Adding rules¶

To define a rule, you need to specify the Target and the rule Chain:

Target - the visibility scope within which the request is executed:

Namespace
Container
User
Group

Chain - a rule chain defined for a specific Target. Chains are strictly separated by protocol purpose: chains intended for the node (native protocol) do not intersect with chains for S3.

Example Chain:

{
   "ID": "",
   "Rules": [
      {
         "Status": "Allow",
         "Actions": {
            "Inverted": false,
            "Names": [
               "GetObject"
            ]
         },
         "Resources": {
            "Inverted": false,
            "Names": [
               "native:object/*"
            ]
         },
         "Any": false,
         "Condition": [
            {
               "Op": "StringEquals",
               "Object": "Resource",
               "Key": "Department",
               "Value": "HR"
            }
         ]
      }
   ],
   "MatchType": "DenyPriority"
}

Parameter	Description
ID	Chain ID. Unique within a single Target, but not unique across different Targets.
Rules	List of rules.
Rules.Status	Policy application status: Allow, AccessDenied, QuotaLimitReached, NoRuleFound
Rules.Actions	Information about the methods being checked.
Rules.Actions.Inverted	Method inversion flag. For example, if set to true, the action will not apply only to the methods specified in Rules.Actions.Name.
Rules.Actions.Name	Operations constants (see the list here).
Rules.Resources	Resources on which the action is performed.
Rules.Resources.Inverted	Resource inversion flag. For example, if set to true, the action will not apply only to the resources specified in Rules.Resources.Name.
Rules.Resources.Name	Resource names, strictly following the format specified in the scheme.
Rules.Any	Flag indicating that the rule triggers if at least one condition is met.
Rules.Condition	Conditions for triggering this rule. Define checks on request properties or properties of the resource passed in the request.
Rules.Condition.Op	Condition operators, such as StringEquals, NumericEquals, etc.
Rules.Condition.Object	The object of the check - what the condition is applied to(Request, Resource).
Rules.Condition.Key	Key for defining the condition.
Rules.Condition.Value	Value for defining the condition.
MatchType	Rule selection priority: whether APE should persistently iterate and encounter a Deny or return the status based on the first matching rule.
	- DenyPriority: Denies the request if `Deny` is specified. (Recommended)
	- FirstMatch: Returns the action of the first rule that matches the request.

Note

The rule will be applied after 1-2 blocks have passed.

Arguments:

Execution context
Method arguments, which includes:
- Target
- Chain
- Additional headers (optional)

Result:

Rule ID

GolangJavaC#

func AddObjectRules(ctx context.Context, p pool.Pool, cnrID cid.ID) {
    ch := chain.Chain{
        ID:    chain.ID(randomChainId()),
        Rules: PublicReadWriteRule(),
    }

    data, _ := ch.MarshalBinary()

    prmAddAPEChain := pool.PrmAddAPEChain{
        Target: ape.ChainTarget{
            TargetType: ape.TargetTypeContainer,
            Name:       cnrID.EncodeToString(),
        },
        Chain: ape.Chain{Raw: data},
    }

    p.AddAPEChain(ctx, prmAddAPEChain)
}

func randomChainId() string {
    id, err := uuid.NewUUID()
    if err != nil {
        panic(err)
    }
    return id.String()
}

func PublicReadWriteRule() []chain.Rule {
    return []chain.Rule{
        {
            Status: chain.Allow, Actions: chain.Actions{
                Inverted: false,
                Names: []string{
                    native.MethodPutObject,
                    native.MethodGetObject,
                    native.MethodHeadObject,
                    native.MethodDeleteObject,
                    native.MethodSearchObject,
                    native.MethodRangeObject,
                    native.MethodHashObject,
                    native.MethodPatchObject,
                },
            }, Resources: chain.Resources{
                Inverted: false,
                Names:    []string{native.ResourceFormatRootObjects},
            }, Any: false},
    }
}

public static void addObjectRules(FrostFSClient frostFSClient, ContainerId containerId, CallContext callContext) {
    frostFSClient.addChain(generatePrmApeChainAdd(containerId), callContext);
}

private static PrmApeChainAdd generatePrmApeChainAdd(ContainerId containerId) {
    var chainTarget = new ChainTarget(containerId.getValue(), TargetType.CONTAINER);
    var resources = new Resources(false, new String[]{"native:object/*"});
    var actions = new Actions(false, new String[]{"*"});
    var rule = new Rule();
    rule.setStatus(RuleStatus.ALLOW);
    rule.setResources(resources);
    rule.setActions(actions);
    rule.setAny(false);
    rule.setConditions(new Condition[]{});


    var chain = new Chain();
    chain.setId(ArrayUtils.toObject("chain-id-test".getBytes(StandardCharsets.UTF_8)));
    chain.setRules(new Rule[]{rule});
    chain.setMatchType(RuleMatchType.DENY_PRIORITY);

    return new PrmApeChainAdd(chain, chainTarget);
}

public static async Task AddObjectRules(
    IFrostFSClient client,
    FrostFsContainerId containerId)
{
    var addChainPrm = new PrmApeChainAdd(
       new FrostFsChainTarget(FrostFsTargetType.Container, containerId.GetValue()),
       new FrostFsChain
       {
           ID = Encoding.ASCII.GetBytes("chain-id-test"),
           Rules = [
                new FrostFsRule
                    {
                        Status = RuleStatus.Allow,
                        Actions = new Actions(inverted: false, names: ["*"]),
                        Resources = new FrostFsResources (
                            inverted: false,
                            names: [$"native:object/*"]),
                        Any = false,
                        Conditions = []
                    }
           ],
           MatchType = RuleMatchType.DenyPriority
       }
   );

    await client.AddChainAsync(addChainPrm, default);
}