Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid behavior with numeric eacl rules #2785

Closed
evgeniiz321 opened this issue Mar 27, 2024 · 0 comments
Closed

Invalid behavior with numeric eacl rules #2785

evgeniiz321 opened this issue Mar 27, 2024 · 0 comments
Assignees
@cthulhu-rider
Labels
bug Something isn't working I4 No visible changes S4 Routine U1 Critically important to resolve quickly
Milestone
v0.41.0

Comments

@evgeniiz321
Copy link

  1. Get object before setting eacl, note numeric_value=1:
[MainThread] 2024-03-27 14:09:01 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml object get --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE' --oid 'DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs' --file 'TemporaryDir/TestObjectsDir/6a831f99-4104-4a37-a228-52932118158c' --no-progress
Success:
return code: 0
Output: [TemporaryDir/TestObjectsDir/6a831f99-4104-4a37-a228-52932118158c] Object successfully saved
ID: DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs
CID: FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE
Owner: NaanBGnLueT9XKbAe2nqbbyFVYoGbPBEmY
CreatedAt: 2
Size: 1000
HomoHash: 0f0e7802dcf9531f6360758fb5939e9f6c9c6923fb9f9e6474f9ea02772d6c1328a73f517e29b3574a3afa4497ac322c697ec331113eebcd6a343dcdb08b9c51
Checksum: cfb1afaa258ee2645c4e17715b77973779d39bcf33972a18adf047762c589000
Type: REGULAR
Attributes:
  numeric_value=1
  FileName=eb979069-f103-4c90-ab29-15714751ded1
  Timestamp=1711548539 (2024-03-27 14:08:59 +0000 UTC)
ID signature:
  public key: 02fcc6c7bbf9df0bb3ab13f58965cdeafa9d1e2dfde9410f34d4edf23a84ada121
  signature: 04d3c9f75fef144234a04e9376e67c347fa1a6ac91a764976c3d084b882a65714ccb957b63d17ddcb9629bfbe8a06c4e5cdf460e04fdfa21a81b660bf554efa654
  1. Set eacl with rule --rule 'deny get obj:numeric_value<0 user':
[MainThread] 2024-03-27 14:09:33 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml container get-eacl --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE'
Success:
return code: 0
Output: eACL:
{
  "version": {
    "major": 2,
    "minor": 13
  },
  "containerID": {
    "value": "0qP36XzpUj2eqdOsotUY+yMmxFWKmFO7FjkOPbkIXLc="
  },
  "records": [
    {
      "operation": "GET",
      "action": "DENY",
      "filters": [
        {
          "headerType": "OBJECT",
          "matchType": "NUM_LT",
          "key": "numeric_value",
          "value": "0"
        }
      ],
      "targets": [
        {
          "role": "USER",
          "keys": []
        }
      ]
    }
  ]
}
  1. Try to get object with numeric_value=1
[MainThread] 2024-03-27 14:09:33 [INFO] Command: neofs-cli --config /home/ezayats/neofs-testcases/wallet_config.yml object get --rpc-endpoint 'localhost:46681' --wallet '/home/ezayats/neofs-testcases/TemporaryDir/beefc0c3-5083-48fe-a29a-08b643d0a8c4.json' --cid 'FBFdbkXrC5a2Ppch4GtQGcCNE8qHvVB9cnwjvtruMGLE' --oid 'DnpbFksXtStw4xvvFwNu5vxnreZxz8Yxixktr3QtC9qs' --file 'TemporaryDir/TestObjectsDir/937f9170-ea3a-4ca4-9480-0d620e6e5ad9' --no-progress
Error:
return code: 2
Output: rpc error: init object reading on client: header: status: code = 2048 message = access to object operation denied: access to operation OBJECT_GET is denied by extended ACL check: denied by rule

Expected Behavior

Get object with numeric_value=1 should be allowed with --rule 'deny get obj:numeric_value<0 user'

Current Behavior

Get object with numeric_value=1 is not allowed with --rule 'deny get obj:numeric_value<0 user'
@evgeniiz321 evgeniiz321 added the bug Something isn't working label Mar 27, 2024
@cthulhu-rider cthulhu-rider self-assigned this Mar 27, 2024
@roman-khimov roman-khimov added U1 Critically important to resolve quickly S4 Routine I4 No visible changes labels Mar 27, 2024
@roman-khimov roman-khimov added this to the v0.41.0 milestone Mar 27, 2024
@cthulhu-rider cthulhu-rider mentioned this issue Mar 27, 2024
Merged
cthulhu-rider added a commit that referenced this issue Mar 27, 2024
@cthulhu-rider
node/eacl: Fix incorrect numeric rules' matching on access validation
1ebc474 
Previously, storage nodes calculated action for eACL with numeric rules
incorrectly. This was caused by inverted comparison of filter and object
header values. For example, if rule is applied only to 'attr < 0',
the rule was applied to objects with 'attr = 1' and not applied to
objects with 'attr = -1'.

Now condition is inverted and numeric rules are matched correctly.

Fixes #2785. Refs #2742.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
@cthulhu-rider cthulhu-rider mentioned this issue Mar 27, 2024
Closed
roman-khimov added a commit to nspcc-dev/neofs-sdk-go that referenced this issue Mar 27, 2024
@roman-khimov
Fix numeric eACL processing (#573)
bed3d59 
* nspcc-dev/neofs-node#2785
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cthulhu-rider cthulhu-rider

Labels
bug Something isn't working I4 No visible changes S4 Routine U1 Critically important to resolve quickly
Projects
None yet
Milestone
v0.41.0
Development

Successfully merging a pull request may close this issue.

Fix numeric eACL processing nspcc-dev/neofs-node
3 participants
@evgeniiz321 @roman-khimov @cthulhu-rider