eacl: Support new operators #2742
Conversation
cthulhu-rider
force-pushed
the
feature/eacl-new-matchers
branch
3 times, most recently
from
857a08b
to
30eeb6c
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2742 +/- ##
==========================================
- Coverage 29.05% 28.71% -0.35%
==========================================
Files 414 427 +13
Lines 32448 33184 +736
==========================================
+ Hits 9428 9528 +100
- Misses 22168 22801 +633
- Partials 852 855 +3 ☔ View full report in Codecov by Sentry. |
cthulhu-rider
force-pushed
the
feature/eacl-new-matchers
branch
4 times, most recently
from
14a4a1c
to
df54b5b
Compare
cthulhu-rider
requested review from
roman-khimov and
carpawell
as code owners
cthulhu-rider
force-pushed
the
feature/eacl-new-matchers
branch
from
df54b5b
to
6f9457e
Compare
| for _, record := range t.Records() { | ||
| for _, target := range record.Targets() { | ||
| if target.Role() == eacl.RoleSystem { | ||
| return errors.New("it is prohibited to modify system access") | ||
| } | ||
| } | ||
| for _, f := range record.Filters() { | ||
| //nolint:exhaustive |
There was a problem hiding this comment.
not two ifs cuz more than 2 values, not default cuz it'd be empty. IMO that's not the case where linter suggests smth meaningful
There was a problem hiding this comment.
not two ifs cuz more than 2 values
every case has return, still can be with ifs
not default cuz it'd be empty
more regular expression for a regular go reader (even more if a comment is just nolint without some real comment). both are one line long (deafult always shorter)
There was a problem hiding this comment.
well, can be merged, but i do not understand it (not disagree just don't understand why it is easier to do than one of my suggestion)
There was a problem hiding this comment.
more regular expression for a regular go reader
empty default is useless and always skipped, that's what i see as a regular Go reader
| @@ -30,6 +32,9 @@ raw binaries. All binaries have OS in their names as well now, following | |||
| regular naming used throughout NSPCC, so instead of neofs-cli-amd64 you get | |||
| neofs-cli-linux-amd64 now. | |||
|
|
|||
| CLI command `acl extended create` changed and extended input format for filters. | |||
| For example, `attr>=100` or `attr=` are now processed differently. See `-h` for details. | |||
There was a problem hiding this comment.
"See -h"? see help? use -h flag?
There was a problem hiding this comment.
see help text
There was a problem hiding this comment.
-h prints help text that u can see
There was a problem hiding this comment.
i mean i cant remember i saw somewhere "see -h". it is usually "see help" or "use -h flag for details"
There was a problem hiding this comment.
i bet anybody will understand what is this about
Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
NeoFS protocol was recently extended with NULL and numeric eACL operators. Now storage nodes support corresponding filters in eACL checks (indirectly covered by NeoFS SDK upgrade). IR validates format of such filters according to the protocol. Refs #2730. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
New ops are coming, with this it'll be easier to change the code. Also add unit tests. Refs #2730. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
NeoFS protocol was recently extended with NULL and numeric eACL operators. Now `neofs-cli acl extended create` command: * treats input like `attr>=value` as numeric filter; * treats input like `obj:attr=` (empty value) as missing attribute filter. The `print` command now also supports these ops. `NOT_PRESENT` matcher is printed as `attr NULL`. Refs #2730. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
cthulhu-rider
force-pushed
the
feature/eacl-new-matchers
branch
from
6f9457e
to
1c874e0
Compare
Previously, storage nodes calculated action for eACL with numeric rules incorrectly. This was caused by inverted comparison of filter and object header values. For example, if rule is applied only to 'attr < 0', the rule was applied to objects with 'attr = 1' and not applied to objects with 'attr = -1'. Now condition is inverted and numeric rules are matched correctly. Fixes #2785. Refs #2742. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
all ready, waiting for SDK merge