forked from TrueCloudLab/frostfs-node
[#1249] object: Remove all APE pre-checks in handlers
* Methods `Head`, `Get`, `GetRangeHash` should no longer use APE pre-checks as that leads only to incorrect rule chain processing for requests: 1. Immediate return with `NoRuleFound` may be unexpected as some `Allow` rule is actually defined but can't be matched yet as it gets no object attributes; 2. Immdediate return with `Allow` may be incorrect as some `Deny` rule is actually defined but can't bet matched yet as it gets no object attirbutes; 3. Pre-check breaks compatibility for converted EACL-tables. Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
5e5ee545b6
commit
eadcea8df0
1 changed files with 0 additions and 43 deletions
|
@ -134,33 +134,11 @@ func requestContext(ctx context.Context) (*objectSvc.RequestContext, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectStream) error {
|
func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectStream) error {
|
||||||
cnrID, objID, err := getAddressParamsSDK(request.GetBody().GetAddress().GetContainerID(), request.GetBody().GetAddress().GetObjectID())
|
|
||||||
if err != nil {
|
|
||||||
return toStatusErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
reqCtx, err := requestContext(stream.Context())
|
reqCtx, err := requestContext(stream.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return toStatusErr(err)
|
return toStatusErr(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.apeChecker.CheckAPE(stream.Context(), Prm{
|
|
||||||
Namespace: reqCtx.Namespace,
|
|
||||||
Container: cnrID,
|
|
||||||
Object: objID,
|
|
||||||
Method: nativeschema.MethodGetObject,
|
|
||||||
Role: nativeSchemaRole(reqCtx.Role),
|
|
||||||
SenderKey: hex.EncodeToString(reqCtx.SenderKey),
|
|
||||||
ContainerOwner: reqCtx.ContainerOwner,
|
|
||||||
SoftAPECheck: reqCtx.SoftAPECheck,
|
|
||||||
WithoutHeaderRequest: true,
|
|
||||||
BearerToken: reqCtx.BearerToken,
|
|
||||||
XHeaders: request.GetMetaHeader().GetXHeaders(),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return toStatusErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return c.next.Get(request, &getStreamBasicChecker{
|
return c.next.Get(request, &getStreamBasicChecker{
|
||||||
GetObjectStream: stream,
|
GetObjectStream: stream,
|
||||||
apeChecker: c.apeChecker,
|
apeChecker: c.apeChecker,
|
||||||
|
@ -237,23 +215,6 @@ func (c *Service) Head(ctx context.Context, request *objectV2.HeadRequest) (*obj
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.apeChecker.CheckAPE(ctx, Prm{
|
|
||||||
Namespace: reqCtx.Namespace,
|
|
||||||
Container: cnrID,
|
|
||||||
Object: objID,
|
|
||||||
Method: nativeschema.MethodHeadObject,
|
|
||||||
Role: nativeSchemaRole(reqCtx.Role),
|
|
||||||
SenderKey: hex.EncodeToString(reqCtx.SenderKey),
|
|
||||||
ContainerOwner: reqCtx.ContainerOwner,
|
|
||||||
SoftAPECheck: reqCtx.SoftAPECheck,
|
|
||||||
WithoutHeaderRequest: true,
|
|
||||||
BearerToken: reqCtx.BearerToken,
|
|
||||||
XHeaders: request.GetMetaHeader().GetXHeaders(),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return nil, toStatusErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := c.next.Head(ctx, request)
|
resp, err := c.next.Head(ctx, request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -417,10 +378,6 @@ func (c *Service) GetRangeHash(ctx context.Context, request *objectV2.GetRangeHa
|
||||||
XHeaders: request.GetMetaHeader().GetXHeaders(),
|
XHeaders: request.GetMetaHeader().GetXHeaders(),
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = c.apeChecker.CheckAPE(ctx, prm); err != nil {
|
|
||||||
return nil, toStatusErr(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := c.next.GetRangeHash(ctx, request)
|
resp, err := c.next.GetRangeHash(ctx, request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
Loading…
Reference in a new issue