acid-ant/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#115] Make ACL classifier errors transparent for client

Browse source 
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2020-10-21 20:39:14 +03:00 committed by Alex Vanin
parent ca552f53c6
commit 094248690b
2 changed files with 16 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
pkg/services/object/acl/acl.go
View file

@ -86,6 +86,7 @@ type accessErr struct {
var ( var (
ErrMalformedRequest = errors.New("malformed request") ErrMalformedRequest = errors.New("malformed request")
ErrInternal = errors.New("internal error")
ErrUnknownRole = errors.New("can't classify request sender") ErrUnknownRole = errors.New("can't classify request sender")
ErrUnknownContainer = errors.New("can't fetch container info") ErrUnknownContainer = errors.New("can't fetch container info")
) )
@ -387,7 +388,11 @@ func (b Service) findRequestInfo(
} }
// find request role and key // find request role and key
role, key := b.sender.Classify(req, cid, cnr) role, key, err := b.sender.Classify(req, cid, cnr)
if err != nil {
return info, err
}
if role == acl.RoleUnknown { if role == acl.RoleUnknown {
return info, ErrUnknownRole return info, ErrUnknownRole
} }

24
pkg/services/object/acl/classifier.go
View file

@ -44,17 +44,15 @@ func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
func (c SenderClassifier) Classify( func (c SenderClassifier) Classify(
req metaWithToken, req metaWithToken,
cid *container.ID, cid *container.ID,
cnr *container.Container) (acl.Role, []byte) { cnr *container.Container) (acl.Role, []byte, error) {
if cid == nil { if cid == nil {
// log there return 0, nil, errors.Wrap(ErrMalformedRequest, "container id is not set")
return acl.RoleUnknown, nil
} }
ownerID, ownerKey, err := requestOwner(req) ownerID, ownerKey, err := requestOwner(req)
if err != nil || ownerID == nil || ownerKey == nil { if err != nil {
// log there return 0, nil, err
return acl.RoleUnknown, nil
} }
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey) ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
@ -63,27 +61,25 @@ func (c SenderClassifier) Classify(
// if request owner is the same as container owner, return RoleUser // if request owner is the same as container owner, return RoleUser
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) { if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
return acl.RoleUser, ownerKeyInBytes return acl.RoleUser, ownerKeyInBytes, nil
} }
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes) isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
if err != nil { if err != nil {
// log there return 0, nil, errors.Wrap(err, "can't check if request from inner ring")
return acl.RoleUnknown, nil
} else if isInnerRingNode { } else if isInnerRingNode {
return acl.RoleSystem, ownerKeyInBytes return acl.RoleSystem, ownerKeyInBytes, nil
} }
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr) isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
if err != nil { if err != nil {
// log there return 0, nil, errors.Wrap(err, "can't check if request from container node")
return acl.RoleUnknown, nil
} else if isContainerNode { } else if isContainerNode {
return acl.RoleSystem, ownerKeyInBytes return acl.RoleSystem, ownerKeyInBytes, nil
} }
// if none of above, return RoleOthers // if none of above, return RoleOthers
return acl.RoleOthers, ownerKeyInBytes return acl.RoleOthers, ownerKeyInBytes, nil
} }
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) { func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {