diff --git a/cloud/filestore/config/server.proto b/cloud/filestore/config/server.proto
index 0ed9ae3c0ed..291f9e3d82e 100644
--- a/cloud/filestore/config/server.proto
+++ b/cloud/filestore/config/server.proto
@@ -52,6 +52,9 @@ message TServerConfig
 // Unix-socket details.
 optional string UnixSocketPath = 17;
 optional uint32 UnixSocketBacklog = 18;
+
+ // List of actions served by the server without authorization.
+ repeated string ActionsNoAuth = 19;
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/cloud/filestore/libs/daemon/server/bootstrap.cpp b/cloud/filestore/libs/daemon/server/bootstrap.cpp
index ff5c2ef0b03..13b891ac9b6 100644
--- a/cloud/filestore/libs/daemon/server/bootstrap.cpp
+++ b/cloud/filestore/libs/daemon/server/bootstrap.cpp
@@ -141,7 +141,8 @@ void TBootstrapServer::InitKikimrService()
 Service = CreateAuthService(
 std::move(Service),
- CreateKikimrAuthProvider(ActorSystem));
+ CreateKikimrAuthProvider(ActorSystem),
+ Configs->ServerConfig->GetActionsNoAuth());
 STORAGE_INFO("AuthService initialized");
 }
diff --git a/cloud/filestore/libs/endpoint/service_auth.cpp b/cloud/filestore/libs/endpoint/service_auth.cpp
index 0de8e866a37..9c83e3c7e5e 100644
--- a/cloud/filestore/libs/endpoint/service_auth.cpp
+++ b/cloud/filestore/libs/endpoint/service_auth.cpp
@@ -72,7 +72,7 @@ class TAuthService final
 {
 const auto& headers = request->GetHeaders();
 const auto& internal = headers.GetInternal();
- auto permissions = GetRequestPermissions(*request);
+ auto permissions = GetRequestPermissions(*request, {});
 bool needAuth = AuthProvider->NeedAuth(
 internal.GetRequestSource(),
diff --git a/cloud/filestore/libs/server/config.cpp b/cloud/filestore/libs/server/config.cpp
index 0cf32aa38a3..a6bdfcab145 100644
--- a/cloud/filestore/libs/server/config.cpp
+++ b/cloud/filestore/libs/server/config.cpp
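Review bot: The comment on the new `ActionsNoAuth` field in server.proto does not say how entries are matched, yet the consumer in auth_scheme.cpp lower-cases the request's action name and then looks it up verbatim, so an entry written as `GetStorageConfigFields` would never match and the exemption would silently not apply. The comment should also make explicit that a listed action skips the authorization check entirely rather than needing a reduced permission set. Suggested wording: `// Actions (lower-case names) that ExecuteAction serves without any authorization check.`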
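Review bot: In bootstrap.cpp the list of actions exempted from authorization is now handed to the auth service, but the only startup trace is the unchanged `STORAGE_INFO("AuthService initialized")`; since this setting disables an authorization check, the effective list should be visible in the log so an operator can audit it. For example `STORAGE_INFO("AuthService initialized, actions without auth: " << JoinSeq(",", Configs->ServerConfig->GetActionsNoAuth()));`, or a separate line emitted only when the list is non-empty. InitKikimrService starts before the hunk.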
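Review bot: In endpoint/service_auth.cpp the call passes a literal `{}`, so the endpoint-side TAuthService never exempts any action while the service-side one takes the list from ServerConfig; if that asymmetry is intended, it deserves a comment so the empty list is not later "fixed" to read the same config. Suggested: `// Endpoint requests get no ActionsNoAuth exemption; always compute full permissions.` The enclosing method starts and ends outside the hunk.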
@@ -36,6 +36,8 @@ constexpr TDuration Seconds(int s)
 xxx(Certs, TVector, {} )\
 xxx(UnixSocketPath, TString, {} )\
 xxx(UnixSocketBacklog, ui32, 16 )\
+ \
+ xxx(ActionsNoAuth, TVector, {} )\
 // FILESTORE_SERVER_CONFIG
 #define FILESTORE_SERVER_DECLARE_CONFIG(name, type, value) \
@@ -71,6 +73,17 @@ TVector ConvertValue(
 return v;
 }
+template <>
+TVector ConvertValue(
+ const google::protobuf::RepeatedPtrField& value)
+{
+ TVector v;
+ for (const auto& x : value) {
+ v.push_back(x);
+ }
+ return v;
+}
+
 template
 bool IsEmpty(const T& t)
 {
@@ -105,6 +118,17 @@ void DumpImpl(const TVector& value, IOutputStream& os)
 }
 }
+template <>
+void DumpImpl(const TVector& value, IOutputStream& os)
+{
+ for (size_t i = 0; i < value.size(); ++i) {
+ if (i) {
+ os << ",";
+ }
+ os << value[i];
+ }
+}
+
 } // namespace
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/cloud/filestore/libs/server/config.h b/cloud/filestore/libs/server/config.h
index d9474a087bc..f59228d0181 100644
--- a/cloud/filestore/libs/server/config.h
+++ b/cloud/filestore/libs/server/config.h
@@ -55,6 +55,8 @@ class TServerConfig
 TString GetUnixSocketPath() const;
 ui32 GetUnixSocketBacklog() const;
+
+ TVector GetActionsNoAuth() const;
+
 const NProto::TServerConfig& GetProto() const
 {
 return ProtoConfig;
diff --git a/cloud/filestore/libs/service/auth_scheme.cpp b/cloud/filestore/libs/service/auth_scheme.cpp
index 9195c3ad3dd..d2ea01b3c35 100644
--- a/cloud/filestore/libs/service/auth_scheme.cpp
+++ b/cloud/filestore/libs/service/auth_scheme.cpp
@@ -99,7 +99,8 @@ TPermissionList GetRequestPermissions(EFileStoreRequest requestType)
 }
 TPermissionList GetRequestPermissions(
- const NProto::TExecuteActionRequest& request)
+ const NProto::TExecuteActionRequest& request,
+ const TVector& actionsNoAuth)
 {
 TString action = request.GetAction();
 action.to_lower();
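Review bot: The `ConvertValue` specialization added in config.cpp grows the vector one `push_back` at a time without reserving; `v.reserve(value.size());` before the loop, or simply `return TVector<TString>(value.begin(), value.end());` (the loop already relies on the same element conversion), avoids the reallocations. Neither affects behaviour, so this is a style point only.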
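Review bot: The `DumpImpl` specialization in config.cpp hand-rolls a comma join with an index loop and `if (i)`; `os << JoinSeq(",", value);` expresses the same output in one line and avoids the implicit size_t-to-bool test. If the loop is kept, `if (i != 0)` reads more clearly than `if (i)`.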
@@ -108,6 +109,10 @@ TPermissionList GetRequestPermissions(
 return std::pair {name, std::move(lst)};
 };
+ if (!!FindPtr(actionsNoAuth, action)) {
+ return TPermissionList();
+ }
+
 static const THashMap actions = {
 // Get
 perms("getstorageconfigfields", CreatePermissionList({EPermission::Get})),
diff --git a/cloud/filestore/libs/service/auth_scheme.h b/cloud/filestore/libs/service/auth_scheme.h
index ff8249eae85..4c7ae0d2ee0 100644
--- a/cloud/filestore/libs/service/auth_scheme.h
+++ b/cloud/filestore/libs/service/auth_scheme.h
@@ -14,13 +14,15 @@ namespace NCloud::NFileStore {
 TPermissionList GetRequestPermissions(EFileStoreRequest requestType);
 template
-TPermissionList GetRequestPermissions(const T& request)
+TPermissionList GetRequestPermissions(
+ const T& request,
+ const TVector& actionsNoAuth)
 {
- Y_UNUSED(request);
+ Y_UNUSED(request, actionsNoAuth);
 return GetRequestPermissions(GetFileStoreRequest());
 }
 TPermissionList GetRequestPermissions(
- const NProto::TExecuteActionRequest& request);
+ const NProto::TExecuteActionRequest& request, const TVector& actionsNoAuth);
 } // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service/service_auth.cpp b/cloud/filestore/libs/service/service_auth.cpp
index b1ac2157b47..c163a51d337 100644
--- a/cloud/filestore/libs/service/service_auth.cpp
+++ b/cloud/filestore/libs/service/service_auth.cpp
@@ -22,13 +22,16 @@ class TAuthService final
 private:
 const IFileStoreServicePtr Service;
 const IAuthProviderPtr AuthProvider;
+ const TVector ActionsNoAuth;
 public:
 TAuthService(
 IFileStoreServicePtr service,
- IAuthProviderPtr authProvider)
+ IAuthProviderPtr authProvider,
+ TVector actionsNoAuth)
 : Service(std::move(service))
 , AuthProvider(std::move(authProvider))
+ , ActionsNoAuth(std::move(actionsNoAuth))
 {}
 void Start() override
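Review bot: In auth_scheme.cpp the early return compares the already lower-cased `action` against the configured entries verbatim, so a mixed-case entry in ActionsNoAuth is silently ignored (fail-closed, but the operator gets no indication that the exemption is inactive). Either normalize the entries when the config is loaded or compare case-insensitively here, e.g. `if (AnyOf(actionsNoAuth, [&](const TString& a) { return AsciiEqualsIgnoreCase(a, action); }))`; either way the `!!` in `!!FindPtr(...)` is redundant in a condition. Returning an empty TPermissionList presumably is what makes the provider skip authorization, but that contract lives in NeedAuth outside this diff, so state it above the return: `// Listed actions are served without authorization: no permissions required.` GetRequestPermissions continues past the hunk.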
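Review bot: In auth_scheme.h the non-template overload puts both parameters on one line while the template overload just above it and the definition in auth_scheme.cpp use one parameter per line; keep the header consistent by splitting it into `const NProto::TExecuteActionRequest& request,` and `const TVector<TString>& actionsNoAuth);` on separate lines. This is a formatting point only; the declaration itself matches the definition.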
@@ -78,7 +81,7 @@ class TAuthService final
 {
 const auto& headers = request->GetHeaders();
 const auto& internal = headers.GetInternal();
- auto permissions = GetRequestPermissions(*request);
+ auto permissions = GetRequestPermissions(*request, ActionsNoAuth);
 bool needAuth = AuthProvider->NeedAuth(
 internal.GetRequestSource(),
@@ -149,11 +152,13 @@ class TAuthService final
 IFileStoreServicePtr CreateAuthService(
 IFileStoreServicePtr service,
- IAuthProviderPtr authProvider)
+ IAuthProviderPtr authProvider,
+ const TVector& actionsNoAuth)
 {
 return std::make_shared(
 std::move(service),
- std::move(authProvider));
+ std::move(authProvider),
+ actionsNoAuth);
 }
 } // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service/service_auth.h b/cloud/filestore/libs/service/service_auth.h
index e36970ad925..a2bd5ba72d6 100644
--- a/cloud/filestore/libs/service/service_auth.h
+++ b/cloud/filestore/libs/service/service_auth.h
@@ -2,12 +2,15 @@
 #include "public.h"
+#include
+
 namespace NCloud::NFileStore {
 ////////////////////////////////////////////////////////////////////////////////
 IFileStoreServicePtr CreateAuthService(
 IFileStoreServicePtr service,
- IAuthProviderPtr authProvider);
+ IAuthProviderPtr authProvider,
+ const TVector& actionsNoAuth);
 } // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp b/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp
index 12b88994e3b..6b22ee4f185 100644
--- a/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp
+++ b/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp
@@ -101,7 +101,8 @@ Y_UNIT_TEST_SUITE(TKikimrAuthProviderTest)
 auto service = CreateAuthService(
 testService,
- CreateKikimrAuthProvider(actorSystem));
+ CreateKikimrAuthProvider(actorSystem),
+ {});
 // When requiring authorization and failing it, we fail the request.
 {
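Review bot: In service_auth.cpp the handler now receives an empty permission list for any action listed in ActionsNoAuth, but whether an empty list alone makes `AuthProvider->NeedAuth` answer false is decided outside this hunk, so the intent belongs at the call: `// Empty permissions (action listed in ActionsNoAuth) mean no authorization is required.` Because this is a deliberate, config-driven bypass of authorization, a debug-level log line on the path where `needAuth` is false for a listed action would keep exempt calls visible in traces. The enclosing method starts and ends outside the hunk.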
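Review bot: `CreateAuthService` in service_auth.cpp takes `actionsNoAuth` by `const TVector&` and then copies it into the TAuthService constructor, whereas the other two parameters are taken by value and moved; taking `TVector<TString> actionsNoAuth` by value and passing `std::move(actionsNoAuth)` keeps the signature uniform and lets callers that pass a temporary (bootstrap.cpp passes the result of `GetActionsNoAuth()`) avoid the copy. The same signature appears in the service_auth.h hunk and would change with it.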
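Review bot: In auth_provider_kikimr_ut.cpp both updated call sites pass `{}`, so nothing in this change exercises the new exemption: there is no test showing that an ExecuteAction whose action is listed in ActionsNoAuth is served without the provider being consulted, nor that an unlisted (or differently-cased) action still goes through authorization. Since this is an authorization bypass controlled by configuration, a test for each of those outcomes would guard against regressions; the second call site in the @@ -185 hunk has the same gap.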
@@ -185,7 +186,8 @@ Y_UNIT_TEST_SUITE(TKikimrAuthProviderTest)
 auto service = CreateAuthService(
 std::make_shared(),
- CreateKikimrAuthProvider(actorSystem));
+ CreateKikimrAuthProvider(actorSystem),
+ {});
 auto request = std::make_shared();
 auto& headers = *request->MutableHeaders();