[#350] object/acl: Make best effort to classify request

Classifier looks at list of inner ring nodes and container
nodes from current and previous epoch to classify request.
Sometimes these checks might return error.

Consider there is a request from unknown key and container's
placement policy valid for current epoch and invalid for past
epoch. Classifier tries to find if key belongs to container
node from current epoch -- it is not. Then it tries to find if
key belongs to container node from past epoch and it throws
error, because placement policy is invalid for past epoch.

This is a legit case and classifier should ignore such errors
to provide best effort in matching. The only error classifier
should return is an error when request does not contain
public key to classify it.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2021-01-27 11:47:40 +03:00 committed by Alex Vanin
parent 6e8f5b9d63
commit e252f93dbf
2 changed files with 13 additions and 3 deletions

View file

@ -287,6 +287,7 @@ func initObjectService(c *cfg) {
acl.New( acl.New(
acl.WithSenderClassifier( acl.WithSenderClassifier(
acl.NewSenderClassifier( acl.NewSenderClassifier(
c.log,
c.cfgNetmap.wrapper, c.cfgNetmap.wrapper,
c.cfgNetmap.wrapper, c.cfgNetmap.wrapper,
), ),

View file

@ -16,6 +16,7 @@ import (
crypto "github.com/nspcc-dev/neofs-crypto" crypto "github.com/nspcc-dev/neofs-crypto"
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap" core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
"github.com/pkg/errors" "github.com/pkg/errors"
"go.uber.org/zap"
) )
type ( type (
@ -31,14 +32,16 @@ type (
} }
SenderClassifier struct { SenderClassifier struct {
log *zap.Logger
innerRing InnerRingFetcher innerRing InnerRingFetcher
netmap core.Source netmap core.Source
} }
) )
// fixme: update classifier constructor // fixme: update classifier constructor
func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier { func NewSenderClassifier(l *zap.Logger, ir InnerRingFetcher, nm core.Source) SenderClassifier {
return SenderClassifier{ return SenderClassifier{
log: l,
innerRing: ir, innerRing: ir,
netmap: nm, netmap: nm,
} }
@ -68,14 +71,20 @@ func (c SenderClassifier) Classify(
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes) isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
if err != nil { if err != nil {
return 0, false, nil, errors.Wrap(err, "can't check if request from inner ring") // do not throw error, try best case matching
c.log.Debug("can't check if request from inner ring",
zap.String("error", err.Error()))
} else if isInnerRingNode { } else if isInnerRingNode {
return acl.RoleSystem, true, ownerKeyInBytes, nil return acl.RoleSystem, true, ownerKeyInBytes, nil
} }
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr) isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
if err != nil { if err != nil {
return 0, false, nil, errors.Wrap(err, "can't check if request from container node") // error might happen if request has `RoleOther` key and placement
// is not possible for previous epoch, so
// do not throw error, try best case matching
c.log.Debug("can't check if request from container node",
zap.String("error", err.Error()))
} else if isContainerNode { } else if isContainerNode {
return acl.RoleSystem, false, ownerKeyInBytes, nil return acl.RoleSystem, false, ownerKeyInBytes, nil
} }