[#1522] adm/frostfsid: Remove unreachable condition

SendConsensusTx() modifies SendTxs field, if it is not the case, there
is a bug in code.

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>

CHANGELOG.md

@@ -9,6 +9,30 @@ Changelog for FrostFS Node
 ### Removed
 ### Updated
 
+## [v0.44.0] - 2024-25-11 - Rongbuk
+
+### Added
+- Allow to prioritize nodes during GET traversal via attributes (#1439)
+- Add metrics for the frostfsid cache (#1464)
+- Customize constant attributes attached to every tracing span (#1488)
+- Manage additional keys in the `frostfsid` contract (#1505)
+- Describe `--rule` flag in detail for `frostfs-cli ape-manager` subcommands (#1519)
+
+### Changed
+- Support richer interaction with the console in `frostfs-cli container policy-playground` (#1396)
+- Print address in base58 format in `frostfs-adm morph policy set-admin` (#1515)
+
+### Fixed
+- Fix EC object search (#1408)
+- Fix EC object put when one of the nodes is unavailable (#1427)
+
+### Removed
+- Drop most of the eACL-related code (#1425)
+- Remove `--basic-acl` flag from `frostfs-cli container create` (#1483)
+
+### Upgrading from v0.43.0
+The metabase schema has changed completely, resync is required.
+
 ## [v0.42.0]
 
 ### Added

VERSION

@@ -1 +1 @@
-v0.42.0
+v0.44.0

cmd/frostfs-adm/internal/modules/morph/ape/ape.go

@@ -8,7 +8,7 @@ import (
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
 	apeCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common/ape"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
-	"github.com/nspcc-dev/neo-go/pkg/util"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -200,7 +200,7 @@ func listRuleChains(cmd *cobra.Command, _ []string) {
 
 func setAdmin(cmd *cobra.Command, _ []string) {
 	s, _ := cmd.Flags().GetString(addrAdminFlag)
-	addr, err := util.Uint160DecodeStringLE(s)
+	addr, err := address.StringToUint160(s)
 	commonCmd.ExitOnErr(cmd, "can't decode admin addr: %w", err)
 	pci, ac := newPolicyContractInterface(cmd)
 	h, vub, err := pci.SetAdmin(addr)
@@ -214,7 +214,7 @@ func getAdmin(cmd *cobra.Command, _ []string) {
 	pci, _ := newPolicyContractReaderInterface(cmd)
 	addr, err := pci.GetAdmin()
 	commonCmd.ExitOnErr(cmd, "unable to get admin: %w", err)
-	cmd.Println(addr.StringLE())
+	cmd.Println(address.Uint160ToString(addr))
 }
 
 func listTargets(cmd *cobra.Command, _ []string) {

cmd/frostfs-adm/internal/modules/morph/ape/ape_util.go

@@ -53,16 +53,15 @@ func (n *invokerAdapter) GetRPCInvoker() invoker.RPCInvoke {
 }
 
 func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorageReader, *invoker.Invoker) {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	inv := invoker.New(c, nil)
-	var ch util.Uint160
 	r := management.NewReader(inv)
 	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
 
-	ch, err = helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
+	ch, err := helper.NNSResolveHash(inv, nnsCs.Hash, helper.DomainOf(constants.PolicyContract))
 	commonCmd.ExitOnErr(cmd, "unable to resolve policy contract hash: %w", err)
 
 	invokerAdapter := &invokerAdapter{
@@ -74,7 +73,7 @@ func newPolicyContractReaderInterface(cmd *cobra.Command) (*morph.ContractStorag
 }
 
 func newPolicyContractInterface(cmd *cobra.Command) (*morph.ContractStorage, *helper.LocalActor) {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	ac, err := helper.NewLocalActor(cmd, c, constants.ConsensusAccountName)

cmd/frostfs-adm/internal/modules/morph/balance/balance.go

@@ -51,7 +51,7 @@ func dumpBalances(cmd *cobra.Command, _ []string) error {
 		nmHash          util.Uint160
 	)
 
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return err
 	}

cmd/frostfs-adm/internal/modules/morph/config/config.go

@@ -26,7 +26,7 @@ import (
 const forceConfigSet = "force"
 
 func dumpNetworkConfig(cmd *cobra.Command, _ []string) error {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/container/container.go

@@ -76,7 +76,7 @@ func dumpContainers(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("invalid filename: %w", err)
 	}
 
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}
@@ -157,7 +157,7 @@ func dumpSingleContainer(bw *io.BufBinWriter, ch util.Uint160, inv *invoker.Invo
 }
 
 func listContainers(cmd *cobra.Command, _ []string) error {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/contract/dump_hashes.go

@@ -36,7 +36,7 @@ type contractDumpInfo struct {
 }
 
 func dumpContractHashes(cmd *cobra.Command, _ []string) error {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return fmt.Errorf("can't create N3 client: %w", err)
 	}

cmd/frostfs-adm/internal/modules/morph/frostfsid/frostfsid.go

@@ -1,7 +1,6 @@
 package frostfsid
 
 import (
-	"errors"
 	"fmt"
 	"math/big"
 	"sort"
@@ -61,7 +60,6 @@ var (
 		Use:   "list-namespaces",
 		Short: "List all namespaces in frostfsid",
 		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListNamespaces,
@@ -91,7 +89,6 @@ var (
 		Use:   "list-subjects",
 		Short: "List subjects in namespace",
 		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListSubjects,
@@ -121,7 +118,6 @@ var (
 		Use:   "list-groups",
 		Short: "List groups in namespace",
 		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListGroups,
@@ -151,7 +147,6 @@ var (
 		Use:   "list-group-subjects",
 		Short: "List subjects in group",
 		PreRun: func(cmd *cobra.Command, _ []string) {
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
 		},
 		Run: frostfsidListGroupSubjects,
@@ -169,7 +164,6 @@ func initFrostfsIDCreateNamespaceCmd() {
 func initFrostfsIDListNamespacesCmd() {
 	Cmd.AddCommand(frostfsidListNamespacesCmd)
 	frostfsidListNamespacesCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	frostfsidListNamespacesCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDCreateSubjectCmd() {
@@ -193,7 +187,6 @@ func initFrostfsIDListSubjectsCmd() {
 	frostfsidListSubjectsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	frostfsidListSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace to list subjects")
 	frostfsidListSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
-	frostfsidListSubjectsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDCreateGroupCmd() {
@@ -217,7 +210,6 @@ func initFrostfsIDListGroupsCmd() {
 	Cmd.AddCommand(frostfsidListGroupsCmd)
 	frostfsidListGroupsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
 	frostfsidListGroupsCmd.Flags().String(namespaceFlag, "", "Namespace to list groups")
-	frostfsidListGroupsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func initFrostfsIDAddSubjectToGroupCmd() {
@@ -242,7 +234,6 @@ func initFrostfsIDListGroupSubjectsCmd() {
 	frostfsidListGroupSubjectsCmd.Flags().String(namespaceFlag, "", "Namespace name")
 	frostfsidListGroupSubjectsCmd.Flags().Int64(groupIDFlag, 0, "Group id")
 	frostfsidListGroupSubjectsCmd.Flags().Bool(includeNamesFlag, false, "Whether include subject name (require additional requests)")
-	frostfsidListGroupSubjectsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 }
 
 func frostfsidCreateNamespace(cmd *cobra.Command, _ []string) {
@@ -497,10 +488,6 @@ func (f *frostfsidClient) sendWaitRes() (*state.AppExecResult, error) {
 	}
 	f.bw.Reset()
 
-	if len(f.wCtx.SentTxs) == 0 {
-		return nil, errors.New("no transactions to wait")
-	}
-
 	f.wCtx.Command.Println("Waiting for transactions to persist...")
 	return f.roCli.Wait(f.wCtx.SentTxs[0].Hash, f.wCtx.SentTxs[0].Vub, nil)
 }
@@ -522,7 +509,7 @@ func readIterator(inv *invoker.Invoker, iter *result.Iterator, batchSize int, se
 }
 
 func initInvoker(cmd *cobra.Command) (*invoker.Invoker, *state.Contract, util.Uint160) {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
 
 	inv := invoker.New(c, nil)

cmd/frostfs-adm/internal/modules/morph/frostfsid/frostfsid_util_test.go

@@ -1,59 +1,12 @@
 package frostfsid
 
 import (
-	"encoding/hex"
 	"testing"
 
-	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/internal/ape"
-	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
-	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
-	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 )
 
-func TestFrostfsIDConfig(t *testing.T) {
-	pks := make([]*keys.PrivateKey, 4)
-	for i := range pks {
-		pk, err := keys.NewPrivateKey()
-		require.NoError(t, err)
-		pks[i] = pk
-	}
-
-	fmts := []string{
-		pks[0].GetScriptHash().StringLE(),
-		address.Uint160ToString(pks[1].GetScriptHash()),
-		hex.EncodeToString(pks[2].PublicKey().UncompressedBytes()),
-		hex.EncodeToString(pks[3].PublicKey().Bytes()),
-	}
-
-	for i := range fmts {
-		v := viper.New()
-		v.Set("frostfsid.admin", fmts[i])
-
-		actual, found, err := helper.GetFrostfsIDAdmin(v)
-		require.NoError(t, err)
-		require.True(t, found)
-		require.Equal(t, pks[i].GetScriptHash(), actual)
-	}
-
-	t.Run("bad key", func(t *testing.T) {
-		v := viper.New()
-		v.Set("frostfsid.admin", "abc")
-
-		_, found, err := helper.GetFrostfsIDAdmin(v)
-		require.Error(t, err)
-		require.True(t, found)
-	})
-	t.Run("missing key", func(t *testing.T) {
-		v := viper.New()
-
-		_, found, err := helper.GetFrostfsIDAdmin(v)
-		require.NoError(t, err)
-		require.False(t, found)
-	})
-}
-
 func TestNamespaceRegexp(t *testing.T) {
 	for _, tc := range []struct {
 		name      string

cmd/frostfs-adm/internal/modules/morph/helper/actor.go

@@ -38,38 +38,24 @@ func NewLocalActor(cmd *cobra.Command, c actor.RPCActor, accName string) (*Local
 	walletDir := config.ResolveHomePath(viper.GetString(commonflags.AlphabetWalletsFlag))
 	var act *actor.Actor
 	var accounts []*wallet.Account
-	if walletDir == "" {
-		account, err := wallet.NewAccount()
-		commonCmd.ExitOnErr(cmd, "unable to create dummy account: %w", err)
-		act, err = actor.New(c, []actor.SignerAccount{{
-			Signer: transaction.Signer{
-				Account: account.Contract.ScriptHash(),
-				Scopes:  transaction.Global,
-			},
-			Account: account,
-		}})
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		wallets, err := GetAlphabetWallets(viper.GetViper(), walletDir)
-		commonCmd.ExitOnErr(cmd, "unable to get alphabet wallets: %w", err)
 
-		for _, w := range wallets {
+	wallets, err := GetAlphabetWallets(viper.GetViper(), walletDir)
-			acc, err := GetWalletAccount(w, accName)
+	commonCmd.ExitOnErr(cmd, "unable to get alphabet wallets: %w", err)
-			commonCmd.ExitOnErr(cmd, fmt.Sprintf("can't find %s account: %%w", accName), err)
+
-			accounts = append(accounts, acc)
+	for _, w := range wallets {
-		}
+		acc, err := GetWalletAccount(w, accName)
-		act, err = actor.New(c, []actor.SignerAccount{{
+		commonCmd.ExitOnErr(cmd, fmt.Sprintf("can't find %s account: %%w", accName), err)
-			Signer: transaction.Signer{
+		accounts = append(accounts, acc)
-				Account: accounts[0].Contract.ScriptHash(),
+	}
-				Scopes:  transaction.Global,
+	act, err = actor.New(c, []actor.SignerAccount{{
-			},
+		Signer: transaction.Signer{
-			Account: accounts[0],
+			Account: accounts[0].Contract.ScriptHash(),
-		}})
+			Scopes:  transaction.Global,
-		if err != nil {
+		},
-			return nil, err
+		Account: accounts[0],
-		}
+	}})
+	if err != nil {
+		return nil, err
 	}
 	return &LocalActor{
 		neoActor:   act,

cmd/frostfs-adm/internal/modules/morph/helper/contract.go

@@ -82,7 +82,7 @@ func GetContractDeployData(c *InitializeContext, ctrName string, keysParam []any
 			h, found, err = getFrostfsIDAdminFromContract(c.ReadOnlyInvoker)
 		}
 		if method != constants.UpdateMethodName || err == nil && !found {
-			h, found, err = GetFrostfsIDAdmin(viper.GetViper())
+			h, found, err = getFrostfsIDAdmin(viper.GetViper())
 		}
 		if err != nil {
 			return nil, err

cmd/frostfs-adm/internal/modules/morph/helper/frostfsid.go

@@ -11,7 +11,7 @@ import (
 
 const frostfsIDAdminConfigKey = "frostfsid.admin"
 
-func GetFrostfsIDAdmin(v *viper.Viper) (util.Uint160, bool, error) {
+func getFrostfsIDAdmin(v *viper.Viper) (util.Uint160, bool, error) {
 	admin := v.GetString(frostfsIDAdminConfigKey)
 	if admin == "" {
 		return util.Uint160{}, false, nil

cmd/frostfs-adm/internal/modules/morph/helper/frostfsid_test.go

@@ -0,0 +1,53 @@
+package helper
+
+import (
+	"encoding/hex"
+	"testing"
+
+	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/address"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFrostfsIDConfig(t *testing.T) {
+	pks := make([]*keys.PrivateKey, 4)
+	for i := range pks {
+		pk, err := keys.NewPrivateKey()
+		require.NoError(t, err)
+		pks[i] = pk
+	}
+
+	fmts := []string{
+		pks[0].GetScriptHash().StringLE(),
+		address.Uint160ToString(pks[1].GetScriptHash()),
+		hex.EncodeToString(pks[2].PublicKey().UncompressedBytes()),
+		hex.EncodeToString(pks[3].PublicKey().Bytes()),
+	}
+
+	for i := range fmts {
+		v := viper.New()
+		v.Set("frostfsid.admin", fmts[i])
+
+		actual, found, err := getFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.True(t, found)
+		require.Equal(t, pks[i].GetScriptHash(), actual)
+	}
+
+	t.Run("bad key", func(t *testing.T) {
+		v := viper.New()
+		v.Set("frostfsid.admin", "abc")
+
+		_, found, err := getFrostfsIDAdmin(v)
+		require.Error(t, err)
+		require.True(t, found)
+	})
+	t.Run("missing key", func(t *testing.T) {
+		v := viper.New()
+
+		_, found, err := getFrostfsIDAdmin(v)
+		require.NoError(t, err)
+		require.False(t, found)
+	})
+}

cmd/frostfs-adm/internal/modules/morph/helper/initialize_ctx.go

@@ -134,12 +134,12 @@ func NewInitializeContext(cmd *cobra.Command, v *viper.Viper) (*InitializeContex
 		return nil, err
 	}
 
-	accounts, err := createWalletAccounts(wallets)
+	accounts, err := getSingleAccounts(wallets)
 	if err != nil {
 		return nil, err
 	}
 
-	cliCtx, err := DefaultClientContext(c, committeeAcc)
+	cliCtx, err := defaultClientContext(c, committeeAcc)
 	if err != nil {
 		return nil, fmt.Errorf("client context: %w", err)
 	}
@@ -191,7 +191,7 @@ func createClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet)
 		}
 		c, err = NewLocalClient(cmd, v, wallets, ldf.Value.String())
 	} else {
-		c, err = GetN3Client(v)
+		c, err = NewRemoteClient(v)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("can't create N3 client: %w", err)
@@ -211,7 +211,7 @@ func getContractsPath(cmd *cobra.Command, needContracts bool) (string, error) {
 	return ctrPath, nil
 }
 
-func createWalletAccounts(wallets []*wallet.Wallet) ([]*wallet.Account, error) {
+func getSingleAccounts(wallets []*wallet.Wallet) ([]*wallet.Account, error) {
 	accounts := make([]*wallet.Account, len(wallets))
 	for i, w := range wallets {
 		acc, err := GetWalletAccount(w, constants.SingleAccountName)

cmd/frostfs-adm/internal/modules/morph/helper/local_client.go

@@ -58,17 +58,59 @@ func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet
 		return nil, err
 	}
 
-	m := smartcontract.GetDefaultHonestNodeCount(int(cfg.ProtocolConfiguration.ValidatorsCount))
+	go bc.Run()
-	accounts := make([]*wallet.Account, len(wallets))
+
-	for i := range accounts {
+	accounts, err := getBlockSigningAccounts(cfg.ProtocolConfiguration, wallets)
-		accounts[i], err = GetWalletAccount(wallets[i], constants.ConsensusAccountName)
+	if err != nil {
-		if err != nil {
+		return nil, err
-			return nil, err
+	}
+
+	if cmd.Name() != "init" {
+		if err := restoreDump(bc, dumpPath); err != nil {
+			return nil, fmt.Errorf("restore dump: %w", err)
 		}
 	}
 
+	return &LocalClient{
+		bc:       bc,
+		dumpPath: dumpPath,
+		accounts: accounts,
+	}, nil
+}
+
+func restoreDump(bc *core.Blockchain, dumpPath string) error {
+	f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0o600)
+	if err != nil {
+		return fmt.Errorf("can't open local dump: %w", err)
+	}
+	defer f.Close()
+
+	r := io.NewBinReaderFromIO(f)
+
+	var skip uint32
+	if bc.BlockHeight() != 0 {
+		skip = bc.BlockHeight() + 1
+	}
+
+	count := r.ReadU32LE() - skip
+	if err := chaindump.Restore(bc, r, skip, count, nil); err != nil {
+		return err
+	}
+	return nil
+}
+
+func getBlockSigningAccounts(cfg config.ProtocolConfiguration, wallets []*wallet.Wallet) ([]*wallet.Account, error) {
+	accounts := make([]*wallet.Account, len(wallets))
+	for i := range accounts {
+		acc, err := GetWalletAccount(wallets[i], constants.ConsensusAccountName)
+		if err != nil {
+			return nil, err
+		}
+		accounts[i] = acc
+	}
+
 	indexMap := make(map[string]int)
-	for i, pub := range cfg.ProtocolConfiguration.StandbyCommittee {
+	for i, pub := range cfg.StandbyCommittee {
 		indexMap[pub] = i
 	}
 
@@ -77,37 +119,12 @@ func NewLocalClient(cmd *cobra.Command, v *viper.Viper, wallets []*wallet.Wallet
 		pj := accounts[j].PrivateKey().PublicKey().Bytes()
 		return indexMap[string(pi)] < indexMap[string(pj)]
 	})
-	sort.Slice(accounts[:cfg.ProtocolConfiguration.ValidatorsCount], func(i, j int) bool {
+	sort.Slice(accounts[:cfg.ValidatorsCount], func(i, j int) bool {
 		return accounts[i].PublicKey().Cmp(accounts[j].PublicKey()) == -1
 	})
 
-	go bc.Run()
+	m := smartcontract.GetDefaultHonestNodeCount(int(cfg.ValidatorsCount))
-
+	return accounts[:m], nil
-	if cmd.Name() != "init" {
-		f, err := os.OpenFile(dumpPath, os.O_RDONLY, 0o600)
-		if err != nil {
-			return nil, fmt.Errorf("can't open local dump: %w", err)
-		}
-		defer f.Close()
-
-		r := io.NewBinReaderFromIO(f)
-
-		var skip uint32
-		if bc.BlockHeight() != 0 {
-			skip = bc.BlockHeight() + 1
-		}
-
-		count := r.ReadU32LE() - skip
-		if err := chaindump.Restore(bc, r, skip, count, nil); err != nil {
-			return nil, fmt.Errorf("can't restore local dump: %w", err)
-		}
-	}
-
-	return &LocalClient{
-		bc:       bc,
-		dumpPath: dumpPath,
-		accounts: accounts[:m],
-	}, nil
 }
 
 func (l *LocalClient) GetBlockCount() (uint32, error) {
@@ -128,11 +145,6 @@ func (l *LocalClient) GetApplicationLog(h util.Uint256, t *trigger.Type) (*resul
 	return &a, nil
 }
 
-func (l *LocalClient) GetCommittee() (keys.PublicKeys, error) {
-	// not used by `morph init` command
-	panic("unexpected call")
-}
-
 // InvokeFunction is implemented via `InvokeScript`.
 func (l *LocalClient) InvokeFunction(h util.Uint160, method string, sPrm []smartcontract.Parameter, ss []transaction.Signer) (*result.Invoke, error) {
 	var err error
@@ -296,13 +308,7 @@ func (l *LocalClient) InvokeScript(script []byte, signers []transaction.Signer)
 }
 
 func (l *LocalClient) SendRawTransaction(tx *transaction.Transaction) (util.Uint256, error) {
-	// We need to test that transaction was formed correctly to catch as many errors as we can.
+	tx = tx.Copy()
-	bs := tx.Bytes()
-	_, err := transaction.NewTransactionFromBytes(bs)
-	if err != nil {
-		return tx.Hash(), fmt.Errorf("invalid transaction: %w", err)
-	}
-
 	l.transactions = append(l.transactions, tx)
 	return tx.Hash(), nil
 }

cmd/frostfs-adm/internal/modules/morph/helper/n3client.go

@@ -10,7 +10,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
-	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/neorpc/result"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
@@ -25,15 +24,10 @@ import (
 // Client represents N3 client interface capable of test-invoking scripts
 // and sending signed transactions to chain.
 type Client interface {
-	invoker.RPCInvoke
+	actor.RPCActor
 
-	GetBlockCount() (uint32, error)
 	GetNativeContracts() ([]state.Contract, error)
 	GetApplicationLog(util.Uint256, *trigger.Type) (*result.ApplicationLog, error)
-	GetVersion() (*result.Version, error)
-	SendRawTransaction(*transaction.Transaction) (util.Uint256, error)
-	GetCommittee() (keys.PublicKeys, error)
-	CalculateNetworkFee(tx *transaction.Transaction) (int64, error)
 }
 
 type HashVUBPair struct {
@@ -48,7 +42,7 @@ type ClientContext struct {
 	SentTxs         []HashVUBPair
 }
 
-func GetN3Client(v *viper.Viper) (Client, error) {
+func NewRemoteClient(v *viper.Viper) (Client, error) {
 	// number of opened connections
 	// by neo-go client per one host
 	const (
@@ -88,8 +82,14 @@ func GetN3Client(v *viper.Viper) (Client, error) {
 	return c, nil
 }
 
-func DefaultClientContext(c Client, committeeAcc *wallet.Account) (*ClientContext, error) {
+func defaultClientContext(c Client, committeeAcc *wallet.Account) (*ClientContext, error) {
-	commAct, err := NewActor(c, committeeAcc)
+	commAct, err := actor.New(c, []actor.SignerAccount{{
+		Signer: transaction.Signer{
+			Account: committeeAcc.Contract.ScriptHash(),
+			Scopes:  transaction.Global,
+		},
+		Account: committeeAcc,
+	}})
 	if err != nil {
 		return nil, err
 	}

cmd/frostfs-adm/internal/modules/morph/helper/util.go

@@ -15,10 +15,8 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/pkg/innerring"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
-	"github.com/nspcc-dev/neo-go/pkg/core/transaction"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/encoding/fixedn"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient/actor"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
 	"github.com/nspcc-dev/neo-go/pkg/wallet"
 	"github.com/spf13/viper"
@@ -87,16 +85,6 @@ func openAlphabetWallets(v *viper.Viper, walletDir string) ([]*wallet.Wallet, er
 	return wallets, nil
 }
 
-func NewActor(c actor.RPCActor, committeeAcc *wallet.Account) (*actor.Actor, error) {
-	return actor.New(c, []actor.SignerAccount{{
-		Signer: transaction.Signer{
-			Account: committeeAcc.Contract.ScriptHash(),
-			Scopes:  transaction.Global,
-		},
-		Account: committeeAcc,
-	}})
-}
-
 func ReadContract(ctrPath, ctrName string) (*ContractState, error) {
 	rawNef, err := os.ReadFile(filepath.Join(ctrPath, ctrName+"_contract.nef"))
 	if err != nil {

cmd/frostfs-adm/internal/modules/morph/netmap/netmap_candidates.go

@@ -13,7 +13,7 @@ import (
 )
 
 func listNetmapCandidatesNodes(cmd *cobra.Command, _ []string) {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client: %w", err)
 
 	inv := invoker.New(c, nil)

cmd/frostfs-adm/internal/modules/morph/netmap/root.go

@@ -12,7 +12,6 @@ var (
 		Short: "List netmap candidates nodes",
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlag(commonflags.EndpointFlag, cmd.Flags().Lookup(commonflags.EndpointFlag))
-			_ = viper.BindPFlag(commonflags.AlphabetWalletsFlag, cmd.Flags().Lookup(commonflags.AlphabetWalletsFlag))
 		},
 		Run: listNetmapCandidatesNodes,
 	}

cmd/frostfs-adm/internal/modules/morph/nns/domains.go

@@ -24,7 +24,7 @@ func initRegisterCmd() {
 }
 
 func registerDomain(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	email, _ := cmd.Flags().GetString(nnsEmailFlag)
@@ -53,7 +53,7 @@ func initDeleteCmd() {
 }
 
 func deleteDomain(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	h, vub, err := c.DeleteDomain(name)

cmd/frostfs-adm/internal/modules/morph/nns/helper.go

@@ -5,15 +5,15 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/constants"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/modules/morph/helper"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/management"
-	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
-func getRPCClient(cmd *cobra.Command) (*client.Contract, *helper.LocalActor, util.Uint160) {
+func nnsWriter(cmd *cobra.Command) (*client.Contract, *helper.LocalActor) {
 	v := viper.GetViper()
-	c, err := helper.GetN3Client(v)
+	c, err := helper.NewRemoteClient(v)
 	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
 
 	ac, err := helper.NewLocalActor(cmd, c, constants.CommitteeAccountName)
@@ -22,5 +22,17 @@ func getRPCClient(cmd *cobra.Command) (*client.Contract, *helper.LocalActor, uti
 	r := management.NewReader(ac.Invoker)
 	nnsCs, err := helper.GetContractByID(r, 1)
 	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
-	return client.New(ac, nnsCs.Hash), ac, nnsCs.Hash
+	return client.New(ac, nnsCs.Hash), ac
+}
+
+func nnsReader(cmd *cobra.Command) (*client.ContractReader, *invoker.Invoker) {
+	c, err := helper.NewRemoteClient(viper.GetViper())
+	commonCmd.ExitOnErr(cmd, "unable to create NEO rpc client: %w", err)
+
+	inv := invoker.New(c, nil)
+	r := management.NewReader(inv)
+	nnsCs, err := helper.GetContractByID(r, 1)
+	commonCmd.ExitOnErr(cmd, "can't get NNS contract state: %w", err)
+
+	return client.NewReader(inv, nnsCs.Hash), inv
 }

cmd/frostfs-adm/internal/modules/morph/nns/record.go

@@ -8,7 +8,6 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
 	"git.frostfs.info/TrueCloudLab/frostfs-node/cmd/frostfs-adm/internal/commonflags"
 	commonCmd "git.frostfs.info/TrueCloudLab/frostfs-node/cmd/internal/common"
-	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/spf13/cobra"
 )
@@ -29,7 +28,6 @@ func initAddRecordCmd() {
 func initGetRecordsCmd() {
 	Cmd.AddCommand(getRecordsCmd)
 	getRecordsCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	getRecordsCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	getRecordsCmd.Flags().String(nnsNameFlag, "", nnsNameFlagDesc)
 	getRecordsCmd.Flags().String(nnsRecordTypeFlag, "", nnsRecordTypeFlagDesc)
 
@@ -61,7 +59,7 @@ func initDelRecordCmd() {
 }
 
 func addRecord(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	data, _ := cmd.Flags().GetString(nnsRecordDataFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
@@ -77,16 +75,16 @@ func addRecord(cmd *cobra.Command, _ []string) {
 }
 
 func getRecords(cmd *cobra.Command, _ []string) {
-	c, act, hash := getRPCClient(cmd)
+	c, inv := nnsReader(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
 	if recordType == "" {
-		sid, r, err := unwrap.SessionIterator(act.Invoker.Call(hash, "getAllRecords", name))
+		sid, r, err := c.GetAllRecords(name)
 		commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		defer func() {
-			_ = act.Invoker.TerminateSession(sid)
+			_ = inv.TerminateSession(sid)
 		}()
-		items, err := act.Invoker.TraverseIterator(sid, &r, 0)
+		items, err := inv.TraverseIterator(sid, &r, 0)
 		commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		for len(items) != 0 {
 			for j := range items {
@@ -97,7 +95,7 @@ func getRecords(cmd *cobra.Command, _ []string) {
 					recordTypeToString(nns.RecordType(rs[1].Value().(*big.Int).Int64())),
 					string(bs))
 			}
-			items, err = act.Invoker.TraverseIterator(sid, &r, 0)
+			items, err = inv.TraverseIterator(sid, &r, 0)
 			commonCmd.ExitOnErr(cmd, "unable to get records: %w", err)
 		}
 	} else {
@@ -114,7 +112,7 @@ func getRecords(cmd *cobra.Command, _ []string) {
 }
 
 func delRecords(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)
 	typ, err := getRecordType(recordType)
@@ -129,7 +127,7 @@ func delRecords(cmd *cobra.Command, _ []string) {
 }
 
 func delRecord(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	data, _ := cmd.Flags().GetString(nnsRecordDataFlag)
 	recordType, _ := cmd.Flags().GetString(nnsRecordTypeFlag)

cmd/frostfs-adm/internal/modules/morph/nns/renew.go

@@ -14,7 +14,7 @@ func initRenewCmd() {
 }
 
 func renewDomain(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	h, vub, err := c.Renew(name)
 	commonCmd.ExitOnErr(cmd, "unable to renew domain: %w", err)

cmd/frostfs-adm/internal/modules/morph/nns/tokens.go

@@ -18,12 +18,11 @@ const (
 func initTokensCmd() {
 	Cmd.AddCommand(tokensCmd)
 	tokensCmd.Flags().StringP(commonflags.EndpointFlag, commonflags.EndpointFlagShort, "", commonflags.EndpointFlagDesc)
-	tokensCmd.Flags().String(commonflags.AlphabetWalletsFlag, "", commonflags.AlphabetWalletsFlagDesc)
 	tokensCmd.Flags().BoolP(commonflags.Verbose, commonflags.VerboseShorthand, false, verboseDesc)
 }
 
 func listTokens(cmd *cobra.Command, _ []string) {
-	c, _, _ := getRPCClient(cmd)
+	c, _ := nnsReader(cmd)
 	it, err := c.Tokens()
 	commonCmd.ExitOnErr(cmd, "unable to get tokens: %w", err)
 	for toks, err := it.Next(10); err == nil && len(toks) > 0; toks, err = it.Next(10) {
@@ -41,7 +40,7 @@ func listTokens(cmd *cobra.Command, _ []string) {
 	}
 }
 
-func getCnameRecord(c *client.Contract, token []byte) (string, error) {
+func getCnameRecord(c *client.ContractReader, token []byte) (string, error) {
 	items, err := c.GetRecords(string(token), big.NewInt(int64(nns.CNAME)))
 
 	// GetRecords returns the error "not an array" if the domain does not contain records.

cmd/frostfs-adm/internal/modules/morph/nns/update.go

@@ -30,7 +30,7 @@ func initUpdateCmd() {
 }
 
 func updateSOA(cmd *cobra.Command, _ []string) {
-	c, actor, _ := getRPCClient(cmd)
+	c, actor := nnsWriter(cmd)
 
 	name, _ := cmd.Flags().GetString(nnsNameFlag)
 	email, _ := cmd.Flags().GetString(nnsEmailFlag)

cmd/frostfs-adm/internal/modules/morph/notary/notary.go

@@ -89,7 +89,7 @@ func depositNotary(cmd *cobra.Command, _ []string) error {
 }
 
 func transferGas(cmd *cobra.Command, acc *wallet.Account, accHash util.Uint160, gasAmount fixedn.Fixed8, till int64) error {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	if err != nil {
 		return err
 	}

cmd/frostfs-adm/internal/modules/morph/policy/policy.go

@@ -62,7 +62,7 @@ func SetPolicyCmd(cmd *cobra.Command, args []string) error {
 }
 
 func dumpPolicyCmd(cmd *cobra.Command, _ []string) error {
-	c, err := helper.GetN3Client(viper.GetViper())
+	c, err := helper.NewRemoteClient(viper.GetViper())
 	commonCmd.ExitOnErr(cmd, "can't create N3 client:", err)
 
 	inv := invoker.New(c, nil)

cmd/internal/common/ape/flags.go

@@ -2,7 +2,6 @@ package ape
 
 const (
 	RuleFlag           = "rule"
-	RuleFlagDesc       = "Rule statement"
 	PathFlag           = "path"
 	PathFlagDesc       = "Path to encoded chain in JSON or binary format"
 	TargetNameFlag     = "target-name"
@@ -17,3 +16,64 @@ const (
 	ChainNameFlagDesc  = "Chain name(ingress|s3)"
 	AllFlag            = "all"
 )
+
+const RuleFlagDesc = `Defines an Access Policy Engine (APE) rule in the format:
+    <status>[:status_detail] <action>... <condition>... <resource>...
+
+Status:
+  - allow                   Permits specified actions
+  - deny                    Prohibits specified actions
+  - deny:QuotaLimitReached  Denies access due to quota limits
+
+Actions:
+    Object operations:
+    - Object.Put, Object.Get, etc.
+    - Object.*     (all object operations)
+    Container operations:
+    - Container.Put, Container.Get, etc.
+    - Container.*  (all container operations)
+
+Conditions:
+    ResourceCondition:
+      Format: ResourceCondition:"key"=value, "key"!=value
+        Reserved properties (use '\' before '$'):
+        - $Object:version
+        - $Object:objectID
+        - $Object:containerID
+        - $Object:ownerID
+        - $Object:creationEpoch
+        - $Object:payloadLength
+        - $Object:payloadHash
+        - $Object:objectType
+        - $Object:homomorphicHash
+
+RequestCondition:
+    Format: RequestCondition:"key"=value, "key"!=value
+      Reserved properties (use '\' before '$'):
+        - $Actor:publicKey
+        - $Actor:role
+
+      Example:
+        ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others
+
+Resources:
+    For objects:
+      - namespace/cid/oid    (specific object)
+      - namespace/cid/*      (all objects in container)
+      - namespace/*          (all objects in namespace)
+      - *                    (all objects)
+      - /*                   (all objects in root namespace)
+      - /cid/*               (all objects in root container)
+      - /cid/oid             (specific object in root container)
+
+    For containers:
+      - namespace/cid        (specific container)
+      - namespace/*          (all containers in namespace)
+      - *                    (all containers)
+      - /cid                 (root container)
+      - /*                   (all root containers)
+
+Notes:
+    - Cannot mix object and container operations in one rule
+    - Default behavior is Any=false unless 'any' is specified
+    - Use 'all' keyword to explicitly set Any=false`

cmd/internal/common/exit.go

@@ -26,13 +26,15 @@ func ExitOnErr(cmd *cobra.Command, errFmt string, err error) {
 		_ = iota
 		internal
 		aclDenied
+		apemanagerDenied
 	)
 
 	var (
 		code int
 
-		internalErr = new(sdkstatus.ServerInternal)
+		internalErr   = new(sdkstatus.ServerInternal)
-		accessErr   = new(sdkstatus.ObjectAccessDenied)
+		accessErr     = new(sdkstatus.ObjectAccessDenied)
+		apemanagerErr = new(sdkstatus.APEManagerAccessDenied)
 	)
 
 	switch {
@@ -41,6 +43,9 @@ func ExitOnErr(cmd *cobra.Command, errFmt string, err error) {
 	case errors.As(err, &accessErr):
 		code = aclDenied
 		err = fmt.Errorf("%w: %s", err, accessErr.Reason())
+	case errors.As(err, &apemanagerErr):
+		code = apemanagerDenied
+		err = fmt.Errorf("%w: %s", err, apemanagerErr.Reason())
 	default:
 		code = internal
 	}

go.mod

@@ -4,7 +4,7 @@ go 1.22
 
 require (
 	code.gitea.io/sdk/gitea v0.17.1
-	git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.0
+	git.frostfs.info/TrueCloudLab/frostfs-contract v0.21.0-rc.4
 	git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0
 	git.frostfs.info/TrueCloudLab/frostfs-locode-db v0.4.1-0.20240710074952-65761deb5c0d
 	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88