From 56b50f2075eb0593ea1f030866e0b21a677dabcb Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Mon, 19 Feb 2024 11:45:18 +0300
Subject: [PATCH] [#306] Remove flag to disable policy contract
Signed-off-by: Denis Kirillov
---
 api/handler/api.go | 16 +--
 cmd/s3-gw/app.go | 36 ++----
 cmd/s3-gw/app_settings.go | 2 -
 config/config.env | 2 -
 config/config.yaml | 2 -
 docs/configuration.md | 8 +-
 internal/frostfs/policy/contract/inmemory.go | 128 -------------------
 7 files changed, 15 insertions(+), 179 deletions(-)
 delete mode 100644 internal/frostfs/policy/contract/inmemory.go
diff --git a/api/handler/api.go b/api/handler/api.go
index f058b83a..087af677 100644
--- a/api/handler/api.go
+++ b/api/handler/api.go
@@ -61,8 +61,6 @@ type (
 GetBucketPolicy(ns string, cnrID cid.ID) ([]byte, error)
 SaveACLChains(ns string, chains []*chain.Chain) error
 }
-
- frostfsIDDisabled struct{}
 )
 var _ api.Handler = (*handler)(nil)
@@ -76,10 +74,8 @@ func New(log *zap.Logger, obj layer.Client, notificator Notificator, cfg Config,
 return nil, errors.New("empty logger")
 case storage == nil:
 return nil, errors.New("empty policy storage")
- }
-
- if ffsid == nil {
- ffsid = frostfsIDDisabled{}
+ case ffsid == nil:
+ return nil, errors.New("empty frostfsid")
 }
 if !cfg.NotificatorEnabled() {
@@ -98,14 +94,6 @@ func New(log *zap.Logger, obj layer.Client, notificator Notificator, cfg Config,
 }, nil
 }
-func (f frostfsIDDisabled) GetUserAddress(_, _ string) (string, error) {
- return "", errors.New("frostfsid disabled")
-}
-
-func (f frostfsIDDisabled) GetUserKey(account, name string) (string, error) {
- return "", errors.New("frostfsid disabled")
-}
-
 // pickCopiesNumbers chooses the return values following this logic:
 // 1) array of copies numbers sent in request's header has the highest priority.
 // 2) array of copies numbers with corresponding location constraint provided in the config file.
diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go
index 9b098774..222a7ac0 100644
--- a/cmd/s3-gw/app.go
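Review bot: The new `case ffsid == nil:` in `New` compares an interface value, so it only fires for an untyped nil; a nil pointer of a concrete type passed as `ffsid` is a non-nil interface and gets past the check. The `initHandler` hunk in cmd/s3-gw/app.go now passes `a.frostfsid` straight in and drops the `if a.frostfsid != nil { ffsid = a.frostfsid }` conversion that guarded against this; the field's type is not visible here, but the removed guard suggests it is a pointer. If that field can still be nil, the gateway would start and the first `GetUserAddress`/`GetUserKey` call would likely dereference nil at request time instead of failing at startup. Either keep the conversion in `initHandler` or check the field before the call, e.g. `if a.frostfsid == nil { a.log.Fatal(logs.CouldNotInitializeAPIHandler) }`. The body of `New` starts and ends outside this hunk.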
+++ b/cmd/s3-gw/app.go
@@ -466,23 +466,14 @@ func (a *App) initFrostfsID(ctx context.Context) {
 }
 func (a *App) initPolicyStorage(ctx context.Context) {
- var (
- err error
- policyContract policy.Contract
- )
-
- if a.cfg.GetBool(cfgPolicyEnabled) {
- policyContract, err = contract.New(ctx, contract.Config{
- RPCAddress: a.cfg.GetString(cfgRPCEndpoint),
- Contract: a.cfg.GetString(cfgPolicyContract),
- ProxyContract: a.cfg.GetString(cfgProxyContract),
- Key: a.key,
- })
- if err != nil {
- a.log.Fatal(logs.InitPolicyContractFailed, zap.Error(err))
- }
- } else {
- policyContract = contract.NewInMemoryContract()
+ policyContract, err := contract.New(ctx, contract.Config{
+ RPCAddress: a.cfg.GetString(cfgRPCEndpoint),
+ Contract: a.cfg.GetString(cfgPolicyContract),
+ ProxyContract: a.cfg.GetString(cfgProxyContract),
+ Key: a.key,
+ })
+ if err != nil {
+ a.log.Fatal(logs.InitPolicyContractFailed, zap.Error(err))
 }
 a.policyStorage = policy.NewStorage(policy.StorageConfig{
@@ -960,16 +951,9 @@ func getMorphPolicyCacheConfig(v *viper.Viper, l *zap.Logger) *cache.Config {
 }
 func (a *App) initHandler() {
- var (
- err error
- ffsid handler.FrostFSID
- )
+ var err error
- if a.frostfsid != nil {
- ffsid = a.frostfsid
- }
-
- a.api, err = handler.New(a.log, a.obj, a.nc, a.settings, a.policyStorage, ffsid)
+ a.api, err = handler.New(a.log, a.obj, a.nc, a.settings, a.policyStorage, a.frostfsid)
 if err != nil {
 a.log.Fatal(logs.CouldNotInitializeAPIHandler, zap.Error(err))
 }
diff --git a/cmd/s3-gw/app_settings.go b/cmd/s3-gw/app_settings.go
index e7b656d1..cc2dd5c4 100644
--- a/cmd/s3-gw/app_settings.go
+++ b/cmd/s3-gw/app_settings.go
@@ -217,7 +217,6 @@ const ( // Settings.
 cfgFrostfsIDValidationEnabled = "frostfsid.validation.enabled"
 // Policy.
- cfgPolicyEnabled = "policy.enabled"
 cfgPolicyContract = "policy.contract"
 // Proxy.
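Review bot: `initPolicyStorage` now ignores the `policy.enabled` key without telling the operator, so a deployment that still carries `policy.enabled: false` silently moves its access-policy source from the in-memory store to the policy contract, or presumably stops at `logs.InitPolicyContractFailed` if `rpc_endpoint` was never configured. A one-time startup warning when the stale key is present would make that change visible, e.g. `if a.cfg.IsSet("policy.enabled") { a.log.Warn("policy.enabled is no longer supported and is ignored") }` (assuming `a.cfg` is the viper instance; the message would normally live in the `logs` package). The function would also benefit from a doc comment saying the contract is now mandatory, for example `// initPolicyStorage connects to the policy contract; the gateway does not start if this fails.` The function body continues past the end of the hunk.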
@@ -729,7 +728,6 @@ func newSettings() *viper.Viper {
 // policy
 v.SetDefault(cfgPolicyContract, "policy.frostfs")
- v.SetDefault(cfgPolicyEnabled, true)
 // proxy
 v.SetDefault(cfgProxyContract, "proxy.frostfs")
diff --git a/config/config.env b/config/config.env
index 01febc3a..3fff17ab 100644
--- a/config/config.env
+++ b/config/config.env
@@ -205,8 +205,6 @@ S3_GW_FROSTFSID_CONTRACT=frostfsid.frostfs
 S3_GW_FROSTFSID_VALIDATION_ENABLED=true
 # Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
-# Enables using policies from Policy contract.
-S3_GW_POLICY_ENABLED=true
 # Policy contract hash (LE) or name in NNS.
 S3_GW_POLICY_CONTRACT=policy.frostfs
diff --git a/config/config.yaml b/config/config.yaml
index 7f78ba7b..fe16150f 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -243,8 +243,6 @@ frostfsid:
 # Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
 policy:
- # Enables using policies from Policy contract.
- enabled: true
 # Policy contract hash (LE) or name in NNS.
 contract: policy.frostfs
diff --git a/docs/configuration.md b/docs/configuration.md
index 98c6e721..c3327ff5 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -675,14 +675,12 @@ Policy contract configuration. To enable this functionality the `rpc_endpoint` p
 ```yaml
 policy:
- enabled: false
 contract: policy.frostfs
 ```
-| Parameter | Type | SIGHUP reload | Default value | Description |
-|------------|----------|---------------|----------------|-------------------------------------------------------------------|
-| `enabled` | `bool` | no | true | Enables using policies from Policy contract to check permissions. |
-| `contract` | `string` | no | policy.frostfs | Policy contract hash (LE) or name in NNS. |
+| Parameter | Type | SIGHUP reload | Default value | Description |
+|------------|----------|---------------|----------------|-------------------------------------------|
+| `contract` | `string` | no | policy.frostfs | Policy contract hash (LE) or name in NNS. |
 # `proxy` section
diff --git a/internal/frostfs/policy/contract/inmemory.go b/internal/frostfs/policy/contract/inmemory.go
deleted file mode 100644
index 2b6c637f..00000000
--- a/internal/frostfs/policy/contract/inmemory.go
+++ /dev/null
@@ -1,128 +0,0 @@
-package contract
-
-import (
- "errors"
- "strings"
- "sync"
-
- policycontract "git.frostfs.info/TrueCloudLab/frostfs-contract/policy"
- "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/policy"
- "github.com/nspcc-dev/neo-go/pkg/util"
-)
-
-type InMemoryContract struct {
- iamChains *syncedMap
- containerChains *syncedMap
- namespaceChains *syncedMap
-}
-
-type syncedMap struct {
- mu sync.RWMutex
- data map[string][]byte
-}
-
-var _ policy.Contract = (*InMemoryContract)(nil)
-
-var ErrChainNotFound = errors.New("chain not found")
-
-// NewInMemoryContract creates new inmemory Policy contract wrapper.
-func NewInMemoryContract() *InMemoryContract {
- return &InMemoryContract{
- iamChains: &syncedMap{data: map[string][]byte{}},
- containerChains: &syncedMap{data: map[string][]byte{}},
- namespaceChains: &syncedMap{data: map[string][]byte{}},
- }
-}
-
-func (c *InMemoryContract) AddChain(kind policycontract.Kind, entity string, name []byte, chain []byte) (util.Uint256, uint32, error) {
- syncMap := c.getMap(kind)
- syncMap.mu.Lock()
- syncMap.data[entity+string(name)] = chain
- syncMap.mu.Unlock()
-
- return util.Uint256{}, 0, nil
-}
-
-func (c *InMemoryContract) GetChain(kind policycontract.Kind, entity string, name []byte) ([]byte, error) {
- syncMap := c.getMap(kind)
- syncMap.mu.RLock()
- defer syncMap.mu.RUnlock()
-
- val, ok := syncMap.data[entity+string(name)]
- if !ok {
- return nil, ErrChainNotFound
- }
- return val, nil
-}
-
-func (c *InMemoryContract) RemoveChain(kind policycontract.Kind, entity string, name []byte) (util.Uint256, uint32, error) {
- syncMap := c.getMap(kind)
- syncMap.mu.Lock()
- delete(syncMap.data, entity+string(name))
- syncMap.mu.Unlock()
-
- return util.Uint256{}, 0, nil
-}
-
-func (c *InMemoryContract) ListChains(kind policycontract.Kind, entity string, name []byte) ([][]byte, error) {
- syncMap := c.getMap(kind)
- syncMap.mu.RLock()
- defer syncMap.mu.RUnlock()
-
- var res [][]byte
- for key, val := range syncMap.data {
- if strings.HasPrefix(key, entity+string(name)) {
- res = append(res, val)
- }
- }
-
- return res, nil
-}
-
-func (c *InMemoryContract) Wait(_ util.Uint256, _ uint32, err error) error {
- return err
-}
-
-func (c *InMemoryContract) StartTx() policy.MultiTransaction {
- return &inMemoryTx{operations: make([]func(*InMemoryContract), 0)}
-}
-
-func (c *InMemoryContract) SendTx(tx policy.MultiTransaction) error {
- for _, operation := range tx.(*inMemoryTx).operations {
- operation(c)
- }
- return nil
-}
-
-func (c *InMemoryContract) getMap(kind policycontract.Kind) *syncedMap {
- switch kind {
- case policycontract.IAM:
- return c.iamChains
- case policycontract.Container:
- return c.containerChains
- case policycontract.Namespace:
- return c.namespaceChains
- default:
- return &syncedMap{data: map[string][]byte{}}
- }
-}
-
-type inMemoryTx struct {
- operations []func(contract *InMemoryContract)
-}
-
-func (t *inMemoryTx) AddChain(kind policycontract.Kind, entity string, name []byte, chain []byte) {
- t.operations = append(t.operations, func(c *InMemoryContract) {
- _, _, _ = c.AddChain(kind, entity, name, chain)
- })
-}
-
-func (t *inMemoryTx) RemoveChain(kind policycontract.Kind, entity string, name []byte) {
- t.operations = append(t.operations, func(c *InMemoryContract) {
- _, _, _ = c.RemoveChain(kind, entity, name)
- })
-}
-
-func (t *inMemoryTx) Scripts() ([][]byte, error) {
- return nil, nil
-}