2020-04-01 15:48:49 +00:00
# Protocol Documentation
< a name = "top" > < / a >
## Table of Contents
- [acl/types.proto ](#acl/types.proto )
2020-07-08 07:22:07 +00:00
- Messages
2024-04-03 08:21:40 +00:00
- [BearerToken ](#neo.fs.v2.acl.BearerToken )
- [BearerToken.Body ](#neo.fs.v2.acl.BearerToken.Body )
2024-05-28 08:52:42 +00:00
- [BearerToken.Body.APEOverride ](#neo.fs.v2.acl.BearerToken.Body.APEOverride )
2024-04-03 08:21:40 +00:00
- [BearerToken.Body.TokenLifetime ](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime )
- [EACLRecord ](#neo.fs.v2.acl.EACLRecord )
- [EACLRecord.Filter ](#neo.fs.v2.acl.EACLRecord.Filter )
- [EACLRecord.Target ](#neo.fs.v2.acl.EACLRecord.Target )
- [EACLTable ](#neo.fs.v2.acl.EACLTable )
2024-09-02 12:03:58 +00:00
2020-04-01 15:48:49 +00:00
- [Scalar Value Types ](#scalar-value-types )
< a name = "acl/types.proto" > < / a >
< p align = "right" > < a href = "#top" > Top< / a > < / p >
## acl/types.proto
<!-- end services -->
2020-07-08 07:22:07 +00:00
2020-08-18 13:51:28 +00:00
< a name = "neo.fs.v2.acl.BearerToken" > < / a >
### Message BearerToken
2020-10-16 11:40:12 +00:00
BearerToken allows to attach signed Extended ACL rules to the request in
`RequestMetaHeader` . If container's Basic ACL rules allow, the attached rule
set will be checked instead of one attached to the container itself. Just
like [JWT ](https://jwt.io ), it has a limited lifetime and scope, hence can be
used in the similar use cases, like providing authorisation to externally
authenticated party.
2020-08-18 13:51:28 +00:00
2024-03-05 09:36:58 +00:00
BearerToken can be issued only by the container's owner and must be signed
using the key associated with the container's `OwnerID` .
2020-10-23 12:40:32 +00:00
2020-08-18 13:51:28 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| body | [BearerToken.Body ](#neo.fs.v2.acl.BearerToken.Body ) | | Bearer Token body |
| signature | [neo.fs.v2.refs.Signature ](#neo.fs.v2.refs.Signature ) | | Signature of BearerToken body |
< a name = "neo.fs.v2.acl.BearerToken.Body" > < / a >
### Message BearerToken.Body
2024-03-05 09:36:58 +00:00
Bearer Token body structure contains Extended ACL table issued by the
container owner with additional information preventing token abuse.
2020-08-18 13:51:28 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
2024-05-28 08:52:42 +00:00
| eacl_table | [EACLTable ](#neo.fs.v2.acl.EACLTable ) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed.
Deprecated: eACL tables are no longer relevant - `APEOverrides` should be used instead. |
2022-06-21 11:32:14 +00:00
| owner_id | [neo.fs.v2.refs.OwnerID ](#neo.fs.v2.refs.OwnerID ) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID` . If empty, any token bearer will be accepted. |
2020-08-18 13:51:28 +00:00
| lifetime | [BearerToken.Body.TokenLifetime ](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime ) | | Token expiration and valid time period parameters |
2023-02-21 08:18:35 +00:00
| allow_impersonate | [bool ](#bool ) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. |
2024-05-28 08:52:42 +00:00
| ape_override | [BearerToken.Body.APEOverride ](#neo.fs.v2.acl.BearerToken.Body.APEOverride ) | | APE override for the target. |
< a name = "neo.fs.v2.acl.BearerToken.Body.APEOverride" > < / a >
### Message BearerToken.Body.APEOverride
APEOverride is the list of APE chains defined for a target.
These chains are meant to serve as overrides to the already defined (or even undefined)
APE chains for the target (see contract `Policy` ).
The server-side processing of the bearer token with set APE overrides must verify if a client is permitted
to override chains for the target, preventing unauthorized access through the APE mechanism.
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| target | [frostfs.v2.ape.ChainTarget ](#frostfs.v2.ape.ChainTarget ) | | Target for which chains are applied. |
| chains | [frostfs.v2.ape.Chain ](#frostfs.v2.ape.Chain ) | repeated | The list of APE chains. |
2020-08-18 13:51:28 +00:00
< a name = "neo.fs.v2.acl.BearerToken.Body.TokenLifetime" > < / a >
### Message BearerToken.Body.TokenLifetime
2020-12-11 07:20:21 +00:00
Lifetime parameters of the token. Field names taken from
2020-10-16 11:40:12 +00:00
[rfc7519 ](https://tools.ietf.org/html/rfc7519 ).
2020-08-18 13:51:28 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| exp | [uint64 ](#uint64 ) | | Expiration Epoch |
| nbf | [uint64 ](#uint64 ) | | Not valid before Epoch |
| iat | [uint64 ](#uint64 ) | | Issued at Epoch |
2020-08-13 16:18:53 +00:00
< a name = "neo.fs.v2.acl.EACLRecord" > < / a >
2020-07-08 07:22:07 +00:00
### Message EACLRecord
2020-10-16 11:40:12 +00:00
Describes a single eACL rule.
2020-07-08 07:22:07 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
2020-10-16 11:40:12 +00:00
| operation | [Operation ](#neo.fs.v2.acl.Operation ) | | NeoFS request Verb to match |
| action | [Action ](#neo.fs.v2.acl.Action ) | | Rule execution result. Either allows or denies access if filters match. |
| filters | [EACLRecord.Filter ](#neo.fs.v2.acl.EACLRecord.Filter ) | repeated | List of filters to match and see if rule is applicable |
| targets | [EACLRecord.Target ](#neo.fs.v2.acl.EACLRecord.Target ) | repeated | List of target subjects to apply ACL rule to |
2020-07-08 07:22:07 +00:00
2020-09-02 11:06:21 +00:00
< a name = "neo.fs.v2.acl.EACLRecord.Filter" > < / a >
2020-07-08 07:22:07 +00:00
2020-09-02 11:06:21 +00:00
### Message EACLRecord.Filter
2022-06-21 11:32:14 +00:00
Filter to check particular properties of the request or the object.
2020-07-08 07:22:07 +00:00
2020-10-23 12:40:32 +00:00
By default `key` field refers to the corresponding object's `Attribute` .
Some Object's header fields can also be accessed by adding `$Object:`
prefix to the name. Here is the list of fields available via this prefix:
* $Object:version \
version
2020-12-11 07:20:21 +00:00
* $Object:objectID \
object_id
2020-10-23 12:40:32 +00:00
* $Object:containerID \
container_id
* $Object:ownerID \
owner_id
* $Object:creationEpoch \
creation_epoch
* $Object:payloadLength \
payload_length
* $Object:payloadHash \
payload_hash
* $Object:objectType \
object_type
* $Object:homomorphicHash \
homomorphic_hash
2022-09-23 14:57:44 +00:00
Please note, that if request or response does not have object's headers of
2020-12-25 12:16:10 +00:00
full object (Range, RangeHash, Search, Delete), it will not be possible to
filter by object header fields or user attributes. From the well-known list
only `$Object:objectID` and `$Object:containerID` will be available, as
it's possible to take that information from the requested address.
2020-07-08 07:22:07 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
2020-10-16 11:40:12 +00:00
| header_type | [HeaderType ](#neo.fs.v2.acl.HeaderType ) | | Define if Object or Request header will be used |
| match_type | [MatchType ](#neo.fs.v2.acl.MatchType ) | | Match operation type |
2020-10-23 12:40:32 +00:00
| key | [string ](#string ) | | Name of the Header to use |
| value | [string ](#string ) | | Expected Header Value or pattern to match |
2020-07-08 07:22:07 +00:00
2020-09-02 11:06:21 +00:00
< a name = "neo.fs.v2.acl.EACLRecord.Target" > < / a >
2020-07-08 07:22:07 +00:00
2020-09-02 11:06:21 +00:00
### Message EACLRecord.Target
2020-10-16 11:40:12 +00:00
Target to apply ACL rule. Can be a subject's role class or a list of public
keys to match.
2020-07-08 07:22:07 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
2020-10-16 11:40:12 +00:00
| role | [Role ](#neo.fs.v2.acl.Role ) | | Target subject's role class |
2020-10-19 14:14:32 +00:00
| keys | [bytes ](#bytes ) | repeated | List of public keys to identify target subject |
2020-07-08 07:22:07 +00:00
2020-08-13 16:18:53 +00:00
< a name = "neo.fs.v2.acl.EACLTable" > < / a >
2020-07-08 07:22:07 +00:00
### Message EACLTable
2022-06-21 11:32:14 +00:00
Extended ACL rules table. A list of ACL rules defined additionally to Basic
ACL. Extended ACL rules can be attached to a container and can be updated
2020-10-16 11:40:12 +00:00
or may be defined in `BearerToken` structure. Please see the corresponding
2022-06-21 11:32:14 +00:00
NeoFS Technical Specification section for detailed description.
2020-07-08 07:22:07 +00:00
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
2022-06-21 11:32:14 +00:00
| version | [neo.fs.v2.refs.Version ](#neo.fs.v2.refs.Version ) | | eACL format version. Effectively, the version of API library used to create eACL Table. |
2020-10-16 11:40:12 +00:00
| container_id | [neo.fs.v2.refs.ContainerID ](#neo.fs.v2.refs.ContainerID ) | | Identifier of the container that should use given access control rules |
| records | [EACLRecord ](#neo.fs.v2.acl.EACLRecord ) | repeated | List of Extended ACL rules |
2020-07-08 07:22:07 +00:00
2020-04-01 15:48:49 +00:00
<!-- end messages -->
2020-08-14 19:04:56 +00:00
< a name = "neo.fs.v2.acl.Action" > < / a >
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
### Action
2020-10-16 11:40:12 +00:00
Rule execution result action. Either allows or denies access if the rule's
filters match.
2020-07-08 07:22:07 +00:00
| Name | Number | Description |
| ---- | ------ | ----------- |
2020-10-16 11:40:12 +00:00
| ACTION_UNSPECIFIED | 0 | Unspecified action, default value |
2020-08-13 16:18:53 +00:00
| ALLOW | 1 | Allow action |
| DENY | 2 | Deny action |
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
< a name = "neo.fs.v2.acl.HeaderType" > < / a >
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
### HeaderType
2020-10-16 11:40:12 +00:00
Enumeration of possible sources of Headers to apply filters.
2020-07-08 07:22:07 +00:00
| Name | Number | Description |
| ---- | ------ | ----------- |
2020-08-13 16:18:53 +00:00
| HEADER_UNSPECIFIED | 0 | Unspecified header, default value. |
| REQUEST | 1 | Filter request headers |
| OBJECT | 2 | Filter object headers |
2021-10-14 15:27:45 +00:00
| SERVICE | 3 | Filter service headers. These are not processed by NeoFS nodes and exist for service use only. |
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
< a name = "neo.fs.v2.acl.MatchType" > < / a >
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
### MatchType
2020-07-08 07:22:07 +00:00
MatchType is an enumeration of match types.
| Name | Number | Description |
| ---- | ------ | ----------- |
2020-08-13 16:18:53 +00:00
| MATCH_TYPE_UNSPECIFIED | 0 | Unspecified match type, default value. |
| STRING_EQUAL | 1 | Return true if strings are equal |
| STRING_NOT_EQUAL | 2 | Return true if strings are different |
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
< a name = "neo.fs.v2.acl.Operation" > < / a >
2020-07-08 07:22:07 +00:00
2020-08-14 19:04:56 +00:00
### Operation
2020-10-16 11:40:12 +00:00
Request's operation type to match if the rule is applicable to a particular
request.
2020-07-08 07:22:07 +00:00
| Name | Number | Description |
| ---- | ------ | ----------- |
2020-10-16 11:40:12 +00:00
| OPERATION_UNSPECIFIED | 0 | Unspecified operation, default value |
2020-08-13 16:18:53 +00:00
| GET | 1 | Get |
| HEAD | 2 | Head |
| PUT | 3 | Put |
| DELETE | 4 | Delete |
| SEARCH | 5 | Search |
| GETRANGE | 6 | GetRange |
| GETRANGEHASH | 7 | GetRangeHash |
2020-07-08 07:22:07 +00:00
2020-09-02 11:06:21 +00:00
< a name = "neo.fs.v2.acl.Role" > < / a >
2020-04-01 15:48:49 +00:00
2020-09-02 11:06:21 +00:00
### Role
Target role of the access control rule in access control list.
2020-04-01 15:48:49 +00:00
| Name | Number | Description |
| ---- | ------ | ----------- |
2020-10-16 11:40:12 +00:00
| ROLE_UNSPECIFIED | 0 | Unspecified role, default value |
| USER | 1 | User target rule is applied if sender is the owner of the container |
2022-06-21 11:32:14 +00:00
| SYSTEM | 2 | System target rule is applied if sender is a storage node within the container or an inner ring node |
| OTHERS | 3 | Others target rule is applied if sender is neither a user nor a system target |
2020-04-01 15:48:49 +00:00
<!-- end enums -->
## Scalar Value Types
| .proto Type | Notes | C++ Type | Java Type | Python Type |
| ----------- | ----- | -------- | --------- | ----------- |
| < a name = "double" / > double | | double | double | float |
| < a name = "float" / > float | | float | float | float |
| < a name = "int32" / > int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| < a name = "int64" / > int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| < a name = "uint32" / > uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| < a name = "uint64" / > uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| < a name = "sint32" / > sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
| < a name = "sint64" / > sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
| < a name = "fixed32" / > fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
| < a name = "fixed64" / > fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
| < a name = "sfixed32" / > sfixed32 | Always four bytes. | int32 | int | int |
| < a name = "sfixed64" / > sfixed64 | Always eight bytes. | int64 | long | int/long |
| < a name = "bool" / > bool | | bool | boolean | boolean |
| < a name = "string" / > string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
| < a name = "bytes" / > bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |