fyrchik/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Issues Pull requests Projects Releases Packages Wiki Activity
4889 commits 23 branches 26 tags 45 MiB
Commit graph

30 commits

Author SHA1 Message Date
Airat Arifullin
eeab417dcf [#1307] object: Add APE check for Patch handler 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-08-16 14:13:09 +00:00
Airat Arifullin
e890f1b4b1 [#1307] object: Implement Patch method 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-08-16 14:13:09 +00:00
Airat Arifullin
a4a1c3f18b [#1307] go.mod: Bump frostfs-sdk-go/frostfs-api-go/v2 versions 
* Also, resolve dependencies and conflicts for object service
  by creating stub for `Patch` method.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-08-16 14:13:09 +00:00
Airat Arifullin
eadcea8df0 [#1249] object: Remove all APE pre-checks in handlers 
* Methods `Head`, `Get`, `GetRangeHash` should no longer use APE pre-checks
  as that leads only to incorrect rule chain processing for requests:
  1. Immediate return with `NoRuleFound` may be unexpected as some `Allow`
     rule is actually defined but can't be matched yet as it gets no object
     attributes;
  2. Immdediate return with `Allow` may be incorrect as some `Deny` rule
     is actually defined but can't bet matched yet as it gets no object
     attirbutes;
  3. Pre-check breaks compatibility for converted EACL-tables.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-18 13:52:43 +00:00
Airat Arifullin
d5dc14c639 [#1243] object: Make APE checker set x-headers to request properties 
* Update go.mod, go.sum;
* Add x-headers to request properties;
* Add a unit-test.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-16 07:28:42 +00:00
Airat Arifullin
0c2b6f3dac [#1216] ape: Make services use bearer chains fed router 
* Refactor object and tree service - they should instantiate
  chain router cheking the bearer token. If there are no bearer
  token rules, then defaul chain router is used.
* Fix unit-tests.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-05 18:26:48 +00:00
Airat Arifullin
f3a861806e [#1218] object: Fix bearer token validation 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-03 07:22:11 +00:00
Airat Arifullin
a378ff9cf6 [#1218] object: Pass container owner for backward get method check 
* `getStreamBasicChecker` must define `containerOwner` for backward checks,
  otherwise bearer token cannot be validated for the token issuer.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-07-03 07:22:11 +00:00
Airat Arifullin
0b87388c18 [#1190] object: GroupIDs must also be target of APE checks 
* Also add new test case for ape middleware in container service.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-06-25 08:49:20 +00:00
Airat Arifullin
04a3f891fd [#1157] object: Make APE checker use Bearer-token's APE overrides 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-06-07 12:11:11 +00:00
Airat Arifullin
482c5129ac [#1142] object: Fill APE-request with source IP property 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-05-27 10:17:17 +00:00
Airat Arifullin
952d13cd2b [#1124] cli: Improve APE rule parsing 
* Make APE rule parser to read condition's kind in unambiguous using lexemes
`ResourceCondition`, `RequestCondition` instead confusing `Object.Request`, `Object.Resource`.
* Fix unit-tests.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-05-14 12:23:26 +03:00
Dmitrii Stepanov
0144117cc9 [#1125] objectSvc: Add EC header APE check 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2024-05-08 16:25:55 +03:00
aarifullin
b60a51b862 [#1117] ape: Introduce FormFrostfsIDRequestProperties method 
* `FormFrostfsIDRequestProperties` gets user claim tags and group id and sets them
  as ape request properties.
* Make tree, container and object service use the method.
* Fix unit-tests.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-05-07 10:01:21 +00:00
aarifullin
6c76c9b457 [#1117] core: Introduce SubjectProvider interface for FrostfsID 
* Make tree, object and container services use SubjectProvider interface.
* Fix unit-tests.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-05-07 10:01:21 +00:00
Airat Arifullin
c21d72ac23 [#1096] object: Make ape middleware fill request with user claim tags 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-04-16 15:12:44 +03:00
Evgenii Stratonikov
91e79c98ba [#1089] ape: Provide request actor as an additional target 
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
 2024-04-16 11:03:50 +00:00
aarifullin
f4dcb418f2 [#1090] ape: Move ape request and resource implementations to common package 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-04-15 07:45:45 +00:00
Dmitrii Stepanov
e74bdaa5d5 [#1080] ape: Use value for APE request 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2024-04-09 18:42:03 +03:00
Dmitrii Stepanov
338d8cbebd [#1080] ape: Do not read object headers before Head/Get 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2024-04-09 15:27:40 +03:00
aarifullin
6959e617c4 [#1047] object: Set container owner ID property to ape request 
* Introduce ContainerOwner field in RequestContext.
* Set ContainerOwner in aclv2 middleware.
* Set PropertyKeyContainerOwnerID for object ape request.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-03-18 15:39:50 +00:00
aarifullin
d7be70e93f [#1040] object: Wrap CheckAPE errors to status errors 
* All methods should wrap CheckAPE error, if it occurs, to
  status error.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-03-14 07:34:03 +00:00
Airat Arifullin
5c252c9193 [#1039] object: Skip APE check for certain request roles 
* Skip APE check if a role is Container.
* Skip APE check if a role is IR and methods are get-like.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-03-12 16:15:20 +03:00
Dmitrii Stepanov
d433b49265 [#973] node: Resolve perfsprint linter 
`fmt.Errorf can be replaced with errors.New` and `fmt.Sprintf can be replaced with string addition`

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2024-03-11 17:55:50 +03:00
Dmitrii Stepanov
d6534fd755 [#1016] frostfs-node: Fix gopls issues 
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
 2024-03-01 12:13:43 +03:00
Airat Arifullin
7cc368e188 [#986] object: Introduce soft ape checks 
* Soft APE check means that APE should allow request even
  it gets status NoRuleFound for a request. Otherwise,
  it is interpreted as Deny.
* Soft APE check is performed if basic ACL mask is not set.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-02-28 19:05:57 +00:00
Anton Nikiforov
b6fc3321c5 [#876] Fix linters 
Signed-off-by: Anton Nikiforov <an.nikiforov@yadro.com>
 2024-01-25 20:26:13 +03:00
Airat Arifullin
f2f3294fc3 [#919] ape: Improve error messages in ape service 
* Wrap all APE middleware errors in apeErr that
  makes errors more explicit with status AccessDenied.
* Use denyingRuleErr for denying status from chain router.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-01-23 08:11:24 +00:00
Airat Arifullin
96b020626f [#915] ape: Fix method name in getStreamBasicChecker 
* Replace incorrect MethodGetContainer by MethodGetObject constant.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-01-16 23:52:37 +03:00
Airat Arifullin
c8baf76fae [#872] object: Introduce APE middlewar for object service 
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
 2024-01-12 18:41:35 +03:00