go.mod

@@ -9,7 +9,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20231101111734-b3ad3335ff65
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20240531132048-ebd8fcd1685f
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240513163744-1f6f4163d40d
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240712081403-2628f6184984
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20240124114243-cb2e66427d02
 	github.com/cheggaaa/pb v1.0.29

pkg/services/object/ape/checker.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 
 	objectV2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
+	session "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/ape/router"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
 	frostfsidcore "git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/frostfsid"
@@ -76,6 +77,9 @@ type Prm struct {
 
 	// The request's bearer token. It is used in order to check APE overrides with the token.
 	BearerToken *bearer.Token
+
+	// XHeaders from the request's header.
+	XHeaders []session.XHeader
 }
 
 var (

pkg/services/object/ape/request.go

@@ -138,6 +138,10 @@ func (c *checkerImpl) newAPERequest(ctx context.Context, prm Prm) (aperequest.Re
 		}
 	}
 
+	for _, xhdr := range prm.XHeaders {
+		reqProps[fmt.Sprintf(commonschema.PropertyKeyFrostFSXHeader, xhdr.GetKey())] = xhdr.GetValue()
+	}
+
 	return aperequest.NewRequest(
 		prm.Method,
 		aperequest.NewResource(

pkg/services/object/ape/service.go

@@ -111,6 +111,7 @@ func (g *getStreamBasicChecker) Send(resp *objectV2.GetResponse) error {
 			Role:           g.role,
 			SoftAPECheck:   g.softAPECheck,
 			BearerToken:    g.bearerToken,
+			XHeaders:       resp.GetMetaHeader().GetXHeaders(),
 		}
 
 		if err := g.apeChecker.CheckAPE(g.Context(), prm); err != nil {
@@ -154,6 +155,7 @@ func (c *Service) Get(request *objectV2.GetRequest, stream objectSvc.GetObjectSt
 		SoftAPECheck:         reqCtx.SoftAPECheck,
 		WithoutHeaderRequest: true,
 		BearerToken:          reqCtx.BearerToken,
+		XHeaders:             request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return toStatusErr(err)
@@ -199,6 +201,7 @@ func (p *putStreamBasicChecker) Send(ctx context.Context, request *objectV2.PutR
 			Role:           nativeSchemaRole(reqCtx.Role),
 			SoftAPECheck:   reqCtx.SoftAPECheck,
 			BearerToken:    reqCtx.BearerToken,
+			XHeaders:       request.GetMetaHeader().GetXHeaders(),
 		}
 
 		if err := p.apeChecker.CheckAPE(ctx, prm); err != nil {
@@ -244,6 +247,7 @@ func (c *Service) Head(ctx context.Context, request *objectV2.HeadRequest) (*obj
 		SoftAPECheck:         reqCtx.SoftAPECheck,
 		WithoutHeaderRequest: true,
 		BearerToken:          reqCtx.BearerToken,
+		XHeaders:             request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return nil, toStatusErr(err)
@@ -284,6 +288,7 @@ func (c *Service) Head(ctx context.Context, request *objectV2.HeadRequest) (*obj
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return nil, toStatusErr(err)
@@ -313,6 +318,7 @@ func (c *Service) Search(request *objectV2.SearchRequest, stream objectSvc.Searc
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return toStatusErr(err)
@@ -342,6 +348,7 @@ func (c *Service) Delete(ctx context.Context, request *objectV2.DeleteRequest) (
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return nil, toStatusErr(err)
@@ -376,6 +383,7 @@ func (c *Service) GetRange(request *objectV2.GetRangeRequest, stream objectSvc.G
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	})
 	if err != nil {
 		return toStatusErr(err)
@@ -405,6 +413,7 @@ func (c *Service) GetRangeHash(ctx context.Context, request *objectV2.GetRangeHa
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	}
 
 	if err = c.apeChecker.CheckAPE(ctx, prm); err != nil {
@@ -444,6 +453,7 @@ func (c *Service) PutSingle(ctx context.Context, request *objectV2.PutSingleRequ
 		ContainerOwner: reqCtx.ContainerOwner,
 		SoftAPECheck:   reqCtx.SoftAPECheck,
 		BearerToken:    reqCtx.BearerToken,
+		XHeaders:       request.GetMetaHeader().GetXHeaders(),
 	}
 
 	if err = c.apeChecker.CheckAPE(ctx, prm); err != nil {