Default bearer rules contain mutually opposite rules #387

New issue

Closed

opened 2025-12-28 17:37:12 +00:00 by sami · 0 comments

sami commented 2025-12-28 17:37:12 +00:00

Owner

Copy link

Originally created by @cthulhu-rider on GitHub (Sep 13, 2023).

Originally assigned to: @smallhive on GitHub.

according to Authmate docs, it generates following bearer access rules:

{
    "records": [
       {"operation": "GET", "action": "ALLOW", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},

       {"operation": "GET", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "HEAD", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "PUT", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "DELETE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "SEARCH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "GETRANGE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
       {"operation": "GETRANGEHASH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}
    ]
}

as we can see, first two rules are similar and have opposite actions. According to the NeoFS protocol, only the 1st record will be processed, and the 2nd will always be ignored (so it's redundant).

Code matches docs
nspcc-dev/neofs-s3-gw@49d12472ae/authmate/authmate.go (L315-L344)

i propose to get rid of no-op record

Originally created by @cthulhu-rider on GitHub (Sep 13, 2023). Originally assigned to: @smallhive on GitHub. according to Authmate [docs](https://github.com/nspcc-dev/neofs-s3-gw/blob/v0.28.2/docs/authmate.md#bearer-tokens), it generates following bearer access rules: ```json { "records": [ {"operation": "GET", "action": "ALLOW", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "GET", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "HEAD", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "PUT", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "DELETE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "SEARCH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "GETRANGE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}, {"operation": "GETRANGEHASH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]} ] } ``` as we can see, first two rules are similar and have opposite actions. According to the NeoFS protocol, only the 1st record will be processed, and the 2nd will always be ignored (so it's redundant). Code matches docs https://github.com/nspcc-dev/neofs-s3-gw/blob/49d12472aeaeecd4db1ee44dc5c8bac42dd9f940/authmate/authmate.go#L315-L344 i propose to get rid of no-op record

sami 2025-12-28 17:37:12 +00:00

• closed this issue
• added the
  bug
  auth-mate
  U4
  I4
  S3
  labels

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

1255-session-token-v2

new-get

logger

experimental/unsigned-responses

experimental/get-perf

debugprint

ezayats/bump-s3-tests

955-after-a-parallel-deletion-of-versioned-objects-list-objects-returns-info-about-them

v0.42.0

v0.41.5

v0.41.4

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.1

v0.36.0

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.1

v0.30.0

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.1

v0.26.0

v0.25.1

v0.25.0

v0.24.0

v0.23.0

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.17.0-rc.1

v0.16.0

v0.15.1-pre

v0.15.0

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0-rc.3

v0.12.0-rc.2

v0.12.0-rc.1

Labels

Clear labels   

I2

  

I2

  

I3

  

I4

  

S2

  

S3

  

S4

  

S4

  

U0

  

U1

  

U2

  

U2

  

U3

  

U4

  

U4

  

auth-mate

  

blocked

  

bug

  

config

  

dependencies

  

discussion

  

documentation

  

enhancement

  

epic

  

feature

  

go

  

good first issue

  

help wanted

  

performance

  

question

  

security

  

test

  

tree-service

  

tree-service

No labels

I2

I2

I3

I4

S2

S3

S4

S4

U0

U1

U2

U2

U3

U4

U4

auth-mate

blocked

bug

config

dependencies

discussion

documentation

enhancement

epic

feature

go

good first issue

help wanted

performance

question

security

test

tree-service

tree-service

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

nspcc-dev/neofs-s3-gw#387

No description provided.