container: Replace AccessGroup with BasicACL

With the new ACL concept, access control lists in NeoFS are
defined as a required basic ACL and an optional extended ACL.

Basic ACL must be set up in container structure. It is a bit
mask stored in 32-bit unsigned integer.

Seven nibbles represent seven object operations: get, put,
head, search, delete, range, range-hash.

Every nibble defines access rules for three targets: user,
owner, others and has permission bit for bearer token.

There is a permission bit for extended ACL and three unused
bits.
alexvanin 2020-04-01 19:03:46 +03:00 committed by Stanislav Bogatyrev
parent 2b667d13ec
commit 18b698d429
2 changed files with 5 additions and 16 deletions


@ -42,8 +42,8 @@ message PutRequest {
// Rules define storage policy for the object inside the container. // Rules define storage policy for the object inside the container.
netmap.PlacementRule rules = 4 [(gogoproto.nullable) = false]; netmap.PlacementRule rules = 4 [(gogoproto.nullable) = false];
// Container ACL. // BasicACL of the container.
AccessGroup Group = 5 [(gogoproto.nullable) = false]; uint32 BasicACL = 5;
// RequestMetaHeader contains information about request meta headers (should be embedded into message) // RequestMetaHeader contains information about request meta headers (should be embedded into message)
service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false]; service.RequestMetaHeader Meta = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
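Review bot: Field number 5 in PutRequest is kept while its type appears to change from the `AccessGroup` message (length-delimited) to `uint32` (varint), so bytes written on tag 5 under the old schema cannot be read as an ACL by the new code. The Container hunk does the same, where `AccessControlList List = 5` becomes `uint32 BasicACL = 5`. Unless no old-format requests or stored containers exist yet, give the mask a fresh field number and retire the old one with `reserved 5;` and `reserved "Group";` (`reserved "List";` in Container). PutRequest's body starts and ends outside the hunk.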


@ -18,18 +18,7 @@ message Container {
uint64 Capacity = 3; uint64 Capacity = 3;
// Rules define storage policy for the object inside the container. // Rules define storage policy for the object inside the container.
netmap.PlacementRule Rules = 4 [(gogoproto.nullable) = false]; netmap.PlacementRule Rules = 4 [(gogoproto.nullable) = false];
// Container ACL. // BasicACL with access control rules for owner, system, others and
AccessControlList List = 5 [(gogoproto.nullable) = false]; // permission bits for bearer token and extended ACL.
} uint32 BasicACL = 5;
message AccessGroup {
// Group access mode.
uint32 AccessMode = 1;
// Group members.
repeated bytes UserGroup = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
}
message AccessControlList {
// List of access groups.
repeated AccessGroup List = 1 [(gogoproto.nullable) = false];
} }