acl: do not check EACL for system role
EACL cannot have any rules for the system role since 0.38.0 (ab909a3),
so performing these checks is not very helpful. Of course one can still ban
the node by key, but that would make a lot of regular operations fail, and
a broken container is not very helpful.

This fixes #2972 as much as possible (containers can be cached for a longer
period of time).

Signed-off-by: Roman Khimov <roman@nspcc.ru>
roman-khimov committed Nov 13, 2024
1 parent b7714ae commit 08aefce
Showing 2 changed files with 17 additions and 12 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -41,6 +41,7 @@ attribute, which is used for container domain name in NNS contracts (#2954)
- Pprof and metrics services stop at the end of SN's application lifecycle (#2976)
- Reject configuration with unknown fields (#2981)
- Log sampling is disabled by default now (#3011)
- EACL is no longer considered for system role (#2972)

### Removed
- Support for node.key configuration (#2959)
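Review bot: the new entry "EACL is no longer considered for system role (#2972)" records the change but not its visible consequence; since the code comment in acl.go says the system role is controlled by BasicACL only, and the commit message notes that a node could previously still be banned by key through EACL, operators reading the changelog would want that spelled out, e.g. "EACL is no longer evaluated for system-role requests (InnerRing and container nodes); their access is governed by BasicACL only (#2972)".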
28 changes: 16 additions & 12 deletions pkg/services/object/acl/acl.go
@@ -129,6 +129,22 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
return nil
}

var eaclRole eaclSDK.Role
switch op := reqInfo.RequestRole(); op {
default:
eaclRole = eaclSDK.Role(op)
case acl.RoleOwner:
eaclRole = eaclSDK.RoleUser
case acl.RoleInnerRing, acl.RoleContainer:
eaclRole = eaclSDK.RoleSystem
case acl.RoleOthers:
eaclRole = eaclSDK.RoleOthers

Codecov / codecov/patch: added lines pkg/services/object/acl/acl.go#L132-L141 were not covered by tests.
}

if eaclRole == eaclSDK.RoleSystem {
return nil // Controlled by BasicACL, EACL can not contain any rules for system role since 0.38.0.
}

Codecov / codecov/patch: added lines pkg/services/object/acl/acl.go#L144-L146 were not covered by tests.

// if bearer token is not allowed, then ignore it
if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
reqInfo.CleanBearer()
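Review bot: the new `if eaclRole == eaclSDK.RoleSystem { return nil }` is an authorization short-circuit that the coverage annotations on this hunk report as untested (lines 132-141 and 144-146); add a CheckEACL test whose RequestRole() returns acl.RoleInnerRing and one for acl.RoleContainer, asserting a nil result without the EACL table being consulted, plus a case for acl.RoleOwner or acl.RoleOthers confirming they still fall through to the EACL check. Note also that the return is placed before the `basicACL.AllowedBearerRules` / `reqInfo.CleanBearer()` step, so for system-role requests the bearer-token handling below is skipped entirely; if that is intended, the inline comment could state that BasicACL is the only remaining gate for this role.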
@@ -182,18 +198,6 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
return fmt.Errorf("can't parse headers: %w", err)
}

var eaclRole eaclSDK.Role
switch op := reqInfo.RequestRole(); op {
default:
eaclRole = eaclSDK.Role(op)
case acl.RoleOwner:
eaclRole = eaclSDK.RoleUser
case acl.RoleInnerRing, acl.RoleContainer:
eaclRole = eaclSDK.RoleSystem
case acl.RoleOthers:
eaclRole = eaclSDK.RoleOthers
}

vu := new(eaclSDK.ValidationUnit).
WithRole(eaclRole).
WithOperation(eaclSDK.Operation(reqInfo.Operation())).
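Review bot: removing the switch here is consistent with the copy moved up in the previous hunk, but the remaining use `WithRole(eaclRole)` now depends on a variable assigned roughly fifty lines earlier, across the bearer-token handling and the header parsing that can return early; a short comment at this use, or a small helper such as `eaclRoleOf(reqInfo)` computing the mapping once and called where needed, would keep the data flow easy to follow.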

0 comments on commit 08aefce