From 70234b6f88326a5debb6bac0e9a4097b5e9c1829 Mon Sep 17 00:00:00 2001
From: Jesse Geens
Date: Fri, 29 Nov 2024 09:55:28 +0100
Subject: [PATCH] Clean up GetPathByID

---
 changelog/unreleased/rootless-auth.md | 10 ++++++++++
 pkg/storage/utils/eosfs/eosfs.go | 25 ++++++++++--------------
 2 files changed, 20 insertions(+), 15 deletions(-)
 create mode 100644 changelog/unreleased/rootless-auth.md

diff --git a/changelog/unreleased/rootless-auth.md b/changelog/unreleased/rootless-auth.md
new file mode 100644
index 0000000000..09a907f62d
--- /dev/null
+++ b/changelog/unreleased/rootless-auth.md
@@ -0,0 +1,10 @@
+Enhancement: do not use root on EOS
+
+Currently, the EOS drivers use root authentication for many different operations. This has now been changed to use one of the following:
+* cbox, which is a sudo'er
+* daemon, for read-only operations
+* the user himselft
+
+Note that home creation is excluded here as this will be tackled in a different PR.
+
+https://github.com/cs3org/reva/pull/4977/
\ No newline at end of file
diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go
index 60bc5f6813..4436262d91 100644
--- a/pkg/storage/utils/eosfs/eosfs.go
+++ b/pkg/storage/utils/eosfs/eosfs.go
@@ -487,26 +487,24 @@ func (fs *eosfs) GetPathByID(ctx context.Context, id *provider.ResourceId) (stri
 if err != nil {
 return "", errors.Wrap(err, "eosfs: no user in ctx")
 }
+
+ var auth eosclient.Authorization
 if utils.IsLightweightUser(u) {
- daemonAuth := utils.GetDaemonAuth()
- eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, daemonAuth, fid)
+ auth = utils.GetDaemonAuth()
+ } else {
+ auth, err = fs.getUserAuth(ctx, u, "")
 if err != nil {
- return "", errors.Wrap(err, "eosfs: error getting file info by inode")
- }
- if perm := fs.permissionSet(ctx, eosFileInfo, nil); perm.GetPath {
- return fs.unwrap(ctx, eosFileInfo.File)
+ return "", err
 }
- return "", errtypes.PermissionDenied("eosfs: getting path for id not allowed")
 }
- userAuth, err := fs.getUserAuth(ctx, u, "")
+ eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, auth, fid)
 if err != nil {
- return "", err
+ return "", errors.Wrap(err, "eosfs: error getting file info by inode")
 }
- eosFileInfo, err := fs.c.GetFileInfoByInode(ctx, userAuth, fid)
- if err != nil {
- return "", errors.Wrap(err, "eosfs: error getting file info by inode")
+ if perm := fs.permissionSet(ctx, eosFileInfo, nil); !perm.GetPath {
+ return "", errtypes.PermissionDenied("eosfs: getting path for id not allowed")
 }
 return fs.unwrap(ctx, eosFileInfo.File)
@@ -1168,7 +1166,6 @@ func (fs *eosfs) ListGrants(ctx context.Context, ref *provider.Reference) ([]*pr
 }
 // Now we get the real info, I know, it's ugly
- // TODO(jgeens): use cbox here, or can daemon also read attrs?
 cboxAuth := utils.GetEmptyAuth()
 attrs, err := fs.c.GetAttrs(ctx, cboxAuth, fn)
@@ -1389,7 +1386,6 @@ func (fs *eosfs) GetQuota(ctx context.Context, ref *provider.Reference) (uint64,
 return 0, 0, err
 }
- // TODO(jgeens): empty auth
 cboxAuth := utils.GetEmptyAuth()
 qi, err := fs.c.GetQuota(ctx, auth.Role.UID, cboxAuth, fs.conf.QuotaNode)
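Review bot: The `!perm.GetPath` check on the new side gates every caller, whereas the removed code only consulted permissionSet on the lightweight-user branch and let other users depend on the inode lookup made with their own credentials, so this hunk changes authorization behaviour rather than just tidying the function, and neither the subject line nor the changelog entry records that. If the stricter check is intended, a comment above `var auth eosclient.Authorization` such as `// Lightweight users are looked up with the read-only daemon credentials, everyone else with their own; permissionSet below is the authorization check in both cases.` would make the intent explicit, and it is worth confirming that permissionSet with a nil third argument never denies a path that EOS itself would grant a regular user. The error handling is also uneven: the getUserAuth failure is returned bare while the GetFileInfoByInode failure is wrapped, so `return "", errors.Wrap(err, "eosfs: error getting user auth")` would match the surrounding style. GetPathByID starts before the hunk, where u and fid are derived.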
@@ -1423,7 +1419,6 @@ func (fs *eosfs) createShadowHome(ctx context.Context) error {
 for _, sf := range shadowFolders {
 fn := path.Join(home, sf)
- // TODO(jgeens): daemon auth
 _, err = fs.c.GetFileInfoByPath(ctx, daemonAuth, fn)
 if err != nil {
 if _, ok := err.(errtypes.IsNotFound); !ok {