dab0ec7..1d42d21d4 100644
--- a/pkg/services/object/ape/checker.go
+++ b/pkg/services/object/ape/checker.go
@@ -10,6 +10,7 @@ import (
 oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+ nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 )
 
 type checkerImpl struct {
@@ -56,6 +57,21 @@ var errMissingOID = errors.New("object ID is not set")
 // CheckAPE checks if a request or a response is permitted creating an ape request and passing
 // it to chain router.
 func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
+ // APE check is ignored for some inter-node requests.
+ if prm.Role == nativeschema.PropertyValueContainerRoleContainer {
+ return nil
+ } else if prm.Role == nativeschema.PropertyValueContainerRoleIR {
+ switch prm.Method {
+ case nativeschema.MethodGetObject,
+ nativeschema.MethodHeadObject,
+ nativeschema.MethodSearchObject,
+ nativeschema.MethodRangeObject,
+ nativeschema.MethodHashObject:
+ return nil
+ default:
+ }
+ }
+
 r, err := c.newAPERequest(ctx, prm)
 if err != nil {
 return fmt.Errorf("failed to create ape request: %w", err)
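Review bot: The early `return nil` for `PropertyValueContainerRoleContainer` skips the policy check for every method, including mutating ones, and both bypasses rest entirely on `prm.Role`, whose derivation is not visible in this hunk. If the role is not established from the verified request signer (checked against the container node set and the IR list), this becomes an unconditional policy bypass. The assumption should be written down at the branch, e.g. `// prm.Role must be derived from the verified request signer, never from a client-supplied field.` As a style point, the `else` after a terminating `if` and the empty `default:` can be dropped. CheckAPE's body continues outside the hunk.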