From 32065d027c2c6604c9c909b25de20b3411678586 Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Wed, 24 Dec 2025 13:15:23 +0300 Subject: [PATCH] container: Allow to set eACL on container creation So that clients that create a container with extended access rules can do so in a single request. Closes #359. Signed-off-by: Leonard Lyubich Signed-off-by: Pavel Karpy
---
 container/service.proto | 17 +++++++++++++++++
 proto-docs/container.md | 10 ++++++++++
 2 files changed, 27 insertions(+)
diff --git a/container/service.proto b/container/service.proto
index 3909167..f8ad373 100644
--- a/container/service.proto
+++ b/container/service.proto
@@ -70,6 +70,8 @@ service ContainerService {
 // the transport protocol (e.g. `grpc-timeout` header). If the deadline is
 // not set, server waits 15s after submitting the transaction.
 //
+ // Starting from 2.23 version, initial eACL is supported in Put request.
+ //
 // Statuses:
 // - **OK** (0, SECTION_SUCCESS): \
 // container eACL successfully set;
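Review bot: The added version note does not say what a client gets from a server older than 2.23, which matters for the new `eacl` and `eacl_signature` fields of `PutRequest.Body`. If such a server ignores the unknown fields (the usual proto3 behaviour), the container would be registered without the requested access rules while the call still succeeds. I would extend the comment with the expected client behaviour, for example `// Clients must not rely on the initial eACL unless the server reports version 2.23 or later.` The note also sits in the description of the RPC whose OK status reads "container eACL successfully set"; that comment starts outside the hunk, so confirm this is where the note is meant to be.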
@@ -136,12 +138,27 @@ message PutRequest { // creation by `Container` smart contract. `ContainerID` is a SHA256 hash of // the stable-marshalled container strucutre, hence there is no need for // additional signature checks. + // + // Optional `eacl` field allows to set extended access rules for the + // container. It must be either set or unset along with `eacl_signature`. + // If session token is used for container creation with a non-empty initial + // eACL, it must be V2 versioned and it must be authorized for both + // CONTAINER_PUT and CONTAINER_SETEACL operations. message Body { // Container structure to register in NeoFS container.Container container = 1; // Signature of a stable-marshalled container according to RFC-6979. neo.fs.v2.refs.SignatureRFC6979 signature = 2; + + // Extended ACL for the container. + neo.fs.v2.acl.EACLTable eacl = 3; + + // N3 witness of stable-marshalled `eacl` field. The witness must + // authenticate either container owner or one of subjects in + // the `eacl_session_token` field if any. Signature according to + // `ECDSA_RFC6979_SHA256` scheme is also supported. + neo.fs.v2.refs.SignatureRFC6979 eacl_signature = 4; } // Body of container put request message. Body body = 1; diff --git a/proto-docs/container.md b/proto-docs/container.md index 1a1b3cc..e68606b 100644 --- a/proto-docs/container.md +++ b/proto-docs/container.md @@ -159,6 +159,8 @@ and waits for the transaction to be executed. Deadline is determined by the transport protocol (e.g. `grpc-timeout` header). If the deadline is not set, server waits 15s after submitting the transaction. +Starting from 2.23 version, initial eACL is supported in Put request. + Statuses: - **OK** (0, SECTION_SUCCESS): \ container eACL successfully set; 
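Review bot: The comment on `eacl_signature` names an `eacl_session_token` field, but the `Body` in this hunk defines only `container`, `signature`, `eacl` and `eacl_signature`, so the rule for who may sign the eACL points at a field the reader cannot find. Because this sentence defines who is authorized to set access rules, it should name the real carrier of the token, for example `// authenticate either the container owner or one of the subjects of the session token attached to this request, if any.` (adjust to wherever the token actually lives). The comment should also say whether the container ID inside `eacl` must be set and must equal the ID derived from `container`, since the signature covers only the marshalled `eacl` and nothing visible here ties the table to this container. `PutRequest` continues outside the hunk.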
@@ -524,11 +526,19 @@ creation by `Container` smart contract. `ContainerID` is a SHA256 hash of the stable-marshalled container strucutre, hence there is no need for additional signature checks. +Optional `eacl` field allows to set extended access rules for the +container. It must be either set or unset along with `eacl_signature`. +If session token is used for container creation with a non-empty initial +eACL, it must be V2 versioned and it must be authorized for both +CONTAINER_PUT and CONTAINER_SETEACL operations. + | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | | container | [Container](#neo.fs.v2.container.Container) | | Container structure to register in NeoFS | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of a stable-marshalled container according to RFC-6979. | +| eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL for the container. | +| eacl_signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | N3 witness of stable-marshalled `eacl` field. The witness must authenticate either container owner or one of subjects in the `eacl_session_token` field if any. Signature according to `ECDSA_RFC6979_SHA256` scheme is also supported. |