2024-09-04 19:51:07 +00:00
16 changed files with 1203 additions and 577 deletions
--- a/cmd/frostfs-adm/internal/commonflags/flags.go
+++ b/cmd/frostfs-adm/internal/commonflags/flags.go
@ -36,4 +36,5 @@ const (
 	HomomorphicHashDisabledInitFlag = "network.homomorphic_hash_disabled"
 	CustomZoneFlag                  = "domain"
 	AlphabetSizeFlag                = "size"
+	AllFlag                         = "all"
 )
--- a/cmd/frostfs-adm/internal/modules/morph/ape/ape.go
+++ b/cmd/frostfs-adm/internal/modules/morph/ape/ape.go
@ -114,8 +114,9 @@ func initRemoveRuleChainCmd() {
 	removeRuleChainCmd.Flags().String(targetNameFlag, "", targetNameDesc)
 	_ = removeRuleChainCmd.MarkFlagRequired(targetNameFlag)
 	removeRuleChainCmd.Flags().String(chainIDFlag, "", chainIDDesc)
-	_ = removeRuleChainCmd.MarkFlagRequired(chainIDFlag)
 	removeRuleChainCmd.Flags().String(chainNameFlag, ingress, chainNameFlagDesc)
+	removeRuleChainCmd.Flags().Bool(commonflags.AllFlag, false, "Remove all chains for target")
+	removeRuleChainCmd.MarkFlagsMutuallyExclusive(commonflags.AllFlag, chainIDFlag)
 }

 func initListRuleChainsCmd() {
@ -157,14 +158,23 @@ func addRuleChain(cmd *cobra.Command, _ []string) {
 }

 func removeRuleChain(cmd *cobra.Command, _ []string) {
-	chainID := parseChainID(cmd)
 	target := parseTarget(cmd)
 	pci, ac := newPolicyContractInterface(cmd)
-	h, vub, err := pci.RemoveMorphRuleChain(parseChainName(cmd), target, chainID)
-	cmd.Println("Waiting for transaction to persist...")
-	_, err = ac.Wait(h, vub, err)
-	commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
-	cmd.Println("Rule chain removed successfully")
+	removeAll, _ := cmd.Flags().GetBool(commonflags.AllFlag)
+	if removeAll {
+		h, vub, err := pci.RemoveMorphRuleChainsByTarget(parseChainName(cmd), target)
+		cmd.Println("Waiting for transaction to persist...")
+		_, err = ac.Wait(h, vub, err)
+		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+		cmd.Println("All chains for target removed successfully")
+	} else {
+		chainID := parseChainID(cmd)
+		h, vub, err := pci.RemoveMorphRuleChain(parseChainName(cmd), target, chainID)
+		cmd.Println("Waiting for transaction to persist...")
+		_, err = ac.Wait(h, vub, err)
+		commonCmd.ExitOnErr(cmd, "remove rule chain error: %w", err)
+		cmd.Println("Rule chain removed successfully")
+	}
 }

 func listRuleChains(cmd *cobra.Command, _ []string) {
--- a/cmd/frostfs-cli/modules/control/remove_rule.go
+++ b/cmd/frostfs-cli/modules/control/remove_rule.go
@ -2,6 +2,7 @@ package control

 import (
 	"encoding/hex"
+	"errors"

 	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/rpc/client"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-cli/internal/key"
@ -13,21 +14,48 @@ import (
 const (
 	chainIDFlag    = "chain-id"
 	chainIDHexFlag = "chain-id-hex"
+	allFlag        = "all"
 )

-var removeRuleCmd = &cobra.Command{
-	Use:   "remove-rule",
-	Short: "Remove local override",
-	Long:  "Remove local APE override of the node",
-	Run:   removeRule,
-}
+var (
+	errEmptyChainID = errors.New("chain id cannot be empty")
+
+	removeRuleCmd = &cobra.Command{
+		Use:   "remove-rule",
+		Short: "Remove local override",
+		Long:  "Remove local APE override of the node",
+		Run:   removeRule,
+	}
+)

 func removeRule(cmd *cobra.Command, _ []string) {
 	pk := key.Get(cmd)
+	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
+	removeAll, _ := cmd.Flags().GetBool(allFlag)
+	if removeAll {
+		req := &control.RemoveChainLocalOverridesByTargetRequest{
+			Body: &control.RemoveChainLocalOverridesByTargetRequest_Body{
+				Target: parseTarget(cmd),
+			},
+		}
+		signRequest(cmd, pk, req)
+		cli := getClient(cmd, pk)
+		var resp *control.RemoveChainLocalOverridesByTargetResponse
+		var err error
+		err = cli.ExecRaw(func(client *client.Client) error {
+			resp, err = control.RemoveChainLocalOverridesByTarget(client, req)
+			return err
+		})
+		commonCmd.ExitOnErr(cmd, "rpc error: %w", err)
+		verifyResponse(cmd, resp.GetSignature(), resp.GetBody())
+		cmd.Println("All rules have been removed.")
+		return
+	}

 	chainID, _ := cmd.Flags().GetString(chainIDFlag)
-	hexEncoded, _ := cmd.Flags().GetBool(chainIDHexFlag)
-
+	if chainID == "" {
+		commonCmd.ExitOnErr(cmd, "read chain id error: %w", errEmptyChainID)
+	}
 	chainIDRaw := []byte(chainID)

 	if hexEncoded {
@ -69,4 +97,6 @@ func initControlRemoveRuleCmd() {
 	_ = removeRuleCmd.MarkFlagRequired(targetTypeFlag)
 	ff.String(chainIDFlag, "", "Chain id")
 	ff.Bool(chainIDHexFlag, false, "Flag to parse chain ID as hex")
+	ff.Bool(allFlag, false, "Remove all chains")
+	removeRuleCmd.MarkFlagsMutuallyExclusive(allFlag, chainIDFlag)
 }
--- a/dev/empty_pass.yml
+++ b/dev/empty_pass.yml
@ -1 +1 @@
-password: ""
+password: ""
--- a/docs/evacuation.md
+++ b/docs/evacuation.md
@ -96,9 +96,9 @@ Shard IDs: 54Y8aot9uc7BSadw2XtYr3. Evacuated 618 objects out of 618, failed to e
 ### Start trees evacuation and await it completes
 ```bash
 frostfs-cli control shards evacuation start --id FxR6QujButNCHn7jjdhxGP --endpoint s01.frostfs.devenv:8081 --wallet ./../frostfs-dev-env/services/storage/wallet01.json --await --scope trees
-Enter password > 
+Enter password >
 Shard evacuation has been successfully started.
 Progress will be reported every 5 seconds.
 Shard evacuation has been completed.
 Shard IDs: FxR6QujButNCHn7jjdhxGP. Evacuated 0 objects out of 0, failed to evacuate: 0, skipped: 0; evacuated 2 trees out of 2, failed to evacuate: 0. Started at: 2024-02-08T08:44:17Z UTC. Duration: 00:00:00.
-```
+```
--- a/docs/shard-modes.md
+++ b/docs/shard-modes.md
@ -51,4 +51,4 @@ Shard can automatically switch to a `degraded-read-only` mode in 3 cases:

 To detach a shard use `frostfs-cli control shards detach` command. This command removes the shards from the storage
 engine and closes all resources associated with the shards.
-Limitation: `SIGHUP` or storage node restart lead to detached shard will be again online.
+Limitation: `SIGHUP` or storage node restart lead to detached shard will be again online.
--- a/go.mod
+++ b/go.mod
@ -5,11 +5,11 @@ go 1.20
 require (
 	code.gitea.io/sdk/gitea v0.17.1
 	git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240215124401-634e24aba715
-	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20240115082915-f2a82aa635aa
+	git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240304151211-839f22e1a36d
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240307151106-2ec958cbfdfd
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/cheggaaa/pb v1.0.29
--- a/go.sum
+++ b/go.sum
@ -2,8 +2,8 @@ code.gitea.io/sdk/gitea v0.17.1 h1:3jCPOG2ojbl8AcfaUCRYLT5MUcBMFwS0OSK2mA5Zok8=
 code.gitea.io/sdk/gitea v0.17.1/go.mod h1:aCnBqhHpoEWA180gMbaCtdX9Pl6BWBAuuP2miadoTNM=
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240215124401-634e24aba715 h1:EDtL9OJcdeevV/jmNMtHugulAQprdOnknNPvLB3LRgE=
 git.frostfs.info/TrueCloudLab/frostfs-api-go/v2 v2.16.1-0.20240215124401-634e24aba715/go.mod h1:uY0AYmCznjZdghDnAk7THFIe1Vlg531IxUcus7ZfUJI=
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20240115082915-f2a82aa635aa h1:uuN90s74idThHXi/jF/IlTdFimOIs+IBU44rdTE/Zdo=
-git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20240115082915-f2a82aa635aa/go.mod h1:F/fe1OoIDKr5Bz99q4sriuHDuf3aZefZy9ZsCqEtgxc=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0 h1:FzurjElUwC7InY9v5rzXReKbfBL5yRJKSWJPq6BKhH0=
+git.frostfs.info/TrueCloudLab/frostfs-contract v0.19.0/go.mod h1:F/fe1OoIDKr5Bz99q4sriuHDuf3aZefZy9ZsCqEtgxc=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
 git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65 h1:PaZ8GpnUoXxUoNsc1qp36bT2u7FU+neU4Jn9cl8AWqI=
@ -12,8 +12,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240301150205-6fe4e2541d0b/go.mod h1:XcgrbZ88XfvhAMxmZCQJ0dv6FyRSq6Mg2J7nN8uuO0k=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240304151211-839f22e1a36d h1:y7KP7vrX5Cbx9R2nzCFj7Ljjsa/KkWZS4nQIXHEeKdw=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240304151211-839f22e1a36d/go.mod h1:YVL7yFaT0QNSpA0z+RHudLvrLwT+lsFYGyBSVc1ustI=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240307151106-2ec958cbfdfd h1:pyIl9f4nIr7ekJ73W9keLIQ5dpoKb8o6xNmodsXY5+o=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240307151106-2ec958cbfdfd/go.mod h1:H/AW85RtYxVTbcgwHW76DqXeKlsiCIOeNXHPqyDBrfQ=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
--- a/pkg/ape/chainbase/boltdb.go
+++ b/pkg/ape/chainbase/boltdb.go
@ -100,7 +100,7 @@ func (cs *boltLocalOverrideStorage) Close() error {
 	return err
 }

-func getTargetBucket(tx *bbolt.Tx, name chain.Name, target policyengine.Target) (*bbolt.Bucket, error) {
+func getTypeBucket(tx *bbolt.Tx, name chain.Name, target policyengine.Target) (*bbolt.Bucket, error) {
 	cbucket := tx.Bucket(chainBucket)
 	if cbucket == nil {
 		return nil, ErrRootBucketNotFound
@ -110,16 +110,25 @@ func getTargetBucket(tx *bbolt.Tx, name chain.Name, target policyengine.Target)
 	if nbucket == nil {
 		return nil, fmt.Errorf("%w: %w: %s", policyengine.ErrChainNotFound, ErrGlobalNamespaceBucketNotFound, name)
 	}
+	return nbucket.Bucket([]byte{byte(target.Type)}), nil
+}

-	typeBucket := nbucket.Bucket([]byte{byte(target.Type)})
+func normalizeTargetName(target *policyengine.Target) {
+	if target.Type == policyengine.Namespace && target.Name == "" {
+		target.Name = "root"
+	}
+}
+
+func getTargetBucket(tx *bbolt.Tx, name chain.Name, target policyengine.Target) (*bbolt.Bucket, error) {
+	typeBucket, err := getTypeBucket(tx, name, target)
+	if err != nil {
+		return nil, err
+	}
 	if typeBucket == nil {
 		return nil, fmt.Errorf("%w: %w: %c", policyengine.ErrChainNotFound, ErrTargetTypeBucketNotFound, target.Type)
 	}

-	if target.Type == policyengine.Namespace && target.Name == "" {
-		target.Name = "root"
-	}
-
+	normalizeTargetName(&target)
 	rbucket := typeBucket.Bucket([]byte(target.Name))
 	if rbucket == nil {
 		return nil, fmt.Errorf("%w: %w: %s", policyengine.ErrChainNotFound, ErrTargetNameBucketNotFound, target.Name)
@ -151,10 +160,7 @@ func getTargetBucketCreateIfEmpty(tx *bbolt.Tx, name chain.Name, target policyen
 		}
 	}

-	if target.Type == policyengine.Namespace && target.Name == "" {
-		target.Name = "root"
-	}
-
+	normalizeTargetName(&target)
 	rbucket := typeBucket.Bucket([]byte(target.Name))
 	if rbucket == nil {
 		var err error
@ -220,6 +226,17 @@ func (cs *boltLocalOverrideStorage) RemoveOverride(name chain.Name, target polic
 	})
 }

+func (cs *boltLocalOverrideStorage) RemoveOverridesByTarget(name chain.Name, target policyengine.Target) error {
+	return cs.db.Update(func(tx *bbolt.Tx) error {
+		typeBucket, err := getTypeBucket(tx, name, target)
+		if err != nil {
+			return err
+		}
+		normalizeTargetName(&target)
+		return typeBucket.DeleteBucket([]byte(target.Name))
+	})
+}
+
 func (cs *boltLocalOverrideStorage) ListOverrides(name chain.Name, target policyengine.Target) ([]*chain.Chain, error) {
 	var serializedChains [][]byte
 	var serializedChain []byte
--- a/pkg/morph/client/actor.go
+++ b/pkg/morph/client/actor.go
@ -1,11 +1,13 @@
 package client

 import (
+	"github.com/google/uuid"
 	"github.com/nspcc-dev/neo-go/pkg/config/netmode"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 )

 type actorProvider interface {
@ -118,3 +120,15 @@ func (a *SwitchRPCGuardedActor) Sign(tx *transaction.Transaction) error {
 func (a *SwitchRPCGuardedActor) SignAndSend(tx *transaction.Transaction) (util.Uint256, uint32, error) {
 	return a.actorProvider.GetActor().SignAndSend(tx)
 }
+
+func (a *SwitchRPCGuardedActor) CallAndExpandIterator(contract util.Uint160, method string, maxItems int, params ...any) (*result.Invoke, error) {
+	return a.actorProvider.GetActor().CallAndExpandIterator(contract, method, maxItems, params...)
+}
+
+func (a *SwitchRPCGuardedActor) TerminateSession(sessionID uuid.UUID) error {
+	return a.actorProvider.GetActor().TerminateSession(sessionID)
+}
+
+func (a *SwitchRPCGuardedActor) TraverseIterator(sessionID uuid.UUID, iterator *result.Iterator, num int) ([]stackitem.Item, error) {
+	return a.actorProvider.GetActor().TraverseIterator(sessionID, iterator, num)
+}
--- a/pkg/services/control/rpc.go
+++ b/pkg/services/control/rpc.go
@ -8,26 +8,27 @@ import (
 const serviceName = "control.ControlService"

 const (
-	rpcHealthCheck                = "HealthCheck"
-	rpcSetNetmapStatus            = "SetNetmapStatus"
-	rpcDropObjects                = "DropObjects"
-	rpcListShards                 = "ListShards"
-	rpcSetShardMode               = "SetShardMode"
-	rpcSynchronizeTree            = "SynchronizeTree"
-	rpcEvacuateShard              = "EvacuateShard"
-	rpcStartShardEvacuation       = "StartShardEvacuation"
-	rpcGetShardEvacuationStatus   = "GetShardEvacuationStatus"
-	rpcResetShardEvacuationStatus = "ResetShardEvacuationStatus"
-	rpcStopShardEvacuation        = "StopShardEvacuation"
-	rpcFlushCache                 = "FlushCache"
-	rpcDoctor                     = "Doctor"
-	rpcAddChainLocalOverride      = "AddChainLocalOverride"
-	rpcGetChainLocalOverride      = "GetChainLocalOverride"
-	rpcListChainLocalOverrides    = "ListChainLocalOverrides"
-	rpcRemoveChainLocalOverride   = "RemoveChainLocalOverride"
-	rpcSealWriteCache             = "SealWriteCache"
-	rpcListTargetsLocalOverrides  = "ListTargetsLocalOverrides"
-	rpcDetachShards               = "DetachShards"
+	rpcHealthCheck                       = "HealthCheck"
+	rpcSetNetmapStatus                   = "SetNetmapStatus"
+	rpcDropObjects                       = "DropObjects"
+	rpcListShards                        = "ListShards"
+	rpcSetShardMode                      = "SetShardMode"
+	rpcSynchronizeTree                   = "SynchronizeTree"
+	rpcEvacuateShard                     = "EvacuateShard"
+	rpcStartShardEvacuation              = "StartShardEvacuation"
+	rpcGetShardEvacuationStatus          = "GetShardEvacuationStatus"
+	rpcResetShardEvacuationStatus        = "ResetShardEvacuationStatus"
+	rpcStopShardEvacuation               = "StopShardEvacuation"
+	rpcFlushCache                        = "FlushCache"
+	rpcDoctor                            = "Doctor"
+	rpcAddChainLocalOverride             = "AddChainLocalOverride"
+	rpcGetChainLocalOverride             = "GetChainLocalOverride"
+	rpcListChainLocalOverrides           = "ListChainLocalOverrides"
+	rpcRemoveChainLocalOverride          = "RemoveChainLocalOverride"
+	rpcRemoveChainLocalOverridesByTarget = "RemoveChainLocalOverridesByTarget"
+	rpcSealWriteCache                    = "SealWriteCache"
+	rpcListTargetsLocalOverrides         = "ListTargetsLocalOverrides"
+	rpcDetachShards                      = "DetachShards"
 )

 // HealthCheck executes ControlService.HealthCheck RPC.
@ -295,6 +296,19 @@ func RemoveChainLocalOverride(cli *client.Client, req *RemoveChainLocalOverrideR
 	return wResp.message, nil
 }

+// RemoveChainLocalOverridesByTarget executes ControlService.RemoveChainLocalOverridesByTarget RPC.
+func RemoveChainLocalOverridesByTarget(cli *client.Client, req *RemoveChainLocalOverridesByTargetRequest, opts ...client.CallOption) (*RemoveChainLocalOverridesByTargetResponse, error) {
+	wResp := newResponseWrapper[RemoveChainLocalOverridesByTargetResponse]()
+	wReq := &requestWrapper{m: req}
+
+	err := client.SendUnary(cli, common.CallMethodInfoUnary(serviceName, rpcRemoveChainLocalOverridesByTarget), wReq, wResp, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return wResp.message, nil
+}
+
 // SealWriteCache executes ControlService.SealWriteCache RPC.
 func SealWriteCache(cli *client.Client, req *SealWriteCacheRequest, opts ...client.CallOption) (*SealWriteCacheResponse, error) {
 	wResp := newResponseWrapper[SealWriteCacheResponse]()
--- a/pkg/services/control/server/policy_engine.go
+++ b/pkg/services/control/server/policy_engine.go
@ -174,6 +174,31 @@ func (s *Server) RemoveChainLocalOverride(_ context.Context, req *control.Remove
 	return resp, nil
 }

+func (s *Server) RemoveChainLocalOverridesByTarget(_ context.Context, req *control.RemoveChainLocalOverridesByTargetRequest) (*control.RemoveChainLocalOverridesByTargetResponse, error) {
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	target, err := apeTarget(req.GetBody().GetTarget())
+	if err != nil {
+		return nil, err
+	}
+
+	if err = s.localOverrideStorage.LocalStorage().RemoveOverridesByTarget(apechain.Ingress, target); err != nil {
+		if code := getCodeByLocalStorageErr(err); code != codes.NotFound {
+			return nil, status.Error(code, err.Error())
+		}
+	}
+	resp := &control.RemoveChainLocalOverridesByTargetResponse{
+		Body: &control.RemoveChainLocalOverridesByTargetResponse_Body{},
+	}
+	err = SignMessage(s.key, resp)
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+	return resp, nil
+}
+
 func (s *Server) ListTargetsLocalOverrides(_ context.Context, req *control.ListTargetsLocalOverridesRequest) (*control.ListTargetsLocalOverridesResponse, error) {
 	if err := s.isValidRequest(req); err != nil {
 		return nil, status.Error(codes.PermissionDenied, err.Error())
--- a/pkg/services/control/service.pb.go
+++ b/pkg/services/control/service.pb.go
--- a/pkg/services/control/service.proto
+++ b/pkg/services/control/service.proto
@ -60,6 +60,9 @@ service ControlService {
    // Remove local access policy engine overrides stored in the node by chaind id.
    rpc RemoveChainLocalOverride (RemoveChainLocalOverrideRequest) returns (RemoveChainLocalOverrideResponse);

+    // Remove local access policy engine overrides stored in the node by chaind id.
+    rpc RemoveChainLocalOverridesByTarget (RemoveChainLocalOverridesByTargetRequest) returns (RemoveChainLocalOverridesByTargetResponse);
+
    // List targets of the local APE overrides stored in the node.
    rpc ListTargetsLocalOverrides (ListTargetsLocalOverridesRequest) returns (ListTargetsLocalOverridesResponse);

@ -592,6 +595,26 @@ message RemoveChainLocalOverrideResponse {
    Signature signature = 2;
 }

+message RemoveChainLocalOverridesByTargetRequest {
+    message Body {
+        // Target for which the overrides are applied.
+        ChainTarget target = 1;
+    }
+
+    Body body = 1;
+
+    Signature signature = 2;
+}
+
+message     RemoveChainLocalOverridesByTargetResponse {
+    message Body {
+    }
+
+    Body body = 1;
+
+    Signature signature = 2;
+}
+
 message SealWriteCacheRequest {
    // Request body structure.
    message Body {
--- a/pkg/services/control/service_frostfs.pb.go
+++ b/pkg/services/control/service_frostfs.pb.go
@ -3085,6 +3085,169 @@ func (x *RemoveChainLocalOverrideResponse) SetSignature(sig *Signature) {
 	x.Signature = sig
 }

+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemoveChainLocalOverridesByTargetRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Target)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemoveChainLocalOverridesByTargetRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Target)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemoveChainLocalOverridesByTargetRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemoveChainLocalOverridesByTargetRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemoveChainLocalOverridesByTargetRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemoveChainLocalOverridesByTargetRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemoveChainLocalOverridesByTargetRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemoveChainLocalOverridesByTargetResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemoveChainLocalOverridesByTargetResponse_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemoveChainLocalOverridesByTargetResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemoveChainLocalOverridesByTargetResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemoveChainLocalOverridesByTargetResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemoveChainLocalOverridesByTargetResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemoveChainLocalOverridesByTargetResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
 // StableSize returns the size of x in protobuf format.
 //
 // Structures with the same field values have the same binary size.
--- a/pkg/services/control/service_grpc.pb.go
+++ b/pkg/services/control/service_grpc.pb.go
@ -19,26 +19,27 @@ import (
 const _ = grpc.SupportPackageIsVersion7

 const (
-	ControlService_HealthCheck_FullMethodName                = "/control.ControlService/HealthCheck"
-	ControlService_SetNetmapStatus_FullMethodName            = "/control.ControlService/SetNetmapStatus"
-	ControlService_DropObjects_FullMethodName                = "/control.ControlService/DropObjects"
-	ControlService_ListShards_FullMethodName                 = "/control.ControlService/ListShards"
-	ControlService_SetShardMode_FullMethodName               = "/control.ControlService/SetShardMode"
-	ControlService_SynchronizeTree_FullMethodName            = "/control.ControlService/SynchronizeTree"
-	ControlService_EvacuateShard_FullMethodName              = "/control.ControlService/EvacuateShard"
-	ControlService_StartShardEvacuation_FullMethodName       = "/control.ControlService/StartShardEvacuation"
-	ControlService_GetShardEvacuationStatus_FullMethodName   = "/control.ControlService/GetShardEvacuationStatus"
-	ControlService_ResetShardEvacuationStatus_FullMethodName = "/control.ControlService/ResetShardEvacuationStatus"
-	ControlService_StopShardEvacuation_FullMethodName        = "/control.ControlService/StopShardEvacuation"
-	ControlService_FlushCache_FullMethodName                 = "/control.ControlService/FlushCache"
-	ControlService_Doctor_FullMethodName                     = "/control.ControlService/Doctor"
-	ControlService_AddChainLocalOverride_FullMethodName      = "/control.ControlService/AddChainLocalOverride"
-	ControlService_GetChainLocalOverride_FullMethodName      = "/control.ControlService/GetChainLocalOverride"
-	ControlService_ListChainLocalOverrides_FullMethodName    = "/control.ControlService/ListChainLocalOverrides"
-	ControlService_RemoveChainLocalOverride_FullMethodName   = "/control.ControlService/RemoveChainLocalOverride"
-	ControlService_ListTargetsLocalOverrides_FullMethodName  = "/control.ControlService/ListTargetsLocalOverrides"
-	ControlService_SealWriteCache_FullMethodName             = "/control.ControlService/SealWriteCache"
-	ControlService_DetachShards_FullMethodName               = "/control.ControlService/DetachShards"
+	ControlService_HealthCheck_FullMethodName                       = "/control.ControlService/HealthCheck"
+	ControlService_SetNetmapStatus_FullMethodName                   = "/control.ControlService/SetNetmapStatus"
+	ControlService_DropObjects_FullMethodName                       = "/control.ControlService/DropObjects"
+	ControlService_ListShards_FullMethodName                        = "/control.ControlService/ListShards"
+	ControlService_SetShardMode_FullMethodName                      = "/control.ControlService/SetShardMode"
+	ControlService_SynchronizeTree_FullMethodName                   = "/control.ControlService/SynchronizeTree"
+	ControlService_EvacuateShard_FullMethodName                     = "/control.ControlService/EvacuateShard"
+	ControlService_StartShardEvacuation_FullMethodName              = "/control.ControlService/StartShardEvacuation"
+	ControlService_GetShardEvacuationStatus_FullMethodName          = "/control.ControlService/GetShardEvacuationStatus"
+	ControlService_ResetShardEvacuationStatus_FullMethodName        = "/control.ControlService/ResetShardEvacuationStatus"
+	ControlService_StopShardEvacuation_FullMethodName               = "/control.ControlService/StopShardEvacuation"
+	ControlService_FlushCache_FullMethodName                        = "/control.ControlService/FlushCache"
+	ControlService_Doctor_FullMethodName                            = "/control.ControlService/Doctor"
+	ControlService_AddChainLocalOverride_FullMethodName             = "/control.ControlService/AddChainLocalOverride"
+	ControlService_GetChainLocalOverride_FullMethodName             = "/control.ControlService/GetChainLocalOverride"
+	ControlService_ListChainLocalOverrides_FullMethodName           = "/control.ControlService/ListChainLocalOverrides"
+	ControlService_RemoveChainLocalOverride_FullMethodName          = "/control.ControlService/RemoveChainLocalOverride"
+	ControlService_RemoveChainLocalOverridesByTarget_FullMethodName = "/control.ControlService/RemoveChainLocalOverridesByTarget"
+	ControlService_ListTargetsLocalOverrides_FullMethodName         = "/control.ControlService/ListTargetsLocalOverrides"
+	ControlService_SealWriteCache_FullMethodName                    = "/control.ControlService/SealWriteCache"
+	ControlService_DetachShards_FullMethodName                      = "/control.ControlService/DetachShards"
 )

 // ControlServiceClient is the client API for ControlService service.
@ -80,6 +81,8 @@ type ControlServiceClient interface {
 	ListChainLocalOverrides(ctx context.Context, in *ListChainLocalOverridesRequest, opts ...grpc.CallOption) (*ListChainLocalOverridesResponse, error)
 	// Remove local access policy engine overrides stored in the node by chaind id.
 	RemoveChainLocalOverride(ctx context.Context, in *RemoveChainLocalOverrideRequest, opts ...grpc.CallOption) (*RemoveChainLocalOverrideResponse, error)
+	// Remove local access policy engine overrides stored in the node by chaind id.
+	RemoveChainLocalOverridesByTarget(ctx context.Context, in *RemoveChainLocalOverridesByTargetRequest, opts ...grpc.CallOption) (*RemoveChainLocalOverridesByTargetResponse, error)
 	// List targets of the local APE overrides stored in the node.
 	ListTargetsLocalOverrides(ctx context.Context, in *ListTargetsLocalOverridesRequest, opts ...grpc.CallOption) (*ListTargetsLocalOverridesResponse, error)
 	// Flush objects from write-cache and move it to degraded read only mode.
@ -249,6 +252,15 @@ func (c *controlServiceClient) RemoveChainLocalOverride(ctx context.Context, in
 	return out, nil
 }

+func (c *controlServiceClient) RemoveChainLocalOverridesByTarget(ctx context.Context, in *RemoveChainLocalOverridesByTargetRequest, opts ...grpc.CallOption) (*RemoveChainLocalOverridesByTargetResponse, error) {
+	out := new(RemoveChainLocalOverridesByTargetResponse)
+	err := c.cc.Invoke(ctx, ControlService_RemoveChainLocalOverridesByTarget_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *controlServiceClient) ListTargetsLocalOverrides(ctx context.Context, in *ListTargetsLocalOverridesRequest, opts ...grpc.CallOption) (*ListTargetsLocalOverridesResponse, error) {
 	out := new(ListTargetsLocalOverridesResponse)
 	err := c.cc.Invoke(ctx, ControlService_ListTargetsLocalOverrides_FullMethodName, in, out, opts...)
@ -315,6 +327,8 @@ type ControlServiceServer interface {
 	ListChainLocalOverrides(context.Context, *ListChainLocalOverridesRequest) (*ListChainLocalOverridesResponse, error)
 	// Remove local access policy engine overrides stored in the node by chaind id.
 	RemoveChainLocalOverride(context.Context, *RemoveChainLocalOverrideRequest) (*RemoveChainLocalOverrideResponse, error)
+	// Remove local access policy engine overrides stored in the node by chaind id.
+	RemoveChainLocalOverridesByTarget(context.Context, *RemoveChainLocalOverridesByTargetRequest) (*RemoveChainLocalOverridesByTargetResponse, error)
 	// List targets of the local APE overrides stored in the node.
 	ListTargetsLocalOverrides(context.Context, *ListTargetsLocalOverridesRequest) (*ListTargetsLocalOverridesResponse, error)
 	// Flush objects from write-cache and move it to degraded read only mode.
@ -378,6 +392,9 @@ func (UnimplementedControlServiceServer) ListChainLocalOverrides(context.Context
 func (UnimplementedControlServiceServer) RemoveChainLocalOverride(context.Context, *RemoveChainLocalOverrideRequest) (*RemoveChainLocalOverrideResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RemoveChainLocalOverride not implemented")
 }
+func (UnimplementedControlServiceServer) RemoveChainLocalOverridesByTarget(context.Context, *RemoveChainLocalOverridesByTargetRequest) (*RemoveChainLocalOverridesByTargetResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RemoveChainLocalOverridesByTarget not implemented")
+}
 func (UnimplementedControlServiceServer) ListTargetsLocalOverrides(context.Context, *ListTargetsLocalOverridesRequest) (*ListTargetsLocalOverridesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListTargetsLocalOverrides not implemented")
 }
@ -705,6 +722,24 @@ func _ControlService_RemoveChainLocalOverride_Handler(srv interface{}, ctx conte
 	return interceptor(ctx, in, info, handler)
 }

+func _ControlService_RemoveChainLocalOverridesByTarget_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemoveChainLocalOverridesByTargetRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).RemoveChainLocalOverridesByTarget(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ControlService_RemoveChainLocalOverridesByTarget_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).RemoveChainLocalOverridesByTarget(ctx, req.(*RemoveChainLocalOverridesByTargetRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _ControlService_ListTargetsLocalOverrides_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ListTargetsLocalOverridesRequest)
 	if err := dec(in); err != nil {
@ -834,6 +869,10 @@ var ControlService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "RemoveChainLocalOverride",
 			Handler:    _ControlService_RemoveChainLocalOverride_Handler,
 		},
+		{
+			MethodName: "RemoveChainLocalOverridesByTarget",
+			Handler:    _ControlService_RemoveChainLocalOverridesByTarget_Handler,
+		},
 		{
 			MethodName: "ListTargetsLocalOverrides",
 			Handler:    _ControlService_ListTargetsLocalOverrides_Handler,