cmd/frostfs-cli/docs/policy.md

@@ -30,6 +30,9 @@ Actions is a regular operations upon FrostFS containers/objects. Like `Object.Pu
 
 In status section it is possible to use `allow`, `deny` or `deny:QuotaLimitReached` actions.
 
+If a statement does not contain lexeme `any`, field `Any` is set to `false` by default. Otherwise, it is set
+to `true`. Optionally, `all` can be used - it also sets `Any=false`.
+
 It is prohibited to mix operation under FrostFS container and object in one rule.
 The same statement is equal for conditions and resources - one rule is for one type of items.
 

cmd/frostfs-cli/modules/util/ape.go

@@ -100,6 +100,8 @@ func ParseAPEChain(chain *apechain.Chain, rules []string) error {
 // deny:QuotaLimitReached Object.Put *
 // allow Object.Put *
 // allow Object.Get Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get any Object.Resource:Department=HR Object.Request:Actor=ownerA *
+// allow Object.Get all Object.Resource:Department=HR Object.Request:Actor=ownerA *
 //
 //nolint:godot
 func ParseAPERule(r *apechain.Rule, rule string) error {
@@ -123,6 +125,12 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 
 	var isObject *bool
 	for i, lexeme := range lexemes[1:] {
+		anyExpr, anyErr := parseAnyAll(lexeme)
+		if anyErr == nil {
+			r.Any = anyExpr
+			continue
+		}
+
 		var name string
 		var actionType bool
 		name, actionType, err = parseAction(lexeme)
@@ -158,6 +166,17 @@ func parseRuleLexemes(r *apechain.Rule, lexemes []string) error {
 	return nil
 }
 
+func parseAnyAll(lexeme string) (bool, error) {
+	switch strings.ToLower(lexeme) {
+	case "any":
+		return true, nil
+	case "all":
+		return false, nil
+	default:
+		return false, fmt.Errorf("any/all is not parsed")
+	}
+}
+
 func parseStatus(lexeme string) (apechain.Status, error) {
 	action, expression, found := strings.Cut(lexeme, ":")
 	switch strings.ToLower(action) {