[#1628] tree: Document ACL checks in tree service

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-09-12 14:10:32 +03:00 · 2022-09-12 14:10:32 +03:00 · 2ffcd02ac3
parent 8d0906c6ab
commit 2ffcd02ac3
1 changed files with 15 additions and 0 deletions
--- a/pkg/services/tree/service.proto
+++ b/pkg/services/tree/service.proto
@ -12,6 +12,21 @@ option go_package = "github.com/nspcc-dev/neofs-node/pkg/services/tree";
 service TreeService {
  /* Client API */

+  // Client methods are mapped to the object RPC:
+  //  [ Add, AddByPath, Remove, Move ] -> PUT;
+  //  [ GetNodeByPath, GetSubTree ] -> GET.
+  //  One of the following must be true:
+  //  - a signer passes non-extended basic ACL;
+  //  - a signer passes extended basic ACL AND bearer token is
+  //    attached AND the basic ACL allows attaching bearer token
+  //    to the GET/PUT operation AND eACL table in the bearer contains
+  //    an explicit allowing the signer's key (or its role) rule
+  //    for the GET/PUT operation;
+  //  - a signer passes extended basic ACL AND the extension
+  //    contains an explicit allowing the signer's key (or its role)
+  //    rule for GET/PUT operation.
+  //  Otherwise, a request is denied.
+
  // Add adds new node to the tree. Invoked by a client.
  rpc Add (AddRequest) returns (AddResponse);
  // AddByPath adds new node to the tree by path. Invoked by a client.