Skip to content

Container+EACL#369

Open
cthulhu-rider wants to merge 1 commit intomasterfrom
container+eacl
Open

Container+EACL#369
cthulhu-rider wants to merge 1 commit intomasterfrom
container+eacl

Conversation

@cthulhu-rider
Copy link
Copy Markdown
Contributor

@cthulhu-rider cthulhu-rider commented Dec 24, 2025

No description provided.

@carpawell
Copy link
Copy Markdown
Member

carpawell commented Mar 25, 2026

Can we open it?

@cthulhu-rider
Copy link
Copy Markdown
Contributor Author

cthulhu-rider commented Mar 26, 2026

Can we open it?

sure! Could u pls assist me?

@carpawell
Copy link
Copy Markdown
Member

carpawell commented Mar 26, 2026
edited
Loading

@roman-khimov, @cthulhu-rider, i suggest:

  1. drop session token V1 support, this PR is an extension, i think it is ok to use only v2 token
  2. merge fields into a single optional message

As a more radical approach to 1.: do not use an additional token in this API at all: it is only needed for IRs to understand that it is allowed for signer to make this operation, i think it is ok to treat CONTAINER_PUT as a one-time initial CONTAINER_SETEACL

@roman-khimov
Copy link
Copy Markdown
Member

roman-khimov commented Mar 26, 2026

  1. For this feature yes, sv1 can be omitted. Any clients using it are API 2.23+ and they all can use sv2. Real clients are almost all converted as well, it's just a matter of a little time.
  2. We can require sv2 used in this case to have both PUT and SETEACL verbs, that'd be logically correct and practically acceptable, so additional token field can be avoided completely.

@cthulhu-rider @carpawell
container: Allow to set eACL on container creation
32065d0 
So that clients that create a container with extended access rules can
do so in a single request.

Closes #359.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
carpawell added a commit to nspcc-dev/neofs-sdk-go that referenced this pull request Mar 27, 2026
@carpawell
client/container: support initial eACL for container
9a614ed 
Refs nspcc-dev/neofs-api#369.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
@carpawell carpawell mentioned this pull request Mar 27, 2026
Draft
@carpawell
Copy link
Copy Markdown
Member

carpawell commented Mar 27, 2026

I have a PoC with the updated version, but i'm still not sure whether we need to complicate session things and have an additional signature field. They are used to ensure that setting eACL is an authorized operation, but if a user is already able to create a container, why not just allow him to change eACL in the same operation? I would treat eACL as a container attribute/field, this would simplify API and server validation. I cannot imagine cases when we have some policies that must allow container creation, but not changing its eACL, even with N3 signatures and complex validation logic.

@carpawell carpawell marked this pull request as ready for review March 27, 2026 20:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carpawell carpawell Awaiting requested review from carpawell carpawell is a code owner

@roman-khimov roman-khimov Awaiting requested review from roman-khimov roman-khimov is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@carpawell carpawell

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cthulhu-rider @carpawell @roman-khimov