[] object/acl: Fit sticky bit specification

In the previous implementation, the sticky bit could disrupt the access that
container nodes need for replication. According to the NeoFS specification, the
sticky bit should not affect requests sent by nodes from the SYSTEM group.

Add role check to `stickyBitCheck`.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2021-09-10 14:35:29 +03:00 committed by Alex Vanin
parent ba77bb44e4
commit 7a13053fab
2 changed files with 23 additions and 0 deletions
pkg/services/object/acl


@ -585,6 +585,12 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
return false
}
// According to NeoFS specification sticky bit has no effect on system nodes
// for correct intra-container work with objects (in particular, replication).
if info.requestRole == acl.RoleSystem {
return true
}
if !info.basicACL.Sticky() {
return true
}
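Review bot: The new early return makes `info.requestRole == acl.RoleSystem` a complete bypass of the sticky-bit owner check, so its safety rests on how `requestRole` is assigned, which is not visible in this hunk. If the role is derived from the verified sender key matching a container node, the change is sound, and the comment should say so, e.g. `// requestRole must be derived from the verified sender key, never from request-supplied data.` The exemption also covers every operation routed through stickyBitCheck, not only replication; that appears to match the specification but is broader than the comment's example. stickyBitCheck begins and ends outside the hunk.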


@ -3,6 +3,8 @@ package acl
import (
"testing"
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
ownertest "github.com/nspcc-dev/neofs-api-go/pkg/owner/test"
"github.com/nspcc-dev/neofs-api-go/v2/acl"
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
"github.com/nspcc-dev/neofs-api-go/v2/session"
@ -34,3 +36,18 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
return metaHeader
}
func TestStickyCheck(t *testing.T) {
t.Run("system role", func(t *testing.T) {
var info requestInfo
info.senderKey = make([]byte, 33) // any non-empty key
info.requestRole = eacl.RoleSystem
info.basicACL.SetSticky()
require.True(t, stickyBitCheck(info, ownertest.Generate()))
info.basicACL.ResetSticky()
require.True(t, stickyBitCheck(info, ownertest.Generate()))
})
}
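Review bot: TestStickyCheck covers only the SYSTEM role, so nothing pins the behaviour the exemption must not change: a non-system sender with the sticky bit set and a non-matching owner should still be rejected. A sub-test such as `info.requestRole = eacl.RoleOthers; info.basicACL.SetSticky(); require.False(t, stickyBitCheck(info, ownertest.Generate()))` would catch a regression that widens the bypass. The all-zero 33-byte key may need to be replaced by a real public key, depending on how the key is parsed in the part of stickyBitCheck outside this diff. A case with the SYSTEM role and an empty `senderKey` would also document whether the earlier `return false` guard still takes precedence, as the "any non-empty key" comment suggests.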