[#1628] tree: Make ACL checks the same way as for object requests

1. Do not require a request to be signed by the container owner if a bearer token is missing 2. Do not check the system role since public requests are not expected to be signed by IR or a container node (unlike the object requests) Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-09-08 15:44:27 +03:00 · 2022-09-08 15:44:27 +03:00 · 876e014b5d
commit 876e014b5d
parent 4f18893d9b
5 changed files with 171 additions and 72 deletions
--- a/pkg/services/tree/options.go
+++ b/pkg/services/tree/options.go
@ -11,12 +11,13 @@ import (
 )

 type cfg struct {
-	log       *zap.Logger
-	key       *ecdsa.PrivateKey
-	rawPub    []byte
-	nmSource  netmap.Source
-	cnrSource container.Source
-	forest    pilorama.Forest
+	log        *zap.Logger
+	key        *ecdsa.PrivateKey
+	rawPub     []byte
+	nmSource   netmap.Source
+	cnrSource  container.Source
+	eaclSource container.EACLSource
+	forest     pilorama.Forest
 	// replication-related parameters
 	replicatorChannelCapacity int
 	replicatorWorkerCount     int
@ -34,6 +35,14 @@ func WithContainerSource(src container.Source) Option {
 	}
 }

+// WithEACLSource sets a eACL table source for a tree service.
+// This option is required.
+func WithEACLSource(src container.EACLSource) Option {
+	return func(c *cfg) {
+		c.eaclSource = src
+	}
+}
+
 // WithNetmapSource sets a netmap source for a tree service.
 // This option is required.
 func WithNetmapSource(src netmap.Source) Option {