Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bearer token issuer key to owner transformation #483

Closed
alexvanin opened this issue Jun 1, 2022 · 3 comments
Closed

Bearer token issuer key to owner transformation #483

alexvanin opened this issue Jun 1, 2022 · 3 comments
Labels
blocked Can't be done because of something bug Something isn't working I3 Minimal impact S3 Minimally significant U4 Nothing urgent

Comments

@alexvanin
Copy link
Contributor

alexvanin commented Jun 1, 2022
edited
Loading

Kudos to @cthulhu-rider

S3 Gateway uses Issuer() public key of bearer token to obtain user ID of the token owner. This token owner is set as owner of all produced objects. The same way Issuer() public key of session token is used to create new bucket. Meanwhile, NeoFS supports (at least partially) public key binding with owner, see neofsid contract.

Object

Consider owner with key X which produces Foo user ID and bound key Y which produces Bar user ID. Bearer token may be issued with the key Y. Then all produced object will have Bar in owner field. We need to decide if this is expected behavior for S3 Gateway.
Additionally:

  • owner field is mostly informative in objects and doesn't involve in any ACL checks; it is only checked when container has sticky bit in basic ACL
  • object owner field is not processed by S3 (check?), so while ACLs on NeoFS side are okay, then we don't care about owner field from S3 point of view.

Possible solutions:

  • ignore it and keep setting Bar user ID in produced objects
  • find original user ID from Issuer key (how?)

Container

The same can happen with session token to create new bucket/container. It is a bit more complicated, because container owner is involved in ACL checks.

Questions there: how we expect NeoFS to process container ownership when it is created with a session token signed by Y key. I see two options there:

  • at container creation stage client should set Foo as owner and Alphabet nodes check connection between Foo user ID and Y key; if they are related, approve container,
  • create container with Bar owner and check ownership during ACL checks.
@alexvanin alexvanin mentioned this issue Jun 1, 2022
Open
@alexvanin
Copy link
Contributor Author

We can discuss and make a decision there. However the issue is going to be blocked until NeoFS fully supports bound keys.

@cthulhu-rider
Copy link
Contributor

Seems like we can do nothing with it in multi-bucket operations (like ListBuckets): bearer token doesn't contain specific issuer ID, so we can only resolve it from signing key.

@roman-khimov roman-khimov added bug Something isn't working U4 Nothing urgent S3 Minimally significant I3 Minimal impact and removed triage labels Dec 20, 2023
@roman-khimov
Copy link
Member

Obsoleted by nspcc-dev/neofs-api#266 (which is already in the protocol). And nspcc-dev/neofs-api#305 will make it totally irrelevant.

@roman-khimov roman-khimov closed this as not planned Won't fix, can't repro, duplicate, stale Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked Can't be done because of something bug Something isn't working I3 Minimal impact S3 Minimally significant U4 Nothing urgent
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alexvanin @roman-khimov @cthulhu-rider