diff --git a/Makefile b/Makefile
index 84583ff..9b02a6e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-PROTO_VERSION=v0.5.0
+PROTO_VERSION=v0.6.0
PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz
B=\033[0;1m
diff --git a/acl/types.pb.go b/acl/types.pb.go
new file mode 100644
index 0000000..bcbd199
Binary files /dev/null and b/acl/types.pb.go differ
diff --git a/acl/types.proto b/acl/types.proto
new file mode 100644
index 0000000..f20423f
--- /dev/null
+++ b/acl/types.proto
@@ -0,0 +1,27 @@
+syntax = "proto3";
+package acl;
+option go_package = "github.com/nspcc-dev/neofs-api-go/acl";
+option csharp_namespace = "NeoFS.API.Acl";
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+option (gogoproto.stable_marshaler_all) = true;
+
+// Target of the access control rule in access control list.
+enum Target {
+ // Unknown target, default value.
+ Unknown = 0;
+
+ // User target rule is applied if sender is the owner of the container.
+ User = 1;
+
+ // System target rule is applied if sender is the storage node within the
+ // container or inner ring node.
+ System = 2;
+
+ // Others target rule is applied if sender is not user or system target.
+ Others = 3;
+
+ // PubKey target rule is applied if sender has public key provided in
+ // extended ACL.
+ PubKey = 4;
+}
diff --git a/container/service.go b/container/service.go
index 8eb9ba6..2f36dc1 100644
--- a/container/service.go
+++ b/container/service.go
@@ -31,9 +31,11 @@ func (m *PutRequest) PrepareData() ([]byte, error) {
err error
buf = new(bytes.Buffer)
capBytes = make([]byte, 8)
+ aclBytes = make([]byte, 4)
)
binary.BigEndian.PutUint64(capBytes, m.Capacity)
+ binary.BigEndian.PutUint32(capBytes, m.BasicACL)
if _, err = buf.Write(m.MessageID.Bytes()); err != nil {
return nil, errors.Wrap(err, "could not write message id")
@@ -45,6 +47,8 @@ func (m *PutRequest) PrepareData() ([]byte, error) {
return nil, errors.Wrap(err, "could not marshal placement")
} else if _, err = buf.Write(data); err != nil {
return nil, errors.Wrap(err, "could not write placement")
+ } else if _, err = buf.Write(aclBytes); err != nil {
+ return nil, errors.Wrap(err, "could not write basic acl")
}
return buf.Bytes(), nil
diff --git a/container/service.pb.go b/container/service.pb.go
index 8698925..6131254 100644
Binary files a/container/service.pb.go and b/container/service.pb.go differ
diff --git a/container/service.proto b/container/service.proto
index bccf924..7df2c66 100644
--- a/container/service.proto
+++ b/container/service.proto
@@ -42,8 +42,8 @@ message PutRequest {
// Rules define storage policy for the object inside the container.
netmap.PlacementRule rules = 4 [(gogoproto.nullable) = false];
- // Container ACL.
- AccessGroup Group = 5 [(gogoproto.nullable) = false];
+ // BasicACL of the container.
+ uint32 BasicACL = 5;
// RequestMetaHeader contains information about request meta headers (should be embedded into message)
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
diff --git a/container/types.go b/container/types.go
index 21fc0d1..e358e6d 100644
--- a/container/types.go
+++ b/container/types.go
@@ -11,19 +11,6 @@ import (
"github.com/pkg/errors"
)
-// AccessMode is a container access mode type.
-type AccessMode uint32
-
-const (
- // AccessModeRead is a read access mode.
- AccessModeRead AccessMode = 1 << iota
- // AccessModeWrite is a write access mode.
- AccessModeWrite
-)
-
-// AccessModeReadWrite is a read/write container access mode.
-const AccessModeReadWrite = AccessModeRead | AccessModeWrite
-
var (
_ internal.Custom = (*Container)(nil)
@@ -31,8 +18,8 @@ var (
emptyOwner = (OwnerID{}).Bytes()
)
-// New creates new user container based on capacity, OwnerID and PlacementRules.
-func New(cap uint64, owner OwnerID, rules netmap.PlacementRule) (*Container, error) {
+// New creates new user container based on capacity, OwnerID, ACL and PlacementRules.
+func New(cap uint64, owner OwnerID, acl uint32, rules netmap.PlacementRule) (*Container, error) {
if bytes.Equal(owner[:], emptyOwner) {
return nil, refs.ErrEmptyOwner
} else if cap == 0 {
@@ -49,6 +36,7 @@ func New(cap uint64, owner OwnerID, rules netmap.PlacementRule) (*Container, err
Salt: UUID(salt),
Capacity: cap,
Rules: rules,
+ BasicACL: acl,
}, nil
}
@@ -90,7 +78,7 @@ func NewTestContainer() (*Container, error) {
if err != nil {
return nil, err
}
- return New(100, owner, netmap.PlacementRule{
+ return New(100, owner, 0xFFFFFFFF, netmap.PlacementRule{
ReplFactor: 2,
SFGroups: []netmap.SFGroup{
{
diff --git a/container/types.pb.go b/container/types.pb.go
index bfb7fa7..391656c 100644
Binary files a/container/types.pb.go and b/container/types.pb.go differ
diff --git a/container/types.proto b/container/types.proto
index a0d035d..dc79bd3 100644
--- a/container/types.proto
+++ b/container/types.proto
@@ -18,18 +18,7 @@ message Container {
uint64 Capacity = 3;
// Rules define storage policy for the object inside the container.
netmap.PlacementRule Rules = 4 [(gogoproto.nullable) = false];
- // Container ACL.
- AccessControlList List = 5 [(gogoproto.nullable) = false];
-}
-
-message AccessGroup {
- // Group access mode.
- uint32 AccessMode = 1;
- // Group members.
- repeated bytes UserGroup = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
-}
-
-message AccessControlList {
- // List of access groups.
- repeated AccessGroup List = 1 [(gogoproto.nullable) = false];
+ // BasicACL with access control rules for owner, system, others and
+ // permission bits for bearer token and extended ACL.
+ uint32 BasicACL = 5;
}
diff --git a/container/types_test.go b/container/types_test.go
index 1ccc00b..fddccb3 100644
--- a/container/types_test.go
+++ b/container/types_test.go
@@ -36,7 +36,7 @@ func TestCID(t *testing.T) {
owner, err := refs.NewOwnerID(&key.PublicKey)
require.NoError(t, err)
- c1, err := New(10, owner, rules)
+ c1, err := New(10, owner, 0xDEADBEEF, rules)
require.NoError(t, err)
data, err := proto.Marshal(c1)
@@ -55,23 +55,3 @@ func TestCID(t *testing.T) {
require.Equal(t, cid1, cid2)
})
}
-
-func TestAccessMode(t *testing.T) {
- t.Run("read access to read/write mode", func(t *testing.T) {
- require.Equal(t, AccessModeRead, AccessModeReadWrite&AccessModeRead)
- })
-
- t.Run("write access to read/write mode", func(t *testing.T) {
- require.Equal(t, AccessModeWrite, AccessModeReadWrite&AccessModeWrite)
- })
-
- t.Run("read(write) access to write(read) mode", func(t *testing.T) {
- require.Zero(t, AccessModeRead&AccessModeWrite)
- })
-
- t.Run("access to same mode", func(t *testing.T) {
- require.Equal(t, AccessModeWrite, AccessModeWrite&AccessModeWrite)
- require.Equal(t, AccessModeRead, AccessModeRead&AccessModeRead)
- require.Equal(t, AccessModeReadWrite, AccessModeReadWrite&AccessModeReadWrite)
- })
-}
diff --git a/docs/acl.md b/docs/acl.md
new file mode 100644
index 0000000..38f328b
--- /dev/null
+++ b/docs/acl.md
@@ -0,0 +1,62 @@
+# Protocol Documentation
+
+
+## Table of Contents
+
+- [acl/types.proto](#acl/types.proto)
+
+
+
+- [Scalar Value Types](#scalar-value-types)
+
+
+
+
+Top
+
+## acl/types.proto
+
+
+
+
+
+
+
+
+
+### Target
+Target of the access control rule in access control list.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| Unknown | 0 | Unknown target, default value. |
+| User | 1 | User target rule is applied if sender is the owner of the container. |
+| System | 2 | System target rule is applied if sender is the storage node within the container or inner ring node. |
+| Others | 3 | Others target rule is applied if sender is not user or system target. |
+| PubKey | 4 | PubKey target rule is applied if sender has public key provided in extended ACL. |
+
+
+
+
+
+
+## Scalar Value Types
+
+| .proto Type | Notes | C++ Type | Java Type | Python Type |
+| ----------- | ----- | -------- | --------- | ----------- |
+| double | | double | double | float |
+| float | | float | float | float |
+| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
+| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
+| uint32 | Uses variable-length encoding. | uint32 | int | int/long |
+| uint64 | Uses variable-length encoding. | uint64 | long | int/long |
+| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
+| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
+| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
+| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
+| sfixed32 | Always four bytes. | int32 | int | int |
+| sfixed64 | Always eight bytes. | int64 | long | int/long |
+| bool | | bool | boolean | boolean |
+| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
+| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |
+
diff --git a/docs/container.md b/docs/container.md
index 6693980..f0188ca 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -21,8 +21,6 @@
- [container/types.proto](#container/types.proto)
- Messages
- - [AccessControlList](#container.AccessControlList)
- - [AccessGroup](#container.AccessGroup)
- [Container](#container.Container)
@@ -166,7 +164,7 @@ via consensus in inner ring nodes
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
| OwnerID | [bytes](#bytes) | | OwnerID is a wallet address |
| rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
-| Group | [AccessGroup](#container.AccessGroup) | | Container ACL. |
+| BasicACL | [uint32](#uint32) | | BasicACL of the container. |
| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) | | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) | | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
@@ -196,29 +194,6 @@ via consensus in inner ring nodes
-
-
-### Message AccessControlList
-
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| List | [AccessGroup](#container.AccessGroup) | repeated | List of access groups. |
-
-
-
-
-### Message AccessGroup
-
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| AccessMode | [uint32](#uint32) | | Group access mode. |
-| UserGroup | [bytes](#bytes) | repeated | Group members. |
-
-
### Message Container
@@ -231,7 +206,7 @@ The Container service definition.
| Salt | [bytes](#bytes) | | Salt is a nonce for unique container id calculation. |
| Capacity | [uint64](#uint64) | | Capacity defines amount of data that can be stored in the container (doesn't used for now). |
| Rules | [netmap.PlacementRule](#netmap.PlacementRule) | | Rules define storage policy for the object inside the container. |
-| List | [AccessControlList](#container.AccessControlList) | | Container ACL. |
+| BasicACL | [uint32](#uint32) | | BasicACL with access control rules for owner, system, others and permission bits for bearer token and extended ACL. |