[#180] Make separate basic ACL check for inner ring requests

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
Alex Vanin 2020-11-18 10:46:26 +03:00 committed by Alex Vanin
parent badfd1b6e5
commit 6f841e319d
2 changed files with 19 additions and 0 deletions


@ -53,6 +53,7 @@ type (
requestInfo struct { requestInfo struct {
basicACL basicACLHelper basicACL basicACLHelper
requestRole acl.Role requestRole acl.Role
isInnerRing bool
operation acl.Operation // put, get, head, etc. operation acl.Operation // put, get, head, etc.
owner *owner.ID // container owner owner *owner.ID // container owner
@ -491,6 +492,9 @@ func basicACLCheck(info requestInfo) bool {
checkFn = info.basicACL.UserAllowed checkFn = info.basicACL.UserAllowed
case acl.RoleSystem: case acl.RoleSystem:
checkFn = info.basicACL.SystemAllowed checkFn = info.basicACL.SystemAllowed
if info.isInnerRing {
checkFn = info.basicACL.InnerRingAllowed
}
case acl.RoleOthers: case acl.RoleOthers:
checkFn = info.basicACL.OthersAllowed checkFn = info.basicACL.OthersAllowed
default: default:
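Review bot: `isInnerRing` is added to `requestInfo` and read in the `acl.RoleSystem` case of `basicACLCheck`, but none of the added lines on this page assigns it, so as shown the `InnerRingAllowed` branch is never taken. Because the flag switches the request to a check that allows Search, RangeHash and Head unconditionally, it should be set only where the signer's key has been verified and matched against the current inner ring list; presumably that is the role classifier, which is outside these hunks. I would document that contract on the field, e.g. `isInnerRing bool // set only after the signer's key is matched against the inner ring list`. Both hunks cut through declarations whose start and end are not visible here.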


@ -121,6 +121,21 @@ func (a basicACLHelper) SystemAllowed(op eacl.Operation) bool {
return false return false
} }
// InnerRingAllowed returns true if the operation is allowed by ACL for
// InnerRing nodes, as part of System group.
func (a basicACLHelper) InnerRingAllowed(op eacl.Operation) bool {
switch op {
case eacl.OperationSearch, eacl.OperationRangeHash, eacl.OperationHead:
return true
default:
if n, ok := order[op]; ok {
return isLeftBitSet(a, opOffset+n*bitsPerOp+bitSystem)
}
return false
}
}
// AllowSystem allows System group the n-th operation in ACL. // AllowSystem allows System group the n-th operation in ACL.
func (a *basicACLHelper) AllowSystem(op eacl.Operation) { func (a *basicACLHelper) AllowSystem(op eacl.Operation) {
if n, ok := order[op]; ok { if n, ok := order[op]; ok {
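Review bot: `InnerRingAllowed` returns true for `eacl.OperationSearch`, `eacl.OperationRangeHash` and `eacl.OperationHead` without reading any bit of `a`, so a container's basic ACL cannot deny these three operations to an inner ring caller, while the doc comment says only "allowed by ACL". If the bypass is intentional (it looks like it serves inner ring auditing, but the page does not say), the comment should state it, e.g. `// Search, RangeHash and Head are always allowed for InnerRing regardless of the ACL bits; every other operation follows the System bit.` A small table test that pins `false` for the remaining operations when the System bit is clear would keep this allow-list from growing unnoticed; no test is visible in the hunks on this page.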