realloc/frostfs-node
1
0
Fork 0
forked from TrueCloudLab/frostfs-node
Code Releases Packages Activity

[#919] ape: Improve error messages in ape service

Browse source 
* Wrap all APE middleware errors in apeErr that
  makes errors more explicit with status AccessDenied.
* Use denyingRuleErr for denying status from chain router.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
Airat Arifullin 2024-01-18 14:35:52 +03:00 committed by Evgenii Stratonikov
parent f526f49995
commit f2f3294fc3
4 changed files with 32 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

11
pkg/services/object/ape/checker.go
View file

@ -5,7 +5,6 @@ import (
"fmt"
objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
apistatus "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/client/status"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
@ -70,13 +69,5 @@ func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
return nil
}
return apeErr(prm.Method, status)
}
const accessDeniedAPEReasonFmt = "access to operation %s is denied by access policy engine: %s"
func apeErr(op string, status apechain.Status) error {
errAccessDenied := &apistatus.ObjectAccessDenied{}
errAccessDenied.WriteReason(fmt.Sprintf(accessDeniedAPEReasonFmt, op, status.String()))
return errAccessDenied
return fmt.Errorf("found denying rule for %s: %s", prm.Method, status)
}