[#1039] object: Skip APE check for certain request roles

* Skip APE check if a role is Container.
* Skip APE check if a role is IR and methods are get-like.

Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>

pkg/services/object/ape/checker.go

@@ -10,6 +10,7 @@ import (
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	apechain "git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
 	policyengine "git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
+	nativeschema "git.frostfs.info/TrueCloudLab/policy-engine/schema/native"
 )
 
 type checkerImpl struct {
@@ -56,6 +57,21 @@ var errMissingOID = errors.New("object ID is not set")
 // CheckAPE checks if a request or a response is permitted creating an ape request and passing
 // it to chain router.
 func (c *checkerImpl) CheckAPE(ctx context.Context, prm Prm) error {
+	// APE check is ignored for some inter-node requests.
+	if prm.Role == nativeschema.PropertyValueContainerRoleContainer {
+		return nil
+	} else if prm.Role == nativeschema.PropertyValueContainerRoleIR {
+		switch prm.Method {
+		case nativeschema.MethodGetObject,
+			nativeschema.MethodHeadObject,
+			nativeschema.MethodSearchObject,
+			nativeschema.MethodRangeObject,
+			nativeschema.MethodHashObject:
+			return nil
+		default:
+		}
+	}
+
 	r, err := c.newAPERequest(ctx, prm)
 	if err != nil {
 		return fmt.Errorf("failed to create ape request: %w", err)