From 08aefceb24016a097ff79459d034fedc37aa8974 Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Wed, 13 Nov 2024 21:56:15 +0300
Subject: [PATCH] acl: do not check EACL for system role
EACL can not have any rules for system role since 0.38.0 (ab909a371b069c9fcc728f617b1e29aeaf135ab2), so performing these checks is not very helpful. Of course one can still ban the node by key, but that would make a lot of regular operations fail and broken container is not very helpful. This fixes #2972 as much as possible (containers can be cached for a longer period of time).
Signed-off-by: Roman Khimov
---
CHANGELOG.md | 1 +
pkg/services/object/acl/acl.go | 28 ++++++++++++++++------------
2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 771f8cdbe5..72b1ae84b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@ attribute, which is used for container domain name in NNS contracts (#2954)
 - Pprof and metrics services stop at the end of SN's application lifecycle (#2976)
 - Reject configuration with unknown fields (#2981)
 - Log sampling is disabled by default now (#3011)
+- EACL is no longer considered for system role (#2972)
 ### Removed
 - Support for node.key configuration (#2959)
diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index 071b3d66fa..12c27dfb10 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -129,6 +129,22 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 return nil
 }
+ var eaclRole eaclSDK.Role
+ switch op := reqInfo.RequestRole(); op {
+ default:
+ eaclRole = eaclSDK.Role(op)
+ case acl.RoleOwner:
+ eaclRole = eaclSDK.RoleUser
+ case acl.RoleInnerRing, acl.RoleContainer:
+ eaclRole = eaclSDK.RoleSystem
+ case acl.RoleOthers:
+ eaclRole = eaclSDK.RoleOthers
+ }
+
+ if eaclRole == eaclSDK.RoleSystem {
+ return nil // Controlled by BasicACL, EACL can not contain any rules for system role since 0.38.0.
+ }
+
 // if bearer token is not allowed, then ignore it
 if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 reqInfo.CleanBearer()
@@ -182,18 +198,6 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 return fmt.Errorf("can't parse headers: %w", err)
 }
- var eaclRole eaclSDK.Role
- switch op := reqInfo.RequestRole(); op {
- default:
- eaclRole = eaclSDK.Role(op)
- case acl.RoleOwner:
- eaclRole = eaclSDK.RoleUser
- case acl.RoleInnerRing, acl.RoleContainer:
- eaclRole = eaclSDK.RoleSystem
- case acl.RoleOthers:
- eaclRole = eaclSDK.RoleOthers
- }
-
 vu := new(eaclSDK.ValidationUnit).
 WithRole(eaclRole).
 WithOperation(eaclSDK.Operation(reqInfo.Operation())).
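Review bot: The new early `return nil` in the first hunk is keyed on the converted `eaclRole == eaclSDK.RoleSystem` rather than on the request role, while the `default:` arm still turns any unlisted `acl.Role` into `eaclSDK.Role(op)` by a plain numeric cast; if the two enums share numeric values, an unmapped request role could land on `RoleSystem` and now skip EACL entirely, whereas before the same cast only fed a ValidationUnit. Consider taking the exit on the source role instead, i.e. make the `case acl.RoleInnerRing, acl.RoleContainer:` arm body `return nil // EACL has no system-role rules since 0.38.0; BasicACL governs these requests` and drop the separate `if eaclRole == eaclSDK.RoleSystem` block, so the bypass cannot be reached through the default cast. The early return also now precedes `reqInfo.CleanBearer()`, so a bearer token on a system-role request is never stripped from reqInfo; that is harmless if nothing downstream reads it, but worth confirming since the bypass is only as strong as whatever assigns RoleInnerRing/RoleContainer upstream. CheckEACL starts before and continues after this hunk.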