2023-12-22 10:27:07 +00:00 · 2023-12-21 12:09:29 +00:00
16 changed files with 117 additions and 81 deletions
--- a/api/middleware/auth.go
+++ b/api/middleware/auth.go
@ -71,11 +71,11 @@ func Auth(center Center, log *zap.Logger) Func {
 	}
 }

-type FrostFSID interface {
+type FrostFSIDValidator interface {
 	ValidatePublicKey(key *keys.PublicKey) error
 }

-func FrostfsIDValidation(frostfsID FrostFSID, log *zap.Logger) Func {
+func FrostfsIDValidation(frostfsID FrostFSIDValidator, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
@ -97,7 +97,7 @@ func FrostfsIDValidation(frostfsID FrostFSID, log *zap.Logger) Func {
 	}
 }

-func validateBearerToken(frostfsID FrostFSID, bt *bearer.Token) error {
+func validateBearerToken(frostfsID FrostFSIDValidator, bt *bearer.Token) error {
 	m := new(acl.BearerToken)
 	bt.WriteToV2(m)

--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@ -11,8 +11,10 @@ import (
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
 	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/resource/testutil"
+	"git.frostfs.info/TrueCloudLab/policy-engine/schema/common"
 	"git.frostfs.info/TrueCloudLab/policy-engine/schema/s3"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"go.uber.org/zap"
 )

@ -21,12 +23,16 @@ type PolicySettings interface {
 	PolicyDenyByDefault() bool
 }

-func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []string, log *zap.Logger) Func {
+type FrostFSIDInformer interface {
+	GetUserGroupIDs(userHash util.Uint160) ([]string, error)
+}
+
+func PolicyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()

-			st, err := policyCheck(storage, settings, domains, r)
+			st, err := policyCheck(storage, frostfsid, settings, domains, r)
 			if err == nil {
 				if st != chain.Allow && (st != chain.NoRuleFound || settings.PolicyDenyByDefault()) {
 					err = apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
@ -43,8 +49,8 @@ func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []
 	}
 }

-func policyCheck(storage engine.ChainRouter, settings PolicySettings, domains []string, r *http.Request) (chain.Status, error) {
-	req, err := getPolicyRequest(r, domains)
+func policyCheck(storage engine.ChainRouter, frostfsid FrostFSIDInformer, settings PolicySettings, domains []string, r *http.Request) (chain.Status, error) {
+	req, err := getPolicyRequest(r, frostfsid, domains)
 	if err != nil {
 		return 0, err
 	}
@ -63,8 +69,12 @@ func policyCheck(storage engine.ChainRouter, settings PolicySettings, domains []
 	return st, nil
 }

-func getPolicyRequest(r *http.Request, domains []string) (*testutil.Request, error) {
-	var owner string
+func getPolicyRequest(r *http.Request, frostfsid FrostFSIDInformer, domains []string) (*testutil.Request, error) {
+	var (
+		owner  string
+		groups []string
+	)
+
 	ctx := r.Context()
 	bd, err := GetBoxData(ctx)
 	if err == nil && bd.Gate.BearerToken != nil {
@ -73,12 +83,20 @@ func getPolicyRequest(r *http.Request, domains []string) (*testutil.Request, err
 			return nil, fmt.Errorf("parse pubclic key from btoken: %w", err)
 		}
 		owner = pk.Address()
+
+		groups, err = frostfsid.GetUserGroupIDs(pk.GetScriptHash())
+		if err != nil {
+			return nil, fmt.Errorf("get group ids: %w", err)
+		}
 	}

 	op, res := determineOperationAndResource(r, domains)

 	return testutil.NewRequest(op, testutil.NewResource(res, nil),
-		map[string]string{s3.PropertyKeyOwner: owner},
+		map[string]string{
+			s3.PropertyKeyOwner:                owner,
+			common.PropertyKeyFrostFSIDGroupID: chain.FormCondSliceContainsValue(groups),
+		},
 	), nil
 }

--- a/api/router.go
+++ b/api/router.go
@ -96,6 +96,11 @@ type Settings interface {
 	s3middleware.MetricsSettings
 }

+type FrostFSID interface {
+	s3middleware.FrostFSIDValidator
+	s3middleware.FrostFSIDInformer
+}
+
 type Config struct {
 	Throttle middleware.ThrottleOpts
 	Handler  Handler
@ -108,8 +113,9 @@ type Config struct {
 	// Domains optional. If empty no virtual hosted domains will be attached.
 	Domains []string

-	// FrostfsID optional. If nil middleware.FrostfsIDValidation won't be attached.
-	FrostfsID s3middleware.FrostFSID
+	FrostfsID FrostFSID
+
+	FrostFSIDValidation bool

 	PolicyChecker engine.ChainRouter
 }
@ -126,13 +132,11 @@ func NewRouter(cfg Config) *chi.Mux {
 		s3middleware.Auth(cfg.Center, cfg.Log),
 	)

-	if cfg.FrostfsID != nil {
+	if cfg.FrostFSIDValidation {
 		api.Use(s3middleware.FrostfsIDValidation(cfg.FrostfsID, cfg.Log))
 	}

-	if cfg.PolicyChecker != nil {
-		api.Use(s3middleware.PolicyCheck(cfg.PolicyChecker, cfg.MiddlewareSettings, cfg.Domains, cfg.Log))
-	}
+	api.Use(s3middleware.PolicyCheck(cfg.PolicyChecker, cfg.FrostfsID, cfg.MiddlewareSettings, cfg.Domains, cfg.Log))

 	defaultRouter := chi.NewRouter()
 	defaultRouter.Mount(fmt.Sprintf("/{%s}", s3middleware.BucketURLPrm), bucketRouter(cfg.Handler, cfg.Log))
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@ -84,12 +84,13 @@ type (
 	}

 	appSettings struct {
-		logLevel           zap.AtomicLevel
-		maxClient          maxClientsConfig
-		defaultMaxAge      int
-		notificatorEnabled bool
-		resolveZoneList    []string
-		isResolveListAllow bool // True if ResolveZoneList contains allowed zones
+		logLevel            zap.AtomicLevel
+		maxClient           maxClientsConfig
+		defaultMaxAge       int
+		notificatorEnabled  bool
+		resolveZoneList     []string
+		isResolveListAllow  bool // True if ResolveZoneList contains allowed zones
+		frostfsidValidation bool

 		mu                            sync.RWMutex
 		namespaces                    Namespaces
@ -192,10 +193,11 @@ func (a *App) initLayer(ctx context.Context) {

 func newAppSettings(log *Logger, v *viper.Viper, key *keys.PrivateKey) *appSettings {
 	settings := &appSettings{
-		logLevel:           log.lvl,
-		maxClient:          newMaxClients(v),
-		defaultMaxAge:      fetchDefaultMaxAge(v, log.logger),
-		notificatorEnabled: v.GetBool(cfgEnableNATS),
+		logLevel:            log.lvl,
+		maxClient:           newMaxClients(v),
+		defaultMaxAge:       fetchDefaultMaxAge(v, log.logger),
+		notificatorEnabled:  v.GetBool(cfgEnableNATS),
+		frostfsidValidation: v.GetBool(cfgFrostfsIDValidationEnabled),
 	}

 	settings.resolveZoneList = v.GetStringSlice(cfgResolveBucketAllow)
@ -434,10 +436,6 @@ func (a *App) initMetrics() {
 }

 func (a *App) initFrostfsID(ctx context.Context) {
-	if !a.cfg.GetBool(cfgFrostfsIDEnabled) {
-		return
-	}
-
 	var err error
 	a.frostfsid, err = frostfsid.New(ctx, frostfsid.Config{
 		RPCAddress: a.cfg.GetString(cfgRPCEndpoint),
@ -673,12 +671,9 @@ func (a *App) Serve(ctx context.Context) {

 		MiddlewareSettings: a.settings,
 		PolicyChecker:      a.policyStorage,
-	}

-	// We cannot make direct assignment if frostfsid.FrostFSID is nil
-	// because in that case the interface won't be nil, it will just contain nil value.
-	if a.frostfsid != nil {
-		cfg.FrostfsID = a.frostfsid
+		FrostfsID:           a.frostfsid,
+		FrostFSIDValidation: a.settings.frostfsidValidation,
 	}

 	chiRouter := api.NewRouter(cfg)
--- a/cmd/s3-gw/app_settings.go
+++ b/cmd/s3-gw/app_settings.go
@ -206,8 +206,8 @@ const ( // Settings.
 	cfgPolicyDenyByDefault = "features.policy.deny_by_default"

 	// FrostfsID.
-	cfgFrostfsIDEnabled  = "frostfsid.enabled"
-	cfgFrostfsIDContract = "frostfsid.contract"
+	cfgFrostfsIDContract          = "frostfsid.contract"
+	cfgFrostfsIDValidationEnabled = "frostfsid.validation.enabled"

 	// Policy.
 	cfgPolicyEnabled  = "policy.enabled"
@ -697,7 +697,6 @@ func newSettings() *viper.Viper {

 	// frostfsid
 	v.SetDefault(cfgFrostfsIDContract, "frostfsid.frostfs")
-	v.SetDefault(cfgFrostfsIDEnabled, true)

 	// policy
 	v.SetDefault(cfgPolicyContract, "policy.frostfs")
--- a/config/config.env
+++ b/config/config.env
@ -193,10 +193,10 @@ S3_GW_WEB_WRITE_TIMEOUT=0
 S3_GW_WEB_IDLE_TIMEOUT=30s

 # FrostfsID contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
-# Enables check that allow requests only users that is registered in FrostfsID contract.
-S3_GW_FROSTFSID_ENABLED=true
 # FrostfsID contract hash (LE) or name in NNS.
 S3_GW_FROSTFSID_CONTRACT=frostfsid.frostfs
+# Enables a check to only allow requests to users registered in the FrostfsID contract.
+S3_GW_FROSTFSID_VALIDATION_ENABLED=true

 # Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
 # Enables using policies from Policy contract.
--- a/config/config.yaml
+++ b/config/config.yaml
@ -163,7 +163,7 @@ cors:
 frostfs:
  # Numbers of the object copies (for each replica) to consider PUT to FrostFS successful.
  # `[0]` or empty list means that object will be processed according to the container's placement policy
-  set_copies_number: [0]
+  set_copies_number: [ 0 ]
  # This flag enables client side object preparing.
  client_cut: false
  # Sets max buffer size for read payload in put operations.
@ -228,10 +228,11 @@ web:

 # FrostfsID contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
 frostfsid:
-  # Enables check that allow requests only users that is registered in FrostfsID contract.
-  enabled: true
  # FrostfsID contract hash (LE) or name in NNS.
  contract: frostfsid.frostfs
+  validation:
+    # Enables a check to only allow requests to users registered in the FrostfsID contract.
+    enabled: true

 # Policy contract configuration. To enable this functionality the `rpc_endpoint` param must be also set.
 policy:
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -637,14 +637,15 @@ FrostfsID contract configuration. To enable this functionality the `rpc_endpoint

 ```yaml
 frostfsid:
-  enabled: false
  contract: frostfsid.frostfs
+  validation: 
+   enabled: false
 ```

-| Parameter  | Type     | SIGHUP reload | Default value     | Description                                                                            |
-|------------|----------|---------------|-------------------|----------------------------------------------------------------------------------------|
-| `enabled`  | `bool`   | no            | true              | Enables check that allow requests only users that is registered in FrostfsID contract. |
-| `contract` | `string` | no            | frostfsid.frostfs | FrostfsID contract hash (LE) or name in NNS.                                           |
+| Parameter            | Type     | SIGHUP reload | Default value       | Description                                                                           |
+|----------------------|----------|---------------|---------------------|---------------------------------------------------------------------------------------|
+| `contract`           | `string` | no            | `frostfsid.frostfs` | FrostfsID contract hash (LE) or name in NNS.                                          |
+| `validation.enabled` | `bool`   | no            | `false`             | Enables a check to only allow requests to users registered in the FrostfsID contract. |

 # `policy` section

@ -697,4 +698,3 @@ To override config values for default namespaces use namespace names that are pr
  }
 }
 ```
-
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.18.1-0.20231129062201-a1b61d394958
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231107114540-ab75edd70939
-	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231220070831-3128352693fc
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231221111352-06e9c910142d
 	git.frostfs.info/TrueCloudLab/zapjournald v0.0.0-20231018083019-2b6d84de9a3d
 	github.com/aws/aws-sdk-go v1.44.6
 	github.com/bluele/gcache v0.0.2
--- a/go.sum
+++ b/go.sum
@ -48,8 +48,8 @@ git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231107114540-ab75edd70939
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231107114540-ab75edd70939/go.mod h1:t1akKcUH7iBrFHX8rSXScYMP17k2kYQXMbZooiL5Juw=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231220070831-3128352693fc h1:ZBZkWBbDmqSdMoq7igIg4EYMIgbyFaLGcpHcU3urDnI=
-git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231220070831-3128352693fc/go.mod h1:v43imcuSmDwSNrePe4UTQh8jaE8FmsiKN3FcaEzmRzc=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231221111352-06e9c910142d h1:mIq3GcGDoiSTBN4lYqQkLP3NgGK6izNuyvAysR2G/LI=
+git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231221111352-06e9c910142d/go.mod h1:ps6oKO0mxaPJzK3admTB3iwoBXKkHnS73n4PCrqpHBg=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0 h1:M2KR3iBj7WpY3hP10IevfIB9MURr4O9mwVfJ+SjT3HA=
 git.frostfs.info/TrueCloudLab/rfc6979 v0.4.0/go.mod h1:okpbKfVYf/BpejtfFTfhZqFP+sZ8rsHrP8Rr/jYPNRc=
 git.frostfs.info/TrueCloudLab/tzhash v1.8.0 h1:UFMnUIk0Zh17m8rjGHJMqku2hCgaXDqjqZzS4gsb4UA=
--- a/internal/frostfs/frostfsid/frostfsid.go
+++ b/internal/frostfs/frostfsid/frostfsid.go
@ -3,15 +3,17 @@ package frostfsid
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"

 	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/handler"
-	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/authmate"
 	frostfsutil "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/util"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 )

@ -32,9 +34,9 @@ type Config struct {
 }

 var (
-	_ middleware.FrostFSID = (*FrostFSID)(nil)
-	_ authmate.FrostFSID   = (*FrostFSID)(nil)
-	_ handler.FrostFSID    = (*FrostFSID)(nil)
+	_ api.FrostFSID      = (*FrostFSID)(nil)
+	_ authmate.FrostFSID = (*FrostFSID)(nil)
+	_ handler.FrostFSID  = (*FrostFSID)(nil)
 )

 // New creates new FrostfsID contract wrapper that implements auth.FrostFSID interface.
@ -88,3 +90,20 @@ func (f *FrostFSID) GetUserAddress(namespace, name string) (string, error) {

 	return key.Address(), nil
 }
+
+func (f *FrostFSID) GetUserGroupIDs(userHash util.Uint160) ([]string, error) {
+	subjExt, err := f.cli.GetSubjectExtended(userHash)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	res := make([]string, len(subjExt.Groups))
+	for i, group := range subjExt.Groups {
+		res[i] = strconv.FormatInt(group.ID, 10)
+	}
+
+	return res, nil
+}
--- a/pkg/service/control/client/client.go
+++ b/pkg/service/control/client/client.go
@ -94,7 +94,7 @@ func (c *Client) RemovePolicies(ctx context.Context, policies []PolicyInfo) erro
 	for i := range policies {
 		chainInfos[i] = &control.RemovePoliciesRequest_ChainInfo{
 			Namespace: policies[i].Namespace,
-			ChainID:   string(policies[i].ChainID),
+			ChainID:   []byte(policies[i].ChainID),
 		}
 	}

@ -116,7 +116,7 @@ func (c *Client) GetPolicy(ctx context.Context, namespace string, chainID chain.
 	req := &control.GetPolicyRequest{
 		Body: &control.GetPolicyRequest_Body{
 			Namespace: namespace,
-			ChainID:   string(chainID),
+			ChainID:   []byte(chainID),
 		},
 	}

--- a/pkg/service/control/server/server.go
+++ b/pkg/service/control/server/server.go
@ -185,7 +185,7 @@ func (s *Server) removePolicy(info *control.RemovePoliciesRequest_ChainInfo) err
 // If request is unsigned or signed by disallowed key, permission error returns.
 func (s *Server) GetPolicy(_ context.Context, req *control.GetPolicyRequest) (*control.GetPolicyResponse, error) {
 	s.log.Info(logs.ControlAPIGetPolicy, zap.String("namespace", req.GetBody().GetNamespace()),
-		zap.String("chainId", req.GetBody().GetChainID()), zap.String("key", hex.EncodeToString(req.Signature.Key)))
+		zap.Binary("chainId", req.GetBody().GetChainID()), zap.String("key", hex.EncodeToString(req.Signature.Key)))

 	// verify request
 	if err := s.isValidRequest(req); err != nil {
@ -219,9 +219,9 @@ func (s *Server) ListPolicies(_ context.Context, req *control.ListPoliciesReques
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}

-	res := make([]string, len(chains))
+	res := make([][]byte, len(chains))
 	for i := range chains {
-		res[i] = string(chains[i].ID)
+		res[i] = []byte(chains[i].ID)
 	}

 	return &control.ListPoliciesResponse{Body: &control.ListPoliciesResponse_Body{ChainIDs: res}}, nil
--- a/pkg/service/control/service.pb.go
+++ b/pkg/service/control/service.pb.go
@ -939,7 +939,7 @@ type RemovePoliciesRequest_ChainInfo struct {
 	// Namespace.
 	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
 	// Chain id to remove.
-	ChainID string `protobuf:"bytes,2,opt,name=chainID,proto3" json:"chainID,omitempty"`
+	ChainID []byte `protobuf:"bytes,2,opt,name=chainID,proto3" json:"chainID,omitempty"`
 }

 func (x *RemovePoliciesRequest_ChainInfo) Reset() {
@ -981,11 +981,11 @@ func (x *RemovePoliciesRequest_ChainInfo) GetNamespace() string {
 	return ""
 }

-func (x *RemovePoliciesRequest_ChainInfo) GetChainID() string {
+func (x *RemovePoliciesRequest_ChainInfo) GetChainID() []byte {
 	if x != nil {
 		return x.ChainID
 	}
-	return ""
+	return nil
 }

 type RemovePoliciesRequest_Body struct {
@ -1081,7 +1081,7 @@ type GetPolicyRequest_Body struct {
 	// Namespace.
 	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
 	// Chain id to remove.
-	ChainID string `protobuf:"bytes,2,opt,name=chainID,proto3" json:"chainID,omitempty"`
+	ChainID []byte `protobuf:"bytes,2,opt,name=chainID,proto3" json:"chainID,omitempty"`
 }

 func (x *GetPolicyRequest_Body) Reset() {
@ -1123,11 +1123,11 @@ func (x *GetPolicyRequest_Body) GetNamespace() string {
 	return ""
 }

-func (x *GetPolicyRequest_Body) GetChainID() string {
+func (x *GetPolicyRequest_Body) GetChainID() []byte {
 	if x != nil {
 		return x.ChainID
 	}
-	return ""
+	return nil
 }

 type GetPolicyResponse_Body struct {
@ -1232,7 +1232,7 @@ type ListPoliciesResponse_Body struct {
 	unknownFields protoimpl.UnknownFields

 	// Chain ids.
-	ChainIDs []string `protobuf:"bytes,1,rep,name=chainIDs,proto3" json:"chainIDs,omitempty"`
+	ChainIDs [][]byte `protobuf:"bytes,1,rep,name=chainIDs,proto3" json:"chainIDs,omitempty"`
 }

 func (x *ListPoliciesResponse_Body) Reset() {
@ -1267,7 +1267,7 @@ func (*ListPoliciesResponse_Body) Descriptor() ([]byte, []int) {
 	return file_pkg_service_control_service_proto_rawDescGZIP(), []int{10, 0}
 }

-func (x *ListPoliciesResponse_Body) GetChainIDs() []string {
+func (x *ListPoliciesResponse_Body) GetChainIDs() [][]byte {
 	if x != nil {
 		return x.ChainIDs
 	}
@ -1345,7 +1345,7 @@ var file_pkg_service_control_service_proto_rawDesc = []byte{
 	0x0a, 0x09, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x6e,
 	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
 	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x68, 0x61,
-	0x69, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x68, 0x61, 0x69,
+	0x69, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x68, 0x61, 0x69,
 	0x6e, 0x49, 0x44, 0x1a, 0x55, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x4d, 0x0a, 0x0a, 0x63,
 	0x68, 0x61, 0x69, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
 	0x2d, 0x2e, 0x73, 0x33, 0x67, 0x77, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2e, 0x52,
@ -1372,7 +1372,7 @@ var file_pkg_service_control_service_proto_rawDesc = []byte{
 	0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x1a, 0x3e, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79,
 	0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x18,
-	0x0a, 0x07, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x07, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52,
 	0x07, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x22, 0xa2, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74,
 	0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38,
 	0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x73,
@ -1405,7 +1405,7 @@ var file_pkg_service_control_service_proto_rawDesc = []byte{
 	0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65,
 	0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x1a, 0x22, 0x0a, 0x04, 0x42,
 	0x6f, 0x64, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x73, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x73, 0x2a,
+	0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x08, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x49, 0x44, 0x73, 0x2a,
 	0x57, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
 	0x1b, 0x0a, 0x17, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
 	0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08,
--- a/pkg/service/control/service.proto
+++ b/pkg/service/control/service.proto
@ -104,7 +104,7 @@ message RemovePoliciesRequest {
    // Namespace.
    string namespace = 1;
    // Chain id to remove.
-    string chainID = 2;
+    bytes chainID = 2;
  }

  message Body {
@ -133,7 +133,7 @@ message GetPolicyRequest {
    // Namespace.
    string namespace = 1;
    // Chain id to remove.
-    string chainID = 2;
+    bytes chainID = 2;
  }

  Body body = 1;
@ -171,7 +171,7 @@ message ListPoliciesRequest {
 message ListPoliciesResponse {
  message Body {
    // Chain ids.
-    repeated string chainIDs = 1;
+    repeated bytes chainIDs = 1;
  }

  Body body = 1;
--- a/pkg/service/control/service_frostfs.pb.go
+++ b/pkg/service/control/service_frostfs.pb.go
@ -408,7 +408,7 @@ func (x *RemovePoliciesRequest_ChainInfo) StableSize() (size int) {
 		return 0
 	}
 	size += proto.StringSize(1, x.Namespace)
-	size += proto.StringSize(2, x.ChainID)
+	size += proto.BytesSize(2, x.ChainID)
 	return size
 }

@ -429,7 +429,7 @@ func (x *RemovePoliciesRequest_ChainInfo) StableMarshal(buf []byte) []byte {
 	}
 	var offset int
 	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
-	offset += proto.StringMarshal(2, buf[offset:], x.ChainID)
+	offset += proto.BytesMarshal(2, buf[offset:], x.ChainID)
 	return buf
 }

@ -608,7 +608,7 @@ func (x *GetPolicyRequest_Body) StableSize() (size int) {
 		return 0
 	}
 	size += proto.StringSize(1, x.Namespace)
-	size += proto.StringSize(2, x.ChainID)
+	size += proto.BytesSize(2, x.ChainID)
 	return size
 }

@ -629,7 +629,7 @@ func (x *GetPolicyRequest_Body) StableMarshal(buf []byte) []byte {
 	}
 	var offset int
 	offset += proto.StringMarshal(1, buf[offset:], x.Namespace)
-	offset += proto.StringMarshal(2, buf[offset:], x.ChainID)
+	offset += proto.BytesMarshal(2, buf[offset:], x.ChainID)
 	return buf
 }

@ -867,7 +867,7 @@ func (x *ListPoliciesResponse_Body) StableSize() (size int) {
 	if x == nil {
 		return 0
 	}
-	size += proto.RepeatedStringSize(1, x.ChainIDs)
+	size += proto.RepeatedBytesSize(1, x.ChainIDs)
 	return size
 }

@ -887,7 +887,7 @@ func (x *ListPoliciesResponse_Body) StableMarshal(buf []byte) []byte {
 		buf = make([]byte, x.StableSize())
 	}
 	var offset int
-	offset += proto.RepeatedStringMarshal(1, buf[offset:], x.ChainIDs)
+	offset += proto.RepeatedBytesMarshal(1, buf[offset:], x.ChainIDs)
 	return buf
 }