You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After split V2 scheme adoption, every big object PUT requires to HEAD the first part. If it is denied by container policy, the whole PUT fails. However, this operation does not look like smth strange and the system should allow this behaviour.
Expected Behavior
PUT big object through a non-container node to a container with HEAD denied to others should work OK.
Current Behavior
Returns 2048 error (access denied).
Possible Solution
Do not check ACL objects if a node is not expected to store an object (does not belong to a container). Even for session cases it splits and signs an object and tries to PUT it to a container node. If it does not pass ACL checks, then it is what it is, return error it gets.
Also, re-checks, that if an object is signed (completed, PUT-without-session case), it is just forwarded to a container node; this code does not work usually (or maybe not used at all since it was written).
nspcc-dev/neofs-s3-gw#969 PUTs objects via SDK's Pool. It uses every node it has, however only 3/4 nodes belong to the test container, so every time part it PUT to a non-container node, the test fails.
Regression
Yes, split V2.
The text was updated successfully, but these errors were encountered:
Only when you can't check it (pieces of a big object)
OK, can be done, just did not want to treat some objects differently (it complicates code for not that often cases) compared to others (however, I do agree that it something can be done faster it should).
After split V2 scheme adoption, every big object PUT requires to HEAD the first part. If it is denied by container policy, the whole PUT fails. However, this operation does not look like smth strange and the system should allow this behaviour.
Expected Behavior
PUT big object through a non-container node to a container with HEAD denied to others should work OK.
Current Behavior
Returns 2048 error (access denied).
Possible Solution
Do not check ACL objects if a node is not expected to store an object (does not belong to a container). Even for session cases it splits and signs an object and tries to PUT it to a container node. If it does not pass ACL checks, then it is what it is, return error it gets.
Also, re-checks, that if an object is signed (completed, PUT-without-session case), it is just forwarded to a container node; this code does not work usually (or maybe not used at all since it was written).
Steps to Reproduce (for bugs)
Run nspcc-dev/neofs-s3-gw#969 test case, see errors.
Context
nspcc-dev/neofs-s3-gw#969 PUTs objects via SDK's Pool. It uses every node it has, however only 3/4 nodes belong to the test container, so every time part it PUT to a non-container node, the test fails.
Regression
Yes, split V2.
The text was updated successfully, but these errors were encountered: