ape: Add container source to object policy checker

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
Alexey Vanin 2024-03-14 21:10:31 +03:00
parent c6f0545298
commit f41d743203
3 changed files with 20 additions and 2 deletions


@ -444,6 +444,7 @@ func createAPEService(c *cfg, splitSvc *objectService.TransportSplitter) *object
objectAPE.NewChecker( objectAPE.NewChecker(
c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.chainRouter, c.cfgObject.cfgAccessPolicyEngine.accessPolicyEngine.chainRouter,
objectAPE.NewStorageEngineHeaderProvider(c.cfgObject.cfgLocalStorage.localStorage), objectAPE.NewStorageEngineHeaderProvider(c.cfgObject.cfgLocalStorage.localStorage),
c.cfgObject.cnrSource,
), ),
splitSvc, splitSvc,
) )


@ -5,23 +5,32 @@ import (
"fmt" "fmt"
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object" objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
containercore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain" apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine" policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
) )
type containers interface {
Get(cid.ID) (*containercore.Container, error)
}
type checkerImpl struct { type checkerImpl struct {
chainRouter policyengine.ChainRouter chainRouter policyengine.ChainRouter
headerProvider HeaderProvider headerProvider HeaderProvider
reader containers
} }
func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider) Checker { func NewChecker(chainRouter policyengine.ChainRouter, headerProvider HeaderProvider, reader containers) Checker {
return &checkerImpl{ return &checkerImpl{
chainRouter: chainRouter, chainRouter: chainRouter,
headerProvider: headerProvider, headerProvider: headerProvider,
reader: reader,
} }
} }
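Review bot: `NewChecker` stores `reader` unchecked and neither the new `containers` interface nor the `reader` field has a doc comment, so nothing tells a caller that the argument is mandatory. `newAPERequest` on the same type calls `c.reader.Get` unconditionally, so a nil `reader` would panic on the first checked request rather than at construction. I would add `// containers resolves a container by ID; the checker uses it to read the container owner for policy evaluation.` above the interface and state in the `NewChecker` doc comment that `reader` must be non-nil. The field name `reader` also says little next to a type called `containers`; something like `cnrSource`, matching the call site, would read better.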


@ -145,11 +145,19 @@ func (c *checkerImpl) newAPERequest(ctx context.Context, prm Prm) (*request, err
} }
} }
cont, err := c.reader.Get(prm.Container)
if err != nil {
return nil, fmt.Errorf("get container: %s", err)
}
props := objectProperties(prm.Container, prm.Object, header)
props[nativeschema.PropertyKeyContainerOwnerID] = cont.Value.Owner().EncodeToString()
return &request{ return &request{
operation: prm.Method, operation: prm.Method,
resource: &resource{ resource: &resource{
name: resourceName(prm.Container, prm.Object, prm.Namespace), name: resourceName(prm.Container, prm.Object, prm.Namespace),
properties: objectProperties(prm.Container, prm.Object, header), properties: props,
}, },
properties: map[string]string{ properties: map[string]string{
nativeschema.PropertyKeyActorPublicKey: prm.SenderKey, nativeschema.PropertyKeyActorPublicKey: prm.SenderKey,
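Review bot: The new error return after `c.reader.Get(prm.Container)` formats the cause with `%s`, which flattens it, so callers can no longer use `errors.Is`/`errors.As` to tell a missing container from a storage or transport failure. `return nil, fmt.Errorf("get container: %w", err)` keeps the chain. Returning before a request is built is the right fail-closed behaviour now that `PropertyKeyContainerOwnerID` is a policy input, and it deserves a short comment such as `// fail closed: the owner ID is a policy input, do not evaluate rules without it`. The lookup now runs on every request, so it is worth confirming that the source behind `c.reader` is the cached one; the hunk does not show this. `newAPERequest` begins before and continues past the hunk.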