From 27478995b5889cc79bdd5c477f4d97c02d5e4509 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Mon, 24 Jun 2024 16:54:55 +0300 Subject: [PATCH] [#118] Replace ACLs with polices in readme Signed-off-by: Alex Vanin --- README.md | 87 ++++++++++++++++++++++--------------------------------- 1 file changed, 35 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 6e19d31..aa982db 100644 --- a/README.md +++ b/README.md @@ -466,13 +466,13 @@ You can always upload files to public containers (open for anyone to put objects into), but for restricted containers you need to explicitly allow PUT operations for a request signed with your HTTP Gateway keys. -If your don't want to manage gateway's secret keys and adjust eACL rules when +If you don't want to manage gateway's secret keys and adjust policies when gateway configuration changes (new gate, key rotation, etc) or you plan to use public services, there is an option to let your application backend (or you) to -issue Bearer Tokens ans pass them from the client via gate down to FrostFS level +issue Bearer Tokens and pass them from the client via gate down to FrostFS level to grant access. -FrostFS Bearer Token basically is a container owner-signed ACL data (refer to FrostFS +FrostFS Bearer Token basically is a container owner-signed policy (refer to FrostFS documentation for more details). There are two options to pass them to gateway: * "Authorization" header with "Bearer" type and base64-encoded token in credentials field @@ -482,33 +482,31 @@ For example, you have a mobile application frontend with a backend part storing data in FrostFS. When a user authorizes in the mobile app, the backend issues a FrostFS Bearer token and provides it to the frontend. Then, the mobile app may generate some data and upload it via any available FrostFS HTTP Gateway by adding -the corresponding header to the upload request. Accessing the ACL protected data +the corresponding header to the upload request. Accessing policy protected data works the same way. ##### Example -In order to generate a bearer token, you need to have wallet (which will be used to sign the token) and -the address of the sender who will do the request to FrostFS (in our case, it's a gateway wallet address). +In order to generate a bearer token, you need to have wallet (which will be used to sign the token) -Suppose we have: -* **NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3** (token owner (gateway address)) +1. Suppose you have a container with private policy for wallet key -Firstly, we need to encode the container id and the sender address to base64 (now it's base58). -So use **base58** and **base64** utils. - -1. Encoding token owner id: ``` -$ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64 -# output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg== +$ frostfs-cli container create -r --wallet -policy --basic-acl 0 --await +CID: 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z + +$ frostfs-cli ape-manager add -r --wallet \ + --target-type container --target-name 9dfzyvq82JnFqp5svxcREf2iy6XNuifYcJPusEDnGK9Z \ + --rule "allow Object.* RequestCondition:"\$Actor:publicKey"=03b09baabff3f6107c7e9acb8721a6fc5618d45b50247a314d82e548702cce8cd5 *" \ + --chain-id ``` -2. Form a Bearer token (10000 is lifetime expiration in epoch) and save it to **bearer.json**: + +2. Form a Bearer token (10000 is lifetime expiration in epoch) to impersonate + HTTP Gateway request as wallet signed request and save it to **bearer.json**: ``` { "body": { "allowImpersonate": true, - "ownerID": { - "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==" - }, "lifetime": { "exp": "10000", "nbf": "0", @@ -521,7 +519,7 @@ $ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64 3. Sign it with the wallet: ``` -$ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w ./wallet.json +$ frostfs-cli util sign bearer-token --from bearer.json --to signed.json -w ``` 4. Encode to base64 to use in header: @@ -542,47 +540,32 @@ $ curl -F 'file=@cat.jpeg;filename=cat.jpeg' -H "Authorization: Bearer Ck4KKgoEC # } ``` -##### Note -For the token to work correctly, you need to create a container with a basic ACL that: -1. Allow PUT operation to others -2. Doesn't set "final" bit +##### Note: Bearer Token owner + +You can specify exact key who can use Bearer Token (gateway wallet address). +To do this, encode wallet address in base64 format -For example: ``` -$ frostfs-cli -w ./wallet.json --basic-acl 0x0FFFCFFF -r 192.168.130.72:8080 container create --policy "REP 3" --await +$ echo 'NhVtreTTCoqsMQV5Wp55fqnriiUCpEaKm3' | base58 --decode | base64 +# output: NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg== ``` -To deny access to a container without a token, set the eACL rules: -``` -$ frostfs-cli -w ./wallet.json -r 192.168.130.72:8080 container set-eacl --table eacl.json --await --cid BJeErH9MWmf52VsR1mLWKkgF3pRm3FkubYxM7TZkBP4K -``` - -File **eacl.json**: +Then specify this value in Bearer Token Json ``` { - "version": { - "major": 0, - "minor": 0 - }, - "containerID": { - "value": "mRnZWzewzxjzIPa7Fqlfqdl3TM1KpJ0YnsXsEhafJJg=" - }, - "records": [ - { - "operation": "PUT", - "action": "DENY", - "filters": [], - "targets": [ - { - "role": "OTHERS", - "keys": [] - } - ] - } - ] -} + "body": { + "ownerID": { + "value": "NezFK4ujidF+X7bB88uzREQzRQeAvdj3Gg==" + }, + ... ``` +##### Note: Policy override + +Instead of impersonation, you can define the set of policies that will be applied +to the request sender. This allows to restrict access to specific operation and +specific objects without giving full impersonation control to the token user. + ### Metrics and Pprof If enabled, Prometheus metrics are available at `localhost:8084` endpoint