UBERF-12032 Readonly storage config (#9412)

Signed-off-by: Alexander Onnikov <[email protected]>

Author: aonnikov

server/core/src/types.ts

@@ -521,6 +521,7 @@ export interface StorageConfig {
   kind: string
   endpoint: string
   port?: number
+  readonly?: string
 }
 
 export class NoSuchKeyError extends Error {

server/server-storage/src/readonly.ts

@@ -0,0 +1,98 @@
+//
+// Copyright © 2025 Hardcore Engineering Inc.
+//
+// Licensed under the Eclipse Public License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License. You may
+// obtain a copy of the License at https://www.eclipse.org/legal/epl-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+import type { WorkspaceIds, Blob, MeasureContext } from '@hcengineering/core'
+import type { BlobStorageIterator, BucketInfo, StorageAdapter, UploadedObjectInfo } from '@hcengineering/storage'
+import { type Readable } from 'stream'
+
+class ReadonlyError extends Error {
+  constructor () {
+    super('Readonly mode')
+    this.name = 'ReadonlyError'
+  }
+}
+
+export class ReadonlyStorageAdapter implements StorageAdapter {
+  constructor (private readonly adapter: StorageAdapter) {}
+
+  async initialize (ctx: MeasureContext, wsIds: WorkspaceIds): Promise<void> {
+    await this.adapter.initialize(ctx, wsIds)
+  }
+
+  async close (): Promise<void> {
+    await this.adapter.close()
+  }
+
+  async exists (ctx: MeasureContext, wsIds: WorkspaceIds): Promise<boolean> {
+    return await this.adapter.exists(ctx, wsIds)
+  }
+
+  async make (ctx: MeasureContext, wsIds: WorkspaceIds): Promise<void> {
+    throw new ReadonlyError()
+  }
+
+  async listBuckets (ctx: MeasureContext): Promise<BucketInfo[]> {
+    return await this.adapter.listBuckets(ctx)
+  }
+
+  async delete (ctx: MeasureContext, wsIds: WorkspaceIds): Promise<void> {
+    throw new ReadonlyError()
+  }
+
+  async remove (ctx: MeasureContext, wsIds: WorkspaceIds, objectNames: string[]): Promise<void> {
+    throw new ReadonlyError()
+  }
+
+  async listStream (ctx: MeasureContext, wsIds: WorkspaceIds): Promise<BlobStorageIterator> {
+    return await this.adapter.listStream(ctx, wsIds)
+  }
+
+  async stat (ctx: MeasureContext, wsIds: WorkspaceIds, objectName: string): Promise<Blob | undefined> {
+    return await this.adapter.stat(ctx, wsIds, objectName)
+  }
+
+  async get (ctx: MeasureContext, wsIds: WorkspaceIds, objectName: string): Promise<Readable> {
+    return await this.adapter.get(ctx, wsIds, objectName)
+  }
+
+  async partial (
+    ctx: MeasureContext,
+    wsIds: WorkspaceIds,
+    objectName: string,
+    offset: number,
+    length?: number | undefined
+  ): Promise<Readable> {
+    return await this.adapter.partial(ctx, wsIds, objectName, offset, length)
+  }
+
+  async read (ctx: MeasureContext, wsIds: WorkspaceIds, objectName: string): Promise<Buffer[]> {
+    return await this.adapter.read(ctx, wsIds, objectName)
+  }
+
+  put (
+    ctx: MeasureContext,
+    wsIds: WorkspaceIds,
+    objectName: string,
+    stream: string | Readable | Buffer,
+    contentType: string,
+    size?: number | undefined
+  ): Promise<UploadedObjectInfo> {
+    throw new ReadonlyError()
+  }
+
+  async getUrl (ctx: MeasureContext, wsIds: WorkspaceIds, name: string): Promise<string> {
+    return await this.adapter.getUrl(ctx, wsIds, name)
+  }
+}

server/server-storage/src/starter.ts

@@ -3,6 +3,7 @@ import { CONFIG_KIND as MINIO_CONFIG_KIND, MinioConfig, MinioService, addMinioFa
 import { CONFIG_KIND as S3_CONFIG_KIND, S3Service, type S3Config } from '@hcengineering/s3'
 import { StorageAdapter, StorageConfiguration, type StorageConfig } from '@hcengineering/server-core'
 import { FallbackStorageAdapter, buildStorage } from './fallback'
+import { ReadonlyStorageAdapter } from './readonly'
 
 /*
 
@@ -76,28 +77,35 @@ export function parseStorageEnv (storageEnv: string, storageConfig: StorageConfi
 }
 
 export function createStorageFromConfig (config: StorageConfig): StorageAdapter {
+  let adapter: StorageAdapter
   const kind = config.kind
   if (kind === MINIO_CONFIG_KIND) {
     const c = config as MinioConfig
     if (c.endpoint == null || c.accessKey == null || c.secretKey == null) {
       throw new Error('One of endpoint/accessKey/secretKey values are not specified')
     }
-    return new MinioService(c)
+    adapter = new MinioService(c)
   } else if (kind === S3_CONFIG_KIND) {
     const c = config as S3Config
     if (c.endpoint == null || c.accessKey == null || c.secretKey == null) {
       throw new Error('One of endpoint/accessKey/secretKey values are not specified')
     }
-    return new S3Service(c)
+    adapter = new S3Service(c)
   } else if (kind === DATALAKE_CONFIG_KIND) {
     const c = config as DatalakeConfig
     if (c.endpoint == null) {
       throw new Error('Endpoint value is not specified')
     }
-    return new DatalakeService(c)
+    adapter = new DatalakeService(c)
   } else {
     throw new Error('Unsupported storage kind:' + kind)
   }
+
+  if (config.readonly === 'true') {
+    adapter = new ReadonlyStorageAdapter(adapter)
+  }
+
+  return adapter
 }
 
 export function buildStorageFromConfig (config: StorageConfiguration): FallbackStorageAdapter {

services/datalake/pod-datalake/src/config.ts

@@ -29,6 +29,7 @@ export interface Config {
   DbUrl: string
   Buckets: BucketConfig[]
   CleanupInterval: number
+  Readonly: boolean
 }
 
 const parseNumber = (str: string | undefined): number | undefined => (str !== undefined ? Number(str) : undefined)
@@ -77,7 +78,8 @@ const config: Config = (() => {
     Secret: process.env.SECRET,
     AccountsUrl: process.env.ACCOUNTS_URL,
     DbUrl: process.env.DB_URL,
-    Buckets: parseBucketsConfig(process.env.BUCKETS)
+    Buckets: parseBucketsConfig(process.env.BUCKETS),
+    Readonly: process.env.READONLY === 'true'
   }
 
   const missingEnv = (Object.keys(params) as Array<keyof Config>).filter((key) => params[key] === undefined)

services/datalake/pod-datalake/src/middleware.ts

@@ -13,11 +13,11 @@
 // limitations under the License.
 //
 
+import { systemAccountUuid } from '@hcengineering/core'
 import { extractToken } from '@hcengineering/server-client'
+import { Token } from '@hcengineering/server-token'
 import { type Response, type Request, type NextFunction, RequestHandler } from 'express'
 import { ApiError } from './error'
-import { Token } from '@hcengineering/server-token'
-import { systemAccountUuid } from '@hcengineering/core'
 
 export interface KeepAliveOptions {
   timeout: number
@@ -106,3 +106,12 @@ export const withBlob = (req: RequestWithAuth, res: Response, next: NextFunction
 
   next()
 }
+
+export const withReadonly = (req: RequestWithAuth, res: Response, next: NextFunction): void => {
+  if (req.method === 'GET' || req.method === 'HEAD') {
+    next()
+    return
+  }
+
+  next(new ApiError(403, 'Service is in read-only mode'))
+}

services/datalake/pod-datalake/src/server.ts

@@ -28,7 +28,14 @@ import onHeaders from 'on-headers'
 import { cacheControl } from './const'
 import { createDb } from './datalake/db'
 import { ApiError } from './error'
-import { keepAlive, withAdminAuthorization, withAuthorization, withBlob, withWorkspace } from './middleware'
+import {
+  keepAlive,
+  withAdminAuthorization,
+  withAuthorization,
+  withBlob,
+  withWorkspace,
+  withReadonly
+} from './middleware'
 import {
   handleBlobDelete,
   handleBlobDeleteList,
@@ -152,6 +159,10 @@ export async function createServer (
 
   app.use(morgan('short', { stream: new LogStream() }))
 
+  if (config.Readonly) {
+    app.use(withReadonly)
+  }
+
   app.get(
     '/stats/:workspace',
     withAdminAuthorization,