
Chain

The following APE definitions are part of the communication between FrostFS components:

edition = "2023";

package frost.fs.ape;

// TargetType is the type of target for which a rule chain is defined.
enum TargetType {
   UNDEFINED = 0;

   NAMESPACE = 1;

   CONTAINER = 2;

   USER = 3;

   GROUP = 4;
}

// ChainTarget is an object for which a rule chain is defined.
message ChainTarget {
   TargetType type = 1;

   string name = 2;
}

// Chain is a chain of rules defined for a specific target.
message Chain {
   oneof kind {
      // Raw representation of a serialized rule chain.
      bytes raw = 1;
   }
}

Here we describe what exactly can be stored in the Chain.kind.raw field. It is a binary format, described below. Currently, there are several implementations:

Grammar (pseudo code)

Chain = {
    ID        // Chain identifier
    []Rule    // List of rules
    MatchType // Rule selection priority
}

Rule: {
    Status       // Policy application status
    Actions      // Information about the methods being checked
    Resources    // Resources on which the action is performed
    Any          // Flag indicating that the rule triggers if at least one condition is met
    []Condition  // Conditions for triggering this rule
}

ID: <bytes>

MatchType: (<deny_priority_match_type> | <first_match_priority_match_type>)

Status: (<allow_status> | <access_denied_status> | <quota_limit_reached_status> | <no_rule_found_status>)

Actions: {
    Inverted // Actions inversion flag (all others except those specified)
    []Name   // Operations names
}

Resources: {
    Inverted // Resources inversion flag (all others except those specified)
    []Name   // Resources names
}

Inverted: (<true> | <false>)

Name: <string>

Any: (<true> | <false>)

Condition: {
    Op    // Condition operator
    Kind  // What the condition is applied to
    Key   // Key for defining the condition
    Value // Value for defining the condition
}

Op: <operator>

Kind: (<resource_kind> | <request_kind>)

Key: <string>

Value: <string>

Chain

Parameter                JSON                           Binary
ID                       string (base64 encoded value)  []byte
Rule.Status              string (status constants)      byte
Rule.Actions.Inverted    bool                           byte
Rule.Actions.Name        string                         string
Rule.Resources.Inverted  bool                           byte
Rule.Resources.Name      string                         string
Rule.Any                 bool                           byte
Rules.Condition.Op       string (operator constants)    byte
Rules.Condition.Kind     string (kind constants)        byte
Rules.Condition.Key      string                         string
Rules.Condition.Value    string                         string
MatchType                string (matchType constants)   byte

Status constants

JSON Binary
Allow 0x00
NoRuleFound 0x01
AccessDenied 0x02
QuotaLimitReached 0x03

Operator constants

JSON Binary
StringEquals 0x00
StringNotEquals 0x01
StringEqualsIgnoreCase 0x02
StringNotEqualsIgnoreCase 0x03
StringLike 0x04
StringNotLike 0x05
StringLessThan 0x06
StringLessThanEquals 0x07
StringGreaterThan 0x08
StringGreaterThanEquals 0x09
NumericEquals 0x0a
NumericNotEquals 0x0b
NumericLessThan 0x0c
NumericLessThanEquals 0x0d
NumericGreaterThan 0x0e
NumericGreaterThanEquals 0x0f
SliceContains 0x10
IPAddress 0x11
NotIPAddress 0x12

Kind constants

JSON Binary
Resource 0x00
Request 0x01

MatchType constants

JSON Binary
DenyPriority 0x00
FirstMatch 0x01

Actions

You can use either exact action names or *. The * can also be used as a wildcard, once, as a suffix.

  • GetObject
  • PutObject
  • HeadObject
  • DeleteObject
  • SearchObject
  • RangeObject
  • HashObject
  • PatchObject
  • PutContainer
  • DeleteContainer
  • GetContainer
  • ListContainers
  • iam:NativeAddChain
  • iam:NativeGetChain
  • iam:NativeRemoveChain
  • iam:NativeListTargets
  • iam:NativeListChainNames
  • iam:NativeListChains
  • iam:NativeCreateSubject
  • iam:NativeUpdateSubject
  • iam:NativeGetSubject
  • iam:NativeGetSubjectByName
  • iam:NativeDeleteSubject
  • iam:NativeSetSubjectKVs
  • iam:NativeDeleteSubjectKVs
  • iam:NativeAddSubjectKeys
  • iam:NativeRemoveSubjectKeys
  • iam:NativeListSubjects
  • iam:NativeCreateGroup
  • iam:NativeUpdateGroup
  • iam:NativeGetGroup
  • iam:NativeGetGroupByName
  • iam:NativeDeleteGroup
  • iam:NativeSetGroupKVs
  • iam:NativeDeleteGroupKVs
  • iam:NativeAddSubjectsToGroup
  • iam:NativeRemoveSubjectsFromGroup
  • iam:NativeListGroups
  • iam:NativeListGroupSubjects
  • iam:NativeListSubjectGroups
  • s3:ListBuckets
  • s3:OptionsBucket
  • s3:HeadBucket
  • s3:ListMultipartUploads
  • s3:GetBucketLocation
  • s3:GetBucketPolicyStatus
  • s3:GetBucketPolicy
  • s3:GetBucketLifecycle
  • s3:GetBucketEncryption
  • s3:GetBucketCors
  • s3:GetBucketACL
  • s3:GetBucketWebsite
  • s3:GetBucketAccelerate
  • s3:GetBucketRequestPayment
  • s3:GetBucketLogging
  • s3:GetBucketReplication
  • s3:GetBucketTagging
  • s3:GetBucketObjectLockConfig
  • s3:GetBucketVersioning
  • s3:GetBucketNotification
  • s3:ListenBucketNotification
  • s3:ListBucketObjectVersions
  • s3:ListObjectsV2M
  • s3:ListObjectsV2
  • s3:ListObjectsV1
  • s3:PutBucketCors
  • s3:PutBucketACL
  • s3:PutBucketLifecycle
  • s3:PutBucketEncryption
  • s3:PutBucketPolicy
  • s3:PutBucketObjectLockConfig
  • s3:PutBucketTagging
  • s3:PutBucketVersioning
  • s3:PutBucketNotification
  • s3:PutBucketWebsite
  • s3:CreateBucket
  • s3:DeleteMultipleObjects
  • s3:PostObject
  • s3:DeleteBucketCors
  • s3:DeleteBucketWebsite
  • s3:DeleteBucketTagging
  • s3:DeleteBucketPolicy
  • s3:DeleteBucketLifecycle
  • s3:DeleteBucketEncryption
  • s3:DeleteBucket
  • s3:PutPublicAccessBlock
  • s3:GetPublicAccessBlock
  • s3:DeletePublicAccessBlock
  • s3:OptionsObject
  • s3:HeadObject
  • s3:GetObject
  • s3:GetObjectACL
  • s3:GetObjectTagging
  • s3:GetObjectRetention
  • s3:GetObjectLegalHold
  • s3:GetObjectAttributes
  • s3:UploadPartCopy
  • s3:UploadPart
  • s3:ListParts
  • s3:PutObjectACL
  • s3:PutObjectTagging
  • s3:CopyObject
  • s3:PutObjectRetention
  • s3:PutObjectLegalHold
  • s3:PutObject
  • s3:CompleteMultipartUpload
  • s3:CreateMultipartUpload
  • s3:SelectObjectContent
  • s3:AbortMultipartUpload
  • s3:DeleteObjectTagging
  • s3:DeleteObject
  • s3:PatchObject
  • iam:AddUserToGroup
  • iam:AttachGroupPolicy
  • iam:AttachUserPolicy
  • iam:CreateAccessKey
  • iam:CreateNativeCredentials
  • iam:CreateGroup
  • iam:CreatePolicy
  • iam:CreateUser
  • iam:DeleteAccessKey
  • iam:DeleteGroup
  • iam:DeleteGroupPolicy
  • iam:DeletePolicy
  • iam:DeleteUser
  • iam:DeleteUserPolicy
  • iam:DetachGroupPolicy
  • iam:DetachUserPolicy
  • iam:GetGroup
  • iam:GetGroupPolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetUser
  • iam:GetUserPolicy
  • iam:ListAccessKeys
  • iam:ListAttachedGroupPolicies
  • iam:ListAttachedUserPolicies
  • iam:ListEntitiesForPolicy
  • iam:ListGroupPolicies
  • iam:ListGroups
  • iam:ListGroupsForUser
  • iam:ListPolicies
  • iam:ListPolicyVersions
  • iam:ListUserPolicies
  • iam:ListUsers
  • iam:PutGroupPolicy
  • iam:PutUserPolicy
  • iam:RemoveUserFromGroup
  • iam:UpdateGroup
  • iam:UpdateUser
  • iam:TagUser
  • iam:UntagUser
  • iam:ListUserTags
  • iam:CreateVirtualMFADevice
  • iam:DeleteVirtualMFADevice
  • iam:EnableMFADevice
  • iam:ListVirtualMFADevices
  • iam:ListMFADevices
  • iam:DeactivateMFADevice
  • iam:GetSessionToken
  • iam:GetCallerIdentity
  • iam:TagMFADevice
  • iam:UntagMFADevice
  • iam:ListMFADeviceTags

Resources

You can use either exact resource names or *. The * can also be used as a wildcard, once, as a suffix.

Native resources must follow schemes:

For container operations:

native:container/<namespace>/<container_id>

Examples:

Resource Description
native:container/repa/4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4 Match exact container in "repa" namespace
native:container//4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4 Match exact container in "" (root) namespace
native:container/repa/* Match any container in "repa" namespace
native:container//* Match any container in "" (root) namespace
native:container/* Match any container in any namespace
* Match any container in any namespace

For object operations:

native:object/<namespace>/<container_id>/<object_id>

Examples:

Resource Description
native:object/repa/4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4/2KhrmfBfmP4YdnQHmwzsmrfTRjeCi4Mrj7beVRJujFxe Match exact object in exact container in "repa" namespace
native:object//4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4/2KhrmfBfmP4YdnQHmwzsmrfTRjeCi4Mrj7beVRJujFxe Match exact object in exact container in "" (root) namespace
native:object/repa/4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4/* Match any object in exact container in "repa" namespace
native:object//4uv1kTDXJ5vNKWhmm88ofxGnd3cfe8ER4daBbuVE99p4/* Match any object in exact container in "" (root) namespace
native:object/repa/* Match any object in any container in "repa" namespace
native:object//* Match any object in any container in "" (root) namespace
native:object/* Match any object in any container in any namespace
* Match any object in any container in any namespace

Not applicable

Native resources must follow schemes:

arn:aws:s3:::<bucket>/<object>

Examples:

Resource Description
arn:aws:s3:::test/in/dir/obj Match exact "in/dir/obj" object in "test" bucket
arn:aws:s3:::test/prefix* Match any object with "prefix" prefix in "test" bucket
arn:aws:s3:::test/* Match any object in "test" bucket
arn:aws:s3:::* Match any object in any bucket
* Match any object in any bucket

Group

For group operations:

arn:aws:iam::<namespace>:group/<group-name-with-path>

Applied to actions:

  • iam:CreateGroup
  • iam:AddUserToGroup
  • iam:AttachGroupPolicy
  • iam:DeleteGroup
  • iam:DeleteGroupPolicy
  • iam:GetGroup
  • iam:GetGroupPolicy
  • iam:DetachGroupPolicy
  • iam:ListAttachedGroupPolicies
  • iam:ListGroupPolicies
  • iam:PutGroupPolicy
  • iam:RemoveUserFromGroup
  • iam:UpdateGroup

Examples:

Resource Description
arn:aws:iam::repa:group/path/group Match exact group in "repa" namespace
arn:aws:iam:::group/path/group Match exact group in "" (root) namespace
arn:aws:iam::repa:group/* Match any group in "repa" namespace
arn:aws:iam:::group/* Match any group in "" (root) namespace
arn:aws:iam::/* Match any group in any namespace
* Match any group in any namespace

Policy

For policy operations:

arn:aws:iam::<namespace>:policy/<policy-name-with-path>

Applied to actions:

  • iam:CreatePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:ListPolicyVersions
  • iam:ListEntitiesForPolicy
  • iam:DeletePolicy

Examples:

Resource Description
arn:aws:iam::repa:policy/path/policy Match exact policy in "repa" namespace
arn:aws:iam:::policy/path/policy Match exact policy in "" (root) namespace
arn:aws:iam::repa:policy/* Match any policy in "repa" namespace
arn:aws:iam:::policy/* Match any policy in "" (root) namespace
arn:aws:iam::/* Match any policy in any namespace
* Match any policy in any namespace

User

For user operations:

arn:aws:iam::<namespace>:user/<user-name-with-path>

Applied to actions:

  • iam:CreateUser
  • iam:AttachUserPolicy
  • iam:CreateAccessKey
  • iam:CreateNativeCredentials
  • iam:DeleteAccessKey
  • iam:DeleteUser
  • iam:DeleteUserPolicy
  • iam:DetachUserPolicy
  • iam:GetUser
  • iam:GetUserPolicy
  • iam:ListAccessKeys
  • iam:ListAttachedUserPolicies
  • iam:ListGroupsForUser
  • iam:ListUserPolicies
  • iam:PutUserPolicy
  • iam:UpdateUser
  • iam:TagUser
  • iam:UntagUser
  • iam:ListUserTags
  • iam:DeactivateMFADevice
  • iam:ListMFADevices

Examples:

Resource Description
arn:aws:iam::repa:user/path/user Match exact user in "repa" namespace
arn:aws:iam:::user/path/user Match exact user in "" (root) namespace
arn:aws:iam::repa:user/* Match any user in "repa" namespace
arn:aws:iam:::user/* Match any user in "" (root) namespace
arn:aws:iam::/* Match any user in any namespace
* Match any user in any namespace

MFA

For MFA operations:

arn:aws:iam::<namespace>:mfa/<mfa-name-with-path>

Applied to actions:

  • iam:CreateVirtualMFADevice
  • iam:DeleteVirtualMFADevice
  • iam:EnableMFADevice
  • iam:TagMFADevice
  • iam:UntagMFADevice
  • iam:ListMFADeviceTags

Examples:

Resource Description
arn:aws:iam::repa:mfa/path/mfa Match exact MFA device in "repa" namespace
arn:aws:iam:::mfa/path/mfa Match exact MFA device in "" (root) namespace
arn:aws:iam::repa:mfa/* Match any MFA device in "repa" namespace
arn:aws:iam:::mfa/* Match any MFA device in "" (root) namespace
arn:aws:iam::/* Match any MFA device in any namespace
* Match any MFA device in any namespace

Conditions

There are some predefined condition keys that can be used in chain rules:

Condition Key                  Kind      Description
$Object:version                Resource  Version field in object header
$Object:objectID               Resource  Object identifier field in object header
$Object:containerID            Resource  Container identifier field in object header
$Object:ownerID                Resource  OwnerID field in object header
$Object:creationEpoch          Resource  CreationEpoch field in object header
$Object:payloadLength          Resource  PayloadSize field in object header
$Object:payloadHash            Resource  PayloadChecksum field in object header
$Object:objectType             Resource  Type field in object header (one of TOMBSTONE, LOCK, REGULAR)
$Object:homomorphicHash        Resource  PayloadHomomorphicHash field in object header
$Object:containerAttribute/%s  Resource  Arbitrary container attribute (in object operations)
$Container:ownerID             Resource  Owner field in container
$Container:attribute/%s        Resource  Arbitrary container attribute (in container operations)
$Tree:ID                       Resource  Tree identifier (in tree service operations)
$Actor:publicKey               Request   Hex encoded public key of request actor
$Actor:role                    Request   Role of request actor (one of owner, ir, container, others)
frostfsid:userClaim/%s         Request   Arbitrary claims of actor (user) in frostfsid contract
frostfsid:groupID              Request   Actor (user) groups in frostfsid contract
frostfs:sourceIP               Request   IP address of client
frostfs:xheader/%s             Request   Arbitrary additional XHeaders from request

Condition Key                  Kind      Description
$Actor:publicKey               Request   Hex encoded public key of request actor

Condition Key                  Kind      Description
Owner                          Request   Base58 encoded user Neo N3 address
frostfsid:userClaim/%s         Request   Arbitrary claims of user in frostfsid contract
frostfsid:groupID              Request   User groups in frostfsid contract
frostfs:sourceIP               Request   IP address of client
s3:delimiter                   Request   Delimiter parameter in listing operations
s3:prefix                      Request   Prefix parameter in listing operations
s3:max-keys                    Request   MaxKeys parameter in listing operations
s3:VersionId                   Request   VersionID of object
s3:x-amz-copy-source           Request   X-Amz-Copy-Source parameter in copy operation
s3:x-amz-metadata-directive    Request   X-Amz-Metadata-Directive parameter in copy operation
AccessBox-Attribute/IAM-MFA    Request   Whether the credential was issued using MFA
AccessBox-Attribute/%s         Request   Arbitrary attributes of credentials object
aws:RequestTag/%s              Request   Arbitrary tags in S3 request
aws:ResourceTag/%s             Resource  Arbitrary tags in S3 resource
s3:ExistingObjectTag/%s        Resource  Arbitrary tags in S3 resource

Condition Key                  Kind      Description
Owner                          Request   Base58 encoded user Neo N3 address
frostfsid:userClaim/%s         Request   Arbitrary claims of user in frostfsid contract
frostfsid:groupID              Request   User groups in frostfsid contract
frostfs:sourceIP               Request   IP address of client
AccessBox-Attribute/IAM-MFA    Request   Whether the credential was issued using MFA
AccessBox-Attribute/%s         Request   Arbitrary attributes of credentials object

Binary format

Chain must be marshaled to bytes according to:

<marshal_version_byte> +

<chain_marshal_version_byte> +

<varint_encoded_chain_id_length> +
    <chain_id_bytes> +

<varint_encoded_rules_length> +
    <status_byte> +

    <actions_inverted_bool_flag_byte> +
    <varint_encoded_actions_names_length> +
        <varint_encoded_action_name_length> +
            <action_name_bytes> +

    <resources_inverted_bool_flag_byte> +
    <varint_encoded_resources_names_length> +
        <varint_encoded_resource_name_length> +
            <resource_name_bytes> +

    <any_bool_flag_byte> +

    <varint_encoded_conditions_length> +
        <condition_operator_byte> +
        <condition_kind_byte> +
        <varint_encoded_condition_key_length> +
            <condition_key_bytes> +
        <varint_encoded_condition_value_length> +
            <condition_value_bytes> +

<match_type_byte>

Suppose we have the following chain JSON:

{
  "ID": "",
  "Rules": [
    {
      "Status": "AccessDenied",
      "Actions": {
        "Inverted": true,
        "Names": [
          "GetObject"
        ]
      },
      "Resources": {
        "Inverted": true,
        "Names": [
          "native:object/*"
        ]
      },
      "Any": true,
      "Condition": [
        {
          "Op": "NumericLessThanEquals",
          "Kind": "Request",
          "Key": "Department",
          "Value": "HR"
        }
      ]
    }
  ],
  "MatchType": "FirstMatch"
}

The binary form will be:

# Bytes with comment
[
0x00,                                                                       # marshal version 0
0x00,                                                                       # chain marshal version 0
0x00,                                                                       # ID length 0 varint encoded
0x02,                                                                       # Rules length 1 varint (signed int64) encoded
0x02,                                                                       # AccessDenied status
0x01,                                                                       # Inverted actions flag true
0x02,                                                                       # Actions length 1 varint (signed int64) encoded
0x12,                                                                       # "GetObject" action length 9 varint (signed int64) encoded
0x47,0x65,0x74,0x4f,0x62,0x6a,0x65,0x63,0x74,                               # "GetObject" encoded
0x01,                                                                       # Inverted resources flag true
0x02,                                                                       # Resources length 1 varint (signed int64) encoded
0x1e,                                                                       # "native:object/*" resource length 15 varint (signed int64) encoded
0x6e,0x61,0x74,0x69,0x76,0x65,0x3a,0x6f,0x62,0x6a,0x65,0x63,0x74,0x2f,0x2a, # "native:object/*" encoded
0x01,                                                                       # Any flag true
0x02,                                                                       # Conditions length 1 varint (signed int64) encoded
0x0d,                                                                       # NumericLessThanEquals operator
0x01,                                                                       # Request kind
0x14,                                                                       # "Department" key length 10 varint (signed int64) encoded
0x44,0x65,0x70,0x61,0x72,0x74,0x6d,0x65,0x6e,0x74,                          # "Department" encoded
0x04,                                                                       # "HR" value length 2 varint (signed int64) encoded
0x48,0x52,                                                                  # "HR" encoded
0x01                                                                        # FirstMatch match type
]

# Bytes
[0x00,0x00,0x00,0x02,0x02,0x01,0x02,0x12,0x47,0x65,0x74,0x4f,0x62,0x6a,0x65,0x63,0x74,0x01,
0x02,0x1e,0x6e,0x61,0x74,0x69,0x76,0x65,0x3a,0x6f,0x62,0x6a,0x65,0x63,0x74,0x2f,0x2a,0x01,
0x02,0x0d,0x01,0x14,0x44,0x65,0x70,0x61,0x72,0x74,0x6d,0x65,0x6e,0x74,0x04,0x48,0x52,0x01]

# Hex
00000002020102124765744f626a65637401021e6e61746976653a6f626a6563742f2a01020d01144465706172746d656e7404485201

# String
0x000x000x000x020x020x010x020x12GetObject0x010x020x1enative:object/*0x010x020x0d0x010x14Department0x04HR0x01
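
The layout can be checked mechanically. The decoder below is an added example, not FrostFS code: it parses raw chain bytes back into the JSON form and reads each varint as a zigzag-encoded signed integer, which is what the sample bytes show (length 9 is 0x12). The names Reader, Malformed and decode, and the choice to reject negative or oversized lengths, unknown constants and trailing bytes, are assumptions of this example.

```python
import base64

# Constant tables from this page; the list index is the binary value.
STATUS = ["Allow", "NoRuleFound", "AccessDenied", "QuotaLimitReached"]
KIND, MATCH_TYPE, FLAG = ["Resource", "Request"], ["DenyPriority", "FirstMatch"], [False, True]
OPS = ("StringEquals StringNotEquals StringEqualsIgnoreCase StringNotEqualsIgnoreCase "
       "StringLike StringNotLike StringLessThan StringLessThanEquals StringGreaterThan "
       "StringGreaterThanEquals NumericEquals NumericNotEquals NumericLessThan "
       "NumericLessThanEquals NumericGreaterThan NumericGreaterThanEquals "
       "SliceContains IPAddress NotIPAddress").split()

class Malformed(ValueError):
    """Input that does not follow the layout (non-UTF-8 names raise UnicodeDecodeError)."""

class Reader:
    def __init__(self, data: bytes):
        self.buf, self.pos = data, 0

    def enum(self, table):
        """Read one byte and map it through a constant table; unknown values fail."""
        if self.pos >= len(self.buf) or self.buf[self.pos] >= len(table):
            raise Malformed(f"truncated input or unknown constant at offset {self.pos}")
        self.pos += 1
        return table[self.buf[self.pos - 1]]

    def length(self) -> int:
        """Read a zigzag varint n and require 0 <= n <= bytes left before using it."""
        u = shift = 0
        while shift <= 63:  # at most 10 bytes for a 64-bit value
            b = self.enum(range(256))  # any byte value is acceptable here
            u |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                n = (u >> 1) ^ -(u & 1)  # zigzag: 0x12 -> 9, 0x01 -> -1
                if 0 <= n <= len(self.buf) - self.pos:
                    return n
                break
        raise Malformed(f"bad length before offset {self.pos}")

    def blob(self) -> bytes:
        n = self.length()
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def names(self) -> dict:
        return {"Inverted": self.enum(FLAG),
                "Names": [self.blob().decode() for _ in range(self.length())]}

def decode(data: bytes) -> dict:
    """Parse Chain.kind.raw bytes into the JSON form used on this page."""
    r = Reader(data)
    r.enum([0])  # marshal version: only 0 is accepted
    r.enum([0])  # chain marshal version: only 0 is accepted
    chain = {"ID": base64.b64encode(r.blob()).decode(), "Rules": []}
    for _ in range(r.length()):
        rule = {"Status": r.enum(STATUS), "Actions": r.names(), "Resources": r.names(),
                "Any": r.enum(FLAG), "Condition": []}
        for _ in range(r.length()):
            rule["Condition"].append({"Op": r.enum(OPS), "Kind": r.enum(KIND),
                                      "Key": r.blob().decode(), "Value": r.blob().decode()})
        chain["Rules"].append(rule)
    chain["MatchType"] = r.enum(MATCH_TYPE)
    if r.pos != len(data):
        raise Malformed("trailing bytes after match type")
    return chain

# This page's worked example (hex form), decoded when the block runs.
EXAMPLE = decode(bytes.fromhex("00000002020102124765744f626a65637401021e6e61746976653a"
                               "6f626a6563742f2a01020d01144465706172746d656e7404485201"))
```

Because every count and length is bounded by the bytes remaining, a crafted length prefix cannot make the decoder allocate or loop beyond the size of its input.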

Examples

For simplicity, we will use JSON-formatted chains. For how to encode them to binary, see the Binary format section.

Full Object Access

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": ["*"]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["native:object/*"]
    },
    "Any": false,
    "Condition": []
  }],
  "MatchType": "DenyPriority"
}

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": ["s3:*"]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["arn:aws:s3:::*"]
    },
    "Any": false,
    "Condition": []
  }],
  "MatchType": "DenyPriority"
}

Read-only Object Access

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": [
        "GetObject",
        "HeadObject",
        "SearchObject",
        "RangeObject",
        "HashObject"
      ]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["native:object/*"]
    },
    "Any": false,
    "Condition": []
  }],
  "MatchType": "DenyPriority"
}

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": [
        "s3:GetObject",
        "s3:HeadObject",
        "s3:ListObjectsV1",
        "s3:ListObjectsV2"
      ]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["arn:aws:s3:::*"]
    },
    "Any": false,
    "Condition": []
  }],
  "MatchType": "DenyPriority"
}

Specific Object Actions Access

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": [
        "GetObject",
        "HeadObject"
      ]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["native:object//EyEeS5NcyUGUkCvm3KrrgjpQd1m2MDMN1TPxomcJKPvb/2KhrmfBfmP4YdnQHmwzsmrfTRjeCi4Mrj7beVRJujFxe"]
    },
    "Any": false,
    "Condition": [{
      "Op": "StringEquals",
      "Kind": "Request",
      "Key":"$Actor:publicKey",
      "Value":"022e6bfd4be6546c7e28b1126397851184c26318eeab3f56d94e949fe3fe9ecd17"
    }]
  }],
  "MatchType": "DenyPriority"
}

{
  "ID": "",
  "Rules": [{
    "Status": "Allow",
    "Actions": {
      "Inverted": false,
      "Names": [
        "s3:GetObject",
        "s3:HeadObject",
      ]
    },
    "Resources": {
      "Inverted": false,
      "Names": ["arn:aws:s3:::test-bucket/object"]
    },
    "Any": false,
    "Condition": [{
      "Op": "StringEquals",
      "Kind": "Request",
      "Key":"Owner",
      "Value":"NXeWRFkLsskUtMgBmfnR2nbJeudMtghqrq"
    }]
  }],
  "MatchType": "DenyPriority"
}

Target type and chain names

When we add a chain to the system (actually, to the policy contract), we have to specify the following:

  • target type
  • target name
  • chain name

Target type  Target name
NAMESPACE    Just the namespace name (e.g. "", repa)
CONTAINER    Just the base58 encoded CID (e.g. EyEeS5NcyUGUkCvm3KrrgjpQd1m2MDMN1TPxomcJKPvb)
GROUP        Concatenation of namespace name and group id in format <namespace>:<group-id> (e.g. :1, repa:2)
USER         Concatenation of namespace name and user address in format <namespace>:<user_addr> (e.g. :NXeWRFkLsskUtMgBmfnR2nbJeudMtghqrq, repa:NXeWRFkLsskUtMgBmfnR2nbJeudMtghqrq)

Chain name      Description
ingress:<name>  With this format (ingress: prefix), chains are applied to requests to Storage node and native IAM
s3:<name>       With this format (s3: prefix), chains are applied to requests to S3 and IAM S3