[#306] Use zero basic acl to mark APE containers

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2024-02-14 15:55:12 +03:00
parent c452d58ce2
commit bac1b3fb2d
6 changed files with 13 additions and 28 deletions


@ -1608,7 +1608,6 @@ func createBucketOldACL(hc *handlerContext, bktName string, box *accessbox.Box)
cnr, err := hc.tp.Container(hc.Context(), cnrID) cnr, err := hc.tp.Container(hc.Context(), cnrID)
require.NoError(hc.t, err) require.NoError(hc.t, err)
cnr.SetBasicACL(acl.PublicRWExtended) cnr.SetBasicACL(acl.PublicRWExtended)
cnr.SetAttribute(layer.AttributeAPEEnabled, "false")
hc.tp.SetContainer(cnrID, cnr) hc.tp.SetContainer(cnrID, cnr)
table := eacl.NewTable() table := eacl.NewTable()
table.SetCID(cnrID) table.SetCID(cnrID)


@ -770,6 +770,7 @@ func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
p := &layer.CreateBucketParams{ p := &layer.CreateBucketParams{
Name: reqInfo.BucketName, Name: reqInfo.BucketName,
Namespace: reqInfo.Namespace, Namespace: reqInfo.Namespace,
APEEnabled: true,
} }
if err := checkBucketName(reqInfo.BucketName); err != nil { if err := checkBucketName(reqInfo.BucketName); err != nil {


@ -12,6 +12,7 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
@ -28,7 +29,6 @@ type (
const ( const (
attributeLocationConstraint = ".s3-location-constraint" attributeLocationConstraint = ".s3-location-constraint"
AttributeAPEEnabled = ".s3-APE-enabled"
AttributeLockEnabled = "LockEnabled" AttributeLockEnabled = "LockEnabled"
) )
@ -63,6 +63,7 @@ func (n *layer) containerInfo(ctx context.Context, idCnr cid.ID) (*data.BucketIn
info.Created = container.CreatedAt(cnr) info.Created = container.CreatedAt(cnr)
info.LocationConstraint = cnr.Attribute(attributeLocationConstraint) info.LocationConstraint = cnr.Attribute(attributeLocationConstraint)
info.HomomorphicHashDisabled = container.IsHomomorphicHashingDisabled(cnr) info.HomomorphicHashDisabled = container.IsHomomorphicHashingDisabled(cnr)
info.APEEnabled = cnr.BasicACL().Bits() == 0
attrLockEnabled := cnr.Attribute(AttributeLockEnabled) attrLockEnabled := cnr.Attribute(AttributeLockEnabled)
if len(attrLockEnabled) > 0 { if len(attrLockEnabled) > 0 {
@ -75,17 +76,6 @@ func (n *layer) containerInfo(ctx context.Context, idCnr cid.ID) (*data.BucketIn
} }
} }
APEEnabled := cnr.Attribute(AttributeAPEEnabled)
if len(APEEnabled) > 0 {
info.APEEnabled, err = strconv.ParseBool(APEEnabled)
if err != nil {
log.Error(logs.CouldNotParseContainerAPEEnabledAttribute,
zap.String("ape_enabled", APEEnabled),
zap.Error(err),
)
}
}
zone, _ := n.features.FormContainerZone(reqInfo.Namespace) zone, _ := n.features.FormContainerZone(reqInfo.Namespace)
if zone != info.Zone { if zone != info.Zone {
return nil, fmt.Errorf("ns '%s' and zone '%s' are mismatched for container '%s'", zone, info.Zone, idCnr) return nil, fmt.Errorf("ns '%s' and zone '%s' are mismatched for container '%s'", zone, info.Zone, idCnr)
@ -131,12 +121,11 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
Created: TimeNow(ctx), Created: TimeNow(ctx),
LocationConstraint: p.LocationConstraint, LocationConstraint: p.LocationConstraint,
ObjectLockEnabled: p.ObjectLockEnabled, ObjectLockEnabled: p.ObjectLockEnabled,
APEEnabled: true, APEEnabled: p.APEEnabled,
} }
attributes := [][2]string{ attributes := [][2]string{
{attributeLocationConstraint, p.LocationConstraint}, {attributeLocationConstraint, p.LocationConstraint},
{AttributeAPEEnabled, "true"},
} }
if p.ObjectLockEnabled { if p.ObjectLockEnabled {
@ -145,6 +134,11 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
}) })
} }
basicACL := acl.PublicRWExtended
if p.APEEnabled {
basicACL = 0
}
res, err := n.frostFS.CreateContainer(ctx, PrmContainerCreate{ res, err := n.frostFS.CreateContainer(ctx, PrmContainerCreate{
Creator: bktInfo.Owner, Creator: bktInfo.Owner,
Policy: p.Policy, Policy: p.Policy,
@ -153,6 +147,7 @@ func (n *layer) createContainer(ctx context.Context, p *CreateBucketParams) (*da
SessionToken: p.SessionContainerCreation, SessionToken: p.SessionContainerCreation,
CreationTime: bktInfo.Created, CreationTime: bktInfo.Created,
AdditionalAttributes: attributes, AdditionalAttributes: attributes,
BasicACL: basicACL,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("create container: %w", err) return nil, fmt.Errorf("create container: %w", err)
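Review bot: At `info.APEEnabled = cnr.BasicACL().Bits() == 0` in containerInfo the APE marker is now read only from the basic ACL, so a container created by the previous code is reported as `APEEnabled == false` after this change. Those containers carry the `.s3-APE-enabled` attribute set to "true", but their basic ACL was defaulted to `acl.PublicRWExtended` by the FrostFS layer. If such containers exist in a deployment, their buckets would silently move to the ACL/eACL path, so a migration note or a fallback that still honours the legacy attribute seems needed. The inverse also holds: any container whose basic ACL is zero, however it was created, is now treated as APE-managed. That rule deserves a comment at the assignment, e.g. `// A zero basic ACL is the marker for APE-managed containers; the legacy ".s3-APE-enabled" attribute is no longer consulted.` Both containerInfo and createContainer extend outside the hunks shown.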


@ -173,8 +173,6 @@ type FrostFS interface {
// It sets 'Timestamp' attribute to the current time. // It sets 'Timestamp' attribute to the current time.
// It returns the ID of the saved container. // It returns the ID of the saved container.
// //
// Created container is public with enabled ACL extension.
//
// It returns exactly one non-zero value. It returns any error encountered which // It returns exactly one non-zero value. It returns any error encountered which
// prevented the container from being created. // prevented the container from being created.
CreateContainer(context.Context, PrmContainerCreate) (*ContainerCreateResult, error) CreateContainer(context.Context, PrmContainerCreate) (*ContainerCreateResult, error)


@ -178,6 +178,7 @@ type (
SessionContainerCreation *session.Container SessionContainerCreation *session.Container
LocationConstraint string LocationConstraint string
ObjectLockEnabled bool ObjectLockEnabled bool
APEEnabled bool
} }
// PutBucketACLParams stores put bucket acl request parameters. // PutBucketACLParams stores put bucket acl request parameters.
PutBucketACLParams struct { PutBucketACLParams struct {
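Review bot: The new `APEEnabled` field in CreateBucketParams is undocumented, and its zero value selects the more permissive setting. createContainer in this commit uses `acl.PublicRWExtended` when the field is false and a zero basic ACL only when it is true. A caller that builds CreateBucketParams without setting the field therefore gets a public read-write container with eACL rather than an APE-managed one. A field comment would make that explicit, e.g. `// APEEnabled makes createContainer use a zero basic ACL (APE-managed); when false the container gets acl.PublicRWExtended.` The struct starts outside the hunk.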


@ -14,7 +14,6 @@ import (
errorsFrost "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors" errorsFrost "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/acl"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
@ -101,16 +100,8 @@ func (x *FrostFS) Container(ctx context.Context, idCnr cid.ID) (*container.Conta
return &res, nil return &res, nil
} }
var basicACLZero acl.Basic
// CreateContainer implements frostfs.FrostFS interface method. // CreateContainer implements frostfs.FrostFS interface method.
//
// If prm.BasicACL is zero, 'eacl-public-read-write' is used.
func (x *FrostFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreate) (*layer.ContainerCreateResult, error) { func (x *FrostFS) CreateContainer(ctx context.Context, prm layer.PrmContainerCreate) (*layer.ContainerCreateResult, error) {
if prm.BasicACL == basicACLZero {
prm.BasicACL = acl.PublicRWExtended
}
var cnr container.Container var cnr container.Container
cnr.Init() cnr.Init()
cnr.SetPlacementPolicy(prm.Policy) cnr.SetPlacementPolicy(prm.Policy)