Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

getrangehash doesn't work with a bearer token created via cli #2541

Closed
evgeniiz321 opened this issue Sep 1, 2023 · 0 comments · Fixed by #2557
Closed

getrangehash doesn't work with a bearer token created via cli #2541

evgeniiz321 opened this issue Sep 1, 2023 · 0 comments · Fixed by #2557
Assignees
Labels
bug Something isn't working neofs-cli NeoFS CLI application issues
Milestone

Comments

@evgeniiz321
Copy link

evgeniiz321 commented Sep 1, 2023

Related to nspcc-dev/neofs-testcases#621

Current Behavior

  1. Create bearer token via cli with acl for all possible operations (including getrange and getrangehash)
COMMAND: neofs-cli --config /home/runner/work/neofs-node/neofs-node/neofs-testcases/wallet_config.yml acl extended create --cid 'HMVBh53JLaPF38Ztca3TQKfgjPwvFhBto1bSeREjfyiy' --out '/home/runner/work/neofs-node/neofs-node/neofs-testcases/TemporaryDir/TestFilesDir/eacl_table_82a063fd-c6af-4a9c-905f-979d1de560ec.json' --rule 'allow put  user' --rule 'allow get  user' --rule 'allow head  user' --rule 'allow getrange  user' --rule 'allow getrangehash  user' --rule 'allow search  user' --rule 'allow delete  user'
RETCODE: 0

STDOUT:

STDERR:

Start / End / Elapsed	 20:52:03.805656 / 20:52:03.819742 / 0:00:00.014086
COMMAND: neofs-cli --config /home/runner/work/neofs-node/neofs-node/neofs-testcases/wallet_config.yml bearer create --issued-at 1 --not-valid-before 1 --owner 'NhZpLSTpJpEaANA9xHSLRMmnWJKYWnR9z9' --out '/home/runner/work/neofs-node/neofs-node/neofs-testcases/TemporaryDir/TestFilesDir/bearer_token_e95282b4-3ab9-4db3-8f86-1dd8a64694d6' --rpc-endpoint 's01.neofs.devenv:8080' --eacl '/home/runner/work/neofs-node/neofs-node/neofs-testcases/TemporaryDir/TestFilesDir/eacl_table_82a063fd-c6af-4a9c-905f-979d1de560ec.json' --expire-at 9
RETCODE: 0

STDOUT:

STDERR:

Start / End / Elapsed	 20:52:03.820697 / 20:52:03.831152 / 0:00:00.010455
  1. Try to issue getrangehash:
COMMAND: neofs-cli --config /home/runner/work/neofs-node/neofs-node/neofs-testcases/wallet_config.yml object hash --rpc-endpoint 's01.neofs.devenv:8080' --wallet '/home/runner/work/neofs-node/neofs-node/neofs-testcases/TemporaryDir/e768c827-812f-4a8c-9090-c52a3b7047ed.json' --cid 'HMVBh53JLaPF38Ztca3TQKfgjPwvFhBto1bSeREjfyiy' --oid '27wMEkckZ2VUAEtu3bLWymTabDn7Rw6BANvKss5jwt2r' --bearer '/home/runner/work/neofs-node/neofs-node/neofs-testcases/TemporaryDir/TestFilesDir/bearer_token_e95282b4-3ab9-4db3-8f86-1dd8a64694d6' --range '0:10'
RETCODE: 1

STDOUT:
rpc error: read payload hashes via client: status: code = 2049 message = object not found

STDERR:

Start / End / Elapsed	 20:52:08.234392 / 20:52:08.751591 / 0:00:00.517199

In logs there are the following entries at the time of the failure:

2023-08-30T20:51:54.306Z	debug	get/get.go:87	serving request...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.306Z	debug	get/local.go:25	local get failed	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "status: code = 2049 message = object not found"}
2023-08-30T20:51:54.306Z	debug	get/get.go:108	operation finished with error	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "status: code = 2049 message = object not found"}
2023-08-30T20:51:54.306Z	debug	get/container.go:18	trying to execute in container...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "netmap lookup depth": 0}
2023-08-30T20:51:54.306Z	debug	get/container.go:46	process epoch	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "number": 7}
2023-08-30T20:51:54.306Z	debug	get/remote.go:13	processing node...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.311Z	debug	get/container.go:87	completing the operation	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.311Z	debug	get/get.go:99	operation finished successfully	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.787Z	debug	get/get.go:87	serving request...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.787Z	debug	get/local.go:25	local get failed	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "status: code = 2049 message = object not found"}
2023-08-30T20:51:54.787Z	debug	get/get.go:108	operation finished with error	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "status: code = 2049 message = object not found"}
2023-08-30T20:51:54.787Z	debug	get/container.go:18	trying to execute in container...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "netmap lookup depth": 0}
2023-08-30T20:51:54.787Z	debug	get/container.go:46	process epoch	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "number": 7}
2023-08-30T20:51:54.787Z	debug	get/remote.go:13	processing node...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.792Z	debug	get/remote.go:29	remote call failed	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "init object reading: header: status: code = 2048 message = access to object operation denied"}
2023-08-30T20:51:54.792Z	debug	get/remote.go:13	processing node...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.826Z	debug	get/remote.go:29	remote call failed	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "init object reading: header: status: code = 2048 message = access to object operation denied"}
2023-08-30T20:51:54.826Z	debug	get/remote.go:13	processing node...	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.836Z	debug	get/remote.go:29	remote call failed	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "init object reading: header: status: code = 2048 message = access to object operation denied"}
2023-08-30T20:51:54.836Z	debug	get/container.go:63	no more nodes, abort placement iteration	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true}
2023-08-30T20:51:54.836Z	debug	get/get.go:108	operation finished with error	{"component": "Object.Get service", "request": "GET_RANGE", "address": "AT95KqvYRw3AC1cCmPJdxwYAcXDJGFLv89rZaZKsmJk3/CdrUYtHAuDDzFF8iw4mAgN2qqb8SDKPo8Gpyg12Ree2k", "raw": false, "local": false, "with session": false, "with bearer": true, "error": "status: code = 2049 message = object not found"}

Expected Behavior

The command should work with this bearer token. All other operations work ok.

Steps to Reproduce

  1. Allure, test_bearer_token_expiration - allure.tar.gz

Regression

(No)

Your Environment

Run on current latest master of neofs-node - 9871712

@roman-khimov roman-khimov added bug Something isn't working neofs-cli NeoFS CLI application issues and removed triage labels Sep 1, 2023
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 7, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
@roman-khimov roman-khimov added this to the v0.39.0 milestone Sep 12, 2023
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 14, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 21, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Sep 21, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to carpawell/neofs-node that referenced this issue Oct 23, 2023
Do it as it is already done for GET, HEAD, GETRANGE. In the case of a container
node that does not have an object locally, the node spawns GETRANGE request in
order to hash it. That is not allowed operation in the NeoFS. Even with nspcc-dev#1884,
GET may fail because the node may not be a container part. Moreover, attached
bearer token is not allowed for the node's key usage so that is another way to
get unexpected results. Forwarding requests is the only sane fix for the nspcc-dev#2541.
The code smells but this is not this commit's responsibility: it is hard to fix
that bug nicely without a get service refactor.
Closes nspcc-dev#2541.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working neofs-cli NeoFS CLI application issues
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants