forked from TrueCloudLab/frostfs-node
[#818] object/acl: Fit sticky bit specification
In previous implementation sticky bit could disrupt access of container nodes to replication. According to NeoFS specification sticky bit should not affect the requests sent by nodes from SYSTEM group. Add role check to `stickyBitCheck`. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
ba77bb44e4
commit
7a13053fab
2 changed files with 23 additions and 0 deletions
pkg/services/object/acl
|
@ -585,6 +585,12 @@ func stickyBitCheck(info requestInfo, owner *owner.ID) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// According to NeoFS specification sticky bit has no effect on system nodes
|
||||
// for correct intra-container work with objects (in particular, replication).
|
||||
if info.requestRole == acl.RoleSystem {
|
||||
return true
|
||||
}
|
||||
|
||||
if !info.basicACL.Sticky() {
|
||||
return true
|
||||
}
|
||||
|
|
|
@ -3,6 +3,8 @@ package acl
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
||||
ownertest "github.com/nspcc-dev/neofs-api-go/pkg/owner/test"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/acl"
|
||||
acltest "github.com/nspcc-dev/neofs-api-go/v2/acl/test"
|
||||
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
||||
|
@ -34,3 +36,18 @@ func testGenerateMetaHeader(depth uint32, b *acl.BearerToken, s *session.Session
|
|||
|
||||
return metaHeader
|
||||
}
|
||||
|
||||
func TestStickyCheck(t *testing.T) {
|
||||
t.Run("system role", func(t *testing.T) {
|
||||
var info requestInfo
|
||||
|
||||
info.senderKey = make([]byte, 33) // any non-empty key
|
||||
info.requestRole = eacl.RoleSystem
|
||||
|
||||
info.basicACL.SetSticky()
|
||||
require.True(t, stickyBitCheck(info, ownertest.Generate()))
|
||||
|
||||
info.basicACL.ResetSticky()
|
||||
require.True(t, stickyBitCheck(info, ownertest.Generate()))
|
||||
})
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue