From 97781ce06da6a40bea0c113adea6d29c0670e9c3 Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Fri, 2 Feb 2024 13:34:47 +0400 Subject: [PATCH] object: Support numeric comparisons in access rules Previously, protocol did not support numeric comparisons in access rules except `==` and `!=`. This may be needed for system attributes such as payload size or creation epoch, and for user ones if required by the client application. New values of `MatchType` enumeration are added: `>`, `>=`, `<`, `<=`. Being set in the `EACLRecord.Filter`, these operators will allow user to apply access rules with any decimal attributes. While only base-10 numbers are allowed, additional bases may be supported in the future without new enumerations. Closes #255. Refs #265. Signed-off-by: Leonard Lyubich --- acl/types.proto | 18 +++++++++++++++++- proto-docs/acl.md | 10 +++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/acl/types.proto b/acl/types.proto index eefa508..e359c94 100644 --- a/acl/types.proto +++ b/acl/types.proto @@ -36,6 +36,18 @@ enum MatchType { // Absence of attribute NOT_PRESENT = 3; + + // Numeric 'greater than' + NUM_GT = 4; + + // Numeric 'greater or equal than' + NUM_GE = 5; + + // Numeric 'less than' + NUM_LT = 6; + + // Numeric 'less or equal than' + NUM_LE = 7; } // Request's operation type to match if the rule is applicable to a particular @@ -106,7 +118,8 @@ message EACLRecord { // Filter to check particular properties of the request or the object. // // The `value` field must be empty if `match_type` is an unary operator - // (e.g. `NOT_PRESENT`). + // (e.g. `NOT_PRESENT`). If `match_type` field is numeric (e.g. `NUM_GT`), + // the `value` field must be a base-10 integer. // // By default `key` field refers to the corresponding object's `Attribute`. // Some Object's header fields can also be accessed by adding `$Object:` 
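Review bot: The comments on `NUM_GT`, `NUM_GE`, `NUM_LT` and `NUM_LE` in `enum MatchType` do not say which operand is the attribute and which is the filter value, nor what the result is when the attribute is absent or not a number. These operators decide whether an access rule applies, so implementations that resolve this differently will reach different verdicts on the same request. I would spell it out per value, for example `// Numeric 'greater than': true if the attribute value is greater than the filter value; false if the attribute is absent or not a base-10 integer`, adjusting the last clause to the intended behaviour. It is also worth stating how a node that predates values 4–7 should treat a table that uses them, since the hunk does not show it; the enum body starts outside the hunk.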
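Review bot: "must be a base-10 integer" in the `EACLRecord.Filter` comment leaves the accepted grammar and range open: sign, a leading `+` or leading zeros, surrounding whitespace and the maximum magnitude are all unspecified. Every node has to evaluate the same rule identically, so I would pin this down, e.g. `// The value must consist of an optional '-' followed by decimal digits only; <state the supported range here>.` The comment should also say what happens to a filter whose `value` does not parse (rejected when the table is set, or never matching), because the diff shows neither. The `EACLRecord` message starts and ends outside the hunk.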
@@ -132,6 +145,9 @@ message EACLRecord { // * $Object:homomorphicHash \ // homomorphic_hash // + // Numeric `match_type` field can only be used with `$Object:creationEpoch` + // and `$Object:payloadLength` system attributes. + // // Please note, that if request or response does not have object's headers of // full object (Range, RangeHash, Search, Delete), it will not be possible to // filter by object header fields or user attributes. From the well-known list diff --git a/proto-docs/acl.md b/proto-docs/acl.md index cf76d3d..fbf1d77 100644 --- a/proto-docs/acl.md +++ b/proto-docs/acl.md @@ -96,7 +96,8 @@ Describes a single eACL rule. Filter to check particular properties of the request or the object. The 'value' field must be empty if 'match_type' is an unary operator -(e.g. 'NOT_PRESENT'). +(e.g. 'NOT_PRESENT'). If `match_type` field is numeric (e.g. 'NUM_GT'), +the `value` field must be a base-10 integer. By default `key` field refers to the corresponding object's `Attribute`. Some Object's header fields can also be accessed by adding `$Object:` @@ -122,6 +123,9 @@ prefix to the name. For such attributes, field 'match_type' must not be * $Object:homomorphicHash \ homomorphic_hash +Numeric 'match_type' field can only be used with '$Object:creationEpoch' +and '$Object:payloadLength' system attributes. + Please note, that if request or response does not have object's headers of full object (Range, RangeHash, Search, Delete), it will not be possible to filter by object header fields or user attributes. From the well-known list @@ -207,6 +211,10 @@ MatchType is an enumeration of match types. | STRING_EQUAL | 1 | Return true if strings are equal | | STRING_NOT_EQUAL | 2 | Return true if strings are different | | NOT_PRESENT | 3 | Absence of attribute | +| NUM_GT | 4 | Numeric 'greater than' | +| NUM_GE | 5 | Numeric 'greater or equal than' | +| NUM_LT | 6 | Numeric 'less than' | +| NUM_LE | 7 | Numeric 'less or equal than' |
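Review bot: The added sentence limits numeric match types to `$Object:creationEpoch` and `$Object:payloadLength`, but the commit description says they work with "any decimal attributes", including user ones, and the hunk does not say what a node does with a numeric filter on any other key. I would reconcile the two and state the enforcement explicitly, for example `// A filter that combines a numeric match_type with any other key is invalid.` if rejection is the intent. If such a filter were silently skipped instead, a DENY record relying on it would not apply, so the failure mode needs to be written down. The same sentence is copied into the proto-docs/acl.md hunk and should be updated with it.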