forked from TrueCloudLab/frostfs-node
Compare commits
3 commits
master
...
feature/85
Author | SHA1 | Date | |
---|---|---|---|
9646d77ae1 | |||
da9c75f9aa | |||
9275c6b3e1 |
12 changed files with 23 additions and 25 deletions
|
@ -4,7 +4,6 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
||||||
|
@ -14,7 +13,6 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -62,13 +60,11 @@ func addRule(cmd *cobra.Command, _ []string) {
|
||||||
cmd.Println("Container ID: " + cidStr)
|
cmd.Println("Container ID: " + cidStr)
|
||||||
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, serializedChain))
|
cmd.Println("Parsed chain:\n" + prettyJSONFormat(cmd, serializedChain))
|
||||||
|
|
||||||
name := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cidStr)
|
|
||||||
|
|
||||||
req := &control.AddChainLocalOverrideRequest{
|
req := &control.AddChainLocalOverrideRequest{
|
||||||
Body: &control.AddChainLocalOverrideRequest_Body{
|
Body: &control.AddChainLocalOverrideRequest_Body{
|
||||||
Target: &control.ChainTarget{
|
Target: &control.ChainTarget{
|
||||||
Type: control.ChainTarget_CONTAINER,
|
Type: control.ChainTarget_CONTAINER,
|
||||||
Name: name,
|
Name: cidStr,
|
||||||
},
|
},
|
||||||
Chain: serializedChain,
|
Chain: serializedChain,
|
||||||
},
|
},
|
||||||
|
|
|
@ -2,7 +2,6 @@ package control
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
||||||
|
@ -11,7 +10,6 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -34,12 +32,10 @@ func getRule(cmd *cobra.Command, _ []string) {
|
||||||
|
|
||||||
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
||||||
|
|
||||||
name := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cidStr)
|
|
||||||
|
|
||||||
req := &control.GetChainLocalOverrideRequest{
|
req := &control.GetChainLocalOverrideRequest{
|
||||||
Body: &control.GetChainLocalOverrideRequest_Body{
|
Body: &control.GetChainLocalOverrideRequest_Body{
|
||||||
Target: &control.ChainTarget{
|
Target: &control.ChainTarget{
|
||||||
Name: name,
|
Name: cidStr,
|
||||||
Type: control.ChainTarget_CONTAINER,
|
Type: control.ChainTarget_CONTAINER,
|
||||||
},
|
},
|
||||||
ChainId: chainID,
|
ChainId: chainID,
|
||||||
|
|
|
@ -2,7 +2,6 @@ package control
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
||||||
|
@ -11,7 +10,6 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -32,12 +30,10 @@ func listRules(cmd *cobra.Command, _ []string) {
|
||||||
rawCID := make([]byte, sha256.Size)
|
rawCID := make([]byte, sha256.Size)
|
||||||
cnr.Encode(rawCID)
|
cnr.Encode(rawCID)
|
||||||
|
|
||||||
name := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cidStr)
|
|
||||||
|
|
||||||
req := &control.ListChainLocalOverridesRequest{
|
req := &control.ListChainLocalOverridesRequest{
|
||||||
Body: &control.ListChainLocalOverridesRequest_Body{
|
Body: &control.ListChainLocalOverridesRequest_Body{
|
||||||
Target: &control.ChainTarget{
|
Target: &control.ChainTarget{
|
||||||
Name: name,
|
Name: cidStr,
|
||||||
Type: control.ChainTarget_CONTAINER,
|
Type: control.ChainTarget_CONTAINER,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -2,7 +2,6 @@ package control
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/commonflags"
|
||||||
|
@ -10,7 +9,6 @@ import (
|
||||||
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/services/control"
|
||||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -37,12 +35,10 @@ func removeRule(cmd *cobra.Command, _ []string) {
|
||||||
|
|
||||||
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
chainID, _ := cmd.Flags().GetString(chainIDFlag)
|
||||||
|
|
||||||
name := fmt.Sprintf(nativeschema.ResourceFormatRootContainerObjects, cidStr)
|
|
||||||
|
|
||||||
req := &control.RemoveChainLocalOverrideRequest{
|
req := &control.RemoveChainLocalOverrideRequest{
|
||||||
Body: &control.RemoveChainLocalOverrideRequest_Body{
|
Body: &control.RemoveChainLocalOverrideRequest_Body{
|
||||||
Target: &control.ChainTarget{
|
Target: &control.ChainTarget{
|
||||||
Name: name,
|
Name: cidStr,
|
||||||
Type: control.ChainTarget_CONTAINER,
|
Type: control.ChainTarget_CONTAINER,
|
||||||
},
|
},
|
||||||
ChainId: chainID,
|
ChainId: chainID,
|
||||||
|
|
|
@ -69,7 +69,7 @@ import (
|
||||||
objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
objectSDK "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/version"
|
||||||
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
policy_client "git.frostfs.info/TrueCloudLab/policy-engine/pkg/morph/policy"
|
||||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||||
neogoutil "github.com/nspcc-dev/neo-go/pkg/util"
|
neogoutil "github.com/nspcc-dev/neo-go/pkg/util"
|
||||||
"github.com/panjf2000/ants/v2"
|
"github.com/panjf2000/ants/v2"
|
||||||
|
@ -542,6 +542,8 @@ type cfgLocalStorage struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type cfgAccessPolicyEngine struct {
|
type cfgAccessPolicyEngine struct {
|
||||||
|
policyContractHash neogoutil.Uint160
|
||||||
|
|
||||||
accessPolicyEngine *accessPolicyEngine
|
accessPolicyEngine *accessPolicyEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -987,7 +989,9 @@ func initAccessPolicyEngine(_ context.Context, c *cfg) {
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
morphRuleStorage := inmemory.NewInmemoryMorphRuleChainStorage()
|
morphRuleStorage := policy_client.NewContractStorage(
|
||||||
|
c.cfgMorph.client.GetActor(),
|
||||||
|
c.cfgObject.cfgAccessPolicyEngine.policyContractHash)
|
||||||
|
|
||||||
ape := newAccessPolicyEngine(morphRuleStorage, localOverrideDB)
|
ape := newAccessPolicyEngine(morphRuleStorage, localOverrideDB)
|
||||||
c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine = ape
|
c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine = ape
|
||||||
|
|
|
@ -98,14 +98,15 @@ func initApp(ctx context.Context, c *cfg) {
|
||||||
fatalOnErr(c.cfgObject.cfgLocalStorage.localStorage.Init(ctx))
|
fatalOnErr(c.cfgObject.cfgLocalStorage.localStorage.Init(ctx))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
initAndLog(c, "gRPC", initGRPC)
|
||||||
|
initAndLog(c, "netmap", func(c *cfg) { initNetmapService(ctx, c) })
|
||||||
|
|
||||||
initAccessPolicyEngine(ctx, c)
|
initAccessPolicyEngine(ctx, c)
|
||||||
initAndLog(c, "access policy engine", func(c *cfg) {
|
initAndLog(c, "access policy engine", func(c *cfg) {
|
||||||
fatalOnErr(c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.LocalOverrideDatabaseCore().Open(ctx))
|
fatalOnErr(c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.LocalOverrideDatabaseCore().Open(ctx))
|
||||||
fatalOnErr(c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.LocalOverrideDatabaseCore().Init())
|
fatalOnErr(c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.LocalOverrideDatabaseCore().Init())
|
||||||
})
|
})
|
||||||
|
|
||||||
initAndLog(c, "gRPC", initGRPC)
|
|
||||||
initAndLog(c, "netmap", func(c *cfg) { initNetmapService(ctx, c) })
|
|
||||||
initAndLog(c, "accounting", func(c *cfg) { initAccountingService(ctx, c) })
|
initAndLog(c, "accounting", func(c *cfg) { initAccountingService(ctx, c) })
|
||||||
initAndLog(c, "container", func(c *cfg) { initContainerService(ctx, c) })
|
initAndLog(c, "container", func(c *cfg) { initContainerService(ctx, c) })
|
||||||
initAndLog(c, "session", initSessionService)
|
initAndLog(c, "session", initSessionService)
|
||||||
|
|
|
@ -289,6 +289,7 @@ func lookupScriptHashesInNNS(c *cfg) {
|
||||||
{&c.cfgAccounting.scriptHash, client.NNSBalanceContractName},
|
{&c.cfgAccounting.scriptHash, client.NNSBalanceContractName},
|
||||||
{&c.cfgContainer.scriptHash, client.NNSContainerContractName},
|
{&c.cfgContainer.scriptHash, client.NNSContainerContractName},
|
||||||
{&c.cfgMorph.proxyScriptHash, client.NNSProxyContractName},
|
{&c.cfgMorph.proxyScriptHash, client.NNSProxyContractName},
|
||||||
|
{&c.cfgObject.cfgAccessPolicyEngine.policyContractHash, client.NNSPolicyContractName},
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -2,6 +2,8 @@ module git.frostfs.info/TrueCloudLab/frostfs-node
|
||||||
|
|
||||||
go 1.20
|
go 1.20
|
||||||
|
|
||||||
|
replace git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231211080303-8c673ee4f4af => git.frostfs.info/aarifullin/policy-engine v0.0.0-20231212185618-def903261503
|
||||||
|
|
||||||
require (
|
require (
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20231031104748-498877e378fd
|
git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20231031104748-498877e378fd
|
||||||
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
|
git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
|
||||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -539,3 +539,7 @@ func (c *Client) setActor(act *actor.Actor) {
|
||||||
c.gasToken = nep17.New(act, gas.Hash)
|
c.gasToken = nep17.New(act, gas.Hash)
|
||||||
c.rolemgmt = rolemgmt.New(act)
|
c.rolemgmt = rolemgmt.New(act)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *Client) GetActor() *actor.Actor {
|
||||||
|
return c.rpcActor
|
||||||
|
}
|
||||||
|
|
|
@ -33,6 +33,8 @@ const (
|
||||||
NNSProxyContractName = "proxy.frostfs"
|
NNSProxyContractName = "proxy.frostfs"
|
||||||
// NNSGroupKeyName is a name for the FrostFS group key record in NNS.
|
// NNSGroupKeyName is a name for the FrostFS group key record in NNS.
|
||||||
NNSGroupKeyName = "group.frostfs"
|
NNSGroupKeyName = "group.frostfs"
|
||||||
|
// NNSPolicyContractName is a name of the policy contract in NNS.
|
||||||
|
NNSPolicyContractName = "policy.frostfs"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
|
|
@ -26,7 +26,7 @@ func (c *apeCheckerImpl) CheckIfRequestPermitted(reqInfo v2.RequestInfo) error {
|
||||||
request := new(Request)
|
request := new(Request)
|
||||||
request.FromRequestInfo(reqInfo)
|
request.FromRequestInfo(reqInfo)
|
||||||
|
|
||||||
cnrTarget := getResource(reqInfo).Name()
|
cnrTarget := reqInfo.ContainerID().EncodeToString()
|
||||||
|
|
||||||
status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, policyengine.NewRequestTargetWithContainer(cnrTarget), request)
|
status, ruleFound, err := c.chainRouter.IsAllowed(apechain.Ingress, policyengine.NewRequestTargetWithContainer(cnrTarget), request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in a new issue