forked from TrueCloudLab/frostfs-s3-gw
[#306] Remove flag to disable policy contract
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
parent
8f89f275bd
commit
56b50f2075
7 changed files with 15 additions and 179 deletions
|
@ -61,8 +61,6 @@ type (
|
||||||
GetBucketPolicy(ns string, cnrID cid.ID) ([]byte, error)
|
GetBucketPolicy(ns string, cnrID cid.ID) ([]byte, error)
|
||||||
SaveACLChains(ns string, chains []*chain.Chain) error
|
SaveACLChains(ns string, chains []*chain.Chain) error
|
||||||
}
|
}
|
||||||
|
|
||||||
frostfsIDDisabled struct{}
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var _ api.Handler = (*handler)(nil)
|
var _ api.Handler = (*handler)(nil)
|
||||||
|
@ -76,10 +74,8 @@ func New(log *zap.Logger, obj layer.Client, notificator Notificator, cfg Config,
|
||||||
return nil, errors.New("empty logger")
|
return nil, errors.New("empty logger")
|
||||||
case storage == nil:
|
case storage == nil:
|
||||||
return nil, errors.New("empty policy storage")
|
return nil, errors.New("empty policy storage")
|
||||||
}
|
case ffsid == nil:
|
||||||
|
return nil, errors.New("empty frostfsid")
|
||||||
if ffsid == nil {
|
|
||||||
ffsid = frostfsIDDisabled{}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if !cfg.NotificatorEnabled() {
|
if !cfg.NotificatorEnabled() {
|
||||||
|
@ -98,14 +94,6 @@ func New(log *zap.Logger, obj layer.Client, notificator Notificator, cfg Config,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f frostfsIDDisabled) GetUserAddress(_, _ string) (string, error) {
|
|
||||||
return "", errors.New("frostfsid disabled")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f frostfsIDDisabled) GetUserKey(account, name string) (string, error) {
|
|
||||||
return "", errors.New("frostfsid disabled")
|
|
||||||
}
|
|
||||||
|
|
||||||
// pickCopiesNumbers chooses the return values following this logic:
|
// pickCopiesNumbers chooses the return values following this logic:
|
||||||
// 1) array of copies numbers sent in request's header has the highest priority.
|
// 1) array of copies numbers sent in request's header has the highest priority.
|
||||||
// 2) array of copies numbers with corresponding location constraint provided in the config file.
|
// 2) array of copies numbers with corresponding location constraint provided in the config file.
|
||||||
|
|
|
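Review bot: The doc comment on `New` (not visible in the hunk) should now state that `ffsid` is mandatory, since the `frostfsIDDisabled` fallback is removed and a nil value is rejected in the same switch as the logger and policy storage; something like `// New creates the API handler. log, storage and ffsid must all be non-nil; there is no disabled FrostFSID fallback any more.` The signature and the remainder of the body lie outside the hunk. Note also that `case ffsid == nil:` compares an interface value: a caller that passes a nil pointer of a concrete type will get past this guard and fail on first use, so the caller side still needs its own check.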
@ -466,13 +466,7 @@ func (a *App) initFrostfsID(ctx context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *App) initPolicyStorage(ctx context.Context) {
|
func (a *App) initPolicyStorage(ctx context.Context) {
|
||||||
var (
|
policyContract, err := contract.New(ctx, contract.Config{
|
||||||
err error
|
|
||||||
policyContract policy.Contract
|
|
||||||
)
|
|
||||||
|
|
||||||
if a.cfg.GetBool(cfgPolicyEnabled) {
|
|
||||||
policyContract, err = contract.New(ctx, contract.Config{
|
|
||||||
RPCAddress: a.cfg.GetString(cfgRPCEndpoint),
|
RPCAddress: a.cfg.GetString(cfgRPCEndpoint),
|
||||||
Contract: a.cfg.GetString(cfgPolicyContract),
|
Contract: a.cfg.GetString(cfgPolicyContract),
|
||||||
ProxyContract: a.cfg.GetString(cfgProxyContract),
|
ProxyContract: a.cfg.GetString(cfgProxyContract),
|
||||||
|
@ -481,9 +475,6 @@ func (a *App) initPolicyStorage(ctx context.Context) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
a.log.Fatal(logs.InitPolicyContractFailed, zap.Error(err))
|
a.log.Fatal(logs.InitPolicyContractFailed, zap.Error(err))
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
policyContract = contract.NewInMemoryContract()
|
|
||||||
}
|
|
||||||
|
|
||||||
a.policyStorage = policy.NewStorage(policy.StorageConfig{
|
a.policyStorage = policy.NewStorage(policy.StorageConfig{
|
||||||
Contract: policyContract,
|
Contract: policyContract,
|
||||||
|
@ -960,16 +951,9 @@ func getMorphPolicyCacheConfig(v *viper.Viper, l *zap.Logger) *cache.Config {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *App) initHandler() {
|
func (a *App) initHandler() {
|
||||||
var (
|
var err error
|
||||||
err error
|
|
||||||
ffsid handler.FrostFSID
|
|
||||||
)
|
|
||||||
|
|
||||||
if a.frostfsid != nil {
|
a.api, err = handler.New(a.log, a.obj, a.nc, a.settings, a.policyStorage, a.frostfsid)
|
||||||
ffsid = a.frostfsid
|
|
||||||
}
|
|
||||||
|
|
||||||
a.api, err = handler.New(a.log, a.obj, a.nc, a.settings, a.policyStorage, ffsid)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
a.log.Fatal(logs.CouldNotInitializeAPIHandler, zap.Error(err))
|
a.log.Fatal(logs.CouldNotInitializeAPIHandler, zap.Error(err))
|
||||||
}
|
}
|
||||||
|
|
|
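Review bot: In `initHandler`, the removed `if a.frostfsid != nil` was the only nil check performed on the concrete value; `handler.New` now receives `a.frostfsid` directly as the `handler.FrostFSID` interface, and if that field is a concrete pointer type a nil pointer becomes a non-nil interface that `New`'s `case ffsid == nil` cannot detect (the field's type and the body of `initFrostfsID` are outside the hunks, so this is inferred). If `initFrostfsID` can leave the field unset, keep an explicit check before the call, e.g. `if a.frostfsid == nil { a.log.Fatal(logs.CouldNotInitializeAPIHandler, zap.String("reason", "frostfsid is not initialized")) }`. Related: `initPolicyStorage` now always dials the contract, so a gateway that previously ran with `policy.enabled=false` will fail at startup with `InitPolicyContractFailed` unless `rpc_endpoint`, `policy.contract` and `proxy.contract` are reachable; that is the intended fail-closed behaviour and is worth stating in the commit message or a changelog.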
@ -217,7 +217,6 @@ const ( // Settings.
|
||||||
cfgFrostfsIDValidationEnabled = "frostfsid.validation.enabled"
|
cfgFrostfsIDValidationEnabled = "frostfsid.validation.enabled"
|
||||||
|
|
||||||
// Policy.
|
// Policy.
|
||||||
cfgPolicyEnabled = "policy.enabled"
|
|
||||||
cfgPolicyContract = "policy.contract"
|
cfgPolicyContract = "policy.contract"
|
||||||
|
|
||||||
// Proxy.
|
// Proxy.
|
||||||
|
@ -729,7 +728,6 @@ func newSettings() *viper.Viper {
|
||||||
|
|
||||||
// policy
|
// policy
|
||||||
v.SetDefault(cfgPolicyContract, "policy.frostfs")
|
v.SetDefault(cfgPolicyContract, "policy.frostfs")
|
||||||
v.SetDefault(cfgPolicyEnabled, true)
|
|
||||||
|
|
||||||
// proxy
|
// proxy
|
||||||
v.SetDefault(cfgProxyContract, "proxy.frostfs")
|
v.SetDefault(cfgProxyContract, "proxy.frostfs")
|
||||||
|
|
|
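Review bot: Removing `cfgPolicyEnabled` and its default means an existing `policy.enabled: false` (or `S3_GW_POLICY_ENABLED=false`) in a deployment's config is now silently ignored rather than rejected, and the gateway will instead try to reach the policy contract over RPC at startup. A one-off warning would make the migration visible, e.g. in `newSettings` after the policy defaults: `if v.IsSet("policy.enabled") { /* log: policy.enabled is no longer supported and is ignored */ }`, using whatever logger is available at that point (none is visible in the hunk). The rest of `newSettings` and the surrounding const block are outside the hunks.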
@ -205,8 +205,6 @@ S3_GW_FROSTFSID_CONTRACT=frostfsid.frostfs
|
||||||
S3_GW_FROSTFSID_VALIDATION_ENABLED=true
|
S3_GW_FROSTFSID_VALIDATION_ENABLED=true
|
||||||
|
|
||||||
# Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
|
# Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
|
||||||
# Enables using policies from Policy contract.
|
|
||||||
S3_GW_POLICY_ENABLED=true
|
|
||||||
# Policy contract hash (LE) or name in NNS.
|
# Policy contract hash (LE) or name in NNS.
|
||||||
S3_GW_POLICY_CONTRACT=policy.frostfs
|
S3_GW_POLICY_CONTRACT=policy.frostfs
|
||||||
|
|
||||||
|
|
|
@ -243,8 +243,6 @@ frostfsid:
|
||||||
|
|
||||||
# Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
|
# Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
|
||||||
policy:
|
policy:
|
||||||
# Enables using policies from Policy contract.
|
|
||||||
enabled: true
|
|
||||||
# Policy contract hash (LE) or name in NNS.
|
# Policy contract hash (LE) or name in NNS.
|
||||||
contract: policy.frostfs
|
contract: policy.frostfs
|
||||||
|
|
||||||
|
|
|
@ -675,13 +675,11 @@ Policy contract configuration. To enable this functionality the `rpc_endpoint` p
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
policy:
|
policy:
|
||||||
enabled: false
|
|
||||||
contract: policy.frostfs
|
contract: policy.frostfs
|
||||||
```
|
```
|
||||||
|
|
||||||
| Parameter | Type | SIGHUP reload | Default value | Description |
|
| Parameter | Type | SIGHUP reload | Default value | Description |
|
||||||
|------------|----------|---------------|----------------|-------------------------------------------------------------------|
|
|------------|----------|---------------|----------------|-------------------------------------------|
|
||||||
| `enabled` | `bool` | no | true | Enables using policies from Policy contract to check permissions. |
|
|
||||||
| `contract` | `string` | no | policy.frostfs | Policy contract hash (LE) or name in NNS. |
|
| `contract` | `string` | no | policy.frostfs | Policy contract hash (LE) or name in NNS. |
|
||||||
|
|
||||||
# `proxy` section
|
# `proxy` section
|
||||||
|
|
|
@ -1,128 +0,0 @@
|
||||||
package contract
|
|
||||||
|
|
||||||
import (
|
|
||||||
"errors"
|
|
||||||
"strings"
|
|
||||||
"sync"
|
|
||||||
|
|
||||||
policycontract "git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/policy"
|
|
||||||
"github.com/nspcc-dev/neo-go/pkg/util"
|
|
||||||
)
|
|
||||||
|
|
||||||
type InMemoryContract struct {
|
|
||||||
iamChains *syncedMap
|
|
||||||
containerChains *syncedMap
|
|
||||||
namespaceChains *syncedMap
|
|
||||||
}
|
|
||||||
|
|
||||||
type syncedMap struct {
|
|
||||||
mu sync.RWMutex
|
|
||||||
data map[string][]byte
|
|
||||||
}
|
|
||||||
|
|
||||||
var _ policy.Contract = (*InMemoryContract)(nil)
|
|
||||||
|
|
||||||
var ErrChainNotFound = errors.New("chain not found")
|
|
||||||
|
|
||||||
// NewInMemoryContract creates new inmemory Policy contract wrapper.
|
|
||||||
func NewInMemoryContract() *InMemoryContract {
|
|
||||||
return &InMemoryContract{
|
|
||||||
iamChains: &syncedMap{data: map[string][]byte{}},
|
|
||||||
containerChains: &syncedMap{data: map[string][]byte{}},
|
|
||||||
namespaceChains: &syncedMap{data: map[string][]byte{}},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) AddChain(kind policycontract.Kind, entity string, name []byte, chain []byte) (util.Uint256, uint32, error) {
|
|
||||||
syncMap := c.getMap(kind)
|
|
||||||
syncMap.mu.Lock()
|
|
||||||
syncMap.data[entity+string(name)] = chain
|
|
||||||
syncMap.mu.Unlock()
|
|
||||||
|
|
||||||
return util.Uint256{}, 0, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) GetChain(kind policycontract.Kind, entity string, name []byte) ([]byte, error) {
|
|
||||||
syncMap := c.getMap(kind)
|
|
||||||
syncMap.mu.RLock()
|
|
||||||
defer syncMap.mu.RUnlock()
|
|
||||||
|
|
||||||
val, ok := syncMap.data[entity+string(name)]
|
|
||||||
if !ok {
|
|
||||||
return nil, ErrChainNotFound
|
|
||||||
}
|
|
||||||
return val, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) RemoveChain(kind policycontract.Kind, entity string, name []byte) (util.Uint256, uint32, error) {
|
|
||||||
syncMap := c.getMap(kind)
|
|
||||||
syncMap.mu.Lock()
|
|
||||||
delete(syncMap.data, entity+string(name))
|
|
||||||
syncMap.mu.Unlock()
|
|
||||||
|
|
||||||
return util.Uint256{}, 0, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) ListChains(kind policycontract.Kind, entity string, name []byte) ([][]byte, error) {
|
|
||||||
syncMap := c.getMap(kind)
|
|
||||||
syncMap.mu.RLock()
|
|
||||||
defer syncMap.mu.RUnlock()
|
|
||||||
|
|
||||||
var res [][]byte
|
|
||||||
for key, val := range syncMap.data {
|
|
||||||
if strings.HasPrefix(key, entity+string(name)) {
|
|
||||||
res = append(res, val)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return res, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) Wait(_ util.Uint256, _ uint32, err error) error {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) StartTx() policy.MultiTransaction {
|
|
||||||
return &inMemoryTx{operations: make([]func(*InMemoryContract), 0)}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) SendTx(tx policy.MultiTransaction) error {
|
|
||||||
for _, operation := range tx.(*inMemoryTx).operations {
|
|
||||||
operation(c)
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *InMemoryContract) getMap(kind policycontract.Kind) *syncedMap {
|
|
||||||
switch kind {
|
|
||||||
case policycontract.IAM:
|
|
||||||
return c.iamChains
|
|
||||||
case policycontract.Container:
|
|
||||||
return c.containerChains
|
|
||||||
case policycontract.Namespace:
|
|
||||||
return c.namespaceChains
|
|
||||||
default:
|
|
||||||
return &syncedMap{data: map[string][]byte{}}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type inMemoryTx struct {
|
|
||||||
operations []func(contract *InMemoryContract)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (t *inMemoryTx) AddChain(kind policycontract.Kind, entity string, name []byte, chain []byte) {
|
|
||||||
t.operations = append(t.operations, func(c *InMemoryContract) {
|
|
||||||
_, _, _ = c.AddChain(kind, entity, name, chain)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
func (t *inMemoryTx) RemoveChain(kind policycontract.Kind, entity string, name []byte) {
|
|
||||||
t.operations = append(t.operations, func(c *InMemoryContract) {
|
|
||||||
_, _, _ = c.RemoveChain(kind, entity, name)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
func (t *inMemoryTx) Scripts() ([][]byte, error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|