Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

eacl: Support new operators #2742

Merged
merged 4 commits into from
Feb 29, 2024
Merged

eacl: Support new operators #2742

merged 4 commits into from
Feb 29, 2024

Conversation

cthulhu-rider
Copy link
Contributor

@cthulhu-rider cthulhu-rider commented Feb 14, 2024

all ready, waiting for SDK merge

@cthulhu-rider cthulhu-rider force-pushed the feature/eacl-new-matchers branch 3 times, most recently from 857a08b to 30eeb6c Compare February 15, 2024 09:03
Copy link

codecov bot commented Feb 15, 2024

Codecov Report

Attention: Patch coverage is 79.41176% with 14 lines in your changes are missing coverage. Please review.

Project coverage is 28.71%. Comparing base (28b122a) to head (1c874e0).

Files Patch % Lines
cmd/neofs-cli/modules/util/acl.go 76.78% 13 Missing ⚠️
pkg/innerring/processors/container/process_eacl.go 91.66% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2742      +/-   ##
==========================================
- Coverage   29.05%   28.71%   -0.35%     
==========================================
  Files         414      427      +13     
  Lines       32448    33184     +736     
==========================================
+ Hits         9428     9528     +100     
- Misses      22168    22801     +633     
- Partials      852      855       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cthulhu-rider cthulhu-rider force-pushed the feature/eacl-new-matchers branch 4 times, most recently from 14a4a1c to df54b5b Compare February 22, 2024 06:15
@cthulhu-rider cthulhu-rider marked this pull request as ready for review February 22, 2024 06:21
@cthulhu-rider cthulhu-rider force-pushed the feature/eacl-new-matchers branch from df54b5b to 6f9457e Compare February 26, 2024 11:19
CHANGELOG.md Show resolved Hide resolved
for _, record := range t.Records() {
for _, target := range record.Targets() {
if target.Role() == eacl.RoleSystem {
return errors.New("it is prohibited to modify system access")
}
}
for _, f := range record.Filters() {
//nolint:exhaustive
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not two ifs or default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not two ifs cuz more than 2 values, not default cuz it'd be empty. IMO that's not the case where linter suggests smth meaningful

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not two ifs cuz more than 2 values

every case has return, still can be with ifs

not default cuz it'd be empty

more regular expression for a regular go reader (even more if a comment is just nolint without some real comment). both are one line long (deafult always shorter)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well, can be merged, but i do not understand it (not disagree just don't understand why it is easier to do than one of my suggestion)

Copy link
Contributor Author

@cthulhu-rider cthulhu-rider Feb 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

more regular expression for a regular go reader

empty default is useless and always skipped, that's what i see as a regular Go reader

@@ -30,6 +32,9 @@ raw binaries. All binaries have OS in their names as well now, following
regular naming used throughout NSPCC, so instead of neofs-cli-amd64 you get
neofs-cli-linux-amd64 now.

CLI command `acl extended create` changed and extended input format for filters.
For example, `attr>=100` or `attr=` are now processed differently. See `-h` for details.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"See -h"? see help? use -h flag?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see help text

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-h prints help text that u can see

Copy link
Member

@carpawell carpawell Feb 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i mean i cant remember i saw somewhere "see -h". it is usually "see help" or "use -h flag for details"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i bet anybody will understand what is this about

cmd/neofs-cli/modules/util/acl.go Show resolved Hide resolved
NeoFS protocol was recently extended with NULL and numeric eACL
operators. Now storage nodes support corresponding filters in eACL
checks (indirectly covered by NeoFS SDK upgrade). IR validates format
of such filters according to the protocol.

Refs #2730.

Signed-off-by: Leonard Lyubich <[email protected]>
New ops are coming, with this it'll be easier to change the code. Also
add unit tests.

Refs #2730.

Signed-off-by: Leonard Lyubich <[email protected]>
NeoFS protocol was recently extended with NULL and numeric eACL
operators. Now `neofs-cli acl extended create` command:
 * treats input like `attr>=value` as numeric filter;
 * treats input like `obj:attr=` (empty value) as missing attribute filter.

The `print` command now also supports these ops. `NOT_PRESENT` matcher
is printed as `attr NULL`.

Refs #2730.

Signed-off-by: Leonard Lyubich <[email protected]>
@cthulhu-rider cthulhu-rider force-pushed the feature/eacl-new-matchers branch from 6f9457e to 1c874e0 Compare February 29, 2024 07:07
@cthulhu-rider cthulhu-rider merged commit e76e53d into master Feb 29, 2024
14 of 16 checks passed
@cthulhu-rider cthulhu-rider deleted the feature/eacl-new-matchers branch February 29, 2024 07:28
cthulhu-rider added a commit that referenced this pull request Mar 27, 2024
Previously, storage nodes calculated action for eACL with numeric rules
incorrectly. This was caused by inverted comparison of filter and object
header values. For example, if rule is applied only to 'attr < 0',
the rule was applied to objects with 'attr = 1' and not applied to
objects with 'attr = -1'.

Now condition is inverted and numeric rules are matched correctly.

Fixes #2785. Refs #2742.

Signed-off-by: Leonard Lyubich <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants