Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate System role in EACL #2531

Closed
roman-khimov opened this issue Aug 28, 2023 · 0 comments
Closed

Deprecate System role in EACL #2531

roman-khimov opened this issue Aug 28, 2023 · 0 comments
Assignees
@carpawell
Labels
config Configuration format update or breaking change enhancement Improving existing functionality neofs-cli NeoFS CLI application issues
Milestone
v0.38.0

Comments

@roman-khimov
Copy link
Member

Is your feature request related to a problem? Please describe.

I'm always frustrated when I'm looking at NeoFS ACL and EACL. In particular, system roles are problematic, especially when dealing with their use in EACL. ACLs can't be created with improper settings for system roles, while EACLs can.

Describe the solution you'd like

  1. Ignore rules with System role in EACL.
  2. Extend IR check of EACL with a check for system role use. Do not allow them.
  3. Extend neofs-cli with a similar check. Do not allow these EACLs unless forced.

I'd like to remove them completely, but we need this minimum first and then we could check current networks and decide if we can remove them completely.

We're not touching basic ACLs for now since they're less problematic and a bit harder to change.

Describe alternatives you've considered

Not a lot of them.

Additional context

https://http.fs.neo.org/HXSaMJXk2g8C14ht8HSi7BBaiYZ1HeWh2xnWPGQCg4H6/612-1693211417/index.html#suites/a6143bdccc5de4a5db4c836d1239fad4/981ab653ece9967a/
@roman-khimov roman-khimov added enhancement Improving existing functionality neofs-cli NeoFS CLI application issues config Configuration format update or breaking change labels Aug 28, 2023
@roman-khimov roman-khimov added this to the v0.38.0 milestone Aug 28, 2023
@roman-khimov roman-khimov mentioned this issue Aug 28, 2023
Closed
@carpawell carpawell self-assigned this Sep 4, 2023
vvarg229 added a commit to vvarg229/neofs-testcases that referenced this issue Sep 5, 2023
@vvarg229
Deprecate System role in EACL nspcc-dev#616
90ed242 
Removed the System role in EACL and removed the tests related to this role.
The System EACL role leads to a broken container and nothing else and will be
removed in the issue nspcc-dev/neofs-node#2531

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
@vvarg229 vvarg229 mentioned this issue Sep 5, 2023
Merged
@carpawell carpawell mentioned this issue Sep 7, 2023
Merged
roman-khimov added a commit to nspcc-dev/neofs-sdk-go that referenced this issue Sep 7, 2023
@roman-khimov
rm/Do not apply system role access modifications (#515)
4377f59 
See nspcc-dev/neofs-node#2531.
vvarg229 added a commit to vvarg229/neofs-testcases that referenced this issue Sep 7, 2023
@vvarg229
Deprecate System role in EACL nspcc-dev#616
d1484d7 
Removed the System role in EACL and removed the tests related to this role.
The System EACL role leads to a broken container and nothing else and will be
removed in the issue nspcc-dev/neofs-node#2531

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
@carpawell
cli: Do not allow eACL tables with modified SYSTEM role
8e05ab0 
Refs nspcc-dev#2531.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
@carpawell
ir: Do not allow eACL tables with modified SYSTEM role
c3b9483 
Refs nspcc-dev#2531.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
@carpawell
ir: Do not allow eACL tables with modified SYSTEM role
c82e461 
Closes nspcc-dev#2531.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
@carpawell
cli: Do not allow eACL tables with modified SYSTEM role
5c77fc5 
Refs nspcc-dev#2531.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
@cthulhu-rider cthulhu-rider mentioned this issue Sep 8, 2023
Merged
vvarg229 added a commit to vvarg229/neofs-testcases that referenced this issue Sep 14, 2023
@vvarg229
acl: Deprecate System role in eACL nspcc-dev#616
aa90b4d 
Removed changing the System role in EACL and changed the tests related
to this role.
The changing system eACL role leads to a broken container and
nothing else and will be removed in the issue
nspcc-dev/neofs-node#2531

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
vvarg229 added a commit to vvarg229/neofs-testcases that referenced this issue Sep 14, 2023
@vvarg229
acl: Deprecate System role in eACL nspcc-dev#616
d0fee6b 
Removed changing the System role in EACL and changed the tests related
to this role.
The changing system eACL role leads to a broken container and
nothing else and will be removed in the issue
nspcc-dev/neofs-node#2531

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@carpawell carpawell

Labels
config Configuration format update or breaking change enhancement Improving existing functionality neofs-cli NeoFS CLI application issues
Projects
None yet
Milestone
v0.38.0
Development

No branches or pull requests
2 participants
@roman-khimov @carpawell