27171ef753
The EACLTable message and its signature are stored in blockchain storage. If an owner has several containers, a malicious node can return a correct EACLTable of a container other than the one the client actually requested. With a container id field in the EACLTable, this malicious behaviour can be detected. ContainerID has field id 1, so the contract can easily cut the container id from the byte sequence. Signed-off-by: Alex Vanin <alexey@nspcc.ru>
syntax = "proto3";

package acl;

option go_package = "github.com/nspcc-dev/neofs-api-go/acl";

option csharp_namespace = "NeoFS.API.Acl";

import "github.com/gogo/protobuf/gogoproto/gogo.proto";

// Ask gogoproto for stable (deterministic) marshaling of every message in
// this file. The EACLTable and its signature are kept in blockchain storage,
// so the byte sequence that is signed and later verified must be reproducible
// across marshaler runs.
option (gogoproto.stable_marshaler_all) = true;
// Target of the access control rule in access control list.
//
// Identifies *who* a rule applies to; the actual keys for PubKey targets are
// carried separately in EACLRecord.TargetInfo.KeyList.
//
// NOTE(review): value names are not prefixed with the enum name (TARGET_*),
// which is the usual convention to avoid scope collisions in generated code.
// Renaming them now would change generated identifiers and JSON output, so
// they are kept as-is.
enum Target {
  // Unknown target, default value.
  // Zero value of the enum; a record carrying it names no subject.
  // NOTE(review): whether evaluators reject or ignore such records is not
  // stated here — confirm against the evaluating node.
  Unknown = 0;

  // User target rule is applied if sender is the owner of the container.
  User = 1;

  // System target rule is applied if sender is the storage node within the
  // container or inner ring node.
  System = 2;

  // Others target rule is applied if sender is not user or system target.
  Others = 3;

  // PubKey target rule is applied if sender has public key provided in
  // extended ACL.
  // The matching keys are listed in EACLRecord.TargetInfo.KeyList.
  PubKey = 4;
}
// EACLRecord groups information about extended ACL rule.
//
// One record describes a single rule: for the given operation, when every
// relevant header filter matches, apply the action to the listed targets.
// NOTE(review): whether all Filters must match or any one suffices, and how
// several Targets combine, is not defined in this file — confirm against the
// evaluating node before relying on it.
message EACLRecord {
  // Operation is an enumeration of operation types.
  // The semantics of each operation are defined by the object service, not
  // by this file; here they only select which requests a rule applies to.
  enum Operation {
    // Zero value; not a real operation.
    OPERATION_UNKNOWN = 0;
    GET = 1;
    HEAD = 2;
    PUT = 3;
    DELETE = 4;
    SEARCH = 5;
    GETRANGE = 6;
    GETRANGEHASH = 7;
  }

  // Operation carries type of operation.
  // Generated Go field name is "Operation"; JSON key is "Operation".
  Operation operation = 1 [(gogoproto.customname) = "Operation", json_name="Operation"];

  // Action is an enumeration of EACL actions.
  enum Action {
    // Zero value; no decision. NOTE(review): treat as invalid rather than as
    // an implicit allow — confirm with the evaluating node.
    ActionUnknown = 0;
    // Allow action.
    Allow = 1;
    // Deny action.
    Deny = 2;
  }

  // Action carries ACL target action.
  // Generated Go field name is "Action"; JSON key is "Action".
  Action action = 2 [(gogoproto.customname) = "Action", json_name="Action"];

  // FilterInfo groups information about filter.
  // A filter compares one header (selected by Header and HeaderName) against
  // HeaderVal using MatchType.
  message FilterInfo {
    // Header is an enumeration of filtering header types.
    enum Header {
      // Zero value; no header type selected.
      HeaderUnknown = 0;
      // Header taken from the request.
      Request = 1;
      // System header of the object.
      ObjectSystem = 2;
      // User-defined header of the object.
      ObjectUser = 3;
    }

    // Header carries type of header.
    // Generated Go field name is "Header"; note the JSON key is "HeaderType",
    // not "header".
    Header header = 1 [(gogoproto.customname) = "Header", json_name="HeaderType"];

    // MatchType is an enumeration of match types.
    enum MatchType {
      // Zero value; no comparison defined.
      MatchUnknown = 0;
      // Header value must equal HeaderVal (string comparison).
      StringEqual = 1;
      // Header value must differ from HeaderVal (string comparison).
      StringNotEqual = 2;
    }

    // MatchType carries type of match.
    // Generated Go field name is "MatchType"; JSON key is "MatchType".
    MatchType matchType = 2 [(gogoproto.customname) = "MatchType", json_name="MatchType"];

    // HeaderName carries name of filtering header.
    // JSON key is "Name".
    string HeaderName = 3 [json_name="Name"];

    // HeaderVal carries value of filtering header.
    // JSON key is "Value". The schema does not bound its length.
    string HeaderVal = 4 [json_name="Value"];
  }

  // Filters carries set of filters.
  // An empty list carries no constraint from this field.
  repeated FilterInfo Filters = 3 [json_name="Filters"];

  // TargetInfo groups information about extended ACL target.
  message TargetInfo {
    // Target carries target of ACL rule.
    // Note the JSON key is "Role", not "Target".
    acl.Target Target = 1 [json_name="Role"];

    // KeyList carries public keys of ACL target.
    // JSON key is "Keys". NOTE(review): the key encoding (curve, compressed
    // or not) is not stated in this file — TODO confirm against the producer
    // and the verifier of these keys. Presumably only meaningful when Target
    // is PubKey; verify.
    repeated bytes KeyList = 2 [json_name="Keys"];
  }

  // Targets carries information about extended ACL target list.
  repeated TargetInfo Targets = 4 [json_name="Targets"];
}
// EACLTable carries the information about extended ACL rules.
//
// The table (together with its signature) is stored in blockchain storage and
// is what a node hands back when a client asks for a container's extended ACL.
message EACLTable {
  // ContainerID of the container that should use given access control rules.
  //
  // Binds the table to exactly one container. Without it, a node could serve
  // the correct (signed) table of a different container of the same owner in
  // place of the one requested; a client receiving a table must therefore
  // compare this value with the container id it asked for and reject a
  // mismatch. The field is deliberately number 1 so the contract can cut the
  // container id from the start of the serialized byte sequence.
  // NOTE(review): the schema itself does not constrain the length or encoding
  // of this value — confirm what the contract and clients expect.
  bytes ContainerID = 1 [json_name="ContainerID"];

  // Records carries list of extended ACL rule records.
  // NOTE(review): evaluation order of the records (e.g. first match wins) is
  // not defined here — confirm against the evaluating node.
  repeated EACLRecord Records = 2 [json_name="Records"];
}