* APE-overrides are optional for bearer. So, it should validate only set override;
* Bearer can set overrides for containers, not only the one container - validation
expects for any target type for set override. Basically, APE-overrides for all
containers must be set for namespace target;
* Add unit-test cases to check bearer token validation.
Change-Id: I6b8e19eb73d24f8cd8799bf99b6c551287da67d9
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Background trees sync creates a grpc connection with the
`grpc.WithDefaultCallOptions(grpc.WaitForReady(true))` option. When a grpc
connection is created with this option, the client will wait until a connection
becomes available or the RPC's deadline is reached. As background sync
has no timeout in its context, the RPC call will hang forever if the client
is in TRANSIENT_FAILURE.
Change-Id: I17c8c1d2779bb81c541f47dd0e558e0b8ed2e7c1
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
* The bearer token must always be validated, regardless of whether it has been impersonated;
* Fix unit-tests for tree service which check verification with bearer token.
Close #1721
Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Allows updating the list of public keys authorized to invoke
'Tree service' operations without restarting the node.
Change-Id: I01b6e05875b7ae3f3218062eb12bf9755e87f2a3
Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com>
See https://go-critic.com/overview#elseif for details.
Change-Id: I8fd3edfacaeea2b0a83917575d545af7e7ab4d13
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
* Make `verifyClient`, `checkAPE` receive `treeID` from request body;
* Make `newAPERequest` set `$Tree:ID` property
* Add unit-test to check if a rule for `$Tree:ID` works
Close #1701
Change-Id: I834fed366e8adfd4b5c07bf50aac09af6239991b
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This dialer supports source-based routing and is already used in cache.
Change-Id: Ic7852edd2faea4e5d8667221e6f681cc82bb143a
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
There are two problems with the current approach:
1. For TLS connections we need different transport credentials.
2. grpc.NewClient() considers scheme from `URIAddr()` as a scheme for a
resolver. `grpcs://` scheme doesn't exist, though, so the default one
is picked. The default resolver (`dns://`) is in turn unable to parse the
5edab9e554/internal/resolver/dns/dns_resolver.go (L405)
The error is `grpcs://192.168.198.248:8081:443: too many colons in address`.
Both problems don't exist in the SDK code, take it from there.
Change-Id: Ia1212050f539162a560796685efdc3f9cfbf80a0
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
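The second problem in the commit message above can be reproduced with the standard library alone. The following is an added example, not code from frostfs-node or the SDK: `resolverStyleSplit` and `dialTarget` are hypothetical names, and appending a default port of 443 is an assumption taken from the `:443` suffix in the quoted error.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// resolverStyleSplit reproduces the failure with the standard library only:
// the whole URI is treated as a host and a default port is appended.
func resolverStyleSplit(endpoint, defaultPort string) error {
	_, _, err := net.SplitHostPort(endpoint + ":" + defaultPort)
	return err
}

// dialTarget is a hypothetical helper (not frostfs-node or SDK code). It
// strips the scheme so that only host:port reaches the gRPC client, and
// reports whether TLS transport credentials are required.
func dialTarget(endpoint string) (hostPort string, useTLS bool, err error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", false, err
	}
	switch u.Scheme {
	case "grpc":
		useTLS = false
	case "grpcs":
		useTLS = true
	default:
		// Refuse unknown schemes instead of silently dialing in plaintext.
		return "", false, fmt.Errorf("unsupported scheme %q in %q", u.Scheme, endpoint)
	}
	if u.Hostname() == "" || u.Port() == "" {
		return "", false, fmt.Errorf("endpoint %q must be scheme://host:port", endpoint)
	}
	return u.Host, useTLS, nil
}

func main() {
	const ep = "grpcs://192.168.198.248:8081" // address from the error message above
	fmt.Println("resolver-style parse:", resolverStyleSplit(ep, "443"))
	target, tls, err := dialTarget(ep)
	fmt.Println("dial target:", target, "tls:", tls, "err:", err)
}
```

The caller picks TLS or insecure transport credentials from the returned flag, which covers the first problem listed in the commit message.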
They connect to the same endpoints, the only difference is that
connection for synchronization is limited in lifetime and is closed
after the sync is finished. This is probably not intentional, as
synchronization was implemented before cache was introduced.
However, reusing dialTreeService() in sync.go has possible performance
implications, so is avoided for now.
Change-Id: I2e37befd783b4d873ff833969f932deded1195be
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Tree sync is too different from GC and rebuild to use the same tag for GC and tree sync.
Change-Id: Ib44d5fa9a88daff507d759d0b0410cc9272e236f
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
By default, gRPC fetches TXT report while resolving a domain.
0914bba6c5/internal/resolver/dns/dns_resolver.go (L336)
This leads to a hanging dial if DNS is unavailable, even though the host
may be specified in `/etc/hosts` (hello, localhost!).
SDK client for the main API uses these options by default.
Refs TrueCloudLab/frostfs-sdk-go#342
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
If applyOperationStream() exits prematurely, other goroutines will block
on send and errgroup will never finish waiting. In this commit we also
check whether context is cancelled.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Use `zap.Error` instead of `zap.String` for logging errors: change all expressions like
`zap.String("error", err.Error())` or `zap.String("err", err.Error())` to `zap.Error(err)`.
Leave similar expressions with other messages unchanged, for example,
`zap.String("last_error", lastErr.Error())` or `zap.String("reason", ctx.Err().Error())`.
This change was made by applying the following patch:
```diff
@@
var err expression
@@
-zap.String("error", err.Error())
+zap.Error(err)
@@
var err expression
@@
-zap.String("err", err.Error())
+zap.Error(err)
```
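Review bot: the second rule, which rewrites `zap.String("err", err.Error())` to `zap.Error(err)`, also renames the log field, because `zap.Error` always writes under the key `error`. Log queries, alerts or parsers that match on the `err` key will stop seeing these entries, so the commit message should mention the key change, or the rule should use `zap.NamedError("err", err)` where the old key has to be kept.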
Signed-off-by: Aleksey Savchuk <a.savchuk@yadro.com>
Concurrent Apply can lead to a child node being applied before its parent, so
undo/redo operations will be performed. This leads to performance degradation
in the case of a tree with many sublevels.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
Previous release was EACL-compatible.
Starting from now all EACL should've been migrated to APE chains.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
* Update version within go.mod;
* Fix deprecated frostfs-api-go/v2 package and use frostfs-sdk-go/api
instead.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
`slices.SortFunc` doesn't use reflection and is a bit faster.
I have done some micro-benchmarks for `[]NodeInfo`:
```
$ benchstat -col "/func" out
goos: linux
goarch: amd64
pkg: git.frostfs.info/TrueCloudLab/frostfs-node/pkg/local_object_storage/pilorama
cpu: 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
        │ sort.Slice  │           slices.SortFunc           │
        │   sec/op    │   sec/op     vs base                │
Sort-8    2.130µ ± 2%   1.253µ ± 2%  -41.20% (p=0.000 n=10)
```
Haven't included them, though, as I don't see them being used a
lot.
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
The created grpc connection should be established, so perform a Healthcheck request
to check that the connection is ok.
Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>