nspcc-dev · cthulhu-rider · Dec 24, 2025
@@ -70,6 +70,8 @@ service ContainerService {
   // the transport protocol (e.g. `grpc-timeout` header). If the deadline is
   // not set, server waits 15s after submitting the transaction.
   //
+  // Starting from 2.23 version, initial eACL is supported in Put request.
+  //
   // Statuses:
   // - **OK** (0, SECTION_SUCCESS): \
   //   container eACL successfully set;
@@ -136,12 +138,27 @@ message PutRequest {
   // creation by `Container` smart contract. `ContainerID` is a SHA256 hash of
   // the stable-marshalled container strucutre, hence there is no need for
   // additional signature checks.
+  //
+  // Optional `eacl` field allows to set extended access rules for the
+  // container. It must be either set or unset along with `eacl_signature`.
+  // If session token is used for container creation with a non-empty initial
+  // eACL, it must be V2 versioned and it must be authorized for both
+  // CONTAINER_PUT and CONTAINER_SETEACL operations.
   message Body {
     // Container structure to register in NeoFS
     container.Container container = 1;
 
     // Signature of a stable-marshalled container according to RFC-6979.
     neo.fs.v2.refs.SignatureRFC6979 signature = 2;
+
+    // Extended ACL for the container.
+    neo.fs.v2.acl.EACLTable eacl = 3;
+
+    // N3 witness of stable-marshalled `eacl` field. The witness must
+    // authenticate either container owner or one of subjects in
+    // the `eacl_session_token` field if any. Signature according to
+    // `ECDSA_RFC6979_SHA256` scheme is also supported.
+    neo.fs.v2.refs.SignatureRFC6979 eacl_signature = 4;
   }
   // Body of container put request message.
   Body body = 1;

@@ -159,6 +159,8 @@ and waits for the transaction to be executed. Deadline is determined by
 the transport protocol (e.g. `grpc-timeout` header). If the deadline is
 not set, server waits 15s after submitting the transaction.
 
+Starting from 2.23 version, initial eACL is supported in Put request.
+
 Statuses:
 - **OK** (0, SECTION_SUCCESS): \
   container eACL successfully set;
@@ -524,11 +526,19 @@ creation by `Container` smart contract. `ContainerID` is a SHA256 hash of
 the stable-marshalled container strucutre, hence there is no need for
 additional signature checks.
 
+Optional `eacl` field allows to set extended access rules for the
+container. It must be either set or unset along with `eacl_signature`.
+If session token is used for container creation with a non-empty initial
+eACL, it must be V2 versioned and it must be authorized for both
+CONTAINER_PUT and CONTAINER_SETEACL operations.
+
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | container | [Container](#neo.fs.v2.container.Container) |  | Container structure to register in NeoFS |
 | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) |  | Signature of a stable-marshalled container according to RFC-6979. |
+| eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) |  | Extended ACL for the container. |
+| eacl_signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) |  | N3 witness of stable-marshalled `eacl` field. The witness must authenticate either container owner or one of subjects in the `eacl_session_token` field if any. Signature according to `ECDSA_RFC6979_SHA256` scheme is also supported. |
 
 
 <a name="neo.fs.v2.container.PutResponse"></a>