[#770] node: Introduce ape chain source

* Provide methods to access rule chains with access
  policy engine (APE) chain source
* Initialize apeChainSource within object service
  initialization
* Share apeChainSource with control service
* Implement dummy apeChainSource instance based on
  in-memory implementation

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

cmd/frostfs-node/config.go

@@ -510,6 +510,11 @@ type cfgObject struct {
 
 	eaclSource container.EACLSource
 
+	// Access policy chain source is used by object service to
+	// check for operation permissions but this source is also shared with
+	// control service that dispatches local overrides.
+	apeChainSource container.AccessPolicyEngineChainSource
+
 	pool cfgObjectRoutines
 
 	cfgLocalStorage cfgLocalStorage

cmd/frostfs-node/control.go

@@ -51,6 +51,7 @@ func initControlService(c *cfg) {
 		controlSvc.WithTreeService(treeSynchronizer{
 			c.treeService,
 		}),
+		controlSvc.WithAPEChainSource(c.cfgObject.apeChainSource),
 	)
 
 	lis, err := net.Listen("tcp", endpoint)

cmd/frostfs-node/object.go

@@ -157,6 +157,8 @@ func initObjectService(c *cfg) {
 
 	c.replicator = createReplicator(c, keyStorage, c.bgClientCache)
 
+	c.cfgObject.apeChainSource = NewAPESource()
+
 	addPolicer(c, keyStorage, c.bgClientCache)
 
 	traverseGen := util.NewTraverserGenerator(c.netMapSource, c.cfgObject.cnrSource, c)

cmd/frostfs-node/policy_engine.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/core/container"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
+)
+
+type apeChainSourceImpl struct {
+	localChainStorage map[cid.ID]policyengine.CachedChainStorage
+}
+
+func NewAPESource() container.AccessPolicyEngineChainSource {
+	return &apeChainSourceImpl{
+		localChainStorage: make(map[cid.ID]policyengine.CachedChainStorage),
+	}
+}
+
+var _ container.AccessPolicyEngineChainSource = (*apeChainSourceImpl)(nil)
+
+func (c *apeChainSourceImpl) GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error) {
+	s, ok := c.localChainStorage[cid]
+	if ok {
+		return s, nil
+	}
+	c.localChainStorage[cid] = policyengine.NewInMemory()
+	return c.localChainStorage[cid], nil
+}

go.mod

@@ -8,6 +8,7 @@ require (
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20230531082742-c97d21411eb6
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20231101144515-6fbe1595cb3d
 	git.frostfs.info/TrueCloudLab/hrw v1.2.1
+	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20231101082425-5eee1a733432
 	git.frostfs.info/TrueCloudLab/tzhash v1.8.0
 	github.com/cheggaaa/pb v1.0.29
 	github.com/chzyer/readline v1.5.1

pkg/core/container/storage.go

@@ -6,6 +6,7 @@ import (
 	frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
+	policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
 )
 
 // Container groups information about the FrostFS container stored in the FrostFS network.
@@ -70,3 +71,10 @@ type EACLSource interface {
 	// eACL table is not in source.
 	GetEACL(cid.ID) (*EACL, error)
 }
+
+// AccessPolicyEngineChainSource interface provides methods to access and manipulate
+// policy engine chain storage.
+type AccessPolicyEngineChainSource interface {
+	// TODO (aarifullin): Better to use simpler interface instead CachedChainStorage.
+	GetChainSource(cid cid.ID) (policyengine.CachedChainStorage, error)
+}

pkg/services/control/server/server.go

@@ -59,6 +59,8 @@ type cfg struct {
 
 	cnrSrc container.Source
 
+	apeChainSrc container.AccessPolicyEngineChainSource
+
 	replicator *replicator.Replicator
 
 	nodeState NodeState
@@ -151,3 +153,11 @@ func WithTreeService(s TreeService) Option {
 		c.treeService = s
 	}
 }
+
+// WithAPEChainSource returns the option to set access policy engine
+// chain source.
+func WithAPEChainSource(apeChainSrc container.AccessPolicyEngineChainSource) Option {
+	return func(c *cfg) {
+		c.apeChainSrc = apeChainSrc
+	}
+}