[#336] Update default session token rules
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
parent
77d731857c
commit
2b4638f6bb
2 changed files with 27 additions and 6 deletions
|
@ -396,9 +396,16 @@ func buildContext(rules []byte) ([]*session.ContainerContext, error) {
|
|||
return sessionCtxs, nil
|
||||
}
|
||||
|
||||
sessionCtx := session.NewContainerContext()
|
||||
sessionCtx.ForPut()
|
||||
return []*session.ContainerContext{sessionCtx}, nil
|
||||
sessionCtxPut := session.NewContainerContext()
|
||||
sessionCtxPut.ForPut()
|
||||
|
||||
sessionCtxDelete := session.NewContainerContext()
|
||||
sessionCtxDelete.ForDelete()
|
||||
|
||||
sessionCtxEACL := session.NewContainerContext()
|
||||
sessionCtxEACL.ForSetEACL()
|
||||
|
||||
return []*session.ContainerContext{sessionCtxPut, sessionCtxDelete, sessionCtxEACL}, nil
|
||||
}
|
||||
|
||||
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
|
||||
|
|
|
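Review bot: The new fallback at the end of buildContext widens what a token issued without `session-rules` may do — from PUT only to PUT, DELETE and SETEACL — and nothing in the code records that this is the broadest default; a comment above `sessionCtxPut := session.NewContainerContext()` should say so, e.g. `// Default when no session rules are supplied: one context each for PUT, DELETE and SETEACL. Per the README these are wildcard contexts (any container), so pass explicit session-rules to narrow the grant.` Whether `session.NewContainerContext()` is wildcard by default is not visible in this hunk and is inferred from the README hunk in the same commit (`"wildcard": true, "containerID": null`). buildContext's signature and the branch that parses explicit rules lie above the hunk. Separately, the README example in this commit closes its array with `},` directly before `]`, which is not valid JSON if a reader pastes it as the `session-rules` value.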
@ -87,7 +87,7 @@ NhLQpDnerpviUWDF77j5qyjFgavCmasJ4p (simple signature contract):
|
|||
To issue a secret means to create a Bearer and (optionally) Session tokens and
|
||||
put them as an object into a container on the NeoFS network.
|
||||
|
||||
By default, the tool creates a container with a name `auth-container` and ACL
|
||||
By default, the tool creates a container with a name the same as container ID in NeoFS and ACL
|
||||
0x3c8c8cce (all operations are forbidden for `OTHERS` and `BEARER` user groups,
|
||||
except for `GET`).
|
||||
|
||||
|
@ -128,17 +128,31 @@ it will be auto-generated with values:
|
|||
}
|
||||
```
|
||||
|
||||
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed), the default value is:
|
||||
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
|
||||
|
||||
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens:
|
||||
```
|
||||
[
|
||||
{
|
||||
"verb": "PUT",
|
||||
"wildcard": true,
|
||||
"containerID": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"verb": "DELETE",
|
||||
"wildcard": true,
|
||||
"containerID": null
|
||||
},
|
||||
{
|
||||
"verb": "SETEACL",
|
||||
"wildcard": true,
|
||||
"containerID": null
|
||||
},
|
||||
]
|
||||
```
|
||||
|
||||
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
||||
|
||||
If `session-rules` are set, but `create-session-token` is not, no session
|
||||
token will be created.
|
||||
|
||||
|
|