diff --git a/container/service.proto b/container/service.proto index eae69e27..a77cc84c 100644 --- a/container/service.proto +++ b/container/service.proto @@ -136,12 +136,37 @@ message PutRequest { // creation by `Container` smart contract. `ContainerID` is a SHA256 hash of // the stable-marshalled container strucutre, hence there is no need for // additional signature checks. + // + // Optional `eacl` field allows to set extended access rules for the + // container. It must be either set or unset along with `eacl_signature`. + // `eacl_session_token` or `eacl_session_token_v1` must be set along with + // `eacl` only. message Body { // Container structure to register in NeoFS container.Container container = 1; // Signature of a stable-marshalled container according to RFC-6979. neo.fs.v2.refs.SignatureRFC6979 signature = 2; + + // Extended ACL for the container. + neo.fs.v2.acl.EACLTable eacl = 3; + + // N3 witness of stable-marshalled `eacl` field. The witness must + // authenticate either container owner or one of subjects in + // the `eacl_session_token` field if any. Signature according to + // `ECDSA_RFC6979_SHA256` scheme is also supported. + neo.fs.v2.refs.SignatureRFC6979 eacl_signature = 4; + + // Optional eACL session token. The token must be issued by the container + // owner. The token must have at least one subject authenticated + // by `eacl_signature` field. The token must have at least one context + // with this container and `CONTAINER_SETEACL` verb. + neo.fs.v2.session.SessionTokenV2 eacl_session_token = 5; + + // Optional eACL session token (V1). It must not be set together with + // `eacl_session_token` field that is highly recommended to be used + // instead. Requirements are the same for both. + neo.fs.v2.session.SessionToken eacl_session_token_v1 = 6; } // Body of container put request message. Body body = 1; diff --git a/proto-docs/container.md b/proto-docs/container.md index e5ae6e02..81389abc 100644 --- a/proto-docs/container.md 
+++ b/proto-docs/container.md @@ -526,11 +526,20 @@ creation by `Container` smart contract. `ContainerID` is a SHA256 hash of the stable-marshalled container strucutre, hence there is no need for additional signature checks. +Optional `eacl` field allows to set extended access rules for the +container. It must be either set or unset along with `eacl_signature`. +`eacl_session_token` or `eacl_session_token_v1` must be set along with +`eacl` only. + | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | | container | [Container](#neo.fs.v2.container.Container) | | Container structure to register in NeoFS | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of a stable-marshalled container according to RFC-6979. | +| eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL for the container. | +| eacl_signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | N3 witness of stable-marshalled `eacl` field. The witness must authenticate either container owner or one of subjects in the `eacl_session_token` field if any. Signature according to `ECDSA_RFC6979_SHA256` scheme is also supported. | +| eacl_session_token | [neo.fs.v2.session.SessionTokenV2](#neo.fs.v2.session.SessionTokenV2) | | Optional eACL session token. The token must be issued by the container owner. The token must have at least one subject authenticated by `eacl_signature` field. The token must have at least one context with this container and `CONTAINER_SETEACL` verb. | +| eacl_session_token_v1 | [neo.fs.v2.session.SessionToken](#neo.fs.v2.session.SessionToken) | | Optional eACL session token (V1). It must not be set together with `eacl_session_token` field that is highly recommended to be used instead. Requirements are the same for both. |
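Review bot: In the `container/service.proto` hunk, the comment on `eacl_signature` (field 4) names only `eacl_session_token` as the source of acceptable subjects, while `eacl_session_token_v1` (field 6) says "Requirements are the same for both". State in the `eacl_signature` comment that the witness must authenticate the container owner or a subject of whichever token is set, so an implementer does not skip the subject check for V1 tokens. The field is also typed `neo.fs.v2.refs.SignatureRFC6979` but described as an N3 witness with `ECDSA_RFC6979_SHA256` "also supported"; the comment should say how a witness is carried in that message type. Since fields 5 and 6 must not be set together, consider a `oneof` so the schema enforces the exclusion rather than the comment.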
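Review bot: In the `proto-docs/container.md` hunk, the last sentence of the added paragraph, "`eacl_session_token` or `eacl_session_token_v1` must be set along with `eacl` only", can be read as making a token mandatory whenever `eacl` is set, which contradicts the "Optional eACL session token" descriptions in the new table rows. Suggest wording such as "may be set only if `eacl` is set", and list the combinations a server must reject (`eacl` without `eacl_signature` or the reverse, a token without `eacl`, both tokens at once), since the Label column is empty for all four new rows and carries none of these constraints. The same sentence appears in the `Body` comment in `container/service.proto`, so both should change together.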