From 5ec73fe8a0b6c3c2ab31b093a43c6fdfa7423773 Mon Sep 17 00:00:00 2001
From: Airat Arifullin
Date: Mon, 30 Oct 2023 16:48:02 +0300
Subject: [PATCH] [#770] node: Introduce ape chain source
* Provide methods to access rule chains with access policy engine (APE) chain source
* Initialize apeChainSource within object service initialization
* Share apeChainSource with control service
* Implement dummy apeChainSource instance based on in-memory implementation
Signed-off-by: Airat Arifullin
---
 cmd/frostfs-node/config.go | 5 +++++
 cmd/frostfs-node/control.go | 1 +
 cmd/frostfs-node/object.go | 2 ++
 cmd/frostfs-node/policy_engine.go | 28 ++++++++++++++++++++++++++
 go.mod | 1 +
 go.sum | Bin 327866 -> 328127 bytes
 pkg/core/container/storage.go | 8 ++++++++
 pkg/services/control/server/server.go | 10 +++++++++
 8 files changed, 55 insertions(+)
 create mode 100644 cmd/frostfs-node/policy_engine.go
diff --git a/cmd/frostfs-node/config.go b/cmd/frostfs-node/config.go
index e3e56e5de..a41b73d92 100644
--- a/cmd/frostfs-node/config.go
+++ b/cmd/frostfs-node/config.go
@@ -510,6 +510,11 @@ type cfgObject struct {
 eaclSource container.EACLSource
+ // Access policy chain source is used by object service to
+ // check for operation permissions but this source is also shared with
+ // control service that dispatches local overrides.
+ apeChainSource container.AccessPolicyEngineChainSource
+
 pool cfgObjectRoutines
 cfgLocalStorage cfgLocalStorage
diff --git a/cmd/frostfs-node/control.go b/cmd/frostfs-node/control.go
index 98d893c38..30d644803 100644
--- a/cmd/frostfs-node/control.go
+++ b/cmd/frostfs-node/control.go
@@ -51,6 +51,7 @@ func initControlService(c *cfg) {
 controlSvc.WithTreeService(treeSynchronizer{
 c.treeService,
 }),
+ controlSvc.WithAPEChainSource(c.cfgObject.apeChainSource),
 )
 lis, err := net.Listen("tcp", endpoint)
diff --git a/cmd/frostfs-node/object.go b/cmd/frostfs-node/object.go
index 2f714b821..bbaec01ed 100644
--- a/cmd/frostfs-node/object.go
+++ b/cmd/frostfs-node/object.go
@@ -157,6 +157,8 @@ func initObjectService(c *cfg) {
 c.replicator = createReplicator(c, keyStorage, c.bgClientCache)
+ c.cfgObject.apeChainSource = NewAPESource()
+
 addPolicer(c, keyStorage, c.bgClientCache)
 traverseGen := util.NewTraverserGenerator(c.netMapSource, c.cfgObject.cnrSource, c)
diff --git a/cmd/frostfs-node/policy_engine.go b/cmd/frostfs-node/policy_engine.go
new file mode 100644
index 000000000..039124a6b
--- /dev/null
+++ b/cmd/frostfs-node/policy_engine.go
@@ -0,0 +1,28 @@
+package main
+
+import (
+ "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+ cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+ policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+)
+
+type apeChainSourceImpl struct {
+ localChainStorage map[cid.ID]policyengine.CachedChainStorage
+}
+
+func NewAPESource() container.AccessPolicyEngineChainSource {
+ return &apeChainSourceImpl{
+ localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage),
+ }
+}
+
+var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
+
+func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) {
+ s, ok := c.localChainStorage[cid]
+ if ok {
+ return s, nil
+ }
+ c.localChainStorage[cid] = policyengine.NewInMemory()
+ return c.localChainStorage[cid], nil
+}
diff --git a/go.mod b/go.mod
index 37cb477bf..4f6505e87 100644
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
 git.frostfs.info/TrueCloudLab/hrw v1.2.1
+ git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 github.com/cheggaaa/pb v1.0.29
 github.com/chzyer/readline v1.5.1
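Review bot: The control service only receives a usable chain source if `initObjectService` has already run, and nothing in the patch states or enforces that. The object.go hunk assigns `c.cfgObject.apeChainSource`, while the control.go hunk reads the field once in `initControlService` and hands the value to `controlSvc.WithAPEChainSource`. Neither function is fully visible and the call order is not part of this patch, so if control were initialised first the server would hold a nil source and local-override handling would presumably fail or panic. I would record the dependency next to the assignment, e.g. `// Must be set before initControlService runs: the control server captures this value.`, or create the source where `cfg` is built so both services get it regardless of order.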
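Review bot: `GetChainSource` in policy_engine.go reads and writes `localChainStorage` without a lock, although the comment added in config.go says this source is shared between the object service and the control service. If those callers run on different goroutines (not visible here, but usual for gRPC handlers), this is a data race: the runtime can abort the node with `concurrent map writes`, and two racing first lookups can each receive a different store, so an override saved through one is never consulted by the access check. Add `mu sync.Mutex` to `apeChainSourceImpl` and start the method with `c.mu.Lock()` and `defer c.mu.Unlock()`. The method also creates and keeps a store for every container ID it is asked about, so memory grows with whatever IDs reach it; consider creating stores only on the write path. The `cid` parameter shadows the imported `cid` package inside the method; `cnr` would avoid that.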
diff --git a/go.sum b/go.sum index 62fd85c8638b566b9ed6b79042ddaa1bf0600038..05a870b807b1c4b7521a41313a6f85a6e27b721a 100644 GIT binary patch delta 232 zcmdnhD6+pYApe zrWz)i8ylM#8!2QMT2&bY6sBaldU`~78x=ZR7^j*Q