Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GetObject: can't get object under not owner user even when correct ACL were set #902

Open
evgeniiz321 opened this issue Nov 9, 2023 · 6 comments
Open

GetObject: can't get object under not owner user even when correct ACL were set #902

evgeniiz321 opened this issue Nov 9, 2023 · 6 comments
Labels
blocked Can't be done because of something bug Something isn't working I4 No visible changes S4 Routine U3 Regular

Comments

@evgeniiz321
Copy link

test_object_copy_not_owned_object_bucket

Create bucket
Put object
Put object acl to allow access from a different user
Put bucket acl to allow access from a different user
Try to get object - access denied

2023-11-09T04:10:17.937Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "43e678ea-a540-4d91-9fc8-fb0db759ac1b", "method": "GetObjectACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "foo123bar", "description": "OK"}
2023-11-09T04:10:17.945Z	debug	layer/layer.go:480	get object	{"reqId": "87ec59d6-253d-444f-a9e6-d3a159bb17a4", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "cid": "B4P5iBZ981MvCc3vjuyyiVXZM8HAg4wLzq2MCpPiuTwC", "object": "foo123bar", "oid": "6MPjzkbWEM8SJbK4uU7wz5kQRymMUtTa2mGs3Erf1YPq"}
2023-11-09T04:10:18.964Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "87ec59d6-253d-444f-a9e6-d3a159bb17a4", "method": "PutObjectACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "foo123bar", "description": "OK"}
2023-11-09T04:10:18.982Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "64f2cb68-5aa5-425a-8e85-98234a54599a", "method": "GetBucketACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "", "description": "OK"}
2023-11-09T04:10:20.005Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "e789e26a-9aa7-4eff-a429-e5b327871712", "method": "PutBucketACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "", "description": "OK"}
2023-11-09T04:10:20.016Z	debug	layer/layer.go:480	get object	{"reqId": "8497ff94-c12e-438a-b868-922a4e445d91", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "cid": "B4P5iBZ981MvCc3vjuyyiVXZM8HAg4wLzq2MCpPiuTwC", "object": "foo123bar", "oid": "6MPjzkbWEM8SJbK4uU7wz5kQRymMUtTa2mGs3Erf1YPq"}
2023-11-09T04:10:20.016Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "8497ff94-c12e-438a-b868-922a4e445d91", "method": "GetObjectACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "foo123bar", "description": "OK"}
2023-11-09T04:10:20.026Z	warn	handler/acl.go:1397	invalid permissions	{"subject": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a"}
2023-11-09T04:10:20.026Z	info	api/router.go:165	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "fd46f411-b712-4a5a-9397-eb4aae018234", "method": "GetBucketACL", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "", "description": "OK"}
2023-11-09T04:10:20.043Z	error	handler/util.go:29	call method	{"status": 403, "request_id": "e4d3cc9c-1de8-4d32-9cfb-7ca5069ccc2b", "method": "GetObject", "bucket": "yournamehere-j11jteqzoakk8cxr-1", "object": "foo123bar", "description": "could not find object", "error": "access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"}

Seems like object ACL was not set correctly, this is a response after we set the ACL and received 200 from it:

{'ResponseMetadata': {'RequestId': '8497ff94-c12e-438a-b868-922a4e445d91', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': '8497ff94-c12e-438a-b868-922a4e445d91', 'date': 'Thu, 09 Nov 2023 04:10:20 GMT', 'content-length': '288', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': []}

This is a response from the bucket acl:

{'ResponseMetadata': {'RequestId': 'fd46f411-b712-4a5a-9397-eb4aae018234', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': 'fd46f411-b712-4a5a-9397-eb4aae018234', 'date': 'Thu, 09 Nov 2023 04:10:20 GMT', 'content-length': '567', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': [{'Grantee': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': '033212e20da1a1a36823ccc2d5e13e67e1a4ce4cc5bd1d2ef09beed63b3032e6c9', 'Type': 'CanonicalUser'}, 'Permission': 'WRITE'}]}
@evgeniiz321 evgeniiz321 added bug Something isn't working triage labels Nov 9, 2023
@roman-khimov roman-khimov added this to the v0.30.1 milestone Nov 9, 2023
@roman-khimov roman-khimov added U3 Regular S4 Routine I4 No visible changes labels Dec 20, 2023
@smallhive
Copy link
Contributor

The problem exists and it is interesting place - reading data from tree service. Right now I'm not sure what the problem can be with access and who got the error - requesting user in tree service or tree service from neofs RPC

access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule

@roman-khimov
Copy link
Member

Refs #863.

@smallhive smallhive self-assigned this Jun 19, 2024
@smallhive
Copy link
Contributor

I need an assistance for the issue. There is a log from the gate output for the test.
Note: logs from commands located before the command. I've separated with new line logs for setting EACL.

For me, EACL looks pretty good for successful object get, but the tree service has another opinion about this. The user with pub key 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508 trying to get service, it is not a bucket owner.

Code with log changes

2024-06-19T08:56:09.496+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "3e346396-f1ba-404e-8b83-e66642c32467", "method": "ListBuckets", "bucket": "", "object": "", "description": "OK"}
2024-06-19T08:56:09.517+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "47c996d4-d9b1-4183-b807-287d41a141f1", "method": "ListBuckets", "bucket": "", "object": "", "description": "OK"}
2024-06-19T08:56:09.535+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "1823c039-3c83-4725-9e3f-52fe51e915a6", "method": "ListBuckets", "bucket": "", "object": "", "description": "OK"}
2024-06-19T08:56:09.697+0400    debug   layer/layer.go:370      bucket not found        {"error": "nns get: invocation failed: at instruction 4214 (THROW): unhandled exception: \"token not found\""}
2024-06-19T08:56:11.725+0400    info    handler/put.go:737      bucket is created       {"reqId": "18f29f8a-082d-41a8-92be-f9529cd498c9", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "container_id": "E2VmyxahjX2fA6a4326q5nYdWJnY7fH6szEMAuZQdM6A"}
2024-06-19T08:56:11.725+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "18f29f8a-082d-41a8-92be-f9529cd498c9", "method": "CreateBucket", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "", "description": "OK"}
2024-06-19T08:56:11.779+0400    debug   layer/object.go:261     put object      {"reqId": "caee2fbb-2f29-4f0c-ac3c-650119b74892", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "cid": "E2VmyxahjX2fA6a4326q5nYdWJnY7fH6szEMAuZQdM6A", "object": "foo123bar", "oid": "FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz"}
2024-06-19T08:56:11.786+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "caee2fbb-2f29-4f0c-ac3c-650119b74892", "method": "PutObject", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "foo123bar", "description": "OK"}
2024-06-19T08:56:11.957+0400    debug   layer/layer.go:514      get object      {"reqId": "b1f0920d-d768-47e2-b69a-57d25e9b73fb", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "cid": "E2VmyxahjX2fA6a4326q5nYdWJnY7fH6szEMAuZQdM6A", "object": "foo123bar", "oid": "FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz"}
2024-06-19T08:56:11.957+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "b1f0920d-d768-47e2-b69a-57d25e9b73fb", "method": "GetObjectACL", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "foo123bar", "description": "OK"}
2024-06-19T08:56:11.961+0400    debug   layer/layer.go:514      get object      {"reqId": "f4c4fda0-c7d9-4971-8013-889f6b8eed03", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "cid": "E2VmyxahjX2fA6a4326q5nYdWJnY7fH6szEMAuZQdM6A", "object": "foo123bar", "oid": "FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz"}

2024-06-19T08:56:11.963+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "DELETE", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "PUT", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGEHASH", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGE", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "SEARCH", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "HEAD", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GET", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GET", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "HEAD", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "PUT", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "DELETE", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "SEARCH", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGE", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGEHASH", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee"]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GET", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "HEAD", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "PUT", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "DELETE", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "SEARCH", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GETRANGE", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:11.964+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GETRANGEHASH", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:12.979+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "f4c4fda0-c7d9-4971-8013-889f6b8eed03", "method": "PutObjectACL", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "foo123bar", "description": "OK"}

2024-06-19T08:56:13.058+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "103447cf-37d6-404d-ba23-e1694b535639", "method": "GetBucketACL", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "", "description": "OK"}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "DELETE", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "PUT", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGEHASH", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGE", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "SEARCH", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "HEAD", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GET", "filters": ["key: FilePath, val: foo123bar, from: OBJECT, match: STRING_EQUAL", "key: $Object:objectID, val: FfVjpsUYwEcNeViB85UtF9z3FkUKQPy39yAX7CboKLPz, from: OBJECT, match: STRING_EQUAL"], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GET", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "HEAD", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "PUT", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "DELETE", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "SEARCH", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGE", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "ALLOW", "operation": "GETRANGEHASH", "filters": [], "targets": ["role: ROLE_UNSPECIFIED, keys: 03e8d98e4c95005eec1897deffc584d9c75b65ec3a13108d73b6e85dae3d3b36ee, 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508"]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GET", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "HEAD", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "PUT", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "DELETE", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "SEARCH", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GETRANGE", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:13.065+0400    warn    handler/acl.go:319      set bucket eacl {"action": "DENY", "operation": "GETRANGEHASH", "filters": [], "targets": ["role: OTHERS, keys: "]}
2024-06-19T08:56:15.078+0400    info    api/router.go:182       call method     {"status": 200, "host": "localhost:43963", "request_id": "42d4dbce-1d66-4392-8159-5c7ae8b709b8", "method": "PutBucketACL", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "", "description": "OK"}

pub key requesting data from tree 03fdeb51f7785fb1681678dd7d4cafef375d70dd9c49e7eebb4e27633a94887508
2024-06-19T08:56:18.518+0400    error   handler/util.go:29      call method     {"status": 403, "request_id": "3834c2a2-92d4-4f87-97f3-9d1371bba944", "method": "GetObject", "bucket": "yournamehere-thy1e8bt7qnghib8-1", "object": "foo123bar", "description": "could not find object", "error": "access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"}

@roman-khimov
Copy link
Member

ROLE_UNSPECIFIED vs OTHERS.

@roman-khimov roman-khimov added the blocked Can't be done because of something label Jun 19, 2024
@roman-khimov
Copy link
Member

Tree service request is created by the gateway, so all ACLs go south immediately and we don't want to fix this.

@roman-khimov roman-khimov removed this from the v0.30.1 milestone Jun 19, 2024
@roman-khimov
Copy link
Member

We're likely to have a similar problem with nspcc-dev/neofs-node#2878 anyway. HEADs are required for proper meta processing and S3 gateways need to have access to this data. Potential solutions:

  • EACLs with gateway keys (which can grow and are not easy to manage)
  • separate per-container "service node list" that is treated the same way as container nodes (security?)
  • others?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked Can't be done because of something bug Something isn't working I4 No visible changes S4 Routine U3 Regular
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@evgeniiz321 @smallhive @roman-khimov