CHANGELOG.md

@@ -41,6 +41,7 @@ This document outlines major changes between releases.
 - Add `X-Amz-Content-Sha256` header validation (#218)
 - Support frostfsid contract. See `frostfsid` config section (#260)
 - Support per namespace placement policies configuration (see `namespaces.config` config param) (#266)
+- Support control api to manage policies. See `control` config section (#258)
 
 ### Changed
 - Update prometheus to v1.15.0 (#94)

Makefile

@@ -151,10 +151,16 @@ clean:
 
 # Generate code from .proto files
 protoc:
+	# Install specific version for protobuf lib
+	@GOBIN=$(abspath $(BINDIR)) go install -mod=mod -v git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/protogen
 	@for f in `find . -type f -name '*.proto' -not -path './vendor/*'`; do \
 		echo "⇒ Processing $$f "; \
 		protoc \
-			--go_out=paths=source_relative:. $$f; \
+			--go_out=paths=source_relative:. \
+            --plugin=protoc-gen-go-frostfs=$(BINDIR)/protogen \
+            --go-frostfs_out=. --go-frostfs_opt=paths=source_relative \
+            --go-grpc_opt=require_unimplemented_servers=false \
+            --go-grpc_out=. --go-grpc_opt=paths=source_relative $$f; \
 	done
 	rm -rf vendor
 

cmd/s3-gw/app.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"encoding/hex"
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"os/signal"
@@ -33,11 +35,15 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/version"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/wallet"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control"
+	controlSvc "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control/server"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/tree"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
 	treepool "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool/tree"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/spf13/viper"
@@ -63,8 +69,12 @@ type (
 
 		frostfsid *frostfsid.FrostFSID
 
+		policyStorage engine.LocalOverrideEngine
+
 		servers []Server
 
+		controlAPI *grpc.Server
+
 		metrics        *metrics.AppMetrics
 		bucketResolver *resolver.BucketResolver
 		services       []*Service
@@ -91,6 +101,7 @@ type (
 		md5Enabled                    bool
 		namespaceHeader               string
 		defaultNamespaces             []string
+		authorizedControlAPIKeys      [][]byte
 	}
 
 	maxClientsConfig struct {
@@ -121,7 +132,7 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 		webDone: make(chan struct{}, 1),
 		wrkDone: make(chan struct{}, 1),
 
-		settings: newAppSettings(log, v),
+		settings: newAppSettings(log, v, key),
 	}
 
 	app.init(ctx)
@@ -132,6 +143,7 @@ func newApp(ctx context.Context, log *Logger, v *viper.Viper) *App {
 func (a *App) init(ctx context.Context) {
 	a.setRuntimeParameters()
 	a.initAPI(ctx)
+	a.initControlAPI()
 	a.initMetrics()
 	a.initFrostfsID(ctx)
 	a.initServers(ctx)
@@ -177,7 +189,7 @@ func (a *App) initLayer(ctx context.Context) {
 	}
 }
 
-func newAppSettings(log *Logger, v *viper.Viper) *appSettings {
+func newAppSettings(log *Logger, v *viper.Viper, key *keys.PrivateKey) *appSettings {
 	settings := &appSettings{
 		logLevel:           log.lvl,
 		maxClient:          newMaxClients(v),
@@ -199,6 +211,7 @@ func newAppSettings(log *Logger, v *viper.Viper) *appSettings {
 	settings.initPlacementPolicy(log.logger, v)
 	settings.setBufferMaxSizeForPut(v.GetUint64(cfgBufferMaxSizeForPut))
 	settings.setMD5Enabled(v.GetBool(cfgMD5Enabled))
+	settings.setAuthorizedControlAPIKeys(append(fetchAuthorizedKeys(log.logger, v), key.PublicKey()))
 
 	return settings
 }
@@ -355,11 +368,42 @@ func (s *appSettings) setDefaultNamespaces(namespaces []string) {
 	s.mu.Unlock()
 }
 
+func (s *appSettings) FetchRawKeys() [][]byte {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.authorizedControlAPIKeys
+}
+
+func (s *appSettings) setAuthorizedControlAPIKeys(keys keys.PublicKeys) {
+	rawPubs := make([][]byte, len(keys))
+	for i := range keys {
+		rawPubs[i] = keys[i].Bytes()
+	}
+
+	s.mu.Lock()
+	s.authorizedControlAPIKeys = rawPubs
+	s.mu.Unlock()
+}
+
 func (a *App) initAPI(ctx context.Context) {
 	a.initLayer(ctx)
 	a.initHandler()
 }
 
+func (a *App) initControlAPI() {
+	a.policyStorage = inmemory.NewInMemoryLocalOverrides()
+
+	svc := controlSvc.New(
+		controlSvc.WithAuthorizedKeysFetcher(a.settings),
+		controlSvc.WithLogger(a.log),
+		controlSvc.WithChainStorage(a.policyStorage),
+	)
+
+	a.controlAPI = grpc.NewServer()
+
+	control.RegisterControlServiceServer(a.controlAPI, svc)
+}
+
 func (a *App) initMetrics() {
 	a.metrics = metrics.NewAppMetrics(a.log, frostfs.NewPoolStatistic(a.pool), a.cfg.GetBool(cfgPrometheusEnabled))
 	a.metrics.State().SetHealth(metrics.HealthStatusStarting)
@@ -608,6 +652,16 @@ func (a *App) Serve(ctx context.Context) {
 		}(i)
 	}
 
+	go func() {
+		address := a.cfg.GetString(cfgControlGRPCEndpoint)
+		a.log.Info(logs.StartingControlAPI, zap.String("address", address))
+		if listener, err := net.Listen("tcp", address); err != nil {
+			a.log.Fatal(logs.ListenAndServe, zap.Error(err))
+		} else if err = a.controlAPI.Serve(listener); err != nil {
+			a.log.Fatal(logs.ListenAndServe, zap.Error(err))
+		}
+	}()
+
 	sigs := make(chan os.Signal, 1)
 	signal.Notify(sigs, syscall.SIGHUP)
 
@@ -626,6 +680,7 @@ LOOP:
 
 	a.log.Info(logs.StoppingServer, zap.Error(srv.Shutdown(ctx)))
 
+	a.stopControlAPI()
 	a.metrics.Shutdown()
 	a.stopServices()
 	a.shutdownTracing()
@@ -637,6 +692,25 @@ func shutdownContext() (context.Context, context.CancelFunc) {
 	return context.WithTimeout(context.Background(), defaultShutdownTimeout)
 }
 
+func (a *App) stopControlAPI() {
+	ctx, cancel := shutdownContext()
+	defer cancel()
+
+	go func() {
+		a.controlAPI.GracefulStop()
+		cancel()
+	}()
+
+	<-ctx.Done()
+
+	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+		a.log.Info(logs.ControlAPICannotShutdownGracefully)
+		a.controlAPI.Stop()
+	}
+
+	a.log.Info(logs.ControlAPIServiceStopped)
+}
+
 func (a *App) configReload(ctx context.Context) {
 	a.log.Info(logs.SIGHUPConfigReloadStarted)
 
@@ -687,6 +761,7 @@ func (a *App) updateSettings() {
 	a.settings.setBufferMaxSizeForPut(a.cfg.GetUint64(cfgBufferMaxSizeForPut))
 	a.settings.setMD5Enabled(a.cfg.GetBool(cfgMD5Enabled))
 	a.settings.setDefaultNamespaces(a.cfg.GetStringSlice(cfgKludgeDefaultNamespaces))
+	a.settings.setAuthorizedControlAPIKeys(append(fetchAuthorizedKeys(a.log, a.cfg), a.key.PublicKey()))
 }
 
 func (a *App) startServices() {

cmd/s3-gw/app_settings.go

@@ -21,6 +21,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/pool"
 	"git.frostfs.info/TrueCloudLab/zapjournald"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 	"github.com/ssgreg/journald"
@@ -79,6 +80,10 @@ const ( // Settings.
 	cfgTLSKeyFile  = "tls.key_file"
 	cfgTLSCertFile = "tls.cert_file"
 
+	// Control API.
+	cfgControlAuthorizedKeys = "control.authorized_keys"
+	cfgControlGRPCEndpoint   = "control.grpc.endpoint"
+
 	// Pool config.
 	cfgConnectTimeout     = "connect_timeout"
 	cfgStreamTimeout      = "stream_timeout"
@@ -585,6 +590,23 @@ func fetchServers(v *viper.Viper) []ServerInfo {
 	return servers
 }
 
+func fetchAuthorizedKeys(l *zap.Logger, v *viper.Viper) keys.PublicKeys {
+	strKeys := v.GetStringSlice(cfgControlAuthorizedKeys)
+	pubs := make(keys.PublicKeys, 0, len(strKeys))
+
+	for i := range strKeys {
+		pub, err := keys.NewPublicKeyFromString(strKeys[i])
+		if err != nil {
+			l.Warn(logs.FailedToParsePublicKey, zap.String("key", strKeys[i]))
+			continue
+		}
+
+		pubs = append(pubs, pub)
+	}
+
+	return pubs
+}
+
 func newSettings() *viper.Viper {
 	v := viper.New()
 
@@ -641,6 +663,8 @@ func newSettings() *viper.Viper {
 	v.SetDefault(cfgPProfAddress, "localhost:8085")
 	v.SetDefault(cfgPrometheusAddress, "localhost:8086")
 
+	v.SetDefault(cfgControlGRPCEndpoint, "localhost:8083")
+
 	// frostfs
 	v.SetDefault(cfgBufferMaxSizeForPut, 1024*1024) // 1mb
 

config/config.env

@@ -33,6 +33,12 @@ S3_GW_SERVER_1_TLS_ENABLED=true
 S3_GW_SERVER_1_TLS_CERT_FILE=/path/to/tls/cert
 S3_GW_SERVER_1_TLS_KEY_FILE=/path/to/tls/key
 
+# Control API
+# List of hex-encoded public keys that have rights to use the Control Service
+S3_GW_CONTROL_AUTHORIZED_KEYS=035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
+# Endpoint that is listened by the Control Service
+S3_GW_CONTROL_GRPC_ENDPOINT=localhost:8083
+
 # Domains to be able to use virtual-hosted-style access to bucket.
 S3_GW_LISTEN_DOMAINS=s3dev.frostfs.devenv
 

config/config.yaml

@@ -37,6 +37,15 @@ server:
       cert_file: /path/to/cert
       key_file: /path/to/key
 
+control:
+  # List of hex-encoded public keys that have rights to use the Control Service
+  authorized_keys:
+    - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
+    - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
+  grpc:
+    # Endpoint that is listened by the Control Service
+    endpoint: localhost:8083
+
 # Domains to be able to use virtual-hosted-style access to bucket.
 listen_domains:
   - s3dev.frostfs.devenv

docs/configuration.md

@@ -175,6 +175,7 @@ There are some custom types used for brevity:
 | `peers`            | [Nodes configuration](#peers-section)                          |
 | `placement_policy` | [Placement policy configuration](#placement_policy-section)    |
 | `server`           | [Server configuration](#server-section)                        |
+| `control`          | [Control API configuration](#control-section)                  |
 | `logger`           | [Logger configuration](#logger-section)                        |
 | `cache`            | [Cache configuration](#cache-section)                          |
 | `nats`             | [NATS configuration](#nats-section)                            |
@@ -352,6 +353,24 @@ server:
 | `tls.cert_file` | `string` | yes           |                | Path to the TLS certificate.                  |
 | `tls.key_file`  | `string` | yes           |                | Path to the key.                              |
 
+### `control` section
+
+Control API parameters.
+
+```yaml
+control:
+  authorized_keys:  
+    - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
+    - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
+  grpc:
+    endpoint: localhost:8083 
+```
+
+| Parameter         | Type       | SIGHUP reload | Default value    | Description                                                                  |
+|-------------------|------------|---------------|------------------|------------------------------------------------------------------------------|
+| `authorized_keys` | `[]string` | yes           |                  | List of hex-encoded public keys that have rights to use the Control Service. |
+| `grpc.endpoint`   | `string`   |               | `localhost:8083` | Endpoint that is listened by the Control Service.                            |
+
 ### `logger` section
 
 ```yaml

go.mod

@@ -7,6 +7,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231109143925-dd5919348da9
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231003164722-60463871dbc2
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231121084541-5fa9d91903ba
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20231018083019-2b6d84de9a3d
 	github.com/aws/aws-sdk-go v1.44.6
 	github.com/bluele/gcache v0.0.2
@@ -29,7 +30,7 @@ require (
 	go.uber.org/zap v1.26.0
 	golang.org/x/crypto v0.14.0
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
-	google.golang.org/grpc v1.57.0
+	google.golang.org/grpc v1.58.3
 	google.golang.org/protobuf v1.31.0
 )
 
@@ -91,7 +92,7 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -48,6 +48,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231003164722-60463871dbc2
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231003164722-60463871dbc2/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231121084541-5fa9d91903ba h1:VL3Nyz+C9Cwc+h3xAFUQBS62gneyGTULGTh+8NPP21g=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231121084541-5fa9d91903ba/go.mod h1:ekrDiIySdYhji5rBNAkxYMztFWMXyC9Q8LVz6gGVDu0=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
@@ -618,8 +620,8 @@ google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e h1:xIXmWJ303kJCuogpj0bHq+dcjcZHU+XFyc1I0Yl9cRg=
 google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 h1:eSaPbMR4T7WfH9FvABk36NBMacoTUKdWCvV0dx+KfOg=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5/go.mod h1:zBEcrKX2ZOcEkHWxBPAIvYUWOKKMIhYcmNiUIu2ji3I=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -642,8 +644,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
+google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

internal/logs/logs.go

@@ -21,6 +21,7 @@ const (
 	ApplicationFinished                                  = "application finished"                                                                              // Info in ../../cmd/s3-gw/app.go
 	FetchDomainsPrepareToUseAPI                          = "fetch domains, prepare to use API"                                                                 // Info in ../../cmd/s3-gw/app.go
 	StartingServer                                       = "starting server"                                                                                   // Info in ../../cmd/s3-gw/app.go
+	StartingControlAPI                                   = "starting control API server"                                                                       // Info in ../../cmd/s3-gw/app.go
 	StoppingServer                                       = "stopping server"                                                                                   // Info in ../../cmd/s3-gw/app.go
 	SIGHUPConfigReloadStarted                            = "SIGHUP config reload started"                                                                      // Info in ../../cmd/s3-gw/app.go
 	FailedToReloadConfigBecauseItsMissed                 = "failed to reload config because it's missed"                                                       // Warn in ../../cmd/s3-gw/app.go
@@ -32,6 +33,8 @@ const (
 	FailedToAddServer                                    = "failed to add server"                                                                              // Warn in ../../cmd/s3-gw/app.go
 	AddServer                                            = "add server"                                                                                        // Info in ../../cmd/s3-gw/app.go
 	ResolverNNSWontBeUsedSinceRPCEndpointIsntProvided    = "resolver 'nns' won't be used since 'rpc_endpoint' isn't provided"                                  // Warn in ../../cmd/s3-gw/app.go
+	ControlAPICannotShutdownGracefully                   = "control API cannot shutdown gracefully, forcing stop"                                              // Info in ../../cmd/s3-gw/app.go
+	ControlAPIServiceStopped                             = "control API service stopped"                                                                       // Info in ../../cmd/s3-gw/app.go
 	InvalidLifetimeUsingDefaultValue                     = "invalid lifetime, using default value (in seconds)"                                                // Error in ../../cmd/s3-gw/app_settings.go
 	InvalidCacheSizeUsingDefaultValue                    = "invalid cache size, using default value"                                                           // Error in ../../cmd/s3-gw/app_settings.go
 	FailedToParseDefaultLocationConstraint               = "failed to parse 'default' location constraint, default one will be used"                           // Warn in cmd/s3-gw/app_settings.go
@@ -40,6 +43,7 @@ const (
 	FailedToParseLocationConstraint                      = "failed to parse location constraint, it cannot be used"                                            // Warn in cmd/s3-gw/app_settings.go
 	FailedToParseDefaultCopiesNumbers                    = "failed to parse 'default' copies numbers, default one will be used"                                // Warn in cmd/s3-gw/app_settings.go
 	FailedToParseCopiesNumbers                           = "failed to parse copies numbers, skip"                                                              // Warn in cmd/s3-gw/app_settings.go
+	FailedToParsePublicKey                               = "failed to parse public key, skip"                                                                  // Warn in cmd/s3-gw/app_settings.go
 	DefaultNamespacesCannotBeEmpty                       = "default namespaces cannot be empty, defaults will be used"                                         // Warn in cmd/s3-gw/app_settings.go
 	FailedToParseNamespacesConfig                        = "failed to unmarshal namespaces config"                                                             // Warn in cmd/s3-gw/app_settings.go
 	DefaultNamespaceConfigValuesBeOverwritten            = "default namespace config value be overwritten by values from 'namespaces.config'"                  // Warn in cmd/s3-gw/app_settings.go
@@ -124,4 +128,9 @@ const (
 	AnonRequestSkipFrostfsIDValidation                   = "anon request, skip FrostfsID validation"                                                           // Debug in ../../api/middleware/auth.go
 	FrostfsIDValidationFailed                            = "FrostfsID validation failed"                                                                       // Error in ../../api/middleware/auth.go
 	InitFrostfsIDContractFailed                          = "init frostfsid contract failed"                                                                    // Fatal in ../../cmd/s3-gw/app.go
+	ControlAPIHealthcheck                                = "healthcheck request"
+	ControlAPIPutPolicies                                = "put policies request"
+	ControlAPIRemovePolicies                             = "remove policies request"
+	ControlAPIGetPolicy                                  = "get policy request"
+	ControlAPIListPolicies                               = "list policies request"
 )

pkg/service/control/client/client.go

@@ -0,0 +1,162 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control"
+	controlSvc "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control/server"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+type Client struct {
+	svc control.ControlServiceClient
+	key *keys.PrivateKey
+}
+
+type Config struct {
+	Logger *zap.Logger
+}
+
+type PolicyData struct {
+	Namespace string
+	Chain     *chain.Chain
+}
+
+type PolicyInfo struct {
+	Namespace string
+	ChainID   chain.ID
+}
+
+func New(ctx context.Context, addr string, key *keys.PrivateKey) (*Client, error) {
+	conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial s3 gw control api: %w", err)
+	}
+
+	svc := control.NewControlServiceClient(conn)
+
+	cli := &Client{
+		svc: svc,
+		key: key,
+	}
+
+	return cli, cli.Healthcheck(ctx)
+}
+
+func (c *Client) Healthcheck(ctx context.Context) error {
+	req := &control.HealthCheckRequest{}
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return err
+	}
+
+	res, err := c.svc.HealthCheck(ctx, req)
+	if err != nil {
+		return err
+	}
+
+	if res.Body.HealthStatus != control.HealthStatus_READY {
+		return fmt.Errorf("service isn't ready, status: %s", res.Body.HealthStatus)
+	}
+
+	return nil
+}
+
+func (c *Client) PutPolicies(ctx context.Context, policies []PolicyData) error {
+	chainDatas := make([]*control.PutPoliciesRequest_ChainData, len(policies))
+	for i := range policies {
+		chainDatas[i] = &control.PutPoliciesRequest_ChainData{
+			Namespace: policies[i].Namespace,
+			Chain:     policies[i].Chain.Bytes(),
+		}
+	}
+
+	req := &control.PutPoliciesRequest{
+		Body: &control.PutPoliciesRequest_Body{
+			ChainDatas: chainDatas,
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return err
+	}
+
+	_, err := c.svc.PutPolicies(ctx, req)
+	return err
+}
+
+func (c *Client) RemovePolicies(ctx context.Context, policies []PolicyInfo) error {
+	chainInfos := make([]*control.RemovePoliciesRequest_ChainInfo, len(policies))
+	for i := range policies {
+		chainInfos[i] = &control.RemovePoliciesRequest_ChainInfo{
+			Namespace: policies[i].Namespace,
+			ChainID:   string(policies[i].ChainID),
+		}
+	}
+
+	req := &control.RemovePoliciesRequest{
+		Body: &control.RemovePoliciesRequest_Body{
+			ChainInfos: chainInfos,
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return err
+	}
+
+	_, err := c.svc.RemovePolicies(ctx, req)
+	return err
+}
+
+func (c *Client) GetPolicy(ctx context.Context, namespace string, chainID chain.ID) (*chain.Chain, error) {
+	req := &control.GetPolicyRequest{
+		Body: &control.GetPolicyRequest_Body{
+			Namespace: namespace,
+			ChainID:   string(chainID),
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.svc.GetPolicy(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	var policyChain chain.Chain
+	if err = policyChain.DecodeBytes(resp.GetBody().GetChain()); err != nil {
+		return nil, err
+	}
+
+	return &policyChain, nil
+}
+
+func (c *Client) ListPolicies(ctx context.Context, namespace string) ([]chain.ID, error) {
+	req := &control.ListPoliciesRequest{
+		Body: &control.ListPoliciesRequest_Body{
+			Namespace: namespace,
+		},
+	}
+
+	if err := controlSvc.SignMessage(&c.key.PrivateKey, req); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.svc.ListPolicies(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	res := make([]chain.ID, len(resp.GetBody().GetChainIDs()))
+	for i, chainID := range resp.GetBody().GetChainIDs() {
+		res[i] = chain.ID(chainID)
+	}
+
+	return res, nil
+}

pkg/service/control/server/server.go

@@ -0,0 +1,316 @@
+package server
+
+import (
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"encoding/hex"
+	"errors"
+	"fmt"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/refs"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control"
+	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
+	frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
+	"go.uber.org/zap"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type Server struct {
+	*cfg
+}
+
+type AuthorizedKeysFetcher interface {
+	FetchRawKeys() [][]byte
+}
+
+type emptyKeysFetcher struct{}
+
+func (f emptyKeysFetcher) FetchRawKeys() [][]byte { return nil }
+
+// Option of the Server's constructor.
+type Option func(*cfg)
+
+type cfg struct {
+	log *zap.Logger
+
+	keysFetcher AuthorizedKeysFetcher
+
+	chainStorage engine.LocalOverrideEngine
+}
+
+func defaultCfg() *cfg {
+	return &cfg{
+		log:          zap.NewNop(),
+		keysFetcher:  emptyKeysFetcher{},
+		chainStorage: inmemory.NewInMemoryLocalOverrides(),
+	}
+}
+
+// New creates, initializes and returns new Server instance.
+func New(opts ...Option) *Server {
+	c := defaultCfg()
+
+	for _, opt := range opts {
+		opt(c)
+	}
+
+	c.log = c.log.With(zap.String("service", "control API"))
+
+	return &Server{
+		cfg: c,
+	}
+}
+
+// WithAuthorizedKeysFetcher returns option to add list of public
+// keys that have rights to use Control service.
+func WithAuthorizedKeysFetcher(fetcher AuthorizedKeysFetcher) Option {
+	return func(c *cfg) {
+		c.keysFetcher = fetcher
+	}
+}
+
+// WithLogger returns option to set logger.
+func WithLogger(log *zap.Logger) Option {
+	return func(c *cfg) {
+		c.log = log
+	}
+}
+
+// WithChainStorage returns option to set logger.
+func WithChainStorage(chainStorage engine.LocalOverrideEngine) Option {
+	return func(c *cfg) {
+		c.chainStorage = chainStorage
+	}
+}
+
+// HealthCheck returns health status of the local node.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) HealthCheck(_ context.Context, req *control.HealthCheckRequest) (*control.HealthCheckResponse, error) {
+	s.log.Info(logs.ControlAPIHealthcheck, zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	resp := &control.HealthCheckResponse{
+		Body: &control.HealthCheckResponse_Body{
+			HealthStatus: control.HealthStatus_READY,
+		},
+	}
+
+	return resp, nil
+}
+
+// PutPolicies replaces existing policies.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) PutPolicies(_ context.Context, req *control.PutPoliciesRequest) (*control.PutPoliciesResponse, error) {
+	s.log.Info(logs.ControlAPIPutPolicies, zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	for _, data := range req.GetBody().GetChainDatas() {
+		if err := s.putPolicy(data); err != nil {
+			return nil, err
+		}
+	}
+
+	return &control.PutPoliciesResponse{}, nil
+}
+
+func (s *Server) putPolicy(data *control.PutPoliciesRequest_ChainData) error {
+	var overrideChain chain.Chain
+	if err := overrideChain.DecodeBytes(data.GetChain()); err != nil {
+		return status.Error(codes.InvalidArgument, fmt.Sprintf("failed to parse body: %s", err.Error()))
+	}
+
+	if overrideChain.ID == "" {
+		return status.Error(codes.InvalidArgument, "missing chain id")
+	}
+
+	err := s.chainStorage.LocalStorage().RemoveOverride(chain.Ingress, data.GetNamespace(), overrideChain.ID)
+	if err != nil && !isNotFoundError(err) {
+		return status.Error(codes.Internal, err.Error())
+	}
+
+	if _, err = s.chainStorage.LocalStorage().AddOverride(chain.Ingress, data.GetNamespace(), &overrideChain); err != nil {
+		return status.Error(codes.Internal, err.Error())
+	}
+
+	return nil
+}
+
+// RemovePolicies removes existing policies.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) RemovePolicies(_ context.Context, req *control.RemovePoliciesRequest) (*control.RemovePoliciesResponse, error) {
+	s.log.Info(logs.ControlAPIRemovePolicies, zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	for _, info := range req.GetBody().GetChainInfos() {
+		if err := s.removePolicy(info); err != nil {
+			return nil, err
+		}
+	}
+
+	return &control.RemovePoliciesResponse{}, nil
+}
+
+func (s *Server) removePolicy(info *control.RemovePoliciesRequest_ChainInfo) error {
+	err := s.chainStorage.LocalStorage().RemoveOverride(chain.Ingress, info.GetNamespace(), chain.ID(info.GetChainID()))
+	if err != nil {
+		if isNotFoundError(err) {
+			return status.Error(codes.NotFound, err.Error())
+		}
+		return status.Error(codes.InvalidArgument, err.Error())
+	}
+	return nil
+}
+
+// GetPolicy returns existing policy.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) GetPolicy(_ context.Context, req *control.GetPolicyRequest) (*control.GetPolicyResponse, error) {
+	s.log.Info(logs.ControlAPIGetPolicy, zap.String("namespace", req.GetBody().GetNamespace()),
+		zap.String("chainId", req.GetBody().GetChainID()), zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	overrideChain, err := s.chainStorage.LocalStorage().GetOverride(chain.Ingress, req.GetBody().GetNamespace(), chain.ID(req.GetBody().GetChainID()))
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	return &control.GetPolicyResponse{Body: &control.GetPolicyResponse_Body{Chain: overrideChain.Bytes()}}, nil
+}
+
+// ListPolicies lists existing policies.
+//
+// If request is unsigned or signed by disallowed key, permission error returns.
+func (s *Server) ListPolicies(_ context.Context, req *control.ListPoliciesRequest) (*control.ListPoliciesResponse, error) {
+	s.log.Info(logs.ControlAPIListPolicies, zap.String("namespace", req.GetBody().GetNamespace()),
+		zap.String("key", hex.EncodeToString(req.Signature.Key)))
+
+	// verify request
+	if err := s.isValidRequest(req); err != nil {
+		return nil, status.Error(codes.PermissionDenied, err.Error())
+	}
+
+	chains, err := s.chainStorage.LocalStorage().ListOverrides(chain.Ingress, req.GetBody().GetNamespace())
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	res := make([]string, len(chains))
+	for i := range chains {
+		res[i] = string(chains[i].ID)
+	}
+
+	return &control.ListPoliciesResponse{Body: &control.ListPoliciesResponse_Body{ChainIDs: res}}, nil
+}
+
+// SignedMessage is an interface of Control service message.
+type SignedMessage interface {
+	ReadSignedData([]byte) ([]byte, error)
+	GetSignature() *control.Signature
+	SetSignature(*control.Signature)
+}
+
+var errDisallowedKey = errors.New("key is not in the allowed list")
+var errMissingSignature = errors.New("missing signature")
+var errInvalidSignature = errors.New("invalid signature")
+
+func (s *Server) isValidRequest(req SignedMessage) error {
+	sign := req.GetSignature()
+	if sign == nil {
+		return errMissingSignature
+	}
+
+	var (
+		key     = sign.GetKey()
+		allowed = false
+	)
+
+	// check if key is allowed
+	for _, authKey := range s.keysFetcher.FetchRawKeys() {
+		if allowed = bytes.Equal(authKey, key); allowed {
+			break
+		}
+	}
+
+	if !allowed {
+		return errDisallowedKey
+	}
+
+	// verify signature
+	binBody, err := req.ReadSignedData(nil)
+	if err != nil {
+		return fmt.Errorf("marshal request body: %w", err)
+	}
+
+	var sigV2 refs.Signature
+	sigV2.SetKey(sign.GetKey())
+	sigV2.SetSign(sign.GetSign())
+	sigV2.SetScheme(refs.ECDSA_SHA512)
+
+	var sig frostfscrypto.Signature
+	if err := sig.ReadFromV2(sigV2); err != nil {
+		return fmt.Errorf("can't read signature: %w", err)
+	}
+
+	if !sig.Verify(binBody) {
+		return errInvalidSignature
+	}
+
+	return nil
+}
+
+// SignMessage signs Control service message with private key.
+func SignMessage(key *ecdsa.PrivateKey, msg SignedMessage) error {
+	binBody, err := msg.ReadSignedData(nil)
+	if err != nil {
+		return fmt.Errorf("marshal request body: %w", err)
+	}
+
+	var sig frostfscrypto.Signature
+
+	err = sig.Calculate(frostfsecdsa.Signer(*key), binBody)
+	if err != nil {
+		return fmt.Errorf("calculate signature: %w", err)
+	}
+
+	var sigV2 refs.Signature
+	sig.WriteToV2(&sigV2)
+
+	var sigControl control.Signature
+	sigControl.Key = sigV2.GetKey()
+	sigControl.Sign = sigV2.GetSign()
+
+	msg.SetSignature(&sigControl)
+
+	return nil
+}
+
+func isNotFoundError(err error) bool {
+	return errors.Is(err, engine.ErrChainNameNotFound) ||
+		errors.Is(err, engine.ErrChainNotFound) ||
+		errors.Is(err, engine.ErrResourceNotFound)
+}

pkg/service/control/service.proto

@@ -0,0 +1,180 @@
+syntax = "proto3";
+
+package s3gw.control;
+
+option go_package = "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/service/control";
+
+// `ControlService` provides an interface for internal work with the storage node.
+service ControlService {
+  // Performs health check of the storage node.
+  rpc HealthCheck (HealthCheckRequest) returns (HealthCheckResponse);
+
+  rpc PutPolicies (PutPoliciesRequest) returns (PutPoliciesResponse);
+
+  rpc RemovePolicies (RemovePoliciesRequest) returns (RemovePoliciesResponse);
+
+  rpc GetPolicy (GetPolicyRequest) returns (GetPolicyResponse);
+
+  rpc ListPolicies (ListPoliciesRequest) returns (ListPoliciesResponse);
+}
+
+// Signature of some message.
+message Signature {
+  // Public key used for signing.
+  bytes key = 1 [json_name = "key"];
+
+  // Binary signature.
+  bytes sign = 2 [json_name = "signature"];
+}
+
+// Health check request.
+message HealthCheckRequest {
+  message Body {
+  }
+
+  // Body of health check request message.
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Health check response.
+message HealthCheckResponse {
+  // Health check response body
+  message Body {
+    // Health status of storage node application.
+    HealthStatus health_status = 1;
+  }
+
+  // Body of health check response message.
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+
+// Health status of the storage node application.
+enum HealthStatus {
+  // Undefined status, default value.
+  HEALTH_STATUS_UNDEFINED = 0;
+
+  // Storage node application is starting.
+  STARTING = 1;
+
+  // Storage node application is started and serves all services.
+  READY = 2;
+
+  // Storage node application is shutting down.
+  SHUTTING_DOWN = 3;
+}
+
+// Put policies request.
+message PutPoliciesRequest {
+  message ChainData {
+    // Namespace.
+    string namespace = 1;
+    // Chain rules.
+    bytes chain = 2;
+  }
+
+  message Body {
+    repeated ChainData chainDatas = 1;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Put policies response.
+message PutPoliciesResponse {
+  message Body {
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+// Remove policies request.
+message RemovePoliciesRequest {
+  message ChainInfo {
+    // Namespace.
+    string namespace = 1;
+    // Chain id to remove.
+    string chainID = 2;
+  }
+
+  message Body {
+    repeated ChainInfo chainInfos = 1;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Remove policies response.
+message RemovePoliciesResponse {
+  message Body {
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+// Get policy request.
+message GetPolicyRequest {
+  message Body {
+    // Namespace.
+    string namespace = 1;
+    // Chain id to remove.
+    string chainID = 2;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// Get policy response.
+message GetPolicyResponse {
+  message Body {
+    // Chain rules.
+    bytes chain = 1;
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
+}
+
+// List policies request.
+message ListPoliciesRequest {
+  message Body {
+    // Namespace.
+    string namespace = 1;
+  }
+
+  Body body = 1;
+
+  // Body signature.
+  Signature signature = 2;
+}
+
+// List policies response.
+message ListPoliciesResponse {
+  message Body {
+    // Chain ids.
+    repeated string chainIDs = 1;
+  }
+
+  Body body = 1;
+
+  Signature signature = 2;
+}

pkg/service/control/service_frostfs.pb.go

@@ -0,0 +1,947 @@
+// Code generated by protoc-gen-go-frostfs. DO NOT EDIT.
+
+package control
+
+import "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/util/proto"
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *Signature) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.BytesSize(1, x.Key)
+	size += proto.BytesSize(2, x.Sign)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *Signature) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.BytesMarshal(1, buf[offset:], x.Key)
+	offset += proto.BytesMarshal(2, buf[offset:], x.Sign)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckRequest_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *HealthCheckRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *HealthCheckRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *HealthCheckRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.EnumSize(1, int32(x.HealthStatus))
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckResponse_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.EnumMarshal(1, buf[offset:], int32(x.HealthStatus))
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *HealthCheckResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *HealthCheckResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *HealthCheckResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *HealthCheckResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *HealthCheckResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPoliciesRequest_ChainData) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.BytesSize(2, x.Chain)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPoliciesRequest_ChainData) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.BytesMarshal(2, buf[offset:], x.Chain)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPoliciesRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	for i := range x.ChainDatas {
+		size += proto.NestedStructureSize(1, x.ChainDatas[i])
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPoliciesRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	for i := range x.ChainDatas {
+		offset += proto.NestedStructureMarshal(1, buf[offset:], x.ChainDatas[i])
+	}
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPoliciesRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPoliciesRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *PutPoliciesRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *PutPoliciesRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *PutPoliciesRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPoliciesResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPoliciesResponse_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *PutPoliciesResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *PutPoliciesResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *PutPoliciesResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *PutPoliciesResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *PutPoliciesResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePoliciesRequest_ChainInfo) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.StringSize(2, x.ChainID)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePoliciesRequest_ChainInfo) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.StringMarshal(2, buf[offset:], x.ChainID)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePoliciesRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	for i := range x.ChainInfos {
+		size += proto.NestedStructureSize(1, x.ChainInfos[i])
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePoliciesRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	for i := range x.ChainInfos {
+		offset += proto.NestedStructureMarshal(1, buf[offset:], x.ChainInfos[i])
+	}
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePoliciesRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePoliciesRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemovePoliciesRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemovePoliciesRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemovePoliciesRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePoliciesResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePoliciesResponse_Body) StableMarshal(buf []byte) []byte {
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *RemovePoliciesResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *RemovePoliciesResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *RemovePoliciesResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *RemovePoliciesResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *RemovePoliciesResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *GetPolicyRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	size += proto.StringSize(2, x.ChainID)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *GetPolicyRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	offset += proto.StringMarshal(2, buf[offset:], x.ChainID)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *GetPolicyRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *GetPolicyRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *GetPolicyRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *GetPolicyRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *GetPolicyRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *GetPolicyResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.BytesSize(1, x.Chain)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *GetPolicyResponse_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.BytesMarshal(1, buf[offset:], x.Chain)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *GetPolicyResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *GetPolicyResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *GetPolicyResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *GetPolicyResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *GetPolicyResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *ListPoliciesRequest_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.StringSize(1, x.Namespace)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *ListPoliciesRequest_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *ListPoliciesRequest) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *ListPoliciesRequest) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *ListPoliciesRequest) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *ListPoliciesRequest) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *ListPoliciesRequest) SetSignature(sig *Signature) {
+	x.Signature = sig
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *ListPoliciesResponse_Body) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.RepeatedStringSize(1, x.ChainIDs)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *ListPoliciesResponse_Body) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.RepeatedStringMarshal(1, buf[offset:], x.ChainIDs)
+	return buf
+}
+
+// StableSize returns the size of x in protobuf format.
+//
+// Structures with the same field values have the same binary size.
+func (x *ListPoliciesResponse) StableSize() (size int) {
+	if x == nil {
+		return 0
+	}
+	size += proto.NestedStructureSize(1, x.Body)
+	size += proto.NestedStructureSize(2, x.Signature)
+	return size
+}
+
+// StableMarshal marshals x in protobuf binary format with stable field order.
+//
+// If buffer length is less than x.StableSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same binary format.
+func (x *ListPoliciesResponse) StableMarshal(buf []byte) []byte {
+	if x == nil {
+		return []byte{}
+	}
+	if buf == nil {
+		buf = make([]byte, x.StableSize())
+	}
+	var offset int
+	offset += proto.NestedStructureMarshal(1, buf[offset:], x.Body)
+	offset += proto.NestedStructureMarshal(2, buf[offset:], x.Signature)
+	return buf
+}
+
+// ReadSignedData fills buf with signed data of x.
+// If buffer length is less than x.SignedDataSize(), new buffer is allocated.
+//
+// Returns any error encountered which did not allow writing the data completely.
+// Otherwise, returns the buffer in which the data is written.
+//
+// Structures with the same field values have the same signed data.
+func (x *ListPoliciesResponse) SignedDataSize() int {
+	return x.GetBody().StableSize()
+}
+
+// SignedDataSize returns size of the request signed data in bytes.
+//
+// Structures with the same field values have the same signed data size.
+func (x *ListPoliciesResponse) ReadSignedData(buf []byte) ([]byte, error) {
+	return x.GetBody().StableMarshal(buf), nil
+}
+
+func (x *ListPoliciesResponse) SetSignature(sig *Signature) {
+	x.Signature = sig
+}

pkg/service/control/service_grpc.pb.go

@@ -0,0 +1,249 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v3.21.9
+// source: pkg/service/control/service.proto
+
+package control
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// ControlServiceClient is the client API for ControlService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type ControlServiceClient interface {
+	// Performs health check of the storage node.
+	HealthCheck(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error)
+	PutPolicies(ctx context.Context, in *PutPoliciesRequest, opts ...grpc.CallOption) (*PutPoliciesResponse, error)
+	RemovePolicies(ctx context.Context, in *RemovePoliciesRequest, opts ...grpc.CallOption) (*RemovePoliciesResponse, error)
+	GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*GetPolicyResponse, error)
+	ListPolicies(ctx context.Context, in *ListPoliciesRequest, opts ...grpc.CallOption) (*ListPoliciesResponse, error)
+}
+
+type controlServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewControlServiceClient(cc grpc.ClientConnInterface) ControlServiceClient {
+	return &controlServiceClient{cc}
+}
+
+func (c *controlServiceClient) HealthCheck(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error) {
+	out := new(HealthCheckResponse)
+	err := c.cc.Invoke(ctx, "/s3gw.control.ControlService/HealthCheck", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlServiceClient) PutPolicies(ctx context.Context, in *PutPoliciesRequest, opts ...grpc.CallOption) (*PutPoliciesResponse, error) {
+	out := new(PutPoliciesResponse)
+	err := c.cc.Invoke(ctx, "/s3gw.control.ControlService/PutPolicies", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlServiceClient) RemovePolicies(ctx context.Context, in *RemovePoliciesRequest, opts ...grpc.CallOption) (*RemovePoliciesResponse, error) {
+	out := new(RemovePoliciesResponse)
+	err := c.cc.Invoke(ctx, "/s3gw.control.ControlService/RemovePolicies", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlServiceClient) GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*GetPolicyResponse, error) {
+	out := new(GetPolicyResponse)
+	err := c.cc.Invoke(ctx, "/s3gw.control.ControlService/GetPolicy", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlServiceClient) ListPolicies(ctx context.Context, in *ListPoliciesRequest, opts ...grpc.CallOption) (*ListPoliciesResponse, error) {
+	out := new(ListPoliciesResponse)
+	err := c.cc.Invoke(ctx, "/s3gw.control.ControlService/ListPolicies", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ControlServiceServer is the server API for ControlService service.
+// All implementations should embed UnimplementedControlServiceServer
+// for forward compatibility
+type ControlServiceServer interface {
+	// Performs health check of the storage node.
+	HealthCheck(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error)
+	PutPolicies(context.Context, *PutPoliciesRequest) (*PutPoliciesResponse, error)
+	RemovePolicies(context.Context, *RemovePoliciesRequest) (*RemovePoliciesResponse, error)
+	GetPolicy(context.Context, *GetPolicyRequest) (*GetPolicyResponse, error)
+	ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error)
+}
+
+// UnimplementedControlServiceServer should be embedded to have forward compatible implementations.
+type UnimplementedControlServiceServer struct {
+}
+
+func (UnimplementedControlServiceServer) HealthCheck(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method HealthCheck not implemented")
+}
+func (UnimplementedControlServiceServer) PutPolicies(context.Context, *PutPoliciesRequest) (*PutPoliciesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PutPolicies not implemented")
+}
+func (UnimplementedControlServiceServer) RemovePolicies(context.Context, *RemovePoliciesRequest) (*RemovePoliciesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RemovePolicies not implemented")
+}
+func (UnimplementedControlServiceServer) GetPolicy(context.Context, *GetPolicyRequest) (*GetPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetPolicy not implemented")
+}
+func (UnimplementedControlServiceServer) ListPolicies(context.Context, *ListPoliciesRequest) (*ListPoliciesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListPolicies not implemented")
+}
+
+// UnsafeControlServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ControlServiceServer will
+// result in compilation errors.
+type UnsafeControlServiceServer interface {
+	mustEmbedUnimplementedControlServiceServer()
+}
+
+func RegisterControlServiceServer(s grpc.ServiceRegistrar, srv ControlServiceServer) {
+	s.RegisterService(&ControlService_ServiceDesc, srv)
+}
+
+func _ControlService_HealthCheck_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(HealthCheckRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).HealthCheck(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/s3gw.control.ControlService/HealthCheck",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).HealthCheck(ctx, req.(*HealthCheckRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ControlService_PutPolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PutPoliciesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).PutPolicies(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/s3gw.control.ControlService/PutPolicies",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).PutPolicies(ctx, req.(*PutPoliciesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ControlService_RemovePolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemovePoliciesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).RemovePolicies(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/s3gw.control.ControlService/RemovePolicies",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).RemovePolicies(ctx, req.(*RemovePoliciesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ControlService_GetPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetPolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).GetPolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/s3gw.control.ControlService/GetPolicy",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).GetPolicy(ctx, req.(*GetPolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ControlService_ListPolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListPoliciesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServiceServer).ListPolicies(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/s3gw.control.ControlService/ListPolicies",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServiceServer).ListPolicies(ctx, req.(*ListPoliciesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ControlService_ServiceDesc is the grpc.ServiceDesc for ControlService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ControlService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "s3gw.control.ControlService",
+	HandlerType: (*ControlServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "HealthCheck",
+			Handler:    _ControlService_HealthCheck_Handler,
+		},
+		{
+			MethodName: "PutPolicies",
+			Handler:    _ControlService_PutPolicies_Handler,
+		},
+		{
+			MethodName: "RemovePolicies",
+			Handler:    _ControlService_RemovePolicies_Handler,
+		},
+		{
+			MethodName: "GetPolicy",
+			Handler:    _ControlService_GetPolicy_Handler,
+		},
+		{
+			MethodName: "ListPolicies",
+			Handler:    _ControlService_ListPolicies_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "pkg/service/control/service.proto",
+}