From 89599627020ca65c1ae780362990b044af9ca18f Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Wed, 9 Apr 2025 13:53:01 +0400
Subject: [PATCH 1/4] layer: Use cache for get bucket tagging
Signed-off-by: Evgenii Baidakov
---
 api/layer/tagging.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/api/layer/tagging.go b/api/layer/tagging.go
index 51b52487..023aeaa8 100644
--- a/api/layer/tagging.go
+++ b/api/layer/tagging.go
@@ -233,6 +233,10 @@ func (n *layer) GetBucketTagging(ctx context.Context, bktInfo *data.BucketInfo)
 owner = n.Owner(ctx)
 )
+ if tags := n.cache.GetTagging(owner, bucketTaggingCacheKey(bktInfo.CID)); tags != nil {
+ return tags, nil
+ }
+
 id, err := n.searchBucketMetaObjects(ctx, bktInfo, s3headers.TypeBucketTags)
 if err != nil {
 return nil, fmt.Errorf("search: %w", err)
From 2788868f738a83f227f09d40229b71c6c5ad6236 Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Wed, 9 Apr 2025 13:53:20 +0400
Subject: [PATCH 2/4] layer: Use cache for get bucket notification configuration
Signed-off-by: Evgenii Baidakov
---
 api/layer/notifications.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/api/layer/notifications.go b/api/layer/notifications.go
index 49e76013..71055cad 100644
--- a/api/layer/notifications.go
+++ b/api/layer/notifications.go
@@ -45,6 +45,11 @@ func (n *layer) PutBucketNotificationConfiguration(ctx context.Context, p *PutBu
 }
 func (n *layer) GetBucketNotificationConfiguration(ctx context.Context, bktInfo *data.BucketInfo) (*data.NotificationConfiguration, error) {
+ owner := n.Owner(ctx)
+ if conf := n.cache.GetNotificationConfiguration(owner, bktInfo); conf != nil {
+ return conf, nil
+ }
+
 var (
 err error
 conf data.NotificationConfiguration
From f15d8e4b6a653e8642d47ce6630167c27b31d600 Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Wed, 9 Apr 2025 13:55:20 +0400
Subject: [PATCH 3/4] layer: Bucket settings cache is available for everyone
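Review bot: In `GetBucketTagging` (api/layer/tagging.go) a hit on `n.cache.GetTagging(owner, ...)` returns before `searchBucketMetaObjects`, so the storage-side access decision is not re-evaluated for that request; the same applies to the `n.cache.GetNotificationConfiguration(owner, bktInfo)` lookup added to `GetBucketNotificationConfiguration` in patch 2/4. Assuming the cache gates hits on a per-owner access entry (its implementation is not shown in these hunks), the lifetime of that entry bounds how long a caller whose access was revoked can still read the cached value. I would record that at both lookups, e.g. `// A cache hit skips the storage-side access check; staleness is bounded by the access cache entry lifetime.` Both function bodies continue outside their hunks, so whether the miss path and the matching put/delete operations refresh or drop the same key cannot be confirmed from here.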
Signed-off-by: Evgenii Baidakov
---
 api/layer/cache.go | 12 ++----------
 api/layer/system_object.go | 9 +++++----
 2 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/api/layer/cache.go b/api/layer/cache.go
index 431e96d8..56fe3130 100644
--- a/api/layer/cache.go
+++ b/api/layer/cache.go
@@ -187,25 +187,17 @@ func (c *Cache) PutLockInfo(owner user.ID, key string, lockInfo *data.LockInfo)
 }
 }
-func (c *Cache) GetSettings(owner user.ID, bktInfo *data.BucketInfo) *data.BucketSettings {
+func (c *Cache) GetSettings(bktInfo *data.BucketInfo) *data.BucketSettings {
 key := bktInfo.Name + bktInfo.SettingsObjectName()
- if !c.accessCache.Get(owner, key) {
- return nil
- }
-
 return c.systemCache.GetSettings(key)
 }
-func (c *Cache) PutSettings(owner user.ID, bktInfo *data.BucketInfo, settings *data.BucketSettings) {
+func (c *Cache) PutSettings(bktInfo *data.BucketInfo, settings *data.BucketSettings) {
 key := bktInfo.Name + bktInfo.SettingsObjectName()
 if err := c.systemCache.PutSettings(key, settings); err != nil {
 c.logger.Warn("couldn't cache bucket settings", zap.String("bucket", bktInfo.Name), zap.Error(err))
 }
-
- if err := c.accessCache.Put(owner, key); err != nil {
- c.logger.Warn("couldn't cache access control operation", zap.Error(err))
- }
 }
 func (c *Cache) GetCORS(owner user.ID, bkt *data.BucketInfo) *data.CORSConfiguration {
diff --git a/api/layer/system_object.go b/api/layer/system_object.go
index 9366b0d2..2c8f6010 100644
--- a/api/layer/system_object.go
+++ b/api/layer/system_object.go
@@ -275,8 +275,7 @@ func lockObjectKey(objVersion *ObjectVersion) string {
 }
 func (n *layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo) (*data.BucketSettings, error) {
- owner := n.Owner(ctx)
- if settings := n.cache.GetSettings(owner, bktInfo); settings != nil {
+ if settings := n.cache.GetSettings(bktInfo); settings != nil {
 return settings, nil
 }
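Review bot: `GetSettings` in api/layer/cache.go no longer consults `c.accessCache`, so a cached `*data.BucketSettings` is handed to any caller regardless of who populated the entry, and nothing on the function says that authorization has moved to its callers. Patch 4/4 maps a denied upload in `PutObjectHandler`, but other handlers that read bucket settings are not visible in this series and should be checked for having relied on the old per-owner miss. I would add a doc comment such as `// GetSettings returns cached bucket settings without any per-owner access check; callers must authorize the request themselves.` and a matching line on `PutSettings`.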
@@ -291,6 +290,8 @@ func (n *layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo)
 }
 if id.IsZero() {
+ n.cache.PutSettings(bktInfo, &settings)
+
 return &settings, nil
 }
@@ -316,7 +317,7 @@ func (n *layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo)
 settings.LockConfiguration = &olc
- n.cache.PutSettings(owner, bktInfo, &settings)
+ n.cache.PutSettings(bktInfo, &settings)
 return &settings, nil
 }
@@ -344,7 +345,7 @@ func (n *layer) PutBucketSettings(ctx context.Context, p *PutSettingsParams) err
 return fmt.Errorf("create bucket settings object: %w", err)
 }
- n.cache.PutSettings(n.Owner(ctx), p.BktInfo, p.Settings)
+ n.cache.PutSettings(p.BktInfo, p.Settings)
 return nil
 }
From 4bb79aa5b3852f0782068881c1d3df4e48f5ba23 Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Wed, 9 Apr 2025 18:01:56 +0400
Subject: [PATCH 4/4] handler: Return correct error on access denied
The bucket settings isn't lock to bucket owner in cache. Now we should check incorrect access on object put.
Signed-off-by: Evgenii Baidakov
---
 api/handler/put.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/api/handler/put.go b/api/handler/put.go
index e63062a7..3a7b52b9 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -25,6 +25,7 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api/s3errors"
 "github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
 "github.com/nspcc-dev/neofs-s3-gw/internal/models"
+ apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
 "github.com/nspcc-dev/neofs-sdk-go/eacl"
 "github.com/nspcc-dev/neofs-sdk-go/session"
 "go.uber.org/zap"
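Review bot: In the `id.IsZero()` branch of `GetBucketSettings` the pointer that is cached is also the one returned (`n.cache.PutSettings(bktInfo, &settings)` followed by `return &settings, nil`), and the `PutSettings` call before the final return has the same shape. With the entry now shared by every caller instead of being gated per owner, a caller that modifies the returned struct would change what other requests read, unless the system cache copies on put or get (not visible here). Consider handing out a copy, `out := settings` then `return &out, nil`, keeping in mind that a shallow copy still shares `LockConfiguration`, or state in the doc comment that the result is read-only. The function starts and ends outside these hunks.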
@@ -288,6 +289,11 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 if err != nil {
 _, err2 := io.Copy(io.Discard, r.Body)
 err3 := r.Body.Close()
+ if errors.Is(err, apistatus.ErrObjectAccessDenied) {
+ h.logAndSendError(w, "could not upload object", reqInfo, s3errors.GetAPIError(s3errors.ErrAccessDenied), zap.Error(err))
+ return
+ }
+
 h.logAndSendError(w, "could not upload object", reqInfo, err, zap.Errors("body close errors", []error{err2, err3}))
 return
 }
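Review bot: The new `errors.Is(err, apistatus.ErrObjectAccessDenied)` branch is reached only after `io.Copy(io.Discard, r.Body)` has drained the whole request body, so a caller who is about to be refused still makes the gateway read the full upload; if the drain is kept for connection reuse, consider bounding it for the denied case. The branch also logs only `zap.Error(err)` and drops `err2`/`err3`, which the generic branch below reports. Assuming `logAndSendError` accepts several fields (its signature is not in the hunk), the call could end with `zap.Error(err), zap.Errors("body close errors", []error{err2, err3}))`. `PutObjectHandler` starts and ends outside this hunk.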