From ee584f325caa9652a8a30d7455577c59d4c08fee Mon Sep 17 00:00:00 2001
From: Leonard Lyubich <leonard@nspcc.ru>
Date: Thu, 18 Jun 2020 15:01:25 +0300
Subject: [PATCH] Update to neofs-api v1.1.0

---
 Makefile                |   2 +-
 container/service.pb.go | Bin 60767 -> 97427 bytes
 container/service.proto |  45 ++++++++++++++++++++
 container/types.go      |  20 +++++++++
 container/types_test.go |  20 +++++++++
 docs/container.md       |  90 ++++++++++++++++++++++++++++++++++++++++
 docs/service.md         |  55 ++++++++++++++++++++++++
 service/bearer.go       |  30 ++++++++++++++
 service/bearer_test.go  |  24 +++++++++++
 service/meta.go         |  15 +++++++
 service/meta.pb.go      | Bin 15863 -> 27975 bytes
 service/meta.proto      |  17 ++++++++
 service/meta_test.go    |  28 +++++++++++++
 service/verify.go       |   5 +++
 service/verify.pb.go    | Bin 40916 -> 55921 bytes
 service/verify.proto    |  26 ++++++++++++
 service/verify_test.go  |  13 ++++++
 17 files changed, 389 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 3dcd690..159c7e3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-PROTO_VERSION=v1.0.0
+PROTO_VERSION=v1.1.0
 PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz
 
 B=\033[0;1m
diff --git a/container/service.pb.go b/container/service.pb.go
index 61312544df1ea6372eb29365f4944017c1401917..f49f79fe3cf389e9a31cf20aa425ee4e7ded81e1 100644
GIT binary patch
delta 10579
zcmb_iTWlQF8J3-dVh7tX$R-YUGInluaO|1AubTi?LW2`G#1KMB2zYjP7HsUbvtA3E
zkStLf6;(nd995+)sz69oX_W%ns;wg0g6Kmpk+`WsiWDHKR5els=>wvu5A>YxJGN)e
z*a1Xe#<Tx9=f8gcWoG>T`DNnM6)&BSwwGonJ?qw)l2^!ix&9r4d%Rg|s#KiLmaL<-
zHNCx-m~6Xw*}zUqd{UPbz4eyZSO5L`-~lmiwQLEJjvlj))#j%QS*vs0GS<Xv_RS`T
zBMoa!QbY5;*3_}urP-Wl-)Ww??EJ<gwYNr0(oo|Xll0u?UX$dk-eQtgb%sc%*0+~^
zrXO&}roEs8Z<SuPvTm_B;!RnZk%C*CwTj+k(VOxLCATy(QLrZRR_Q^{D!G|4PyO(8
zJS=szI6dY~)z*N`p~IQkl4lK17AHy*ndy9Ahx{$9`ucm+ayQ7)4r_F3qR`g?(!}^k
z$s3<6&2|hUoOg~qP;g7rMQ>guFwT#7V>xSTZn3sze&178^R|FEZ>l@eJuzA8F1X{~
z_W6B=@Oioz-_R{q+7C4tUJ@5u)@(Is-jc9UeicI-ZwYZZvS!^XlZ%khS({!8ItY=F
z;0f^>TJ_ry&1#K?X!{y(2+^M1Y=>w=(HldwhRz$q`kq?fD(=0ero%L(%i86YRD3$S
zEQVeT*R}0Zl-inOwKYXgMzUZPM#f~CEShdG7HsAN65!Q4PhNx}YQvpUgN5=S`mb&J
zx~dU#fPP5cmnMRU9Vz4|isOK`#O=aic}_Iex0U5zjh1e2JmckL<=HN2bGTKv1S_*?
zPL$`*ilt=mNH9Tyh&`}b<!DF&9Gp`DKPtmrW7YMB{rj3MCrG-(J2LG}m4eU>ZV{)N
zzF{)D(6rGcy;gH~n_~xXYw&rbeNR)6q@@d4`IcCb1#pQKRR@FI#D~`>OwwB`9h2m)
zHc3zQcAA?~Ezg*wx{d87scKELNm|#i%Os7i*<_M>oNu)`&Xt_?--bc+(C$@#FiF=m
z_L-!C#txHoqBUufelHt~;l0PAAyQ9U_ex(1{6F%i<MZ=}&{f4_A^U`aZjiJnbc0*O
zbJjq>0EJs)3ve3=gu>YINc-MveX96D8{9d!qCmU&iUMtL1)w!Z3bY1Efi_4|pbb*Q
zPwSc!s_B0Dnj`A!+dCGT@Iqyiw7Ie(Z^eu2TEuWm$rN0-aYMk(&c>F&Z<Q2=t|}=E
z5|Sc%rAVlxFb=7tFi0vX43bI;gQSweAgQD<NGd4|Qcv54%K7M~YB3sX?)Bk90=uhI
zcC)T-t0Oxhr=yXASL_LH5NBd7Q6CAV`pT!UMV&MAwJH`WfNNuxxvM{RgGstS)^6I=
z7;g&%tS7!c@Ovn}Ht_r7__NEB$*6cbQ79+6Eqf-LQP+g0t~uPt65X{m_KXu#q-b1S
zW4Pwi>fUwKHG-`?ki@E+RP;2M#&YUD7sY<uyIFOgjDQk{fN~T<W02!=#Z~Jzcst-1
zNhwMO^qj5kv)~$sOdD5f;X+OfJEe}w1RDa<IOcE}2jaLd(*_&zBe=$)MFbY6AU_5c
zd92zvMlYna1n|}*C`NW!s2zne>AX_g!%nK5z<oJ_KWSLYds-f$g*I$RLIJ8r9(f##
zAQ*96GjMu_@*$b*5;P6;ECP^Y7$CBo%|k*OJo0opI3?hKI4Bvq0q0!U<6wUTJ9D6<
zc!iuib-^AT1{Vuau*gs)<;n6)g8qTD7$soYfrT;hz<nHhZ19fJw~QoBh#)cqaf%8c
zl1WIW%oO&}Nnlr=p_j5)$bw&j{(%-zTqQgelp=5g70V-_IjR8(9`0>QBW_8D3v*N(
zhD2dVn)Wl5T#sSEIU+p?esVzqCyjd=ZDS9e9tXc9_+@aPf?fn&2IhD$Crcy|C23ft
z4wNM*VLCw+#eEDK69683n1U8b(6g|Fe%8FPM`np~QU+Ty#1rHYB|1&1Fb=qKkCac~
z*wC9vndC9p%%C$!GLlL{%BK=xm4~5p01aW`$S@?>ABWrGL>SCeStaEs`GY=WRU+P*
zV;<}wN+VPf4sgLc&rsr;0!3>9nJj(;V;VS@Zc`?(ilv?IvI;JI62W>B_rxI~>wunv
zl393_uA-bg?D3!%ONK)yF{%luO0TkTFmZECoFwGi(4JL^r8bUZEV2YNs~cnJus0;2
z5?w{q5hdCjBF1M9(<%xRm`SqSDEqUJPup0)C5DujT&Uq8i)?UWPhkntSpqHCS-77V
z&d@P%9*bBK_d0}02#ChZ=qAi4hJgi-g#eP72N^1fJq}iLJO!*W_t_^{tYzm=Cg`RC
zquE$!0uMxO$d58gkid4u43wdi?nzMsSa`VR;alCJ>9G{lPJ$6zF)_sapfh-7;h<CF
zF~}!Cb&e4kfU>M2%7z3;G}?iZOi+z$tkU&#603Lu8qrQ-m}5i)fyu)($1Oub46aPU
zxoPmzPJ}%?L6<P}QJiLeP#TLOF_Z*1S@5LuWRQR)q+=4InG-3nh?L=6mf8q&7V_B%
zWr9i`aY7lZI=i7)7INeOqa-l6HY9MIVk$@B1~z+^5)Vw7J=rp}BsA$O7rE@<%HAL`
zq$IHHF&z_#4<nXG2E?Eq%K=%$=uW80taG3Xi$5ndy9|Y8_lFJ0kSKU-Ct}%yp}H*+
z%0wm{!}88Lt@{L=%96=ba*q;_fvRjNRKCofqH6;rlT#KvQj`Wc)I$3ZJ6ZOV*drkX
z6W}+xiWMyf3h~DD(JUaKoPcdi9NydD$9~OH%V5M=SUC}7;7YcCW?+sALsgbT0)V3}
z1#qZj9*{$sElRaQnP~J9%QcbC8Z1*?E@yoqjzgLUEyzg^2XKswRoy4xbB-J`la-S=
z!64DfGZ;f=m^m!wEZ_;KM98qDN(V?SSW!5ZaGcV>;A$2UbcF`ei9<p>4HI;D6t>DU
zlt5`*;8e@JX8lYchRkRg3}pkei0z73He1$UK1q;88j6ultP+42Qp+=XgrT*NBXe9y
z;P|d<1}(ud%OP`|uID@{p9WNrkTD$9*;t8E27t4u%ugji4Rvz<U}s~Gq7AyuBa|LO
zPskEDEOi{PIEyhe^l%SrWvN#ZV)(%Vq0s<#x*p3_DW97nD0{k$qH^%rhoNT}s2A;#
z38f?uN*)d~eK_K?W)n{wusDC|XCh>Yny;jM&h2UBA@RW>&5lq4_cDutcU=^ifv}JP
z<$%K+k1|vY2@@I=mNn+2%$VA;v>^^h6D%AgG@@~uR_PWA@3BvD=3+T!jUhhiBz82}
zWtEed(5%567+JsNldzh9_z0?>P2qa>Xl4epj*elC;qb(vK^9ykfmMW#=78bAZNwIz
zRTxi3k4nm66!Kwb3NiE#8w8XrO$apGADo!Ml>-KwCfh%I8Xqs|PCk`WJLaJtQQ$~9
zsw??!1`_f>Km>Xd*R1TsKHnOoef=nho$NR)@085e&1a%C_Q)QiOvrNpgtasw$@z=^
zVMnCX`4FR@z#x+&2lwdmio(hgD7(LsARnfsJ^BR#9H!G3rs*P&J$i(5Fn_U(vupDK
zjTykA$gI~;V)5bA0H1Ucki!<m)~#(L0H8c!;0FUub`tAQv)~e$hsp+O$pUJpD{t;h
zuXt);`R?HBW-I%kTX;ZzRP_8GMvCfl;oKL+`Il(&gI@4uurm;P_4U^74d#2Uk8WGN
z%lEELez#N~oW7t$<E5W75PU(V#09rh{xfi4xp-x8wW-DzQ+DOxI`g1C7<z3#J~$e9
z5BK?Mi5tGz5jdi_1~nJsgSS`yw)axCj8Zx1>8}!{P8B~H-JTu%+ih(LGS{!myR6QI
zg%$XYFJ$QaAEv)b=oV2UXueMk|3dYS!OEGT<IBYF?p$w1#u;c9FYaHl`Sb0eISu>w
zm@E$OPnltu<LcL9$KVp`$(QjB`}g`ITWP-Ql^Su=!Fp5Fi+BCdBn=#xHc77?$e5(Y
z`;K%5P3+8;X1ZlGj`a9qMjKDxz1uYC_Jcq6D=01<oC*AP4|###N?y=-zr5gzIDPlF
z%G>w-qDq{;|2k9gy~ClG-aop3y{Vqs6=Yf&AAYp`+C~29<HYg5n*UDmvRgDs|9<$7
z;<K@<#b+Z|iB}7oMbGHz&?ofAj-LyELYKTk8!tcnr>$dNp>w=v{wsHvb(3YQ|7@ul
zv9@lvj8$>!NK@^?UeP{r<9=gHS67!hymhO*=K4$hhei%t+hxCTBKUwllGi-dH~K||
zsRbox1$HPAbrgZ$U0q^kw%-iKh0(W7($C#lgH%~{^klX8G_x}7oQua>MSbpAwG$B^
zWtvQ%>s9f~(Jq6fm_7cENt&E|#3Wsw{5SwYrEU-v;%xCz|CV`OucV8?Lg`|Vlr9G8
z^5i)QpzD_OfwXdC<<f~wD;LA4^Y}pZz)tbOw<F@!lXryh)PM4}>wU4Rtx?e?phUy>
zw#fSsq9j-Xn@*U%+w%B6(+3}Xd#m{H@vFinaG_2d{?2)mP2b5q;?3_K^!r#W$(kGt
z$Mu~YT1=wy#NJB76TiAgeDM5oL)FTgPh6}rXyVw}Lnf*Jg%>Kf{Ghp748L@^a{Gn9
zSA`^jQ^?_up1n6jJ9Y7A%T=mW-gxrr>elfdbuazyPEN{yVUww@ejn<y4|iMQ<>#90
zo}M0+uqq03d$+59m_ZGwshOkcf3G=uOg#HihZq!1;?>G63;zTKVVit)#4mBaU@VC3
z3y7WHU~Lb|_ASgS@cd)HHvj3Q^5-Z1S!G82{dYpm<|k*)n4W**$(D-!^e3SpRh>R0
zCf;2!XK5%NV(wsgMINn8y!-ms423HD{&Fd#<hFBJbK84o`>OpgrEvxrm2n2?%Na)v
qgDj+m|Eltf7TeC{1Ha!pyI*{G=3v<7CB0FpI^9=YdHo;HT=hTu&%?n0

delta 3611
zcmYk9y{aZf5Qf=3uCRIw25zz#EI7YCGglzqfS^Y6o9Ho8_`qNU@d^%VVs2od_zB*G
zn3-&%iJ)jMW>!B>FK*Jz>94!qs<+;%u5<VAgI}NCeD}1y{_@u2`*(l6^Z89brMpkx
z{ow4Lyjoq>C9i4E>(=JATc5o2u)5Uzyz@ir_mqF$x4bT6UJt&9BY)TI^mG1Btj(Ig
zr#i1)%4?6cu?OJngyvMusfK$i-y=7=9ve6|iqPbp8DGLue6Q?Je0NpeNeu|?kpCET
z04GNb%^W>fqDpMFc(MC42n)Ve;H+G(uwC<OS|o`>GYB%-Nq|9dVI<57Cv~_Lf7c}r
zi7#eD<jn@c!p}4IHVI&DadpGQK%8D4*gx1=y^A@$8%WqnP-kG0Xl!)c>rDyw25@%C
z;6`Gn!uy7pCvYabo8e-I)RDET0q8Nk;zs>HVdo`rN{SPn8E3+((fX@m*tmRvoD{$e
zg7Q_d9@33+h;SMLF##}tUMlQK{eeBH-^rm|H2ZTTZ5%4fFd2lt;P9YJ1l6#!5c6n~
zz*los{yr}v?3D<3**}+{)f8h-OTGA5syTUZtAY}}s7cR;Um}l&u<=93wG4Ac!Rsql
zTWnY|3m&i7s1%eZLEbqZZbxx#&%~XTB)Kz3TS7OVwff*f&6;8-@JId_uwmpA?&((t
zj`g|NGt{qbC)<cd#A-#UdX?mUPt0O=WZQ0#eGL2xC+$;FL^+0@v|2emwmZm}xUDh{
zC>bOgN@i}g=td=#K)5wRZFC*V4P}G^&)l0ps95!W!N$O9^IM?dV5e0|AlvY4mL;|X
z!VIewM-$%`>j;dc)QsRC<jQuf$F}-~{Z09@iWVi7W3WIE+|Zs{S*4qBb$ElGkq}A|
zLsc}39KTJ$XiLf1GxW8AXmveF1M#SC9bTc>nsn`r8J<V<q&y11K?qxWX8Ej~@<z*9
zUl3cQ^l0@Uk^~uw#BN|yG|tvDEeJlHHEu8bU^r%bTf|5E3yj&K6_-t}22IIMq-4a<
zV4{;mKT}tPGocb6O7VSCXKBEf*>dZ_w?KDT(0i*pFms|0L?o!qq*pQ6u+>&vwy#LE
zRadDYL|1!;)F*6q!GA{ZEuL&LCWCK>g9)5czwVRn1FNNFVb1}=#O&OPmy3E+4Jgy>
z*-?%YZx*cD%vRVl4GT7G5VDXk@%%dxtu`Y_dW{=pUJw&kHR_DiK#At+(^kh(Syd$^
z0eBbVR7P+JP-8`z*luys(liiD)+x-oQMWdZO`X|FPSs%BYjMM&!m~BRZ0sNC(E4zm
z>rEAD*sy0i6wR@~jvjAG4#CdpYF1C9l08R()><|y=qXK(ozg!{1DNH7@Bx)K12GNG
zG}7RVR@xEfPP4Ir6a6r^V{FgF=J?}q5Z#DGb5EiNh^cWy^@!<XQsxNGca*Hna^l-I
zdHTwgxyX4^Ut{J7XRPkt+vLhORjot|$PSZG-yIu~t;CM*;1yF?oD5ax5Tt}>H0B>G
zl%O5xonDpC4uW;)5K!d7euLbN-1Z*n%m_ZtCfX<35Nv*S8p{2=$etBt4370m%<<UH
z;K>-UKmdA1pHkw}Sza8;<BX5CZ{Waw`JW`G?Y#JhBa||XI5UFtq`n^9Q<=VUW#~pR
zF<S+>wj%|o&|+SRegC0yMrssKd7?vNuSH!OiKULEGPj{Xf32FkZ*O0DR3>wdN@bKo
z_SK|R>H7EW^x*pChd;e={r%%V?|=Wv?alS|&%S<m{p0SNd)GI<c>mG$&7U8?e0}e?
OAKw1)pO5Z+_2Pdg1eeeN

diff --git a/container/service.proto b/container/service.proto
index 7df2c66..b174052 100644
--- a/container/service.proto
+++ b/container/service.proto
@@ -27,6 +27,12 @@ service Service {
 
     // List returns all user's containers
     rpc List(ListRequest) returns (ListResponse);
+
+    // SetExtendedACL changes extended ACL rules of the container
+    rpc SetExtendedACL(SetExtendedACLRequest) returns (SetExtendedACLResponse);
+
+    // GetExtendedACL returns extended ACL rules of the container
+    rpc GetExtendedACL(GetExtendedACLRequest) returns (GetExtendedACLResponse);
 }
 
 message PutRequest {
@@ -99,3 +105,42 @@ message ListResponse {
     // CID (container id) is list of SHA256 hashes of the container structures
     repeated bytes CID = 1 [(gogoproto.customtype) = "CID", (gogoproto.nullable) = false];
 }
+
+message ExtendedACLKey {
+    // ID (container id) is a SHA256 hash of the container structure
+    bytes ID = 1 [(gogoproto.customtype) = "CID", (gogoproto.nullable) = false];
+}
+
+message ExtendedACLValue {
+    // EACL carries binary representation of the table of extended ACL rules
+    bytes EACL      = 1;
+    // Signature carries EACL field signature
+    bytes Signature = 2;
+}
+
+message SetExtendedACLRequest {
+    // Key carries key to extended ACL information
+    ExtendedACLKey Key                       = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+    // Value carries extended ACL information
+    ExtendedACLValue Value                   = 2 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+    // RequestMetaHeader contains information about request meta headers (should be embedded into message)
+    service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+    // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
+    service.RequestVerificationHeader Verify = 99 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+}
+
+message SetExtendedACLResponse {}
+
+message GetExtendedACLRequest {
+    // Key carries key to extended ACL information
+    ExtendedACLKey Key                       = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+    // RequestMetaHeader contains information about request meta headers (should be embedded into message)
+    service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+    // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
+    service.RequestVerificationHeader Verify = 99 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+}
+
+message GetExtendedACLResponse {
+    // ACL carries extended ACL information
+    ExtendedACLValue ACL = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+}
diff --git a/container/types.go b/container/types.go
index f340aa5..38bdcff 100644
--- a/container/types.go
+++ b/container/types.go
@@ -158,3 +158,23 @@ func (m ListRequest) GetOwnerID() OwnerID {
 func (m *ListRequest) SetOwnerID(owner OwnerID) {
 	m.OwnerID = owner
 }
+
+// GetID is an ID field getter.
+func (m ExtendedACLKey) GetID() CID {
+	return m.ID
+}
+
+// SetID is an ID field setter.
+func (m *ExtendedACLKey) SetID(v CID) {
+	m.ID = v
+}
+
+// SetEACL is an EACL field setter.
+func (m *ExtendedACLValue) SetEACL(v []byte) {
+	m.EACL = v
+}
+
+// SetSignature is a Signature field setter.
+func (m *ExtendedACLValue) SetSignature(sig []byte) {
+	m.Signature = sig
+}
diff --git a/container/types_test.go b/container/types_test.go
index cc171cb..76bbe1c 100644
--- a/container/types_test.go
+++ b/container/types_test.go
@@ -140,3 +140,23 @@ func TestListRequestGettersSetters(t *testing.T) {
 		require.Equal(t, owner, m.GetOwnerID())
 	})
 }
+
+func TestExtendedACLKey(t *testing.T) {
+	s := new(ExtendedACLKey)
+
+	id := CID{1, 2, 3}
+	s.SetID(id)
+	require.Equal(t, id, s.GetID())
+}
+
+func TestExtendedACLValue(t *testing.T) {
+	s := new(ExtendedACLValue)
+
+	acl := []byte{1, 2, 3}
+	s.SetEACL(acl)
+	require.Equal(t, acl, s.GetEACL())
+
+	sig := []byte{4, 5, 6}
+	s.SetSignature(sig)
+	require.Equal(t, sig, s.GetSignature())
+}
diff --git a/docs/container.md b/docs/container.md
index f0188ca..fd89acd 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -10,12 +10,18 @@
   - Messages
     - [DeleteRequest](#container.DeleteRequest)
     - [DeleteResponse](#container.DeleteResponse)
+    - [ExtendedACLKey](#container.ExtendedACLKey)
+    - [ExtendedACLValue](#container.ExtendedACLValue)
+    - [GetExtendedACLRequest](#container.GetExtendedACLRequest)
+    - [GetExtendedACLResponse](#container.GetExtendedACLResponse)
     - [GetRequest](#container.GetRequest)
     - [GetResponse](#container.GetResponse)
     - [ListRequest](#container.ListRequest)
     - [ListResponse](#container.ListResponse)
     - [PutRequest](#container.PutRequest)
     - [PutResponse](#container.PutResponse)
+    - [SetExtendedACLRequest](#container.SetExtendedACLRequest)
+    - [SetExtendedACLResponse](#container.SetExtendedACLResponse)
     
 
 - [container/types.proto](#container/types.proto)
@@ -46,6 +52,8 @@ rpc Put(PutRequest) returns (PutResponse);
 rpc Delete(DeleteRequest) returns (DeleteResponse);
 rpc Get(GetRequest) returns (GetResponse);
 rpc List(ListRequest) returns (ListResponse);
+rpc SetExtendedACL(SetExtendedACLRequest) returns (SetExtendedACLResponse);
+rpc GetExtendedACL(GetExtendedACLRequest) returns (GetExtendedACLResponse);
 
 ```
 
@@ -80,6 +88,20 @@ List returns all user's containers
 | Name | Input | Output |
 | ---- | ----- | ------ |
 | List | [ListRequest](#container.ListRequest) | [ListResponse](#container.ListResponse) |
+#### Method SetExtendedACL
+
+SetExtendedACL changes extended ACL rules of the container
+
+| Name | Input | Output |
+| ---- | ----- | ------ |
+| SetExtendedACL | [SetExtendedACLRequest](#container.SetExtendedACLRequest) | [SetExtendedACLResponse](#container.SetExtendedACLResponse) |
+#### Method GetExtendedACL
+
+GetExtendedACL returns extended ACL rules of the container
+
+| Name | Input | Output |
+| ---- | ----- | ------ |
+| GetExtendedACL | [GetExtendedACLRequest](#container.GetExtendedACLRequest) | [GetExtendedACLResponse](#container.GetExtendedACLResponse) |
  <!-- end services -->
 
 
@@ -104,6 +126,53 @@ via consensus in inner ring nodes
 
 
 
+<a name="container.ExtendedACLKey"></a>
+
+### Message ExtendedACLKey
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| ID | [bytes](#bytes) |  | ID (container id) is a SHA256 hash of the container structure |
+
+
+<a name="container.ExtendedACLValue"></a>
+
+### Message ExtendedACLValue
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| EACL | [bytes](#bytes) |  | EACL carries binary representation of the table of extended ACL rules |
+| Signature | [bytes](#bytes) |  | Signature carries EACL field signature |
+
+
+<a name="container.GetExtendedACLRequest"></a>
+
+### Message GetExtendedACLRequest
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Key | [ExtendedACLKey](#container.ExtendedACLKey) |  | Key carries key to extended ACL information |
+| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
+| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
+
+
+<a name="container.GetExtendedACLResponse"></a>
+
+### Message GetExtendedACLResponse
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| ACL | [ExtendedACLValue](#container.ExtendedACLValue) |  | ACL carries extended ACL information |
+
+
 <a name="container.GetRequest"></a>
 
 ### Message GetRequest
@@ -179,6 +248,27 @@ via consensus in inner ring nodes
 | ----- | ---- | ----- | ----------- |
 | CID | [bytes](#bytes) |  | CID (container id) is a SHA256 hash of the container structure |
 
+
+<a name="container.SetExtendedACLRequest"></a>
+
+### Message SetExtendedACLRequest
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Key | [ExtendedACLKey](#container.ExtendedACLKey) |  | Key carries key to extended ACL information |
+| Value | [ExtendedACLValue](#container.ExtendedACLValue) |  | Value carries extended ACL information |
+| Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
+| Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
+
+
+<a name="container.SetExtendedACLResponse"></a>
+
+### Message SetExtendedACLResponse
+
+
+
  <!-- end messages -->
 
  <!-- end enums -->
diff --git a/docs/service.md b/docs/service.md
index 0765f04..223ddd1 100644
--- a/docs/service.md
+++ b/docs/service.md
@@ -6,6 +6,8 @@
 - [service/meta.proto](#service/meta.proto)
 
   - Messages
+    - [RequestExtendedHeader](#service.RequestExtendedHeader)
+    - [RequestExtendedHeader.KV](#service.RequestExtendedHeader.KV)
     - [RequestMetaHeader](#service.RequestMetaHeader)
     - [ResponseMetaHeader](#service.ResponseMetaHeader)
     
@@ -13,6 +15,8 @@
 - [service/verify.proto](#service/verify.proto)
 
   - Messages
+    - [BearerTokenMsg](#service.BearerTokenMsg)
+    - [BearerTokenMsg.Info](#service.BearerTokenMsg.Info)
     - [RequestVerificationHeader](#service.RequestVerificationHeader)
     - [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature)
     - [Token](#service.Token)
@@ -39,6 +43,29 @@
  <!-- end services -->
 
 
+<a name="service.RequestExtendedHeader"></a>
+
+### Message RequestExtendedHeader
+RequestExtendedHeader contains extended headers of request
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Headers | [RequestExtendedHeader.KV](#service.RequestExtendedHeader.KV) | repeated | Headers carries list of key-value headers |
+
+
+<a name="service.RequestExtendedHeader.KV"></a>
+
+### Message RequestExtendedHeader.KV
+KV contains string key-value pair
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| K | [string](#string) |  | K carries extended header key |
+| V | [string](#string) |  | V carries extended header value |
+
+
 <a name="service.RequestMetaHeader"></a>
 
 ### Message RequestMetaHeader
@@ -52,6 +79,7 @@ RequestMetaHeader contains information about request meta headers
 | Epoch | [uint64](#uint64) |  | Epoch for user can be empty, because node sets epoch to the actual value |
 | Version | [uint32](#uint32) |  | Version defines protocol version TODO: not used for now, should be implemented in future |
 | Raw | [bool](#bool) |  | Raw determines whether the request is raw or not |
+| ExtendedHeader | [RequestExtendedHeader](#service.RequestExtendedHeader) |  | ExtendedHeader carries extended headers of the request |
 
 
 <a name="service.ResponseMetaHeader"></a>
@@ -81,6 +109,32 @@ ResponseMetaHeader contains meta information based on request processing by serv
  <!-- end services -->
 
 
+<a name="service.BearerTokenMsg"></a>
+
+### Message BearerTokenMsg
+BearerTokenMsg carries information about request ACL rules with limited lifetime
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| TokenInfo | [BearerTokenMsg.Info](#service.BearerTokenMsg.Info) |  | TokenInfo is a grouped information about token |
+| OwnerKey | [bytes](#bytes) |  | OwnerKey is a public key of the token owner |
+| Signature | [bytes](#bytes) |  | Signature is a signature of token information |
+
+
+<a name="service.BearerTokenMsg.Info"></a>
+
+### Message BearerTokenMsg.Info
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| ACLRules | [bytes](#bytes) |  | ACLRules carries a binary representation of the table of extended ACL rules |
+| OwnerID | [bytes](#bytes) |  | OwnerID is an owner of token |
+| ValidUntil | [uint64](#uint64) |  | ValidUntil carries a last epoch of token lifetime |
+
+
 <a name="service.RequestVerificationHeader"></a>
 
 ### Message RequestVerificationHeader
@@ -92,6 +146,7 @@ RequestVerificationHeader is a set of signatures of every NeoFS Node that proces
 | ----- | ---- | ----- | ----------- |
 | Signatures | [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature) | repeated | Signatures is a set of signatures of every passed NeoFS Node |
 | Token | [Token](#service.Token) |  | Token is a token of the session within which the request is sent |
+| Bearer | [BearerTokenMsg](#service.BearerTokenMsg) |  | Bearer is a Bearer token of the request |
 
 
 <a name="service.RequestVerificationHeader.Signature"></a>
diff --git a/service/bearer.go b/service/bearer.go
index bc8aaa5..6013e03 100644
--- a/service/bearer.go
+++ b/service/bearer.go
@@ -94,3 +94,33 @@ func copyBearerTokenSignedData(buf []byte, token BearerTokenInfo) {
 	tokenEndianness.PutUint64(buf[off:], token.ExpirationEpoch())
 	off += 8
 }
+
+// SetACLRules is an ACLRules field setter.
+func (m *BearerTokenMsg_Info) SetACLRules(v []byte) {
+	m.ACLRules = v
+}
+
+// SetValidUntil is a ValidUntil field setter.
+func (m *BearerTokenMsg_Info) SetValidUntil(v uint64) {
+	m.ValidUntil = v
+}
+
+// GetOwnerID if an OwnerID field getter.
+func (m BearerTokenMsg_Info) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *BearerTokenMsg_Info) SetOwnerID(v OwnerID) {
+	m.OwnerID = v
+}
+
+// SetOwnerKey is an OwnerKey field setter.
+func (m *BearerTokenMsg) SetOwnerKey(v []byte) {
+	m.OwnerKey = v
+}
+
+// SetSignature is a Signature field setter.
+func (m *BearerTokenMsg) SetSignature(v []byte) {
+	m.Signature = v
+}
diff --git a/service/bearer_test.go b/service/bearer_test.go
index da359f2..9ece9c8 100644
--- a/service/bearer_test.go
+++ b/service/bearer_test.go
@@ -170,3 +170,27 @@ func TestSignVerifyBearerToken(t *testing.T) {
 		require.NoError(t, VerifySignatureWithKey(pk, verifiedToken))
 	}
 }
+
+func TestBearerTokenMsg_Setters(t *testing.T) {
+	s := new(BearerTokenMsg)
+
+	aclRules := []byte{1, 2, 3}
+	s.SetACLRules(aclRules)
+	require.Equal(t, aclRules, s.GetACLRules())
+
+	validUntil := uint64(6)
+	s.SetValidUntil(validUntil)
+	require.Equal(t, validUntil, s.GetValidUntil())
+
+	ownerID := OwnerID{1, 2, 3}
+	s.SetOwnerID(ownerID)
+	require.Equal(t, ownerID, s.GetOwnerID())
+
+	ownerKey := []byte{4, 5, 6}
+	s.SetOwnerKey(ownerKey)
+	require.Equal(t, ownerKey, s.GetOwnerKey())
+
+	sig := []byte{7, 8, 9}
+	s.SetSignature(sig)
+	require.Equal(t, sig, s.GetSignature())
+}
diff --git a/service/meta.go b/service/meta.go
index f1b4613..e838cec 100644
--- a/service/meta.go
+++ b/service/meta.go
@@ -69,3 +69,18 @@ func (s extHdrSrcWrapper) ReadSignedData(p []byte) (int, error) {
 
 	return sz, nil
 }
+
+// SetK is a K field setter.
+func (m *RequestExtendedHeader_KV) SetK(v string) {
+	m.K = v
+}
+
+// SetV is a V field setter.
+func (m *RequestExtendedHeader_KV) SetV(v string) {
+	m.V = v
+}
+
+// SetHeaders is a Headers field setter.
+func (m *RequestExtendedHeader) SetHeaders(v []RequestExtendedHeader_KV) {
+	m.Headers = v
+}
diff --git a/service/meta.pb.go b/service/meta.pb.go
index 25a54690ce276ae62f01f677ad59b35daf4d81d1..0d630774ff46662c326df5e1cdae3055baef51a9 100644
GIT binary patch
literal 27975
zcmeHQ{c{>e(*7C#iaAx~3eE_F(0A-q<znZ~rNq8U9961ZdYuIZX<x%G@3P2J9RKh4
z^wTrTvMdN}DR<T@S84;h)89SaJu|)N@niE{+_&c3Mm7mj+c({7Gfv_(?rr1V_IZ3B
zH_fwG=H;u`=J~T1ubb7!kIf{WCOvy>CN{YYd-n0jra_ZX)#^Cty$jB*e^#xAqj8+1
zrdF*CMyc7tWvg0wYqrkA^kUj=_TtfFq4JpU-RXee_yyzm|H9Z|5S`CP`;lR6w!#=7
zqaeL7TXJ<@-gd)uqIVw4$E|9;DpLGp2R5-$&l+WMV$#@5rsHv9Clh0nBu*wK9GLXN
zUYj7XCW=!N<6H7RoLDoR*nYEm86@Vdd8#^V{um^ai(r`Dg|N-%f@qN462_V@q5)ZW
zeG!7h!~_Ov7>7f<orWW8f(bO6hH)eu*=RBa@$@1{alzo3tp<P)NpMr(gEZ_8t$7c{
z3e(Dy@dgP~8P~O8bndD3O>iEB(Ill+zje2P29znk@id2FWX&*qXNT8jWP@m8uHgd!
z7+;&1DiS`_TApBJZJ#>rLRsU!cvrL9i$N}@v44rL{Y!o3#pKi`6A<qhK{m93sCj&z
z1n|%Wft(HhZ)zv$k8r?$S_~7GqEuuuVKj&nXj_B{y74qMiREAjkOt<0!zaRaZE_J$
zhj4vs?5Jz|eN2Neg6c<b1o(2jnqH4B{G~{1k|xt$YCcpe!1DU_4`wula6mH*l5_9^
zn?>e#o5T$R?e}dj5s?JBv6nWvHZN`b{m<qlW?;1<@KccO?3mxENX&)fE%+DiHQJ4M
zoHn9hWS?SOgU>r#=6@$~bi5^Z;!&8|(Kx-{`i<N?AIH550}Y6uLMvc|;$cJspLzjq
z!=a(riN)-&91f91%|S1n219ch45#2rF$rh;yCt0M%sAu70&jY+$ept@R5E~LP1JFE
zF=(m-s6t;odv(l7CsU2GMDhEEnOO_-c4$X7lDGw(4yGw)O10v#FV$ve#<Lq+;M(6U
z^8Hir9z3Tu8IkSx7goXnmFArbb1cCqC?4UWS`mnD49OO4x;x_nqY50zog($;SE-HQ
zoZi!eBnhEB>u!6Ob`#ROJ9tpXEr913>RzXI(%75vGe6X^*6@?#>HK5whK0NE!(V^>
z_3g{}m*}0nw*4RApb6Z{=&bqh(fp?FyDcs&L#I(<d+~V`{tkQc-<vaG4Ihg`Cm7QU
zdT>_%PiM~j(2v#XU>fyIZDjtoFnjBm(D40Q-D5Bx%-==`<qIRh>c^Fceoiq-&w&Y|
zNqGGL-NO|l_3P$$5}SMJYkQTtk)wKsv5YYW#UC~JD1RS317*XX*-0-6$7!5ka7}gA
zFmKMFlDY&Z$Bbl)+0eJae&_IT|G*w}cRRa#2R#Szq4lxqiIuBOO!Z4N(o|RLf{+-g
z?lQ)V-l&-yRbK<C%bpp^MmE>NNgDPzk8%PsLs7sktk!*V+zZCFZvCuUi5kL;IeuzJ
zJ|(}7e-^j;`*eV$k5SbMGP?}=%Tp7DLs6606TT9@TKSmi4%nl!hKyWC4vXktn<PDF
ze`iUudUbX6)}<8`0rA@fXKVgQ=n>*v(pyJsA{XoqW9Mu=YU=GZxP2B*dO_01EJbvU
zfC;L&nacvyNH}GUb0erz$_qs8BnpO3Iiif!v-KY~MWO?LF06x1m~d2Lz)=$e^VVw#
zbE_f&a5GUk>_~L0uyg39_+3g_kAF9KQyNGbz|VBEihm5tV;%&<i4_f@h(Smkqe8P~
z1r^Jtd{xzDF@y3dafKDik{+U#gg`7KWOZPZjS8#<;+iYO8es0bX@Yt^bybsP$pY$*
z&P|0%u7uK}WWI>fd&QLN3~|SWN|u4-gL7}>JTjQC0&}&NW2{g$_`7prlxAU7>^ez!
z{TzIA3NG4rMGh_wEhgdO^SW`l^;5I(BEr>acyatJxndT6b{=jQ^6(<P+epOaSiitb
zyhM<VQgIQ-s$5(gTQ_2k4U%y=f<j(hl8uY7%>vk}bX<g8Ganbh>gJY{W+?#|&^|9~
zGOuy%KEFhn?G>Oh=gKO-gmOu3ZtY)ypUY0VD#K2UTb2z`w8~Npi=S;Sr9JX$#Sfi}
z`)|%%EjUl)?a66A6X;T{-AL?Mw*wrmLLzW?{mN=#5tfDjITrY(xYSx$m1POxX4pw_
znU<x9m9Qn%+PqR$<c$(L7gI;ckk8H@r8rk7kW!G_%^^F598ya1Hqyva#9v@0SuV>)
z$)p6$s(ey1eB+d|6h|RFEXgV*;F~0t67V&1O9>>?i;H52{wspxs+EpIkYDZS5?)p%
z2&~y=G2)@DT4u3&9E8b=&@WMWF8ZHjalepD1ZTB!;<tu!MZFK@+0O1sA&8$W>;Qt}
z@=ZU#S$nz|SGnOP!p*HHlz4tYQ6PRgPyD}V5mDkTFvn&o0RU@c1)}}=7B=_hvlr2B
zoEr#r%juzEN_YE8*uA49L7@cq{m2tDaXvRy0MmxqBBQ;*8f4j25{rCt&JflMz^m3H
z<ve_P=Aa(1HaS7saAAE_ia5z9hpnx$ox+mo0Q{%x;Xhr1Ka4^-djM<P=4t+9&#_>z
z$!i=n)@mi&{552*dc$nVb{7ua0YJ^ocIvjUsl5c(!rE#PS#ih;Y$X<}FCr`%wHZz^
z<XUK(C#S&d7Y$yq&V#&OzsKoE%`5M*>}6`l!dAoFa4;fgHQd_1VH^%2bZMl!m7V<^
z?1JK8O%{QHIsZKzk8!Rge9WRavp}`dx@r#)i?0s5a%~;*+FE(tk*5Pf$=OZo>ZmQ(
zF0Y4HKKBE;?zS2vKy-)ua;tqL*H(vD0vz%F&Mxl|EFdepywfGI9kO*uV!MR3d&IU&
z0$oMHTLS{L2po`bo7WvaJ>b(euK~%oc)v@wc1dRcKu}u}>$Q~tAM}XGlDh*{R9}Yf
z5?GbcB5;p)I?Aa^#*voFY4Nklv~xrP0kyfS!V*P4XO$!J(&e?IvT{s^O!SFvkJkb3
z9}u=n@?b)2&>`1He9$3Bhsu{4il`3=ta2Q3<bcFlys9)k-rptE9@#yzByd1&s@(%V
z-skmzd?~ORP)#~edl2<L)ivN%J!+r4AF7l+60qb~O|66W$jd%;x~IIW0y(lr<?QL_
zoZeN{hqUE@PuqtiFvxjsKtzh7%lpcaCBG`uE+yU}6Y3gA$|A?_@Tp4K+fxZtUpmpK
zoDQ#`4=+-__V~F?U`vJUaeQB4X{Q}B(dTE?0cMOC`H<*Zq`%8Sht%T{b&c5wGJE{2
z=yW!8NUY8KN?48G=bbKbVm8o=Xv}>TjaQw?1Clu)VV%9|<86*tvpdJ7G&?E{pQ^w0
z4@jV|K1-cysOV9SmJ;J<H}(0sOCAF%N@eY<G|H$dkRt=Nf%6s>mi!*kb9DL~k-U1n
zx`R%!K&_(E5K86Vr%GF77p_4Ys3Y>0M$>%~)9J2}r>!WcijGb_67CYJLkx!s#m~DO
z11k!Fmihw$EQM7c(7>k=MwI}!gTW8zl!{`H##Dxsl^r!N<vUOUf!cs%4)|DOy~ZEa
zwc4OdFjboRn|ghZu)CD<fY@}#9Q7%Ii{^a1%b_ZPa&$nQ2FkT+Tot0S65SEU>=0Ic
zOlML{-BhQB24R<>sM&p$iNHFyJ5-U%(IZ21cj!NQXP_!lH&q|k38G%FSM?T+wfpq(
z9hy!h(~z#_RsT^&`$~rL!HQyJov|Hq+NBaSL3W5#Q(!*usTtKy3fos7Q`e+2HTYXM
z(KsnIi>be>G)FYJ&Iz4dYHIbm19IA@8Z}60&T!L{?6x%ND=+R!qiJqxk$`F($qx?N
zqD%mj&j9w-)RNX2zg)vPSO44eTUYpK+r_LeL$-gl3q#i=)d~lrEhBhmvjZ|2h0^uL
zrVW98b1b9JHf`Tf&{+q^%4Ps3+v_+l8U)4OH3f_lmhFqexjvgEJtuSQuczMmrWNYW
zH`^4s2}RFC8<A(IM|x7jYDL;phteCOcZS+C(UkSw+`fLU3nnz%ifObk40tQj@<}3Z
z!eeyAlnz4Q3~JztXeif-Q+m8n-k+no3dPPPeLB8T2hIv#!w}G`kZqyJ&ri`d+e3Hb
zDcdJyjYOW&huPo(`~GfC#@0aqz~T0`y5^hk40>x_?F3FyXqAv9nvP(<Nz>n=FDpP>
zcrX@i6das;(vl|`JjL=P@JL9bg{A4c3}A(pk^>hv3Xs8x6pq6@h4$f$0=pZeRc0gn
zgj$9@$3NO_HpUH@C76|MH<>b*Hrrx5w|krG<teUP>*gNCrlrFDiNR?F4?klH`Ifpb
zDmvZetjo=d+n;rt&5e>Rn0qxnR>}7#&XCn?e94nUqVK5rPkmLQZoYBpLtZNgU-qA0
z`Jy8?X4|yCb`QTnx^bVkw>2|LE?p=L9R4>%d3JL}fMmDOy9=x?V`No<W?l@Ig2q(_
z@@<XO>T3gsg7rZqpVqHXAV~Vgf9ocy5-;Ia^*u^gH;DM3osxNFf5C+{TwiA;PCWg5
z%$4k?bvWiijn2DkdA`TJq&92s_?l7&o|H0iQpyDHZotGzeF+noduz?R(h53Ts>Xu>
zUjLA_QNvuiMM2g^?;c9vh%dQ(xP(m7@GK!upH?dp2QLl6T>HtB0|q$O-}+cq64J|i
zSiAfyHh>1^4=gMWTcR4k0O$apbm*f;l&BmS04~G`c`VFx#V;q^>;wp1OsL3ks#J?a
zE-q80)G<#NUUJYXWy$hzuAYy~BM4|7WttG7uzq5fy;#VvVhYvHa=2_+;UO2+Kg(g=
z&^%qgAS00a=McId`4h7F<2(OiL?xp!T$F7n_*o>bS}7BQ&V%AGRg1G*RM<^ftf+6t
zZ2u_(6ot>flJTiJDoG``<K1en(vs#a_7h}!CwRfw!hhT#tz5*VZ00<bo88Bi2Y2R0
zB^qLi`)pqlNquzZEEr~q=EgaL89f7+tRv}aBk()Wmk;4rS(MMkM>j`n@?JLI6mR}u
zBZRlBKiYK!hW)yEj7aUG?j-)5$zT;GPtAqN+Ld|o!~oa-_>Cvox)TCOo!^-K4zk=$
zuX)Yhqnlf0bE8$fbLi`Ec`QozwK<~vtX6*lOGy2V_uF6KHBuJu94Q$I`-Ja9yk@Rk
z<Bq^hF2X@7xaDrGRsY(2?d~BZXu=Z%>o8<AeQ#=3ia$@17g74^(k6pp{9ZH%#4;}`
z0;XI7Oxel`_%N1t=6{Lo)!6p%YVY$`-)CT5;f8rq7Yjrs(n<=gR4Bq9$}d#hmBjmf
zT?{}T9pSEd!c?piyVAv5+3!3BVQvuGVgKcHB(xxSXQxKIuvQ1kB@yY;aF6xjUxD#J
zo<cAg%>hWee3L8_ZT5QrwJo-49523YdQ5n}agLsJbDqT0v3vO$zsDfoq>X}F1g(tM
zCw_0wR}1UW3Wq~`9t=$yoSU!uMuj2quln^Z>5WibG{}`FJi%`a$m``^QQ}rTDURC5
z_%x@3Y|n9(65b~<8Wd-G6IR3lNkHDL2Pgii@Sr}#3IxFlUcSD+mOHFhTDiw6xl*6?
zfJ>a#L6*6#&QkT;ii+Yq7Y<kExkA6-x-;KZLgKx&!_HmUf%U}_OK9zJPi&#Wtd1j_
zSfg_n)^L^Z5_|ZP`kq+Ci*tK3WcMy?f~82QJtVze>M`7x9;q%3Y#`;pXM`w(J6W{h
zrG5M|M(vVkM-tW<y7tNpv*U8LtJX?#+v*fjdiJ=~RHMl`3gG);FDJ__7!B#iAw&5z
zZx5zTyyO=4Q9Pfg7jvcFIG&{Q1t;oi#UzOvXlElf!#oH2joF}%1f=!95K-zIx!<ms
zm7B*Iqi3jv1wroIJgaYTU*ys<mz6kv9?I(gPw=BR!E~6aoBQXkCKtfTJ9LU(X9wr<
zm5YuXA3PWr&8@`)Ds-ZhvUdZ!0ewwtbnN{Q0V?Uw#;}o@7P|`&Gy?R|Mt$r*755$R
zdm+*yLY|L#eWZM!HJeSAjZPfw>QNqO8&*OuhNx1XdG=hODJ|;&<9Bw7zX!6owezrc
z^K+rB2v#e7xofwgz3+7Kwn*$tSiL>08gjc2o2(k{WDWPQYFOA2TGJ*EX<HBPS7pX*
zW2Tsz|I5>M$zFQhJY??soViO(ey7R1l-{3_zdv{B>`uWR7R%_N#y_kS*4TuVVfSXS
zJUa=^Exw#vH2eX^{3$z5B0qf8C0A~x?O@(ub0ybSw%tB^SZ#~LJgm0MPX1P`wo76v
zkH8-?_x;V>C#QFqrUm(zkdsfAW@G)u1MI@iPV(12%9j|lc$V+?x}KLF=Ib`6K)U_2
z*>S!HEZsx%4q7SO6`DI5ok?^n2XYmhUFc7`h?4Y#zn0PPDQj-fW}BYbRxgorfA^6b
zC1gaUjDWso<2J)T2kN&gv(4uv%I0SDsCj~Qn95qqZIx!6xNT*>C!O1~UVf<jx#i{Q
zgDZdPj>P|KS3dnzSAN*XxsUrea-fr)lDQsl-v_NnX*eo#Z|<&Ym+RXx{(1`1LTT&V
z-L%Q!jg|7`%BWqITHPKT09VEPvea5~;8Js)iru<l7u)6ybG|jpr&IZ^xFnytX0dEg
z)-2ZI5$L*&hO4WSr8-=rKv}Lv4=fqcb!x#Jv($;D>wGWa(uOS87^mgHQ-k;T@{L;T
z!{^EQ?KU0UsaDF|Yp!y`G9SGF(k~({ulS=2rT!&$U2{jpAzY}JyqL>65VSN!&#EHu
zy4SWW&UhM^MNZZiq>%tEoP{%UC6;SXjry+!|B$}SxvmF-%X{T>T`k`JySSfEM6(H9
z(%RxzB-sr5s$VFYBv52=B2&){DZ|U6b{tqyQoqA5%<3!G?ws6L^h+j;`<X2KrLQu2
z{+B7Ani3HsG@+*9CH``f`ph7nqW85w<*#y1{T~~_uUJa&>te9<xDASe6729kD}RqE
ezSK@+hh&)z%aKg8hGe{&-<Kct^3AyQ>c0W*_t`E0

delta 1650
zcmZXUy^0i35QSNF7G_)wHd7JDP+8&j?c0C&1I9jqiO}8CErKwK!JufH83_yh00u^8
zLdV7;zJXvU_y&R?Sob@#I=B-Qcj{KvId!UTfBL%j^ZAEvc5(UtuUW63MBn&$c5l3X
z>3Dp*IGBF#|2RLsI-HHquD%<;ERWCnJQ*Kedo*<ZXz4Zy*4ObIx@i3hTOTdvZqqhg
zwEwPGSv<Er9))5<6+NpEttZQuL{i!l-x8A)(LdxKgpz-y2yowF>pVu~+*UeMyAlE(
zMS2)@L~bqB>H+|{?2nb(UPpSvrc7~>U2zWNtvI(X-llY(a(0wx@s!Bcl^|q0$wH8-
zPO?b=NhMD_4<|w+dY?qJa7xcUfDn*U*FiN9NwX4~YzI}-*2+0bJ0b;80h7m=VUwYx
z{fUFt;FRs4;i!?4Q6f?xp@B;#t4PM(6E7iC6!99EL`wLRkd|7x!EIDSQhInN^ya}7
zZ!dWmcSDSr)*1lTMiN`-N!G-aobRM%j6wKu0}VfiQlLh*qg#Vwj@y#nOpAz6)0U%Z
zU>g$BO1i2^>qu)Us?AjA+FP;6jH%&QBv(9*Ov_r)gI<H^C19@b$2{8-@Fi8pIR&jo
zwhAsCw1r%dWzRjfpbfC(!76ps-VT?33M!Rkr0S3X=;dk|QalAX8gWZxszIx00~wJF
z!0bNU%7d@gd$C|X4&HWc?6gV+tEVTHsRw<O>}gn#lI`N}S<hDzDp?Y$w4^eB>|dcO
z(Su_eMwMFFH#@|(pEo9^k6Bz|E5Y>i4z<tvG)gLcL_}U$wtx}9`+*i2UrQ%itL>Xb
zj2!#`raNVOkYyYC*B8KKiwGH05+$bxby8ySVzKC_D>rVRnJ(Y_cy9Vu{@NRxI}gV7
ag~RFft%JSk``!2R>FND9^XYT{a{mvA-kr1n

diff --git a/service/meta.proto b/service/meta.proto
index 093f118..8171980 100644
--- a/service/meta.proto
+++ b/service/meta.proto
@@ -19,6 +19,8 @@ message RequestMetaHeader {
     uint32 Version = 3;
     // Raw determines whether the request is raw or not
     bool Raw       = 4;
+    // ExtendedHeader carries extended headers of the request
+    RequestExtendedHeader ExtendedHeader = 5 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
 }
 
 // ResponseMetaHeader contains meta information based on request processing by server
@@ -30,3 +32,18 @@ message ResponseMetaHeader {
     // TODO: not used for now, should be implemented in future
     uint32 Version = 2;
 }
+
+// RequestExtendedHeader contains extended headers of request
+message RequestExtendedHeader {
+    // KV contains string key-value pair
+    message KV {
+        // K carries extended header key
+        string K = 1;
+
+        // V carries extended header value
+        string V = 2;
+    }
+
+    // Headers carries list of key-value headers
+    repeated KV Headers = 1 [(gogoproto.nullable) = false];
+}
diff --git a/service/meta_test.go b/service/meta_test.go
index a0b85ef..7c3853a 100644
--- a/service/meta_test.go
+++ b/service/meta_test.go
@@ -23,3 +23,31 @@ func TestCutRestoreMeta(t *testing.T) {
 		require.Equal(t, item(), v1)
 	}
 }
+
+func TestRequestExtendedHeader_KV_Setters(t *testing.T) {
+	s := new(RequestExtendedHeader_KV)
+
+	key := "key"
+	s.SetK(key)
+	require.Equal(t, key, s.GetK())
+
+	val := "val"
+	s.SetV(val)
+	require.Equal(t, val, s.GetV())
+}
+
+func TestRequestExtendedHeader_SetHeaders(t *testing.T) {
+	s := new(RequestExtendedHeader)
+
+	hdr := RequestExtendedHeader_KV{}
+	hdr.SetK("key")
+	hdr.SetV("val")
+
+	hdrs := []RequestExtendedHeader_KV{
+		hdr,
+	}
+
+	s.SetHeaders(hdrs)
+
+	require.Equal(t, hdrs, s.GetHeaders())
+}
diff --git a/service/verify.go b/service/verify.go
index 62db2f5..0673a01 100644
--- a/service/verify.go
+++ b/service/verify.go
@@ -67,6 +67,11 @@ func (m *RequestVerificationHeader) SetToken(token *Token) {
 	m.Token = token
 }
 
+// SetBearer is a Bearer field setter.
+func (m *RequestVerificationHeader) SetBearer(v *BearerTokenMsg) {
+	m.Bearer = v
+}
+
 // testCustomField for test usage only.
 type testCustomField [8]uint32
 
diff --git a/service/verify.pb.go b/service/verify.pb.go
index d198302b4ca428e96b4d5b34089043bf8d99a369..02f3f39c2ef444cc1361ae9ac0ba34ff0b1d7ba6 100644
GIT binary patch
delta 6174
zcmaJ_U2Ggz6_%YQuxm(SLL96(&Dd^S+gaN)`@eRRCTXgWl9Z4pQIimwnb|w(QhV*}
zuIZ+cH39KLO9agod80HhNPR#c7EuW)0#!vqfS{G&g%?_hHw5DE36R3M-#5EnkC)_O
zGQL0OeCM3+{OtVhr~QBb(Uu=Po!B;gZuuou)t^rs59j8rW6G_mnpLS=Zu`Aq_O0c>
zYP_hdn!3KK>WyR~I%sY9H_cT@JYBzLU0tayH<rECV1CTI(NOhNCbhiMNLAe>b%;k(
zIFT8%zF1#QROiRIst2vqHcHm_69*qLulm8n%oh2-wLLkpRSyh}?VGYrs0J@gPFXSC
z`kUMLZR2KZbjQV!;f`?~biP}wRa9MnIJ9davdcR9)G4dBx~S^b%az89)?#I;(okjj
zKTwUzl1esitf<H_Z8`e>(BbXW)Ly!?=Zb!9e_m(ze@a&q1NtBPXY{2#`}LRi9P7*I
zclW##JFm|?J{-e;bIn>y2CG%ynq1ms+v|@%8Iy2l_|e#k{=(>)k<421|4X?ya6EqJ
zx5ID8mmcg&=Qmn6ds@}5smZ03Rj>I|4^i;?C+FhQu8&X0m)z-1OKZCi#83U<v1cXd
ziTLuj_nr?oqI=<FHCVRljoPZ;ux=(35_bveS;RDoxNzI6RNdMQq4P>j)m63OHY&><
zk~ds$Q5nXoW<yoW68{b@l8KJ6%U2Ait*iR29eYo;SG)NvbnYxK8y+pKG;WMt1*Ffu
zTvfG`$B}5F*ZhSPLoWV&B+w%ho_=-Tfd1OVPvSOz&w4c5!{&!E22RnNX``Ld@woVl
zqvs#Xq%8X()S)=x&#oRgw2-Lhx-coOYsdKho=1ByXK{QJncf_q>v>z~6U$KmM!jf9
zL?0QN_-N;k(H*-CyLw4$O&@%sU;imJG_%pxsmW?(aVlkv)m80F6<^J6+}0nahU3;g
zNDaj_%o?(4f96|T^0}h^&&;*3loi)Eb9nk?^PX4cSvDbQ=G;^=VK*Jy{NZ9FkBxM}
ztQ7KC$1@X{_cGQ4Jj*_IJ)Fcd3k6h`&YATvmxBf$0Nk`$D`BTtH1BELaIxZGH;ZSH
z@7N_&8|NL@+{!uT=>m0zCZtQ)zy%K*1!G9qEKwe|^FUd`?J^`OygRUjHoMTHV6Bf`
z!D5`0htUeMvk>P|1TGW2#|sdVGbh7l0e{%=p+kS-LKcD?_&no5L$S+-G|dHg53uuq
z<l#bqlM3P#aAhHsyAJLK=A_sU--<Y6gNqvl$Z#O91dq{sHtZ>2ov`!JQ^ZP^L4xce
z-l;Q--ExU0Km^4V#KKTQj2qOW@Lpg@fH=cI({gHnh|(sEqQ{s}AV?TOPI?ezwAoF*
zm+@|k+eE)Zia}3-1R%u`tH>(QQ_{d_$U=j{QUFLUOr(3rdh#ZKIeB0qV`+|XQm_=M
zpS0r9LKzw|%pySY0fw|9$IAe016~voXs}@?Z6huZCw*93WFYfUU_-Q|RcP`AHYnUC
zyGbYoXRs*HG0b<Or=28}2MInxl2gz?DhKo-BMAT$ZCr0Red=fa20)pCBxXYnR^=&z
z6{Vd3$Tv8h)rw`pfm8<<e7u(!NrVdd9u<W$R-}{|`*V=ZYQfSV70PH}X$XiL+E^`F
zx-yXA0utHCtY<d35b8062zLhVp@dQa3bL8d_<{Lo6DzdYIGcvw@^DGE%K;<+DNzIp
z7G;H7Hddqr8WYHdGI(f1bQXs^tON@BS(f<}WP*rJw_&r}6+=470aBqGvVpK+Vh&Dc
zAwqd+G5}==@?lO9`g4)7(68`Eo+1!*3KFg$47gE-8ypx%)|KI050@2eqlP^6kN^Zs
zENP%)j|p%$EA|@=He@qH^3XsYvNRR2!hYZ*-1MQ_MGOUbQHV)Q7$S0vf((u-TqbPR
z=3>a;!om{p(UKyZPTZ88hlnDwgf=j51dGw&(Qh!FoXi1I30_SDl8wtz24bZgVw+xN
zsf*}KmcX~-d1!ze*c;f#TwIo#C5$OTe*_F1VyUB@3=*-hGNd6o8$yrNY@;E745AF6
zt%y@>vuubAXp}`bpQUEn1N%MPWljV%f$fcb$79L@d{{yvusauUn}wArLzEd7P(Woh
zNHZs(nL!c?853k+5@*npX}m`l0FV8sfS7a22w7fPO!L5!13cPH57Q$#_6C|x5-~yP
zBo>_Rw#?4XmP#i%5Y14@;3Y^yHV1lDL>L>SEXxjIuq{Vr4E$u}APv}k7^<kHz$HY)
zPD~nbbdmf7lb`@qFKlL*tt{Gf0K&(>Fc|bII}|gMgd%vlhg~^x5>u982)dZT(UZ)8
z&%>q<#B3V$62ri9<dPD2Qk)c7V?#8sF>$+s&OEf?XjblMR7Fm3gr>=8@?kRzud-jW
z>`VPJ8kjj{z~czP%wa%_kVmIS0|A_8W1S&kKje%?Zb!Y5Lx8D}GXIp|A0`F)&IvDS
z$fzP5#sj#4GDvIoKn~qLDUMtbb6^6N$P!j%h0wE>nOZ9PSy-7G0h~d^e5cKv7Z^zf
zEXRzNu~N9|;u@<MD?58St2OIt)b~)VsKAWpqTh^Rf`Ziz)xrTt$$A7DA!cM)8#!FF
zPh@e8z;bYp0vR|*L~er@_zQ>Q3MGh9$xs5#nTs<Y3pKkoCCNM`@K`2jr_Z_qkep|u
zLJa*SJZZmF0Am6p!%E1bbdppqGyjl*tV--Y?6uTP8nSoN!#;>sK*o9;y4m14$8av8
zKbZ%tpZpO;@GL>{v&QIW*(X^eozURIw=y0Z8|X6pW@>U)CO<M=C5_=>f1}W-bKs1R
z%;1caMpj9{rbWL@??wYd$zMGzrsOzRY)5}%VPsq&8;?OCQ-(c1Y650%Z2e}T(jR>a
z)K46?+OO{6dws5c;kmu7Pak%7eWJ%_wg(HpivNVaezX=_YPnCB`}!SMzkBjtpQ8sq
zGaUPk&yOYU;W0gM;yba+`uiu|>v?>$o;xRht?!?4^<Pf?Vz3fei>f-gG~4-r5k9kf
z{cFbGj_vMzrkc|4otf58KC^9o`~9bmwBGvMVE+Mrv9LxDS@J2vd@D;VT8FHqS+37M
zS9wKEPU-j0-O|q<J<xK_y|cBKm%<Atdz$de3$~tn{<uE)d{Y1M{N0{s=FXj7$93!6
zy#Duvh1S)JXOnvFrLDU5mEHQy+L3m^cHSOtt$p>+eW%+9twZa`6N&XzYhvTKn44>2
zS^^L8oT}BV`E@gO-|FSo&gut!`u5pjZ4G{`^|pE~)5Fl#&n|t?7mwc?*DlAGX0Cj<
zr>%tluT3KU+fe$A@KWpJx9|3Mo89{H>a9m&!dnZk{I$R1vDVJpAL$=yb3j7puB^!S
k%5GlFe|>WO^JmOm?TdQ0IVp-Swf-6YzP~kg_lJr90oH8x7XSbN

delta 3591
zcmY+HxvFJF6o%>B4%`c(Vj!a6F))#f?0FD6a!906)EC&Jh+?bJj(Ue;VA3ZxGB9o2
z9oyh5XskYfh`xbU-&aC=gJPc=*1v{-{Z;p$2RDCxcya&j%jZx3|9kDDJD)C}pHAm@
zFW)-9{>nG!ySHCFe!KenvE$8W-g)Wx?u|choL|0m?`GZh=Lfew-rMT>lx=kx$7+pZ
z!<ZM$<kwf1*_N|uVPVSR!o;%UGRB#l)wzw|a~{XOW2{-_yYMX5G9dSA2BBfD>f_#q
zy^Rh`ac0#?W(vOtb}}<yX`16q4MK}YE8k-SfNnQzEm<C;llwMvZqj4$GrniG8uP-8
zdnV#su)Pp%z==tknG&HhRZVosKub)lrU95ShPH1#KOAd(X)x5|<idf)B(1=;OSGzE
zD+lIBW=w;Jb8#>+;F0N>*uTcreal#$M`CCRx+ldgsc%VfP7y0+2EL89V|An$1!%RY
zCt6EYfmT-lxLo5*DE(;<C37!U2W(W@GXWs1%;-^RR`I3cd(n#mgq)Og8X~rla0=#2
z#@@r?H~f%*)~W-!7nyMar)@#Vn97L36kC!WCkMir+0#%k4|mK<j7p>8S43`XomrA^
zIo=m6>vx75&dctCJ(&e%XDSj1E2CYdg?S}}nV6U5dJj}8`H@*Z&&hrJhd3><%ruks
zr}1mMCAZlGLWeWz%1Y=tW9mTJ*n(e}B~AyX2ahDEv=+Jduts|jtj~b+Ib(&xErARe
zvKY#jdvZdv4~GhT32OC}hRGNVak3|{r+~@N&@#c*2A4WQs6jTjBJ`Y9R~4lsD>A9h
z_GlwWR2T=mS4KS%*bwG>5E}3U1H(+HTNo9t)D2KCm7ed=Xi=2RUhM(Q3Dz)^H{h2b
zDCXK*nMtxs>Lsx;7gTSy46Bw%#_$O1<gH!Ou}9tv?5r?4EZ_%HhIlITX-5-7AV7>k
z>6Be|T7kWWO-5qBDNPeeQn(bzoc$&&V^t}g=N$xf+`h7)BQEvqHLatxVw3<4-{w<I
zFkuQ|NoNK@jUlM06>KQwK4Y<iplFYj*j%kFs}>4m=V8f6B_(EvKO!V&bQ0*2ZzaPN
zD!y{77htCjQd5u3mBk369SSoIASCY5X@=;Gnz`awPW8MMjM;9`^uTI{QGLn85Aq&k
zFo`BN6%n*#PhR7<MDrRM=^F`PaYvHsWm@x{xElI8#AAkMoY^z2GG?$|8rY3BgswR@
z;kU0N#Wy4-m`mMY2;M$&NJBN7RDUHa-9gOnlO*DYy*JVaI+@#6#1O<cCdu+Cb%r=m
zZVPIJ-gu@#U()jjb2EWh=Us)gSz8gbp-?H^=@Gy=6JtTO>Z3x3Rc@Kg184KqWXxfP
z5U5xe=^oxc^ro#b;h*-rYZ~~ebnB`G)eBSQe)}-J#k>}!ug$Fl^5#p=Q#AX(_n&n1
za`Mtj?^#N(4x}fs9gX*!2W+2;DtQ%a&O5MyXx;}ST_Ss6^}gBTN}!|<H&M)z?4BvE
zqS=y+nwbu(i#<*X2S#13VX|ct(|b|^hR`BF%yxKx6>yK&;5KsZ(Y?MKl|#KSHq*1>
zMM+fptF_ukw;b}nfk9CMAU&so^8w#0*Oy$<DK7_aJh)<~iJYDS9We|feT6rUJub-%
zXB4H$(Aeqi6X+iCTO3RJfx4)f;XxF$RDw{zgPBy>X{}|&J@;gMJF4G~vfAY3SPOC#
zbv0bkPX>f2pvQXqlZ)er_rH4X`2MqJFV0_l`N8?84_`g*-ue0Qqu3r^9)I2c<Hq^D
Vr(QUpp1%6=>u<~B_h0Tk@h_#Ek}3cI

diff --git a/service/verify.proto b/service/verify.proto
index a6619a6..a7e694f 100644
--- a/service/verify.proto
+++ b/service/verify.proto
@@ -23,6 +23,9 @@ message RequestVerificationHeader {
 
     // Token is a token of the session within which the request is sent
     Token Token = 2;
+
+    // Bearer is a Bearer token of the request
+    BearerTokenMsg Bearer = 3;
 }
 
 // User token granting rights for object manipulation
@@ -91,3 +94,26 @@ message TokenLifetime {
 //     uint32 Version = 2;
 //     bytes Data = 3;
 // }
+
+// BearerTokenMsg carries information about request ACL rules with limited lifetime
+message BearerTokenMsg {
+    message Info {
+        // ACLRules carries a binary representation of the table of extended ACL rules
+        bytes ACLRules = 1;
+
+        // OwnerID is an owner of token
+        bytes OwnerID = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
+
+        // ValidUntil carries a last epoch of token lifetime
+        uint64 ValidUntil = 3;
+    }
+
+    // TokenInfo is a grouped information about token
+    Info TokenInfo = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+
+    // OwnerKey is a public key of the token owner
+    bytes OwnerKey = 2;
+
+    // Signature is a signature of token information
+    bytes Signature = 3;
+}
diff --git a/service/verify_test.go b/service/verify_test.go
index e13f316..55ec65f 100644
--- a/service/verify_test.go
+++ b/service/verify_test.go
@@ -115,3 +115,16 @@ func TestRequestVerificationHeader_SetToken(t *testing.T) {
 
 	require.Equal(t, token, h.GetToken())
 }
+
+func TestRequestVerificationHeader_SetBearer(t *testing.T) {
+	aclRules := []byte{1, 2, 3}
+
+	token := new(BearerTokenMsg)
+	token.SetACLRules(aclRules)
+
+	h := new(RequestVerificationHeader)
+
+	h.SetBearer(token)
+
+	require.Equal(t, token, h.GetBearer())
+}