forked from TrueCloudLab/frostfs-node
[#2040] node: Do not attach tokens in the assembly process
A container node is expected to have full "get" access to assemble the object. A non-container node is expected to forward any request to a container node. Any token is expected to be issued for an original request sender, not for a node, so any new request is invalid by design with that token.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
parent fd61bdadcb
commit d5a14041e0
3 changed files with 23 additions and 0 deletions
|
@ -27,6 +27,7 @@ Changelog for NeoFS Node
|
||||||
- Malformed request errors' reasons in the responses (#2028)
|
- Malformed request errors' reasons in the responses (#2028)
|
||||||
- Session token's IAT and NBF checks in ACL service (#2028)
|
- Session token's IAT and NBF checks in ACL service (#2028)
|
||||||
- Losing meta information on request forwarding (#2040)
|
- Losing meta information on request forwarding (#2040)
|
||||||
|
- Assembly process triggered by a request with a bearer token (#2040)
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
### Updated
|
### Updated
|
||||||
|
|
|
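Review bot: the new changelog line "Assembly process triggered by a request with a bearer token (#2040)" names only the bearer token, while `ForgetTokens()` in this same commit clears both `p.token` and `p.bearer`, and the in-code comment speaks of "session/bearer token". Suggest wording the entry so it covers both kinds of token, so that a reader of the changelog knows requests carrying either one are affected.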
@ -13,6 +13,19 @@ func (exec *execCtx) assemble() {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Any access tokens are not expected to be used in the assembly process:
|
||||||
|
// - there is no requirement to specify child objects in session/bearer
|
||||||
|
// token for `GET`/`GETRANGE`/`RANGEHASH` requests in the API protocol,
|
||||||
|
// and, therefore, their missing in the original request should not be
|
||||||
|
// considered as error; on the other hand, without session for every child
|
||||||
|
// object, it is impossible to attach bearer token in the new generated
|
||||||
|
// requests correctly because the token has not been issued for that node's
|
||||||
|
// key;
|
||||||
|
// - the assembly process is expected to be handled on a container node
|
||||||
|
// only since the requests forwarding mechanism presentation; such the
|
||||||
|
// node should have enough rights for getting any child object by design.
|
||||||
|
exec.prm.common.ForgetTokens()
|
||||||
|
|
||||||
// Do not use forwarding during assembly stage.
|
// Do not use forwarding during assembly stage.
|
||||||
// Request forwarding closure inherited in produced
|
// Request forwarding closure inherited in produced
|
||||||
// `execCtx` so it should be disabled there.
|
// `execCtx` so it should be disabled there.
|
||||||
|
|
|
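Review bot: the `exec.prm.common.ForgetTokens()` call relies on the invariant stated in the comment above it (assembly is handled only on a container node, which has enough rights to get any child object), but nothing in this hunk checks that invariant. If `assemble()` can be reached on a node outside the container, the generated child requests now go out with no token at all, and the failure will surface far from its cause. Consider an explicit guard, or at least a test covering that path; the commit touches 3 files and none of the visible hunks adds a test. Minor: "since the requests forwarding mechanism presentation; such the node" in the comment reads awkwardly, something like "since request forwarding was introduced; such a node" would be clearer.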
@ -98,6 +98,15 @@ func (p *CommonPrm) SetNetmapLookupDepth(v uint64) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ForgetTokens forgets all the tokens read from the request's
|
||||||
|
// meta information before.
|
||||||
|
func (p *CommonPrm) ForgetTokens() {
|
||||||
|
if p != nil {
|
||||||
|
p.token = nil
|
||||||
|
p.bearer = nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func CommonPrmFromV2(req interface {
|
func CommonPrmFromV2(req interface {
|
||||||
GetMetaHeader() *session.RequestMetaHeader
|
GetMetaHeader() *session.RequestMetaHeader
|
||||||
}) (*CommonPrm, error) {
|
}) (*CommonPrm, error) {
|
||||||
|
|
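Review bot: `ForgetTokens` clears `p.token` and `p.bearer` in place on a pointer receiver, so any other holder of the same `*CommonPrm` loses the tokens as well, and the doc comment ("forgets all the tokens read from the request's meta information before") does not say so. Suggest stating in the comment that the receiver is mutated and naming the two fields that are dropped. The `if p != nil` guard also makes a call on a nil receiver a silent no-op; worth a word in the comment if that is intended.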