From bcc6f68eda3cfda7e2e512eaef898127114f4ce4 Mon Sep 17 00:00:00 2001
From: Stanislav Bogatyrev
Date: Tue, 20 Oct 2020 22:44:00 +0300
Subject: [PATCH] [#75] Add clarification for BearerToken.body.owner_id

Signed-off-by: Stanislav Bogatyrev
---
 acl/types.proto | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/acl/types.proto b/acl/types.proto
index ba81439..6af62db 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -149,6 +149,9 @@ message EACLTable {
 // like [JWT](https://jwt.io), it has a limited lifetime and scope, hence can be
 // used in the similar use cases, like providing authorisation to externally
 // authenticated party.
+//
+// BearerToken can be issued only by container's owner and must be signed using
+// the key associated with container's `OwnerID`.
 message BearerToken {
 // Bearer Token body structure contains Extended ACL table issued by container
 // owner with additional information preventing token's abuse.
@@ -157,8 +160,8 @@ message BearerToken {
 // container
 EACLTable eacl_table = 1 [json_name="eaclTable"];

- // `OwnerID` to whom the token was issued. MUST match with the request
- // originator's `OwnerID`
+ // `OwnerID` to whom the token was issued. Must match the request
+ // originator's `OwnerID`. If empty, any token bearer will be accepted.
 neo.fs.v2.refs.OwnerID owner_id = 2 [json_name="ownerID"];

 // Lifetime parameters of the token. Filed names taken from
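Review bot: The new `owner_id` comment in the second hunk leaves "empty" undefined and does not state what an unbound token means for whoever holds it. `owner_id` appears to be a message-typed field, so "empty" could mean the field is absent or that an `OwnerID` is present but carries no value; the comment should name one, because verifiers that read it differently will accept different tokens. I would also keep the normative `MUST` and spell out the consequence, for example `// If set, MUST match the request originator's OwnerID. If not set, the token is not bound to a user and` `// any bearer is accepted; issue such tokens only with a narrow eacl_table and a short lifetime.` The enclosing `Body` message starts and ends outside this hunk.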