Merge branch 'release/0.2.8'

2019-12-21 12:25:45 +03:00 · 2019-12-21 12:25:45 +03:00 · abc3c371ce
commit abc3c371ce
parent a7f2026db0 e1b7d0a7a6
10 changed files with 732 additions and 65 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,15 @@
 # Changelog
 This is the changelog for NeoFS Proto

+## [0.2.8] - 2019-12-21
+
+### Added
+- Container access control type definitions
+
+### Changed
+- Used sync.Pool for Sign/VerifyRequestHeader
+- VerifiableRequest.Marshal method replace with MarshalTo and Size
+
 ## [0.2.7] - 2019-12-17

 ### Fixed
@ -78,3 +87,4 @@ Initial public release
 [0.2.5]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.4...v0.2.5
 [0.2.6]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.5...v0.2.6
 [0.2.7]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.6...v0.2.7
+[0.2.8]: https://github.com/nspcc-dev/neofs-proto/compare/v0.2.7...v0.2.8
--- a/container/service.pb.go
+++ b/container/service.pb.go
@ -38,6 +38,8 @@ type PutRequest struct {
 	OwnerID OwnerID `protobuf:"bytes,3,opt,name=OwnerID,proto3,customtype=OwnerID" json:"OwnerID"`
 	// Rules define storage policy for the object inside the container.
 	Rules netmap.PlacementRule `protobuf:"bytes,4,opt,name=rules,proto3" json:"rules"`
+	// Container ACL.
+	Group AccessGroup `protobuf:"bytes,5,opt,name=Group,proto3" json:"Group"`
 	// RequestMetaHeader contains information about request meta headers (should be embedded into message)
 	service.RequestMetaHeader `protobuf:"bytes,98,opt,name=Meta,proto3,embedded=Meta" json:"Meta"`
 	// RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
@ -90,6 +92,13 @@ func (m *PutRequest) GetRules() netmap.PlacementRule {
 	return netmap.PlacementRule{}
 }

+func (m *PutRequest) GetGroup() AccessGroup {
+	if m != nil {
+		return m.Group
+	}
+	return AccessGroup{}
+}
+
 type PutResponse struct {
 	// CID (container id) is a SHA256 hash of the container structure
 	CID                  CID      `protobuf:"bytes,1,opt,name=CID,proto3,customtype=CID" json:"CID"`
@ -382,43 +391,44 @@ func init() {
 func init() { proto.RegisterFile("container/service.proto", fileDescriptor_e1fa9d7ab2e7ae06) }

 var fileDescriptor_e1fa9d7ab2e7ae06 = []byte{
-	// 562 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x54, 0xcd, 0x6e, 0xd3, 0x4c,
-	0x14, 0xed, 0x34, 0xf9, 0xd2, 0xe6, 0xba, 0x1f, 0x3f, 0xa3, 0x86, 0x1a, 0x4b, 0x24, 0x91, 0x57,
-	0x01, 0x11, 0x5b, 0x84, 0x4a, 0xb0, 0x41, 0x82, 0x24, 0x52, 0xa9, 0x44, 0x45, 0x64, 0x24, 0x16,
-	0xec, 0x1c, 0xf7, 0x26, 0x58, 0x72, 0x6c, 0xe3, 0x19, 0x07, 0xe5, 0x4d, 0x78, 0x07, 0x24, 0xb6,
-	0xf0, 0x08, 0x5d, 0x76, 0x89, 0x58, 0x44, 0x28, 0xac, 0x79, 0x07, 0xe4, 0xf1, 0xf8, 0x27, 0x69,
-	0x81, 0x65, 0xc5, 0xc6, 0x9a, 0x39, 0xe7, 0x9e, 0x3b, 0xf7, 0xdc, 0xb9, 0x1e, 0x38, 0x70, 0x02,
-	0x9f, 0xdb, 0xae, 0x8f, 0x91, 0xc9, 0x30, 0x9a, 0xbb, 0x0e, 0x1a, 0x61, 0x14, 0xf0, 0x80, 0xd6,
-	0x73, 0x42, 0xa3, 0x92, 0x31, 0x67, 0xc8, 0xed, 0x94, 0xd6, 0xf6, 0x33, 0x6c, 0x8e, 0x91, 0x3b,
-	0x59, 0x48, 0xb4, 0x51, 0x64, 0xe3, 0x8b, 0x10, 0x99, 0x84, 0xef, 0x4d, 0x5d, 0xfe, 0x36, 0x1e,
-	0x1b, 0x4e, 0x30, 0x33, 0x7d, 0x16, 0x3a, 0x4e, 0xf7, 0x14, 0xe7, 0xa6, 0x8f, 0x7c, 0x66, 0x87,
-	0x26, 0x43, 0x0f, 0x1d, 0x1e, 0x44, 0x32, 0xb6, 0x5b, 0x8a, 0x9d, 0x06, 0xd3, 0xc0, 0x14, 0xf0,
-	0x38, 0x9e, 0x88, 0x9d, 0xd8, 0x88, 0x55, 0x1a, 0xae, 0x7f, 0xde, 0x06, 0x18, 0xc5, 0xdc, 0xc2,
-	0x77, 0x31, 0x32, 0x4e, 0x4d, 0xa8, 0x9f, 0x20, 0x63, 0xf6, 0x14, 0x8f, 0x87, 0x2a, 0x69, 0x93,
-	0xce, 0x5e, 0xff, 0xe6, 0xd9, 0xb2, 0xb5, 0xf5, 0x6d, 0xd9, 0x2a, 0x08, 0xab, 0x58, 0x52, 0x0d,
-	0x76, 0x07, 0x76, 0x68, 0x3b, 0x2e, 0x5f, 0xa8, 0xdb, 0x6d, 0xd2, 0xa9, 0x5a, 0xf9, 0x9e, 0xde,
-	0x85, 0x9d, 0x97, 0xef, 0x7d, 0x8c, 0x8e, 0x87, 0x6a, 0x45, 0xa4, 0xba, 0x2e, 0x53, 0x65, 0xb0,
-	0x95, 0x2d, 0xe8, 0x03, 0xf8, 0x2f, 0x8a, 0x3d, 0x64, 0x6a, 0xb5, 0x4d, 0x3a, 0x4a, 0xaf, 0x61,
-	0xa4, 0xe6, 0x8c, 0x91, 0x67, 0x3b, 0x38, 0x43, 0x9f, 0x5b, 0xb1, 0x87, 0xfd, 0x6a, 0xa2, 0xb7,
-	0xd2, 0x48, 0xfa, 0x18, 0xaa, 0x27, 0xc8, 0x6d, 0x75, 0x2c, 0x14, 0x9a, 0x91, 0xb5, 0x5f, 0x5a,
-	0x49, 0xb8, 0xe7, 0x68, 0x9f, 0x62, 0xd4, 0xdf, 0x4d, 0x64, 0xe7, 0xcb, 0x16, 0xb1, 0x84, 0x82,
-	0x0e, 0xa1, 0xf6, 0x5a, 0x74, 0x5d, 0x75, 0x84, 0x56, 0xdf, 0xd4, 0x0a, 0xd6, 0x75, 0x6c, 0xee,
-	0x06, 0xfe, 0x85, 0x1c, 0x52, 0xab, 0xdf, 0x07, 0x45, 0x34, 0x8e, 0x85, 0x81, 0xcf, 0x90, 0xde,
-	0x81, 0xca, 0x20, 0xef, 0x99, 0x22, 0x8d, 0x26, 0x90, 0x95, 0x7c, 0xf4, 0x4f, 0x04, 0xfe, 0x1f,
-	0xa2, 0x87, 0x1c, 0xb3, 0x56, 0xff, 0x59, 0x70, 0xe5, 0xf6, 0x6e, 0xc0, 0xb5, 0xac, 0xde, 0xd4,
-	0xa1, 0xfe, 0x91, 0x00, 0x1c, 0x21, 0xff, 0x47, 0xea, 0x7f, 0x06, 0x8a, 0x28, 0x56, 0x5e, 0x4f,
-	0x0f, 0xea, 0x83, 0xec, 0xdf, 0x12, 0x35, 0x2b, 0xbd, 0x7d, 0x23, 0xff, 0xdb, 0x8c, 0x9c, 0xb3,
-	0x8a, 0x30, 0xfd, 0x0b, 0x01, 0xe5, 0x85, 0xcb, 0x72, 0xc7, 0xa5, 0x79, 0x26, 0x7f, 0x99, 0xe7,
-	0xab, 0x76, 0xdf, 0x85, 0xbd, 0xb4, 0xf2, 0xcd, 0xe9, 0xac, 0x5c, 0x76, 0x59, 0xbd, 0x9f, 0x04,
-	0x76, 0x5e, 0xa5, 0xc7, 0xd0, 0x43, 0xa8, 0x8c, 0x62, 0x4e, 0x1b, 0xa5, 0xee, 0x14, 0x0f, 0x84,
-	0x76, 0x6b, 0x13, 0x96, 0x07, 0x3c, 0x81, 0x5a, 0x3a, 0x2e, 0x54, 0x2d, 0x45, 0xac, 0x4d, 0xbc,
-	0x76, 0xfb, 0x12, 0x46, 0xca, 0x0f, 0xa1, 0x72, 0x84, 0xeb, 0x87, 0x16, 0xa3, 0xb6, 0x76, 0x68,
-	0xf9, 0x52, 0x1f, 0x41, 0x35, 0x71, 0x49, 0xcb, 0x7c, 0xe9, 0xc2, 0xb4, 0x83, 0x0b, 0x78, 0x2a,
-	0xec, 0x3f, 0x3d, 0x5b, 0x35, 0xc9, 0xf9, 0xaa, 0x49, 0xbe, 0xae, 0x9a, 0xe4, 0xfb, 0xaa, 0x49,
-	0x3e, 0xfc, 0x68, 0x6e, 0xbd, 0xf9, 0xdd, 0x33, 0x1b, 0x4c, 0x58, 0x37, 0x7d, 0x38, 0xf3, 0x74,
-	0xe3, 0x9a, 0x00, 0x1e, 0xfe, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x36, 0x72, 0xbd, 0x89, 0x00, 0x06,
-	0x00, 0x00,
+	// 580 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x54, 0xcb, 0x6e, 0xd3, 0x40,
+	0x14, 0xed, 0x34, 0xe9, 0x23, 0xd7, 0xe5, 0x35, 0x6a, 0x5a, 0x63, 0x89, 0x24, 0xf2, 0x2a, 0x20,
+	0x62, 0x8b, 0x50, 0x09, 0x36, 0x48, 0x34, 0x89, 0x14, 0x2a, 0x51, 0x11, 0x19, 0x89, 0x05, 0x3b,
+	0x67, 0x7a, 0x13, 0x2c, 0x25, 0xb6, 0xf1, 0x8c, 0x83, 0xf2, 0x27, 0xfc, 0x03, 0x12, 0x6b, 0x3e,
+	0xa1, 0xcb, 0x2e, 0x11, 0x8b, 0x08, 0x85, 0x25, 0xe2, 0x1f, 0x90, 0xc7, 0xcf, 0xa4, 0x05, 0x96,
+	0x15, 0x1b, 0x6b, 0xe6, 0x9c, 0x7b, 0xee, 0xdb, 0x03, 0x87, 0xcc, 0x73, 0x85, 0xed, 0xb8, 0x18,
+	0x98, 0x1c, 0x83, 0x99, 0xc3, 0xd0, 0xf0, 0x03, 0x4f, 0x78, 0xb4, 0x92, 0x11, 0x1a, 0x4d, 0x18,
+	0x73, 0x8a, 0xc2, 0x8e, 0x69, 0x6d, 0x3f, 0xc5, 0x66, 0x18, 0x38, 0xa3, 0x79, 0x82, 0x56, 0x73,
+	0x6f, 0x62, 0xee, 0x23, 0x4f, 0xe0, 0x07, 0x63, 0x47, 0xbc, 0x0b, 0x87, 0x06, 0xf3, 0xa6, 0xa6,
+	0xcb, 0x7d, 0xc6, 0x5a, 0x67, 0x38, 0x33, 0x5d, 0x14, 0x53, 0xdb, 0x37, 0x39, 0x4e, 0x90, 0x09,
+	0x2f, 0x48, 0x6c, 0x5b, 0x05, 0xdb, 0xb1, 0x37, 0xf6, 0x4c, 0x09, 0x0f, 0xc3, 0x91, 0xbc, 0xc9,
+	0x8b, 0x3c, 0xc5, 0xe6, 0xfa, 0xcf, 0x4d, 0x80, 0x41, 0x28, 0x2c, 0x7c, 0x1f, 0x22, 0x17, 0xd4,
+	0x84, 0xca, 0x29, 0x72, 0x6e, 0x8f, 0xf1, 0xa4, 0xa7, 0x92, 0x06, 0x69, 0xee, 0x75, 0xee, 0x9c,
+	0x2f, 0xea, 0x1b, 0xdf, 0x16, 0xf5, 0x9c, 0xb0, 0xf2, 0x23, 0xd5, 0x60, 0xb7, 0x6b, 0xfb, 0x36,
+	0x73, 0xc4, 0x5c, 0xdd, 0x6c, 0x90, 0x66, 0xd9, 0xca, 0xee, 0xf4, 0x3e, 0xec, 0xbc, 0xfa, 0xe0,
+	0x62, 0x70, 0xd2, 0x53, 0x4b, 0xd2, 0xd5, 0xad, 0xc4, 0x55, 0x0a, 0x5b, 0xe9, 0x81, 0x3e, 0x82,
+	0xad, 0x20, 0x9c, 0x20, 0x57, 0xcb, 0x0d, 0xd2, 0x54, 0xda, 0x55, 0x23, 0x2e, 0xce, 0x18, 0x4c,
+	0x6c, 0x86, 0x53, 0x74, 0x85, 0x15, 0x4e, 0xb0, 0x53, 0x8e, 0xf4, 0x56, 0x6c, 0x49, 0xdb, 0xb0,
+	0xd5, 0x0f, 0xbc, 0xd0, 0x57, 0xb7, 0xa4, 0xe4, 0xc0, 0xc8, 0x7a, 0x67, 0x1c, 0x33, 0x86, 0x9c,
+	0x4b, 0x36, 0xd5, 0xc8, 0x0b, 0x7d, 0x0a, 0xe5, 0x53, 0x14, 0xb6, 0x3a, 0x94, 0x12, 0xcd, 0x48,
+	0x47, 0x96, 0x94, 0x1f, 0x71, 0x2f, 0xd0, 0x3e, 0xc3, 0xa0, 0xb3, 0x1b, 0xc9, 0x2e, 0x16, 0x75,
+	0x62, 0x49, 0x05, 0xed, 0xc1, 0xf6, 0x1b, 0x39, 0x29, 0x95, 0x49, 0xad, 0xbe, 0xae, 0x95, 0xac,
+	0xc3, 0x6c, 0xe1, 0x78, 0xee, 0x25, 0x1f, 0x89, 0x56, 0x7f, 0x08, 0x8a, 0x6c, 0x36, 0xf7, 0x3d,
+	0x97, 0x23, 0xbd, 0x07, 0xa5, 0x6e, 0xd6, 0x67, 0x25, 0x69, 0x4e, 0x04, 0x59, 0xd1, 0x47, 0xff,
+	0x4c, 0xe0, 0x46, 0x0f, 0x27, 0x28, 0x30, 0x1d, 0xcf, 0xdf, 0x05, 0xd7, 0x5e, 0xde, 0x6d, 0xb8,
+	0x99, 0xe6, 0x1b, 0x57, 0xa8, 0x7f, 0x22, 0x00, 0x7d, 0x14, 0xff, 0x49, 0xfe, 0xc7, 0xa0, 0xc8,
+	0x64, 0x93, 0xf1, 0xb4, 0xa1, 0xd2, 0x4d, 0x77, 0x4a, 0xe6, 0xac, 0xb4, 0xf7, 0x0b, 0x5b, 0x96,
+	0x71, 0x56, 0x6e, 0xa6, 0x7f, 0x21, 0xa0, 0xbc, 0x74, 0x78, 0x56, 0x71, 0xe1, 0x1f, 0x20, 0xff,
+	0xf8, 0x07, 0xae, 0xbb, 0xfa, 0x16, 0xec, 0xc5, 0x99, 0xaf, 0x6f, 0x67, 0xe9, 0xaa, 0x61, 0xb5,
+	0x7f, 0x11, 0xd8, 0x79, 0x1d, 0x87, 0xa1, 0x47, 0x50, 0x1a, 0x84, 0x82, 0x56, 0x0b, 0xdd, 0xc9,
+	0x1f, 0x15, 0xed, 0x60, 0x1d, 0x4e, 0x02, 0x3c, 0x83, 0xed, 0x78, 0x5d, 0xa8, 0x5a, 0xb0, 0x58,
+	0xd9, 0x78, 0xed, 0xee, 0x15, 0x4c, 0x22, 0x3f, 0x82, 0x52, 0x1f, 0x57, 0x83, 0xe6, 0xab, 0xb6,
+	0x12, 0xb4, 0x38, 0xd4, 0x27, 0x50, 0x8e, 0xaa, 0xa4, 0x45, 0xbe, 0x30, 0x30, 0xed, 0xf0, 0x12,
+	0x1e, 0x0b, 0x3b, 0xcf, 0xcf, 0x97, 0x35, 0x72, 0xb1, 0xac, 0x91, 0xaf, 0xcb, 0x1a, 0xf9, 0xbe,
+	0xac, 0x91, 0x8f, 0x3f, 0x6a, 0x1b, 0x6f, 0xff, 0xf4, 0x34, 0x7b, 0x23, 0xde, 0x8a, 0x1f, 0xdb,
+	0xcc, 0xdd, 0x70, 0x5b, 0x02, 0x8f, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x31, 0xf8, 0x4f, 0x34,
+	0x34, 0x06, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
@ -671,6 +681,16 @@ func (m *PutRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	dAtA[i] = 0x6
 	i--
 	dAtA[i] = 0x92
+	{
+		size, err := m.Group.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintService(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x2a
 	{
 		size, err := m.Rules.MarshalToSizedBuffer(dAtA[:i])
 		if err != nil {
@ -1062,6 +1082,8 @@ func (m *PutRequest) Size() (n int) {
 	n += 1 + l + sovService(uint64(l))
 	l = m.Rules.Size()
 	n += 1 + l + sovService(uint64(l))
+	l = m.Group.Size()
+	n += 1 + l + sovService(uint64(l))
 	l = m.RequestMetaHeader.Size()
 	n += 2 + l + sovService(uint64(l))
 	l = m.RequestVerificationHeader.Size()
@ -1339,6 +1361,39 @@ func (m *PutRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowService
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthService
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthService
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Group.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		case 98:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field RequestMetaHeader", wireType)
--- a/container/service.proto
+++ b/container/service.proto
@ -41,6 +41,9 @@ message PutRequest {
    // Rules define storage policy for the object inside the container.
    netmap.PlacementRule rules               = 4 [(gogoproto.nullable) = false];

+    // Container ACL.
+    AccessGroup Group                        = 5 [(gogoproto.nullable) = false];
+
    // RequestMetaHeader contains information about request meta headers (should be embedded into message)
    service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
    // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
--- a/container/types.go
+++ b/container/types.go
@ -11,6 +11,19 @@ import (
 	"github.com/pkg/errors"
 )

+// AccessMode is a container access mode type.
+type AccessMode uint32
+
+const (
+	// AccessModeRead is a read access mode.
+	AccessModeRead AccessMode = 1 << iota
+	// AccessModeWrite is a write access mode.
+	AccessModeWrite
+)
+
+// AccessModeReadWrite is a read/write container access mode.
+const AccessModeReadWrite = AccessModeRead | AccessModeWrite
+
 var (
 	_ internal.Custom = (*Container)(nil)

--- a/container/types.pb.go
+++ b/container/types.pb.go
@ -33,10 +33,12 @@ type Container struct {
 	// Capacity defines amount of data that can be stored in the container (doesn't used for now).
 	Capacity uint64 `protobuf:"varint,3,opt,name=Capacity,proto3" json:"Capacity,omitempty"`
 	// Rules define storage policy for the object inside the container.
-	Rules                netmap.PlacementRule `protobuf:"bytes,4,opt,name=Rules,proto3" json:"Rules"`
-	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
-	XXX_unrecognized     []byte               `json:"-"`
-	XXX_sizecache        int32                `json:"-"`
+	Rules netmap.PlacementRule `protobuf:"bytes,4,opt,name=Rules,proto3" json:"Rules"`
+	// Container ACL.
+	List                 AccessControlList `protobuf:"bytes,5,opt,name=List,proto3" json:"List"`
+	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
+	XXX_unrecognized     []byte            `json:"-"`
+	XXX_sizecache        int32             `json:"-"`
 }

 func (m *Container) Reset()         { *m = Container{} }
@ -82,32 +84,136 @@ func (m *Container) GetRules() netmap.PlacementRule {
 	return netmap.PlacementRule{}
 }

+func (m *Container) GetList() AccessControlList {
+	if m != nil {
+		return m.List
+	}
+	return AccessControlList{}
+}
+
+type AccessGroup struct {
+	// Group access mode.
+	AccessMode uint32 `protobuf:"varint,1,opt,name=AccessMode,proto3" json:"AccessMode,omitempty"`
+	// Group members.
+	UserGroup            []OwnerID `protobuf:"bytes,2,rep,name=UserGroup,proto3,customtype=OwnerID" json:"UserGroup"`
+	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
+	XXX_unrecognized     []byte    `json:"-"`
+	XXX_sizecache        int32     `json:"-"`
+}
+
+func (m *AccessGroup) Reset()         { *m = AccessGroup{} }
+func (m *AccessGroup) String() string { return proto.CompactTextString(m) }
+func (*AccessGroup) ProtoMessage()    {}
+func (*AccessGroup) Descriptor() ([]byte, []int) {
+	return fileDescriptor_1432e52ab0b53e3e, []int{1}
+}
+func (m *AccessGroup) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *AccessGroup) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *AccessGroup) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_AccessGroup.Merge(m, src)
+}
+func (m *AccessGroup) XXX_Size() int {
+	return m.Size()
+}
+func (m *AccessGroup) XXX_DiscardUnknown() {
+	xxx_messageInfo_AccessGroup.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_AccessGroup proto.InternalMessageInfo
+
+func (m *AccessGroup) GetAccessMode() uint32 {
+	if m != nil {
+		return m.AccessMode
+	}
+	return 0
+}
+
+type AccessControlList struct {
+	// List of access groups.
+	List                 []AccessGroup `protobuf:"bytes,1,rep,name=List,proto3" json:"List"`
+	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
+	XXX_unrecognized     []byte        `json:"-"`
+	XXX_sizecache        int32         `json:"-"`
+}
+
+func (m *AccessControlList) Reset()         { *m = AccessControlList{} }
+func (m *AccessControlList) String() string { return proto.CompactTextString(m) }
+func (*AccessControlList) ProtoMessage()    {}
+func (*AccessControlList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_1432e52ab0b53e3e, []int{2}
+}
+func (m *AccessControlList) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *AccessControlList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *AccessControlList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_AccessControlList.Merge(m, src)
+}
+func (m *AccessControlList) XXX_Size() int {
+	return m.Size()
+}
+func (m *AccessControlList) XXX_DiscardUnknown() {
+	xxx_messageInfo_AccessControlList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_AccessControlList proto.InternalMessageInfo
+
+func (m *AccessControlList) GetList() []AccessGroup {
+	if m != nil {
+		return m.List
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*Container)(nil), "container.Container")
+	proto.RegisterType((*AccessGroup)(nil), "container.AccessGroup")
+	proto.RegisterType((*AccessControlList)(nil), "container.AccessControlList")
 }

 func init() { proto.RegisterFile("container/types.proto", fileDescriptor_1432e52ab0b53e3e) }

 var fileDescriptor_1432e52ab0b53e3e = []byte{
-	// 275 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0x4d, 0xce, 0xcf, 0x2b,
-	0x49, 0xcc, 0xcc, 0x4b, 0x2d, 0xd2, 0x2f, 0xa9, 0x2c, 0x48, 0x2d, 0xd6, 0x2b, 0x28, 0xca, 0x2f,
-	0xc9, 0x17, 0xe2, 0x84, 0x0b, 0x4b, 0x69, 0xa5, 0x67, 0x96, 0x64, 0x94, 0x26, 0xe9, 0x25, 0xe7,
-	0xe7, 0xea, 0xe7, 0x15, 0x17, 0x24, 0x27, 0xeb, 0xa6, 0xa4, 0x96, 0xe9, 0xe7, 0xa5, 0x96, 0xe4,
-	0x26, 0x16, 0xe8, 0x17, 0xa7, 0xe6, 0xa4, 0x26, 0x97, 0xe4, 0x17, 0x41, 0xb4, 0x49, 0xe9, 0x22,
-	0xa9, 0x4d, 0xcf, 0x4f, 0xcf, 0xd7, 0x07, 0x0b, 0x27, 0x95, 0xa6, 0x81, 0x79, 0x60, 0x0e, 0x98,
-	0x05, 0x51, 0xae, 0xb4, 0x9c, 0x91, 0x8b, 0xd3, 0x19, 0x66, 0x91, 0x90, 0x26, 0x17, 0xbb, 0x7f,
-	0x79, 0x5e, 0x6a, 0x91, 0xa7, 0x8b, 0x04, 0xa3, 0x02, 0xa3, 0x06, 0x8f, 0x13, 0xff, 0x89, 0x7b,
-	0xf2, 0x0c, 0xb7, 0xee, 0xc9, 0xc3, 0x84, 0x83, 0x60, 0x0c, 0x21, 0x05, 0x2e, 0x96, 0xe0, 0xc4,
-	0x9c, 0x12, 0x09, 0x26, 0xb0, 0x3a, 0x1e, 0xa8, 0x3a, 0x96, 0xd0, 0x50, 0x4f, 0x97, 0x20, 0xb0,
-	0x8c, 0x90, 0x14, 0x17, 0x87, 0x73, 0x62, 0x41, 0x62, 0x72, 0x66, 0x49, 0xa5, 0x04, 0xb3, 0x02,
-	0xa3, 0x06, 0x4b, 0x10, 0x9c, 0x2f, 0x64, 0xc8, 0xc5, 0x1a, 0x54, 0x9a, 0x93, 0x5a, 0x2c, 0xc1,
-	0xa2, 0xc0, 0xa8, 0xc1, 0x6d, 0x24, 0xaa, 0x07, 0xf1, 0x8c, 0x5e, 0x40, 0x4e, 0x62, 0x72, 0x6a,
-	0x6e, 0x6a, 0x5e, 0x09, 0x48, 0xd6, 0x89, 0x05, 0x64, 0x6a, 0x10, 0x44, 0xa5, 0x93, 0xc3, 0x89,
-	0x47, 0x72, 0x8c, 0x17, 0x1e, 0xc9, 0x31, 0xde, 0x78, 0x24, 0xc7, 0xf8, 0xe0, 0x91, 0x1c, 0xe3,
-	0x8c, 0xc7, 0x72, 0x0c, 0x51, 0xb8, 0x82, 0x26, 0x3f, 0xad, 0x58, 0x17, 0xe2, 0x59, 0x78, 0x30,
-	0x26, 0xb1, 0x81, 0x05, 0x8c, 0x01, 0x01, 0x00, 0x00, 0xff, 0xff, 0x29, 0x6b, 0x4d, 0x08, 0x71,
-	0x01, 0x00, 0x00,
+	// 368 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x91, 0x4f, 0x4b, 0xfb, 0x30,
+	0x1c, 0xc6, 0x97, 0xad, 0xfb, 0xfd, 0x5c, 0x36, 0x11, 0x03, 0x93, 0x32, 0xa4, 0x2b, 0x3b, 0x55,
+	0xa1, 0xad, 0x4e, 0xf0, 0xac, 0xdb, 0x44, 0x06, 0x8a, 0x52, 0xd9, 0x45, 0xbc, 0x74, 0x59, 0x36,
+	0x0b, 0x5d, 0x53, 0x92, 0x54, 0xd9, 0x3b, 0xf1, 0x25, 0xed, 0xe8, 0x51, 0x3c, 0x4c, 0xa9, 0x6f,
+	0x44, 0x9a, 0x6c, 0x75, 0x30, 0xbd, 0xe5, 0x79, 0xf2, 0x79, 0x92, 0xef, 0x1f, 0x58, 0xc7, 0x34,
+	0x12, 0x7e, 0x10, 0x11, 0xe6, 0x8a, 0x59, 0x4c, 0xb8, 0x13, 0x33, 0x2a, 0x28, 0xaa, 0xe4, 0x76,
+	0xe3, 0x70, 0x12, 0x88, 0xc7, 0x64, 0xe8, 0x60, 0x3a, 0x75, 0x23, 0x1e, 0x63, 0x6c, 0x8f, 0xc8,
+	0x93, 0x1b, 0x11, 0x31, 0xf5, 0x63, 0x97, 0x93, 0x90, 0x60, 0x41, 0x99, 0x8a, 0x35, 0xec, 0x35,
+	0x76, 0x42, 0x27, 0xd4, 0x95, 0xf6, 0x30, 0x19, 0x4b, 0x25, 0x85, 0x3c, 0x29, 0xbc, 0xf5, 0x01,
+	0x60, 0xa5, 0xbb, 0xfa, 0x08, 0x1d, 0xc0, 0xff, 0x37, 0xcf, 0x11, 0x61, 0xfd, 0x9e, 0x0e, 0x4c,
+	0x60, 0xd5, 0x3a, 0x3b, 0xf3, 0x45, 0xb3, 0xf0, 0xbe, 0x68, 0xae, 0x6c, 0x6f, 0x75, 0x40, 0x26,
+	0xd4, 0xee, 0xfc, 0x50, 0xe8, 0x45, 0xc9, 0xd5, 0x96, 0x9c, 0x36, 0x18, 0xf4, 0x7b, 0x9e, 0xbc,
+	0x41, 0x0d, 0xb8, 0xd5, 0xf5, 0x63, 0x1f, 0x07, 0x62, 0xa6, 0x97, 0x4c, 0x60, 0x69, 0x5e, 0xae,
+	0xd1, 0x31, 0x2c, 0x7b, 0x49, 0x48, 0xb8, 0xae, 0x99, 0xc0, 0xaa, 0xb6, 0xeb, 0x8e, 0x6a, 0xc6,
+	0xb9, 0x0d, 0x7d, 0x4c, 0xa6, 0x24, 0x12, 0xd9, 0x6d, 0x47, 0xcb, 0x5e, 0xf5, 0x14, 0x89, 0x4e,
+	0xa1, 0x76, 0x15, 0x70, 0xa1, 0x97, 0x65, 0x62, 0xdf, 0xc9, 0xc7, 0xe3, 0x9c, 0x63, 0x4c, 0x38,
+	0xcf, 0xba, 0x60, 0x34, 0xcc, 0x98, 0x65, 0x50, 0xf2, 0xad, 0x07, 0x58, 0x55, 0xc0, 0x25, 0xa3,
+	0x49, 0x8c, 0x0c, 0x08, 0x95, 0xbc, 0xa6, 0x23, 0x22, 0xbb, 0xdc, 0xf6, 0xd6, 0x1c, 0x64, 0xc3,
+	0xca, 0x80, 0x13, 0x26, 0x61, 0xbd, 0x68, 0x96, 0x7e, 0x1b, 0xc2, 0x0f, 0xd1, 0xba, 0x80, 0xbb,
+	0x1b, 0xdf, 0xa3, 0xa3, 0x65, 0xa9, 0xc0, 0x2c, 0x59, 0xd5, 0xf6, 0xde, 0x46, 0xa9, 0x32, 0xba,
+	0x5e, 0x64, 0xe7, 0x6c, 0x9e, 0x1a, 0xe0, 0x35, 0x35, 0xc0, 0x5b, 0x6a, 0x80, 0xcf, 0xd4, 0x00,
+	0x2f, 0x5f, 0x46, 0xe1, 0xfe, 0xaf, 0xbd, 0xd3, 0x31, 0xb7, 0xd5, 0x26, 0xf3, 0x97, 0x87, 0xff,
+	0xa4, 0x71, 0xf2, 0x1d, 0x00, 0x00, 0xff, 0xff, 0x13, 0x1b, 0x01, 0x24, 0x4e, 0x02, 0x00, 0x00,
 }

 func (m *Container) Marshal() (dAtA []byte, err error) {
@ -134,6 +240,16 @@ func (m *Container) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	{
+		size, err := m.List.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintTypes(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x2a
 	{
 		size, err := m.Rules.MarshalToSizedBuffer(dAtA[:i])
 		if err != nil {
@ -172,6 +288,93 @@ func (m *Container) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }

+func (m *AccessGroup) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AccessGroup) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *AccessGroup) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.UserGroup) > 0 {
+		for iNdEx := len(m.UserGroup) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size := m.UserGroup[iNdEx].Size()
+				i -= size
+				if _, err := m.UserGroup[iNdEx].MarshalTo(dAtA[i:]); err != nil {
+					return 0, err
+				}
+				i = encodeVarintTypes(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	if m.AccessMode != 0 {
+		i = encodeVarintTypes(dAtA, i, uint64(m.AccessMode))
+		i--
+		dAtA[i] = 0x8
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *AccessControlList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AccessControlList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *AccessControlList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.List) > 0 {
+		for iNdEx := len(m.List) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.List[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintTypes(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintTypes(dAtA []byte, offset int, v uint64) int {
 	offset -= sovTypes(v)
 	base := offset
@ -198,6 +401,47 @@ func (m *Container) Size() (n int) {
 	}
 	l = m.Rules.Size()
 	n += 1 + l + sovTypes(uint64(l))
+	l = m.List.Size()
+	n += 1 + l + sovTypes(uint64(l))
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
+func (m *AccessGroup) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.AccessMode != 0 {
+		n += 1 + sovTypes(uint64(m.AccessMode))
+	}
+	if len(m.UserGroup) > 0 {
+		for _, e := range m.UserGroup {
+			l = e.Size()
+			n += 1 + l + sovTypes(uint64(l))
+		}
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
+func (m *AccessControlList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.List) > 0 {
+		for _, e := range m.List {
+			l = e.Size()
+			n += 1 + l + sovTypes(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@ -357,6 +601,235 @@ func (m *Container) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field List", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.List.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipTypes(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AccessGroup) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowTypes
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AccessGroup: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AccessGroup: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AccessMode", wireType)
+			}
+			m.AccessMode = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AccessMode |= uint32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UserGroup", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var v OwnerID
+			m.UserGroup = append(m.UserGroup, v)
+			if err := m.UserGroup[len(m.UserGroup)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipTypes(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AccessControlList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowTypes
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AccessControlList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AccessControlList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field List", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.List = append(m.List, AccessGroup{})
+			if err := m.List[len(m.List)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipTypes(dAtA[iNdEx:])
--- a/container/types.proto
+++ b/container/types.proto
@ -17,4 +17,18 @@ message Container {
    uint64 Capacity            = 3;
    // Rules define storage policy for the object inside the container.
    netmap.PlacementRule Rules = 4 [(gogoproto.nullable) = false];
+    // Container ACL.
+    AccessControlList List     = 5 [(gogoproto.nullable) = false];
+}
+
+message AccessGroup {
+    // Group access mode.
+    uint32 AccessMode         = 1;
+    // Group members.
+    repeated bytes UserGroup  = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
+}
+
+message AccessControlList {
+    // List of access groups.
+    repeated AccessGroup List = 1 [(gogoproto.nullable) = false];
 }
--- a/container/types_test.go
+++ b/container/types_test.go
@ -55,3 +55,23 @@ func TestCID(t *testing.T) {
 		require.Equal(t, cid1, cid2)
 	})
 }
+
+func TestAccessMode(t *testing.T) {
+	t.Run("read access to read/write mode", func(t *testing.T) {
+		require.Equal(t, AccessModeRead, AccessModeReadWrite&AccessModeRead)
+	})
+
+	t.Run("write access to read/write mode", func(t *testing.T) {
+		require.Equal(t, AccessModeWrite, AccessModeReadWrite&AccessModeWrite)
+	})
+
+	t.Run("read(write) access to write(read) mode", func(t *testing.T) {
+		require.Zero(t, AccessModeRead&AccessModeWrite)
+	})
+
+	t.Run("access to same mode", func(t *testing.T) {
+		require.Equal(t, AccessModeWrite, AccessModeWrite&AccessModeWrite)
+		require.Equal(t, AccessModeRead, AccessModeRead&AccessModeRead)
+		require.Equal(t, AccessModeReadWrite, AccessModeReadWrite&AccessModeReadWrite)
+	})
+}
--- a/go.mod
+++ b/go.mod
@ -18,3 +18,6 @@ require (
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	google.golang.org/grpc v1.24.0
 )
+
+// Used for debug reasons
+// replace github.com/nspcc-dev/neofs-crypto => ../neofs-crypto
--- a/service/verify.go
+++ b/service/verify.go
@ -2,6 +2,7 @@ package service

 import (
 	"crypto/ecdsa"
+	"sync"

 	crypto "github.com/nspcc-dev/neofs-crypto"
 	"github.com/nspcc-dev/neofs-proto/internal"
@ -12,7 +13,8 @@ import (
 type (
 	// VerifiableRequest adds possibility to sign and verify request header.
 	VerifiableRequest interface {
-		Marshal() ([]byte, error)
+		Size() int
+		MarshalTo([]byte) (int, error)
 		AddSignature(*RequestVerificationHeader_Signature)
 		GetSignatures() []*RequestVerificationHeader_Signature
 		SetSignatures([]*RequestVerificationHeader_Signature)
@ -133,6 +135,10 @@ func newSignature(key *ecdsa.PrivateKey, data []byte) (*RequestVerificationHeade
 	}, nil
 }

+var bytesPool = sync.Pool{New: func() interface{} {
+	return make([]byte, 4.5*1024*1024) // 4.5MB
+}}
+
 // SignRequestHeader receives private key and request with RequestVerificationHeader,
 // tries to marshal and sign request with passed PrivateKey, after that adds
 // new signature to headers. If something went wrong, returns error.
@ -146,12 +152,23 @@ func SignRequestHeader(key *ecdsa.PrivateKey, msg VerifiableRequest) error {
 		}()
 	}

-	data, err := msg.Marshal()
+	data := bytesPool.Get().([]byte)
+	defer func() {
+		bytesPool.Put(data)
+	}()
+
+	if size := msg.Size(); size <= cap(data) {
+		data = data[:size]
+	} else {
+		data = make([]byte, size)
+	}
+
+	size, err := msg.MarshalTo(data)
 	if err != nil {
 		return err
 	}

-	signature, err := newSignature(key, data)
+	signature, err := newSignature(key, data[:size])
 	if err != nil {
 		return err
 	}
@ -174,8 +191,10 @@ func VerifyRequestHeader(msg VerifiableRequest) error {
 		}()
 	}

+	data := bytesPool.Get().([]byte)
 	signatures := msg.GetSignatures()
 	defer func() {
+		bytesPool.Put(data)
 		msg.SetSignatures(signatures)
 	}()

@ -189,9 +208,15 @@ func VerifyRequestHeader(msg VerifiableRequest) error {
 			return errors.Wrapf(ErrCannotLoadPublicKey, "%d: %02x", i, peer)
 		}

-		if data, err := msg.Marshal(); err != nil {
+		if size := msg.Size(); size <= cap(data) {
+			data = data[:size]
+		} else {
+			data = make([]byte, size)
+		}
+
+		if size, err := msg.MarshalTo(data); err != nil {
 			return errors.Wrapf(err, "%d: %02x", i, peer)
-		} else if err := crypto.Verify(key, data, sign); err != nil {
+		} else if err := crypto.Verify(key, data[:size], sign); err != nil {
 			return errors.Wrapf(err, "%d: %02x", i, peer)
 		}
 	}
--- a/service/verify_test.go
+++ b/service/verify_test.go
@ -14,6 +14,57 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func BenchmarkSignRequestHeader(b *testing.B) {
+	key := test.DecodeKey(0)
+
+	custom := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
+
+	some := &TestRequest{
+		IntField:    math.MaxInt32,
+		StringField: "TestRequestStringField",
+		BytesField:  make([]byte, 1<<22),
+		CustomField: &custom,
+		RequestMetaHeader: RequestMetaHeader{
+			TTL:   math.MaxInt32 - 8,
+			Epoch: math.MaxInt64 - 12,
+		},
+	}
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		require.NoError(b, SignRequestHeader(key, some))
+	}
+}
+
+func BenchmarkVerifyRequestHeader(b *testing.B) {
+	custom := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
+
+	some := &TestRequest{
+		IntField:    math.MaxInt32,
+		StringField: "TestRequestStringField",
+		BytesField:  make([]byte, 1<<22),
+		CustomField: &custom,
+		RequestMetaHeader: RequestMetaHeader{
+			TTL:   math.MaxInt32 - 8,
+			Epoch: math.MaxInt64 - 12,
+		},
+	}
+
+	for i := 0; i < 10; i++ {
+		key := test.DecodeKey(i)
+		require.NoError(b, SignRequestHeader(key, some))
+	}
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		require.NoError(b, VerifyRequestHeader(some))
+	}
+}
+
 func TestSignRequestHeader(t *testing.T) {
 	req := &TestRequest{
 		IntField:    math.MaxInt32,