object/acl: Cache storage policy execution results

TBD

Signed-off-by: Leonard Lyubich <[email protected]>

Author: cthulhu-rider

cmd/neofs-node/object.go

@@ -329,7 +329,7 @@ func initObjectService(c *cfg) {
 		},
 	)
 
-	aclSvc := v2.New(
+	aclSvc := v2.New(c,
 		v2.WithLogger(c.log),
 		v2.WithIRFetcher(newCachedIRFetcher(irFetcher)),
 		v2.WithNetmapSource(c.netMapSource),
@@ -676,3 +676,27 @@ func (x *containerStoragePolicy) StorageNodesForObject(obj oid.ID) ([][]netmapsd
 
 	return nodeLists, x.cnrNodes.primaryNodesNums, nil
 }
+
+// TODO: docs
+func (c *cfg) AuthContainerNode(bPubKey []byte, cnr cid.ID, storagePolicy netmapsdk.PlacementPolicy) (bool, error) {
+	cnrNodes, networkMap, _, err := c.cfgObject.containerNodesBuilder._getForEpochAndPolicy(cnr, 0, &storagePolicy)
+	if err != nil {
+		return false, err
+	}
+
+	if cnrNodes.hasNodeWithPublicKey(bPubKey) {
+		return true, nil
+	}
+
+	curEpoch := networkMap.Epoch()
+	if curEpoch > 0 {
+		cnrNodes, _, _, err = c.cfgObject.containerNodesBuilder._getForEpochAndPolicy(cnr, curEpoch-1, &storagePolicy)
+		if err != nil {
+			return false, err
+		}
+
+		return cnrNodes.hasNodeWithPublicKey(bPubKey), nil
+	}
+
+	return false, nil
+}

cmd/neofs-node/storage_policy.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bytes"
 	"fmt"
 	"sync"
 
@@ -28,6 +29,18 @@ type containerNodes struct {
 	nodeSets [][]netmapsdk.NodeInfo
 }
 
+func (x containerNodes) hasNodeWithPublicKey(bPubKey []byte) bool {
+	for i := range x.nodeSets {
+		for j := range x.nodeSets[i] {
+			if bytes.Equal(x.nodeSets[i][j].PublicKey(), bPubKey) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 type containerNodesBuildRes struct {
 	mtx sync.RWMutex
 	val containerNodes
@@ -141,7 +154,7 @@ func (x *containerNodesBuilder) setCurrentEpoch(curEpoch uint64) {
 	x.curEpoch = curEpoch
 }
 
-func (x *containerNodesBuilder) _getForEpoch(cnrID cid.ID, epoch uint64) (containerNodes, *netmapsdk.NetMap, *containerNodesCacheItem, error) {
+func (x *containerNodesBuilder) _getForEpochAndPolicy(cnrID cid.ID, epoch uint64, storagePolicyOpt *netmapsdk.PlacementPolicy) (containerNodes, *netmapsdk.NetMap, *containerNodesCacheItem, error) {
 	var cache *containerNodesCache
 
 	x.curEpochMtx.RLock()
@@ -186,12 +199,17 @@ func (x *containerNodesBuilder) _getForEpoch(cnrID cid.ID, epoch uint64) (contai
 		}
 	}
 
-	cnr, err := x.containers.Get(cnrID)
-	if err != nil {
-		return containerNodes{}, nil, nil, fmt.Errorf("read container by ID: %w", err)
-	}
+	var storagePolicy netmapsdk.PlacementPolicy
+	if storagePolicyOpt != nil {
+		storagePolicy = *storagePolicyOpt
+	} else {
+		cnr, err := x.containers.Get(cnrID)
+		if err != nil {
+			return containerNodes{}, nil, nil, fmt.Errorf("read container by ID: %w", err)
+		}
 
-	storagePolicy := cnr.Value.PlacementPolicy()
+		storagePolicy = cnr.Value.PlacementPolicy()
+	}
 
 	if cached {
 		cache.lruMtx.Lock()
@@ -252,6 +270,9 @@ func (x *containerNodesBuilder) _getForEpoch(cnrID cid.ID, epoch uint64) (contai
 
 	return res, networkMap, cachedVal, nil
 }
+func (x *containerNodesBuilder) _getForEpoch(cnrID cid.ID, epoch uint64) (containerNodes, *netmapsdk.NetMap, *containerNodesCacheItem, error) {
+	return x._getForEpochAndPolicy(cnrID, epoch, nil)
+}
 
 func (x *containerNodesBuilder) getForEpoch(cnrID cid.ID, epoch uint64) (containerNodes, *netmapsdk.NetMap, error) {
 	cnrNodes, networkMap, _, err := x._getForEpoch(cnrID, epoch)

pkg/services/object/acl/v2/classifier.go

@@ -3,18 +3,16 @@ package v2
 import (
 	"bytes"
 
-	core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
 	"github.com/nspcc-dev/neofs-sdk-go/container"
 	"github.com/nspcc-dev/neofs-sdk-go/container/acl"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
-	"github.com/nspcc-dev/neofs-sdk-go/netmap"
 	"go.uber.org/zap"
 )
 
 type senderClassifier struct {
 	log       *zap.Logger
 	innerRing InnerRingFetcher
-	netmap    core.Source
+	node      Node
 }
 
 type classifyResult struct {
@@ -53,7 +51,7 @@ func (c senderClassifier) classify(
 		}, nil
 	}
 
-	isContainerNode, err := c.isContainerKey(ownerKey, idCnr, cnr)
+	isContainerNode, err := c.node.AuthContainerNode(ownerKey, idCnr, cnr.PlacementPolicy())
 	if err != nil {
 		// error might happen if request has `RoleOther` key and placement
 		// is not possible for previous epoch, so
@@ -89,48 +87,3 @@ func (c senderClassifier) isInnerRingKey(owner []byte) (bool, error) {
 
 	return false, nil
 }
-
-func (c senderClassifier) isContainerKey(
-	owner []byte, idCnr cid.ID,
-	cnr container.Container) (bool, error) {
-	nm, err := core.GetLatestNetworkMap(c.netmap) // first check current netmap
-	if err != nil {
-		return false, err
-	}
-
-	in, err := lookupKeyInContainer(nm, owner, idCnr, cnr)
-	if err != nil {
-		return false, err
-	} else if in {
-		return true, nil
-	}
-
-	// then check previous netmap, this can happen in-between epoch change
-	// when node migrates data from last epoch container
-	nm, err = core.GetPreviousNetworkMap(c.netmap)
-	if err != nil {
-		return false, err
-	}
-
-	return lookupKeyInContainer(nm, owner, idCnr, cnr)
-}
-
-func lookupKeyInContainer(
-	nm *netmap.NetMap,
-	owner []byte, idCnr cid.ID,
-	cnr container.Container) (bool, error) {
-	cnrVectors, err := nm.ContainerNodes(cnr.PlacementPolicy(), idCnr)
-	if err != nil {
-		return false, err
-	}
-
-	for i := range cnrVectors {
-		for j := range cnrVectors[i] {
-			if bytes.Equal(cnrVectors[i][j].PublicKey(), owner) {
-				return true, nil
-			}
-		}
-	}
-
-	return false, nil
-}

pkg/services/object/acl/v2/service.go

@@ -12,12 +12,21 @@ import (
 	apistatus "github.com/nspcc-dev/neofs-sdk-go/client/status"
 	"github.com/nspcc-dev/neofs-sdk-go/container/acl"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
+	netmapsdk "github.com/nspcc-dev/neofs-sdk-go/netmap"
 	oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
 	sessionSDK "github.com/nspcc-dev/neofs-sdk-go/session"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 	"go.uber.org/zap"
 )
 
+// Node represents local NeoFS storage node within which [Service] operates.
+type Node interface {
+	// AuthContainerNode authenticates storage node by binary-encoded public key and
+	// checks whether the node matches given storage policy of the referenced
+	// container.
+	AuthContainerNode(bPubKey []byte, cnrID cid.ID, storagePolicy netmapsdk.PlacementPolicy) (bool, error)
+}
+
 // Service checks basic ACL rules.
 type Service struct {
 	*cfg
@@ -78,7 +87,7 @@ func defaultCfg() *cfg {
 }
 
 // New is a constructor for object ACL checking service.
-func New(opts ...Option) Service {
+func New(node Node, opts ...Option) Service {
 	cfg := defaultCfg()
 
 	for i := range opts {
@@ -102,7 +111,7 @@ func New(opts ...Option) Service {
 		c: senderClassifier{
 			log:       cfg.log,
 			innerRing: cfg.irFetcher,
-			netmap:    cfg.nm,
+			node:      node,
 		},
 	}
 }