Move EACL checks to SDK #36

Merged
merged 4 commits into from
Jan 19, 2022

@fyrchik (Contributor) commented Sep 13, 2021

Close #34.

@alexvanin (Contributor)

@cthulhu-rider Can you check if this integrates with storage node?

@alexvanin (Contributor)

Integration tests for EACL are failing with this branch. Looking into it.

@carpawell (Member)

The original code version of this PR fails some integration tests:

  • Bearer Get object
  • Bearer Head object

All errors were in the form of "access to operation GET is denied by extended ACL check".

eACL was in the form:

...
{
       "operation":"GET",
       "action":"ALLOW",
       "filters":[
          {
             "headerType":"OBJECT",
             "matchType":"STRING_EQUAL",
             "key":"$Object:objectID",
             "value":"3WSwLZNRNB2Y8uk48qFLZBcxi9hV3ra1jFon77YsM5gx"
          }
       ],
       "targets":[
          {
             "role":"USER"
          }
       ]
},
...

Those errors could be fixed in a separate PR that would bring the original code.

@carpawell (Member) left a comment

Current code passes integration eACL tests.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
Improve SDK usability a bit:
1. Replace bearer and storage with a single eACL table. This way
   caller can implement its own behaviour for missing eACL.
2. Remove logging. SDK library shouldn't be dependent on a specific
   logger.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
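
A simplified sketch of the design the commit message above describes, added here as an illustration and not taken from the PR or the SDK: the caller passes one table to the validator and decides for itself what a missing table means. The types, `Decide`, `Check`, `Sample`, the first-match rule, the fall-through to ALLOW, bearer-over-stored precedence and the catch-all DENY record are all assumptions of this example; only the ALLOW record's fields come from the eACL quoted earlier in the thread.

```go
package main

import "fmt"

// Simplified, hypothetical types (not the SDK's API); Filters are STRING_EQUAL.
type Record struct {
	Operation, Action, Role string
	Filters                 map[string]string // header key -> required value
}
type Table struct{ Records []Record }

// Decide: first record matching op, role and every filter wins (assumed rule).
func Decide(t *Table, op, role string, hdrs map[string]string) string {
next:
	for _, r := range t.Records {
		if r.Operation != op || r.Role != role {
			continue
		}
		for k, want := range r.Filters {
			if got, ok := hdrs[k]; !ok || got != want {
				continue next // header absent or different: record does not apply
			}
		}
		return r.Action
	}
	return "ALLOW" // assumed default when no record matches
}

// Check is the caller: it picks the table and decides what a missing one means.
func Check(bearer, stored *Table, onMissing, op, role string, hdrs map[string]string) string {
	if bearer == nil {
		bearer = stored
	}
	if bearer == nil {
		return onMissing
	}
	return Decide(bearer, op, role, hdrs)
}

// Sample is constructed: the ALLOW record quoted above plus a catch-all DENY.
func Sample() *Table {
	return &Table{Records: []Record{
		{"GET", "ALLOW", "USER", map[string]string{"$Object:objectID": "3WSwLZNRNB2Y8uk48qFLZBcxi9hV3ra1jFon77YsM5gx"}},
		{"GET", "DENY", "USER", nil},
	}}
}

func main() {
	fmt.Println(Check(Sample(), nil, "DENY", "GET", "USER", nil)) // no ID header
}
```

In this sketch the outcome of a record filtered on `$Object:objectID` depends entirely on whether the caller supplies that header, so a header source that cannot provide it at decision time changes which record matches.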

Successfully merging this pull request may close these issues.

ExtendedACL table engine