From 6f841e319de45930ec34a81ca8527f06867845f9 Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Wed, 18 Nov 2020 10:46:26 +0300
Subject: [PATCH] [#180] Make separate basic ACL check for inner ring requests
Signed-off-by: Alex Vanin
---
 pkg/services/object/acl/acl.go | 4 ++++
 pkg/services/object/acl/basic_helper.go | 15 +++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 4294aba25..030e80653 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -53,6 +53,7 @@ type (
 requestInfo struct {
 basicACL basicACLHelper
 requestRole acl.Role
+ isInnerRing bool
 operation acl.Operation // put, get, head, etc.
 owner *owner.ID // container owner
@@ -491,6 +492,9 @@ func basicACLCheck(info requestInfo) bool {
 checkFn = info.basicACL.UserAllowed
 case acl.RoleSystem:
 checkFn = info.basicACL.SystemAllowed
+ if info.isInnerRing {
+ checkFn = info.basicACL.InnerRingAllowed
+ }
 case acl.RoleOthers:
 checkFn = info.basicACL.OthersAllowed
 default:
diff --git a/pkg/services/object/acl/basic_helper.go b/pkg/services/object/acl/basic_helper.go
index c99829aaa..9a82e7a78 100644
--- a/pkg/services/object/acl/basic_helper.go
+++ b/pkg/services/object/acl/basic_helper.go
@@ -121,6 +121,21 @@ func (a basicACLHelper) SystemAllowed(op eacl.Operation) bool {
 return false
 }
+// InnerRingAllowed returns true if the operation is allowed by ACL for
+// InnerRing nodes, as part of System group.
+func (a basicACLHelper) InnerRingAllowed(op eacl.Operation) bool {
+ switch op {
+ case eacl.OperationSearch, eacl.OperationRangeHash, eacl.OperationHead:
+ return true
+ default:
+ if n, ok := order[op]; ok {
+ return isLeftBitSet(a, opOffset+n*bitsPerOp+bitSystem)
+ }
+
+ return false
+ }
+}
+
 // AllowSystem allows System group the n-th operation in ACL.
 func (a *basicACLHelper) AllowSystem(op eacl.Operation) {
 if n, ok := order[op]; ok {
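Review bot: In pkg/services/object/acl/acl.go the new `isInnerRing` field of `requestInfo` has no comment, unlike `operation` and `owner` directly below it, even though it selects a different basic ACL check. I would add a trailing comment such as `isInnerRing bool // request signer is an inner ring node; only consulted when requestRole is acl.RoleSystem`. The struct declaration starts and ends outside the hunk.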
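Review bot: Nothing in this patch assigns `info.isInnerRing`: the diffstat gives four insertions for acl.go, and they are the field plus these three lines in `basicACLCheck`, so the new branch under `case acl.RoleSystem:` stays unreachable unless the flag is populated in code not shown here. Wherever it is set, it should be derived from the verified request signer matched against the current inner ring key list, never from a value the caller supplies, since `InnerRingAllowed` grants Search, RangeHash and Head unconditionally. A unit test that builds a `requestInfo` with `requestRole: acl.RoleSystem, isInnerRing: true` and a basic ACL whose System bits are cleared would pin the intended behaviour. The function body continues outside the hunk.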
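Review bot: The doc comment on `InnerRingAllowed` in basic_helper.go says the result is what the ACL allows, but the first `case` returns true for `eacl.OperationSearch`, `eacl.OperationRangeHash` and `eacl.OperationHead` without reading any ACL bit, so a container's basic ACL cannot deny those three operations to inner ring nodes. That is presumably intended, and the comment should say so, for example `// Search, RangeHash and Head are always allowed; any other operation is allowed only if its System bit is set in the basic ACL.` The `default:` arm could also lose one nesting level by moving the `order[op]` lookup and the final `return false` after the switch.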