Clean up GetPathByID
Jesse Geens committed Nov 29, 2024
1 parent d604057 commit 70234b6
Showing 2 changed files with 20 additions and 15 deletions.
10 changes: 10 additions & 0 deletions changelog/unreleased/rootless-auth.md
@@ -0,0 +1,10 @@
Enhancement: do not use root on EOS

Currently, the EOS drivers use root authentication for many different operations. This has now been changed to use one of the following:
* cbox, which is a sudo'er
* daemon, for read-only operations
* the user himselft

Note that home creation is excluded here as this will be tackled in a different PR.

https://github.com/cs3org/reva/pull/4977/
25 changes: 10 additions & 15 deletions pkg/storage/utils/eosfs/eosfs.go
@@ -487,26 +487,24 @@ func (fs *eosfs) GetPathByID(ctx context.Context, id *provider.ResourceId) (stri
if err != nil {
return "", errors.Wrap(err, "eosfs: no user in ctx")
}

var auth eosclient.Authorization
if utils.IsLightweightUser(u) {
daemonAuth := utils.GetDaemonAuth()
eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, daemonAuth, fid)
auth = utils.GetDaemonAuth()
} else {
auth, err = fs.getUserAuth(ctx, u, "")
if err != nil {
return "", errors.Wrap(err, "eosfs: error getting file info by inode")
}
if perm := fs.permissionSet(ctx, eosFileInfo, nil); perm.GetPath {
return fs.unwrap(ctx, eosFileInfo.File)
return "", err
}
return "", errtypes.PermissionDenied("eosfs: getting path for id not allowed")
}

userAuth, err := fs.getUserAuth(ctx, u, "")
eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, auth, fid)
if err != nil {
return "", err
return "", errors.Wrap(err, "eosfs: error getting file info by inode")
}

eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, userAuth, fid)
if err != nil {
return "", errors.Wrap(err, "eosfs: error getting file info by inode")
if perm := fs.permissionSet(ctx, eosFileInfo, nil); !perm.GetPath {
return "", errtypes.PermissionDenied("eosfs: getting path for id not allowed")
}

return fs.unwrap(ctx, eosFileInfo.File)
@@ -1168,7 +1166,6 @@ func (fs *eosfs) ListGrants(ctx context.Context, ref *provider.Reference) ([]*pr
}

// Now we get the real info, I know, it's ugly
// TODO(jgeens): use cbox here, or can daemon also read attrs?
cboxAuth := utils.GetEmptyAuth()

attrs, err := fs.c.GetAttrs(ctx, cboxAuth, fn)
@@ -1389,7 +1386,6 @@ func (fs *eosfs) GetQuota(ctx context.Context, ref *provider.Reference) (uint64,
return 0, 0, err
}

// TODO(jgeens): empty auth
cboxAuth := utils.GetEmptyAuth()

qi, err := fs.c.GetQuota(ctx, auth.Role.UID, cboxAuth, fs.conf.QuotaNode)
@@ -1423,7 +1419,6 @@ func (fs *eosfs) createShadowHome(ctx context.Context) error {

for _, sf := range shadowFolders {
fn := path.Join(home, sf)
// TODO(jgeens): daemon auth
_, err = fs.c.GetFileInfoByPath(ctx, daemonAuth, fn)
if err != nil {
if _, ok := err.(errtypes.IsNotFound); !ok {
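Review bot: In the GetPathByID hunk, the `perm.GetPath` check from `fs.permissionSet(ctx, eosFileInfo, nil)` now appears to run for every caller, whereas the earlier layout seems to have applied it only on the lightweight-user branch, so a commit titled as a clean-up may change which regular users can resolve an id to a path. The old and new sides are inferred from this rendered page, so confirm against the raw diff; if the change is intended, state it in the commit message and cover both user kinds with a test. For lightweight users the lookup runs with `utils.GetDaemonAuth()` rather than the user's own identity, so this check looks like the only per-user gate on that path, and I would record that above it with `// Lookup may run as daemon (lightweight users); permissionSet is the only per-user access check here.`. The `getUserAuth` error is also returned bare while the neighbouring errors are wrapped; `return "", errors.Wrap(err, "eosfs: error getting user auth")` would match them. The function body starts above the hunk.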