From 155f9eecb0159ac98ea85de0fefe04bbe24148c7 Mon Sep 17 00:00:00 2001 From: Dmitrii Stepanov Date: Tue, 21 Jan 2025 14:15:59 +0300 Subject: [PATCH] [#1608] config: Add QoS section and config Signed-off-by: Dmitrii Stepanov --- cmd/frostfs-node/config.go | 1 + cmd/frostfs-node/config/qos/config.go | 46 ++++++++++++++++++++++ cmd/frostfs-node/config/qos/config_test.go | 40 +++++++++++++++++++ cmd/frostfs-node/qos.go | 20 ++++++++++ config/example/node.env | 3 ++ config/example/node.json | 14 +++++++ config/example/node.yaml | 10 +++++ docs/storage-node-configuration.md | 20 +++++++++- 8 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 cmd/frostfs-node/config/qos/config.go create mode 100644 cmd/frostfs-node/config/qos/config_test.go create mode 100644 cmd/frostfs-node/qos.go diff --git a/cmd/frostfs-node/config.go b/cmd/frostfs-node/config.go index 75d6f6dec..511777566 100644 --- a/cmd/frostfs-node/config.go +++ b/cmd/frostfs-node/config.go @@ -493,6 +493,7 @@ type cfg struct { cfgNetmap cfgNetmap cfgControlService cfgControlService cfgObject cfgObject + cfgQoSService cfgQoSService } // ReadCurrentNetMap reads network map which has been cached at the diff --git a/cmd/frostfs-node/config/qos/config.go b/cmd/frostfs-node/config/qos/config.go new file mode 100644 index 000000000..85f8180ed --- /dev/null +++ b/cmd/frostfs-node/config/qos/config.go 
@@ -0,0 +1,46 @@
+package qos
+
+import (
+ "fmt"
+
+ "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
+ "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+)
+
+const (
+ subsection = "qos"
+ criticalSubSection = "critical"
+ internalSubSection = "internal"
+)
+
+// CriticalAuthorizedKeys parses and returns an array of "critical.authorized_keys" config
+// parameter from "qos" section.
+//
+// Returns an empty list if not set.
+func CriticalAuthorizedKeys(c *config.Config) keys.PublicKeys {
+ return authorizedKeys(c, criticalSubSection)
+}
+
+// InternalAuthorizedKeys parses and returns an array of "internal.authorized_keys" config
+// parameter from "qos" section.
+//
+// Returns an empty list if not set.
+func InternalAuthorizedKeys(c *config.Config) keys.PublicKeys {
+ return authorizedKeys(c, internalSubSection)
+}
+
+func authorizedKeys(c *config.Config, sub string) keys.PublicKeys {
+ strKeys := config.StringSliceSafe(c.Sub(subsection).Sub(sub), "authorized_keys")
+ pubs := make(keys.PublicKeys, 0, len(strKeys))
+
+ for i := range strKeys {
+ pub, err := keys.NewPublicKeyFromString(strKeys[i])
+ if err != nil {
+ panic(fmt.Errorf("invalid authorized key %s for qos.%s: %w", strKeys[i], sub, err))
+ }
+
+ pubs = append(pubs, pub)
+ }
+
+ return pubs
+}
diff --git a/cmd/frostfs-node/config/qos/config_test.go b/cmd/frostfs-node/config/qos/config_test.go
new file mode 100644
index 000000000..b3b6019cc
--- /dev/null
+++ b/cmd/frostfs-node/config/qos/config_test.go
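Review bot: The doc comments on `CriticalAuthorizedKeys` and `InternalAuthorizedKeys` say only "Returns an empty list if not set" and leave open what an empty allow-list means for authorization. These lists gate the `critical` and `internal` IO tags, so the contract belongs next to the accessor, where a later consumer cannot read "no keys configured" as "no restriction"; I would add `// An empty list authorizes no key for this tag; callers must treat it as deny, not as "unrestricted".` (wording to be confirmed against the intended semantics). In `authorizedKeys`, formatting `strKeys[i]` with `%q` instead of `%s` in the panic message would make an empty or whitespace-padded entry visible in the startup error.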
@@ -0,0 +1,40 @@
+package qos
+
+import (
+ "testing"
+
+ "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config"
+ configtest "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/test"
+ "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+ "github.com/stretchr/testify/require"
+)
+
+func TestQoSSection(t *testing.T) {
+ t.Run("defaults", func(t *testing.T) {
+ empty := configtest.EmptyConfig()
+
+ require.Empty(t, CriticalAuthorizedKeys(empty))
+ require.Empty(t, InternalAuthorizedKeys(empty))
+ })
+
+ const path = "../../../../config/example/node"
+
+ criticalPubs := make(keys.PublicKeys, 2)
+ criticalPubs[0], _ = keys.NewPublicKeyFromString("035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11")
+ criticalPubs[1], _ = keys.NewPublicKeyFromString("028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6")
+
+ internalPubs := make(keys.PublicKeys, 2)
+ internalPubs[0], _ = keys.NewPublicKeyFromString("02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2")
+ internalPubs[1], _ = keys.NewPublicKeyFromString("031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a")
+
+ fileConfigTest := func(c *config.Config) {
+ require.Equal(t, criticalPubs, CriticalAuthorizedKeys(c))
+ require.Equal(t, internalPubs, InternalAuthorizedKeys(c))
+ }
+
+ configtest.ForEachFileType(path, fileConfigTest)
+
+ t.Run("ENV", func(t *testing.T) {
+ configtest.ForEnvFileType(t, path, fileConfigTest)
+ })
+}
diff --git a/cmd/frostfs-node/qos.go b/cmd/frostfs-node/qos.go
new file mode 100644
index 000000000..20ef43230
--- /dev/null
+++ b/cmd/frostfs-node/qos.go
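Review bot: `TestQoSSection` has no case for a malformed entry, so the `panic` branch of `authorizedKeys`, which is the only validation this allow-list gets at load time, is not exercised. A sub-test wrapping the accessor in `require.Panics` for a config holding an invalid hex string would pin that behaviour, using whatever helper the config test package offers for inline values. The expected keys are also built with the error discarded (`criticalPubs[0], _ = keys.NewPublicKeyFromString(...)`), so a typo in a fixture string would surface as a confusing nil-element mismatch; `pub, err := keys.NewPublicKeyFromString(s)` followed by `require.NoError(t, err)` makes that failure explicit.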
@@ -0,0 +1,20 @@
+package main
+
+import qosconfig "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-node/config/qos"
+
+type cfgQoSService struct{}
+
+func initQoSService(c *cfg) {
+ criticalPubs := qosconfig.CriticalAuthorizedKeys(c.appCfg)
+ internalPubs := qosconfig.InternalAuthorizedKeys(c.appCfg)
+ rawCriticalPubs := make([][]byte, 0, len(criticalPubs))
+ rawInternalPubs := make([][]byte, 0, len(internalPubs))
+ for i := range criticalPubs {
+ rawCriticalPubs = append(rawCriticalPubs, criticalPubs[i].Bytes())
+ }
+ for i := range internalPubs {
+ rawInternalPubs = append(rawInternalPubs, internalPubs[i].Bytes())
+ }
+
+ c.cfgQoSService = cfgQoSService{}
+}
diff --git a/config/example/node.env b/config/example/node.env
index b2a0633a9..2ba432b1b 100644
--- a/config/example/node.env
+++ b/config/example/node.env
@@ -225,3 +225,6 @@ FROSTFS_MULTINET_SUBNETS_1_SOURCE_IPS="10.78.70.185 10.78.71.185"
 FROSTFS_MULTINET_BALANCER=roundrobin
 FROSTFS_MULTINET_RESTRICT=false
 FROSTFS_MULTINET_FALLBACK_DELAY=350ms
+
+FROSTFS_QOS_CRITICAL_AUTHORIZED_KEYS="035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6"
+FROSTFS_QOS_INTERNAL_AUTHORIZED_KEYS="02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2 031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a"
diff --git a/config/example/node.json b/config/example/node.json
index f3192ac2f..cfde8bcc7 100644
--- a/config/example/node.json
+++ b/config/example/node.json
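Review bot: `initQoSService` builds `rawCriticalPubs` and `rawInternalPubs` and then drops them: `cfgQoSService` is an empty struct and the last statement assigns `cfgQoSService{}`, so at this commit the configured allow-lists reach no code that could enforce them. No call to `initQoSService` is visible in these hunks either, so a malformed key may not even fail startup yet. The documentation and examples added by the same commit already describe the keys as restricting the `critical` and `internal` tags, so if enforcement lands in a follow-up, say so here with `// TODO(#1608): keys are only parsed here; tag authorization is not enforced yet.`. The other option is to keep the parsed values, with `type cfgQoSService struct{ criticalPubs, internalPubs [][]byte }` and `c.cfgQoSService = cfgQoSService{criticalPubs: rawCriticalPubs, internalPubs: rawInternalPubs}`.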
@@ -305,5 +305,19 @@ "balancer": "roundrobin", "restrict": false, "fallback_delay": "350ms" + }, + "qos": { + "critical": { + "authorized_keys": [ + "035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11", + "028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6" + ] + }, + "internal": { + "authorized_keys": [ + "02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2", + "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a" + ] + } } } diff --git a/config/example/node.yaml b/config/example/node.yaml index c5acf5386..1f8ec843d 100644 --- a/config/example/node.yaml +++ b/config/example/node.yaml @@ -270,3 +270,13 @@ multinet: balancer: roundrobin restrict: false fallback_delay: 350ms + +qos: + critical: + authorized_keys: # list of hex-encoded public keys that have rights to use `critical` IO tag + - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11 + - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6 + internal: + authorized_keys: # list of hex-encoded public keys that have rights to use `internal` IO tag + - 02b3622bf4017bdfe317c58aed5f4c753f206b7db896046fa7d774bbc4bf7f8dc2 + - 031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a diff --git a/docs/storage-node-configuration.md b/docs/storage-node-configuration.md index 98d72cb69..de2729c68 100644 --- a/docs/storage-node-configuration.md +++ b/docs/storage-node-configuration.md @@ -26,7 +26,8 @@ There are some custom types used for brevity: | `storage` | [Storage engine configuration](#storage-section) | | `runtime` | [Runtime configuration](#runtime-section) | | `audit` | [Audit configuration](#audit-section) | -| `multinet` | [Multinet configuration](#multinet-section) | +| `multinet` | [Multinet configuration](#multinet-section) | +| `qos` | [QoS configuration](#qos-section) | # `control` section ```yaml 
@@ -471,3 +472,20 @@ multinet:
 | `balancer` | `string` | "" | Balancer to select network interfaces, allowed values are "" (no balancing, use first suitable interface) or "roundrobin". |
 | `restrict` | `bool` | false | If `true` then any requests that do not match `subnets` will fail. |
 | `fallback_delay` | `duration` | 350ms | Delay before fallback to secondary IP addresses in case of hostname resolve. |
+
+# `qos` section
+```yaml
+qos:
+ critical:
+ authorized_keys:
+ - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
+ - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
+ internal:
+ authorized_keys:
+ - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
+ - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
+```
+| Parameter | Type | Default value | Description |
+| -------------------------- | -------------- | ------------- | --------------------------------------------------------------------------- |
+| `critical.authorized_keys` | `[]public key` | empty | List of public keys for which requests with the tag `critical` are allowed. |
+| `internal.authorized_keys` | `[]public key` | empty | List of public keys for which requests with the tag `internal` are allowed. |