[#54] acl: Add APE chains to Bearer token

Signed-off-by: Airat Arifullin <aarifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-05-28 11:52:42 +03:00 committed by Evgenii Stratonikov
parent 393c95899f
commit 4c2193443e
3 changed files with 44 additions and 3 deletions

View file

@ -6,6 +6,7 @@ option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl/grpc;ac
option csharp_namespace = "Neo.FileStorage.API.Acl"; option csharp_namespace = "Neo.FileStorage.API.Acl";
import "refs/types.proto"; import "refs/types.proto";
import "ape/types.proto";
// Target role of the access control rule in access control list. // Target role of the access control rule in access control list.
enum Role { enum Role {
@ -194,6 +195,8 @@ message BearerToken {
// container. If it contains `container_id` field, bearer token is only // container. If it contains `container_id` field, bearer token is only
// valid for this specific container. Otherwise, any container of the same // valid for this specific container. Otherwise, any container of the same
// owner is allowed. // owner is allowed.
//
// Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead.
EACLTable eacl_table = 1 [ json_name = "eaclTable" ]; EACLTable eacl_table = 1 [ json_name = "eaclTable" ];
// `OwnerID` defines to whom the token was issued. It must match the request // `OwnerID` defines to whom the token was issued. It must match the request
@ -218,6 +221,23 @@ message BearerToken {
// AllowImpersonate flag to consider token signer as request owner. // AllowImpersonate flag to consider token signer as request owner.
// If this field is true extended ACL table in token body isn't processed. // If this field is true extended ACL table in token body isn't processed.
bool allow_impersonate = 4 [ json_name = "allowImpersonate" ]; bool allow_impersonate = 4 [ json_name = "allowImpersonate" ];
// APEOverride is the list of APE chains defined for a target.
// These chains are meant to serve as overrides to the already defined (or even undefined)
// APE chains for the target (see contract `Policy`).
//
// The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
// to override chains for the target, preventing unauthorized access through the APE mechanism.
message APEOverride {
// Target for which chains are applied.
frostfs.v2.ape.ChainTarget target = 1 [ json_name = "target" ];
// The list of APE chains.
repeated frostfs.v2.ape.Chain chains = 2 [ json_name = "chains" ];
}
// APE override for the target.
APEOverride ape_override = 5 [ json_name = "apeOverride" ];
} }
// Bearer Token body // Bearer Token body
Body body = 1 [ json_name = "body" ]; Body body = 1 [ json_name = "body" ];

View file

@ -8,6 +8,7 @@
- Messages - Messages
- [BearerToken](#neo.fs.v2.acl.BearerToken) - [BearerToken](#neo.fs.v2.acl.BearerToken)
- [BearerToken.Body](#neo.fs.v2.acl.BearerToken.Body) - [BearerToken.Body](#neo.fs.v2.acl.BearerToken.Body)
- [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride)
- [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) - [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime)
- [EACLRecord](#neo.fs.v2.acl.EACLRecord) - [EACLRecord](#neo.fs.v2.acl.EACLRecord)
- [EACLRecord.Filter](#neo.fs.v2.acl.EACLRecord.Filter) - [EACLRecord.Filter](#neo.fs.v2.acl.EACLRecord.Filter)
@ -57,10 +58,30 @@ container owner with additional information preventing token abuse.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. | | eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed.
Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead. |
| owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. | | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. |
| lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) | | Token expiration and valid time period parameters | | lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) | | Token expiration and valid time period parameters |
| allow_impersonate | [bool](#bool) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. | | allow_impersonate | [bool](#bool) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. |
| ape_override | [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride) | | APE override for the target. |
<a name="neo.fs.v2.acl.BearerToken.Body.APEOverride"></a>
### Message BearerToken.Body.APEOverride
APEOverride is the list of APE chains defined for a target.
These chains are meant to serve as overrides to the already defined (or even undefined)
APE chains for the target (see contract `Policy`).
The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
to override chains for the target, preventing unauthorized access through the APE mechanism.
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which chains are applied. |
| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of APE chains. |
<a name="neo.fs.v2.acl.BearerToken.Body.TokenLifetime"></a> <a name="neo.fs.v2.acl.BearerToken.Body.TokenLifetime"></a>

View file

@ -72,8 +72,8 @@ TargetType is a type target to which a rule chain is defined.
| ----------- | ----- | -------- | --------- | ----------- | | ----------- | ----- | -------- | --------- | ----------- |
| <a name="double" /> double | | double | double | float | | <a name="double" /> double | | double | double | float |
| <a name="float" /> float | | float | float | float | | <a name="float" /> float | | float | float | float |
| <a name="int32" /> int32 | Uses variable-length encoding. Inefficient for encoding negative numbers if your field is likely to have negative values, use sint32 instead. | int32 | int | int | | <a name="int32" /> int32 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| <a name="int64" /> int64 | Uses variable-length encoding. Inefficient for encoding negative numbers if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | | <a name="int64" /> int64 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| <a name="uint32" /> uint32 | Uses variable-length encoding. | uint32 | int | int/long | | <a name="uint32" /> uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| <a name="uint64" /> uint64 | Uses variable-length encoding. | uint64 | long | int/long | | <a name="uint64" /> uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| <a name="sint32" /> sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | | <a name="sint32" /> sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |