diff --git a/acl/types.proto b/acl/types.proto
index e9ea987..ec15021 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -6,6 +6,7 @@ option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl/grpc;ac
 option csharp_namespace = "Neo.FileStorage.API.Acl";
 import "refs/types.proto";
+import "ape/types.proto";
 // Target role of the access control rule in access control list.
 enum Role {
@@ -194,6 +195,8 @@ message BearerToken {
 // container. If it contains `container_id` field, bearer token is only
 // valid for this specific container. Otherwise, any container of the same
 // owner is allowed.
+ //
+ // Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead.
 EACLTable eacl_table = 1 [ json_name = "eaclTable" ];
 // `OwnerID` defines to whom the token was issued. It must match the request
@@ -218,6 +221,23 @@ message BearerToken {
 // AllowImpersonate flag to consider token signer as request owner.
 // If this field is true extended ACL table in token body isn't processed.
 bool allow_impersonate = 4 [ json_name = "allowImpersonate" ];
+
+ // APEOverride is the list of APE chains defined for a target.
+ // These chains are meant to serve as overrides to the already defined (or even undefined)
+ // APE chains for the target (see contract `Policy`).
+ //
+ // The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
+ // to override chains for the target, preventing unauthorized access through the APE mechanism.
+ message APEOverride {
+ // Target for which chains are applied.
+ frostfs.v2.ape.ChainTarget target = 1 [ json_name = "target" ];
+
+ // The list of APE chains.
+ repeated frostfs.v2.ape.Chain chains = 2 [ json_name = "chains" ];
+ }
+
+ // APE override for the target.
+ APEOverride ape_override = 5 [ json_name = "apeOverride" ];
 }
 // Bearer Token body
 Body body = 1 [ json_name = "body" ];
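Review bot: The deprecation of `eacl_table` lives only in a comment, so Go and C# codegen will not warn callers that still populate the field; carry it as a field option: `EACLTable eacl_table = 1 [ json_name = "eaclTable", deprecated = true ];`. The comment also points callers at `APEOverrides`, but the message added later in this file is `APEOverride` and the field is `ape_override`; name the field exactly, e.g. `// Deprecated: eACL tables are no longer relevant - use ape_override instead.` BearerToken.Body starts and ends outside this hunk.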
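Review bot: The new `ape_override` field does not say what a server does when both `eacl_table` and `ape_override` are set in the same token, nor whether `allow_impersonate` (documented just above as skipping the eACL table) also skips APE override processing, so two server versions could reach different access decisions for the same signed token. `target` is a general `ChainTarget`, so the comment should state which target types and names a bearer may override — presumably only the container the request addresses, confirm against the server implementation — instead of leaving "must verify if a client is permitted" open-ended. Suggested comment above the field: `// Servers must reject a token that sets both eacl_table and ape_override, and must check that target names the container the request addresses.` Since `chains` carry raw serialized rule chains, receivers should also bound their count and size before parsing. BearerToken.Body starts and ends outside this hunk.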
diff --git a/apemanager/types.proto b/ape/types.proto
similarity index 89%
rename from apemanager/types.proto
rename to ape/types.proto
index c064627..3a97e60 100644
--- a/apemanager/types.proto
+++ b/ape/types.proto
@@ -1,8 +1,8 @@
 syntax = "proto3";
-package frostfs.v2.apemanager;
+package frostfs.v2.ape;
-option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
+option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/ape/grpc;ape";
 // TargetType is a type target to which a rule chain is defined.
 enum TargetType {
diff --git a/apemanager/service.proto b/apemanager/service.proto
index 6b9da60..7ff23a7 100644
--- a/apemanager/service.proto
+++ b/apemanager/service.proto
@@ -2,7 +2,7 @@ syntax = "proto3";
 package frostfs.v2.apemanager;
-import "apemanager/types.proto";
+import "ape/types.proto";
 import "session/types.proto";
 option go_package = "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/apemanager/grpc;apemanager";
@@ -52,10 +52,10 @@ service APEManagerService {
 message AddChainRequest {
 message Body {
 // A target for which a rule chain is added.
- ChainTarget target = 1;
+ frostfs.v2.ape.ChainTarget target = 1;
 // The chain to set for the target.
- Chain chain = 2;
+ frostfs.v2.ape.Chain chain = 2;
 }
 // The request's body.
@@ -95,7 +95,7 @@ message AddChainResponse {
 message RemoveChainRequest {
 message Body {
 // Target for which a rule chain is removed.
- ChainTarget target = 1;
+ frostfs.v2.ape.ChainTarget target = 1;
 // Chain ID assigned for the rule chain.
 bytes chain_id = 2;
@@ -135,7 +135,7 @@ message RemoveChainResponse {
 message ListChainsRequest {
 message Body {
 // Target for which rule chains are listed.
- ChainTarget target = 1;
+ frostfs.v2.ape.ChainTarget target = 1;
 }
 // The request's body.
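Review bot: Changing `package` from `frostfs.v2.apemanager` to `frostfs.v2.ape` renames the fully-qualified names of `Chain`, `ChainTarget` and `TargetType`, which is source-breaking for any consumer built against the old Go package path and changes the type URL that `Any` wrappers or reflection-based tooling would carry; field encoding itself is unaffected because the numbers are unchanged. If these types were already published, this deserves an explicit compatibility note in the changelog. While this file is being touched, the `Chain.raw` comment rendered in proto-docs/ape.md reads `serizalized`; that comment lies outside this hunk.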
@@ -154,7 +154,7 @@ message ListChainsRequest {
 message ListChainsResponse {
 message Body {
 // The list of chains defined for the reqeusted target.
- repeated Chain chains = 1;
+ repeated frostfs.v2.ape.Chain chains = 1;
 }
 // The response's body.
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
index 91fd36b..19c1a8d 100644
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
@@ -8,6 +8,7 @@
 - Messages
 - [BearerToken](#neo.fs.v2.acl.BearerToken)
 - [BearerToken.Body](#neo.fs.v2.acl.BearerToken.Body)
+ - [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride)
 - [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime)
 - [EACLRecord](#neo.fs.v2.acl.EACLRecord)
 - [EACLRecord.Filter](#neo.fs.v2.acl.EACLRecord.Filter)
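Review bot: The comment directly above the changed line still reads `reqeusted`; since this hunk already rewrites the field beneath it, fix it to `// The list of chains defined for the requested target.` so the generated proto-docs/apemanager.md stops carrying the typo. ListChainsResponse continues outside this hunk.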
@@ -57,10 +58,30 @@ container owner with additional information preventing token abuse. | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | -| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. | +| eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. + +Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead. | | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. | | lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) | | Token expiration and valid time period parameters | | allow_impersonate | [bool](#bool) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. | +| ape_override | [BearerToken.Body.APEOverride](#neo.fs.v2.acl.BearerToken.Body.APEOverride) | | APE override for the target. | + + + + +### Message BearerToken.Body.APEOverride +APEOverride is the list of APE chains defined for a target. +These chains are meant to serve as overrides to the already defined (or even undefined) +APE chains for the target (see contract `Policy`). + +The server-side processing of the bearer token with set APE overrides must verify if a client is permitted +to override chains for the target, preventing unauthorized access through the APE mechanism. 
+ + +| Field | Type | Label | Description | +| ----- | ---- | ----- | ----------- | +| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which chains are applied. | +| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of APE chains. | diff --git a/proto-docs/ape.md b/proto-docs/ape.md new file mode 100644 index 0000000..b101c83 --- /dev/null +++ b/proto-docs/ape.md @@ -0,0 +1,88 @@ +# Protocol Documentation + + +## Table of Contents + +- [ape/types.proto](#ape/types.proto) + + - Messages + - [Chain](#frostfs.v2.ape.Chain) + - [ChainTarget](#frostfs.v2.ape.ChainTarget) + + +- [Scalar Value Types](#scalar-value-types) + + + + +
+ +## ape/types.proto + + + + + + + +### Message Chain +Chain is a chain of rules defined for a specific target. + + +| Field | Type | Label | Description | +| ----- | ---- | ----- | ----------- | +| raw | [bytes](#bytes) | | Raw representation of a serizalized rule chain. | + + + + +### Message ChainTarget +ChainTarget is an object to which a rule chain is defined. + + +| Field | Type | Label | Description | +| ----- | ---- | ----- | ----------- | +| type | [TargetType](#frostfs.v2.ape.TargetType) | | | +| name | [string](#string) | | | + + + + + + +### TargetType +TargetType is a type target to which a rule chain is defined. + +| Name | Number | Description | +| ---- | ------ | ----------- | +| UNDEFINED | 0 | | +| NAMESPACE | 1 | | +| CONTAINER | 2 | | +| USER | 3 | | +| GROUP | 4 | | + + + + + + +## Scalar Value Types + +| .proto Type | Notes | C++ Type | Java Type | Python Type | +| ----------- | ----- | -------- | --------- | ----------- | +| double | | double | double | float | +| float | | float | float | float | +| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint32 instead. | int32 | int | int | +| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers - if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | +| uint32 | Uses variable-length encoding. | uint32 | int | int/long | +| uint64 | Uses variable-length encoding. | uint64 | long | int/long | +| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | +| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | +| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. 
| uint32 | int | int | +| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | +| sfixed32 | Always four bytes. | int32 | int | int | +| sfixed64 | Always eight bytes. | int64 | long | int/long | +| bool | | bool | boolean | boolean | +| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | +| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | + diff --git a/proto-docs/apemanager.md b/proto-docs/apemanager.md index 303f7f1..5d0e2e6 100644 --- a/proto-docs/apemanager.md +++ b/proto-docs/apemanager.md @@ -22,13 +22,6 @@ - [RemoveChainResponse.Body](#frostfs.v2.apemanager.RemoveChainResponse.Body) -- [apemanager/types.proto](#apemanager/types.proto) - - - Messages - - [Chain](#frostfs.v2.apemanager.Chain) - - [ChainTarget](#frostfs.v2.apemanager.ChainTarget) - - - [Scalar Value Types](#scalar-value-types) @@ -128,8 +121,8 @@ Statuses: | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | -| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | A target for which a rule chain is added. | -| chain | [Chain](#frostfs.v2.apemanager.Chain) | | The chain to set for the target. | +| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | A target for which a rule chain is added. | +| chain | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | | The chain to set for the target. | @@ -177,7 +170,7 @@ Statuses: | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | -| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | Target for which rule chains are listed. | +| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which rule chains are listed. | 
@@ -201,7 +194,7 @@ Statuses: | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | -| chains | [Chain](#frostfs.v2.apemanager.Chain) | repeated | The list of chains defined for the reqeusted target. | +| chains | [frostfs.v2.ape.Chain](#frostfs.v2.ape.Chain) | repeated | The list of chains defined for the reqeusted target. | @@ -225,7 +218,7 @@ Statuses: | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | -| target | [ChainTarget](#frostfs.v2.apemanager.ChainTarget) | | Target for which a rule chain is removed. | +| target | [frostfs.v2.ape.ChainTarget](#frostfs.v2.ape.ChainTarget) | | Target for which a rule chain is removed. | | chain_id | [bytes](#bytes) | | Chain ID assigned for the rule chain. | @@ -255,58 +248,6 @@ operation could not be performed is an error returning to a client. - - - -## apemanager/types.proto - - - - - - - -### Message Chain -Chain is a chain of rules defined for a specific target. - - -| Field | Type | Label | Description | -| ----- | ---- | ----- | ----------- | -| raw | [bytes](#bytes) | | Raw representation of a serizalized rule chain. | - - - - -### Message ChainTarget -ChainTarget is an object to which a rule chain is defined. - - -| Field | Type | Label | Description | -| ----- | ---- | ----- | ----------- | -| type | [TargetType](#frostfs.v2.apemanager.TargetType) | | | -| name | [string](#string) | | | - - - - - - -### TargetType -TargetType is a type target to which a rule chain is defined. - -| Name | Number | Description | -| ---- | ------ | ----------- | -| UNDEFINED | 0 | | -| NAMESPACE | 1 | | -| CONTAINER | 2 | | -| USER | 3 | | -| GROUP | 4 | | - - - - - - ## Scalar Value Types | .proto Type | Notes | C++ Type | Java Type | Python Type |