[#336] Update default session token rules
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
parent
77d731857c
commit
2b4638f6bb
2 changed files with 27 additions and 6 deletions
@ -396,9 +396,16 @@ func buildContext(rules []byte) ([]*session.ContainerContext, error) {
|
||||||
return sessionCtxs, nil
|
return sessionCtxs, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
sessionCtx := session.NewContainerContext()
|
sessionCtxPut := session.NewContainerContext()
|
||||||
sessionCtx.ForPut()
|
sessionCtxPut.ForPut()
|
||||||
return []*session.ContainerContext{sessionCtx}, nil
|
|
||||||
|
sessionCtxDelete := session.NewContainerContext()
|
||||||
|
sessionCtxDelete.ForDelete()
|
||||||
|
|
||||||
|
sessionCtxEACL := session.NewContainerContext()
|
||||||
|
sessionCtxEACL.ForSetEACL()
|
||||||
|
|
||||||
|
return []*session.ContainerContext{sessionCtxPut, sessionCtxDelete, sessionCtxEACL}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
|
func buildBearerToken(key *keys.PrivateKey, table *eacl.Table, lifetime lifetimeOptions, gateKey *keys.PublicKey) (*token.BearerToken, error) {
|
||||||
|
|
|
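Review bot: The fallback branch of buildContext now returns three session contexts (PUT, DELETE, SETEACL) where it used to return only PUT, and nothing in the hunk records why each verb belongs to the default or that the default is now broader; a comment above `sessionCtxPut := session.NewContainerContext()` such as `// Default session rules when no session-rules are given: PUT and SETEACL are both required to create a bucket; DELETE is presumably for removing one. This is wider than the previous PUT-only default.` would make the widened privilege deliberate for the next reader. The README change in this commit describes these defaults as wildcard rules with a null container ID, but whether a fresh ContainerContext without a container set behaves that way is not visible here, so the comment should not assert it without confirming against the session package. The opening of buildContext, including the check that selects this fallback branch, lies outside the hunk.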
@ -87,7 +87,7 @@ NhLQpDnerpviUWDF77j5qyjFgavCmasJ4p (simple signature contract):
|
||||||
To issue a secret means to create a Bearer and (optionally) Session tokens and
|
To issue a secret means to create a Bearer and (optionally) Session tokens and
|
||||||
put them as an object into a container on the NeoFS network.
|
put them as an object into a container on the NeoFS network.
|
||||||
|
|
||||||
By default, the tool creates a container with a name `auth-container` and ACL
|
By default, the tool creates a container with a name the same as container ID in NeoFS and ACL
|
||||||
0x3c8c8cce (all operations are forbidden for `OTHERS` and `BEARER` user groups,
|
0x3c8c8cce (all operations are forbidden for `OTHERS` and `BEARER` user groups,
|
||||||
except for `GET`).
|
except for `GET`).
|
||||||
|
|
||||||
|
@ -128,17 +128,31 @@ it will be auto-generated with values:
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed), the default value is:
|
Rules for session tokens can be set via param `session-rules` (json-string and file path allowed).
|
||||||
|
|
||||||
|
If the parameter `session-rules` is not set, `authmate` creates and puts three session tokens:
|
||||||
```
|
```
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"verb": "PUT",
|
"verb": "PUT",
|
||||||
"wildcard": true,
|
"wildcard": true,
|
||||||
"containerID": null
|
"containerID": null
|
||||||
}
|
},
|
||||||
|
{
|
||||||
|
"verb": "DELETE",
|
||||||
|
"wildcard": true,
|
||||||
|
"containerID": null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"verb": "SETEACL",
|
||||||
|
"wildcard": true,
|
||||||
|
"containerID": null
|
||||||
|
},
|
||||||
]
|
]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
If you want to allow the user to create buckets you **must** put two session tokens with `PUT` and `SETEACL` rules.
|
||||||
|
|
||||||
If `session-rules` are set, but `create-session-token` is not, no session
|
If `session-rules` are set, but `create-session-token` is not, no session
|
||||||
token will be created.
|
token will be created.
|
||||||
|
|
||||||
|
|