diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0aa3cee57..958b44ec3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,19 @@ This document outlines major changes between releases.
 
 ## [Unreleased]
 
+### Fixed
+- Unrestricted access to not owned objects via cache (#713)
+
+### Updating from v0.24.0
+New config parameters were added. Make sure the default parameters are appropriate for you.
+
+```yaml
+cache:
+ accesscontrol:
+ lifetime: 1m
+ size: 100000
+```
+
 ## [0.24.0] - 2022-09-14
 
 ### Added
diff --git a/config/config.env b/config/config.env
index b4ee0eb02..0730c5564 100644
--- a/config/config.env
+++ b/config/config.env
@@ -84,6 +84,9 @@ S3_GW_CACHE_SYSTEM_SIZE=100000
 # Cache which stores access box with tokens by its address
 S3_GW_CACHE_ACCESSBOX_LIFETIME=10m
 S3_GW_CACHE_ACCESSBOX_SIZE=100
+# Cache which stores owner to cache operation mapping
+S3_GW_CACHE_ACCESSCONTROL_LIFETIME=1m
+S3_GW_CACHE_ACCESSCONTROL_SIZE=100000
 
 # NATS
 S3_GW_NATS_ENABLED=true
diff --git a/config/config.yaml b/config/config.yaml
index 70f8a10c1..09d07a838 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -89,14 +89,18 @@ cache:
 buckets:
 lifetime: 1m
 size: 500
- # Cache for system objects in a bucket: bucket settings, notification configuration etc
+ # Cache for system objects in a bucket: bucket settings, notification configuration etc
 system:
 lifetime: 2m
 size: 1000
- # Cache which stores access box with tokens by its address
+ # Cache which stores access box with tokens by its address
 accessbox:
 lifetime: 5m
 size: 10
+ # Cache which stores owner to cache operation mapping
+ accesscontrol:
+ lifetime: 1m
+ size: 100000
 
 nats:
 enabled: true
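Review bot: The comment added for the new cache in config/config.env, `# Cache which stores owner to cache operation mapping`, does not tell an operator what the two values control, and the same wording is repeated in the config/config.yaml hunk. Going by the changelog entry for #713, this cache appears to record that an owner has already been authorised for an operation on a cached object, so `lifetime` would also be the longest time a revoked permission can still be served from the gateway's caches; that is inferred from the diff, not shown in it. If that reading is right, I would say so in the comment, for example `# Cache of access checks already passed per owner; lifetime bounds how long a revoked permission is still honoured`. The comment should also state whether a miss or an eviction falls back to a fresh check against NeoFS, since that decides whether an undersized cache fails closed.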
@@ -118,8 +122,8 @@ cors:
 
 # Parameters of requests to NeoFS
 neofs:
-# Number of the object copies to consider PUT to NeoFS successful.
-# `0` means that object will be processed according to the container's placement policy
+ # Number of the object copies to consider PUT to NeoFS successful.
+ # `0` means that object will be processed according to the container's placement policy
 set_copies_number: 0
 
 # List of allowed AccessKeyID prefixes
diff --git a/docs/configuration.md b/docs/configuration.md
index 7b3eb886e..c8901f6da 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -311,16 +311,20 @@ cache:
 accessbox:
 lifetime: 5m
 size: 10
+ accesscontrol:
+ lifetime: 1m
+ size: 100000
 ```
 
-| Parameter | Type | Default value | Description |
-|-------------|-----------------------------------|-----------------------------------|----------------------------------------------------------------------------------------|
-| `objects` | [Cache config](#cache-subsection) | `lifetime: 5m`
`size: 1000000` | Cache for objects (NeoFS headers). |
-| `list` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 100000` | Cache which keeps lists of objects in buckets. |
-| `names` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 10000` | Cache which contains mapping of nice name to object addresses. |
-| `buckets` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 1000` | Cache which contains mapping of bucket name to bucket info. |
-| `system` | [Cache config](#cache-subsection) | `lifetime: 5m`
`size: 10000` | Cache for system objects in a bucket: bucket settings, notification configuration etc. |
-| `accessbox` | [Cache config](#cache-subsection) | `lifetime: 10m`
`size: 100` | Cache which stores access box with tokens by its address. |
+| Parameter | Type | Default value | Description |
+|-----------------|-----------------------------------|-----------------------------------|----------------------------------------------------------------------------------------|
+| `objects` | [Cache config](#cache-subsection) | `lifetime: 5m`
`size: 1000000` | Cache for objects (NeoFS headers). |
+| `list` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 100000` | Cache which keeps lists of objects in buckets. |
+| `names` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 10000` | Cache which contains mapping of nice name to object addresses. |
+| `buckets` | [Cache config](#cache-subsection) | `lifetime: 60s`
`size: 1000` | Cache which contains mapping of bucket name to bucket info. |
+| `system` | [Cache config](#cache-subsection) | `lifetime: 5m`
`size: 10000` | Cache for system objects in a bucket: bucket settings, notification configuration etc. |
+| `accessbox` | [Cache config](#cache-subsection) | `lifetime: 10m`
`size: 100` | Cache which stores access box with tokens by its address. |
+| `accesscontrol` | [Cache config](#cache-subsection) | `lifetime: 1m`
`size: 100000` | Cache which stores owner to cache operation mapping. |
 
 #### `cache` subsection