From d5a14041e00d52a8511dc8c9c2bc1134a0d16c3c Mon Sep 17 00:00:00 2001 From: Pavel Karpy Date: Fri, 11 Nov 2022 20:57:56 +0300 Subject: [PATCH] [#2040] node: Do not attach tokens in the assembly process A container node is expected to have full "get" access to assemble the object. A non-container node is expected to forward any request to a container node. Any token is expected to be issued for an original request sender not for a node so any new request is invalid by design with that token. Signed-off-by: Pavel Karpy --- CHANGELOG.md | 1 + pkg/services/object/get/assemble.go | 13 +++++++++++++ pkg/services/object/util/prm.go | 9 +++++++++ 3 files changed, 23 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d5109a9..7259f6d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ Changelog for NeoFS Node - Malformed request errors' reasons in the responses (#2028) - Session token's IAT and NBF checks in ACL service (#2028) - Losing meta information on request forwarding (#2040) +- Assembly process triggered by a request with a bearer token (#2040) ### Removed ### Updated diff --git a/pkg/services/object/get/assemble.go b/pkg/services/object/get/assemble.go index 58cb9513..8a9f959f 100644 --- a/pkg/services/object/get/assemble.go +++ b/pkg/services/object/get/assemble.go @@ -13,6 +13,19 @@ func (exec *execCtx) assemble() { return } + // Any access tokens are not expected to be used in the assembly process: + // - there is no requirement to specify child objects in session/bearer + // token for `GET`/`GETRANGE`/`RANGEHASH` requests in the API protocol, + // and, therefore, their missing in the original request should not be + // considered as error; on the other hand, without session for every child + // object, it is impossible to attach bearer token in the new generated + // requests correctly because the token has not been issued for that node's + // key; + // - the assembly process is expected to be handled on a container node + // only since the requests forwarding mechanism presentation; such the + // node should have enough rights for getting any child object by design. + exec.prm.common.ForgetTokens() + // Do not use forwarding during assembly stage. // Request forwarding closure inherited in produced // `execCtx` so it should be disabled there. diff --git a/pkg/services/object/util/prm.go b/pkg/services/object/util/prm.go index 952f1282..d608ad68 100644 --- a/pkg/services/object/util/prm.go +++ b/pkg/services/object/util/prm.go @@ -98,6 +98,15 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) { } } +// ForgetTokens forgets all the tokens read from the request's +// meta information before. +func (p *CommonPrm) ForgetTokens() { + if p != nil { + p.token = nil + p.bearer = nil + } +} + func CommonPrmFromV2(req interface { GetMetaHeader() *session.RequestMetaHeader }) (*CommonPrm, error) {