From cd73abdaa2dca68336bd183e8761392788f032c9 Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Tue, 26 Sep 2023 19:26:09 +0400 Subject: [PATCH] netmap: Add reserved node attribute for verified nodes' domain Sometimes there is a need to control the entry of some storage nodes into a certain group at the stage of registration in the NeoFS network. For example, a specific organization may wish to be part of a public network, but limit the ability of a third party to indicate its affiliation. Previously, any candidate node could specify any valid attribute making private node group (aka subnet) not implementable. This commit reserves node attribute with key `VerifiedNodesDomain`. From now, any storage attempting to enter the NeoFS network and declaring this attribute will have to confirm its right to do so. This feature will allow parties to organize subgroups of nodes (i.e. subnets) and control access to them. While new changes impose requirements and are technically not backwards compatible, the use of the new attribute has never been observed in practice. It's worth noting that omitting is backwards compatible. Signed-off-by: Leonard Lyubich --- netmap/types.proto | 12 ++++++++++++ proto-docs/netmap.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/netmap/types.proto b/netmap/types.proto index 9f9b1e9..59d205c 100644 --- a/netmap/types.proto +++ b/netmap/types.proto 
@@ -208,6 +208,18 @@ message NodeInfo { // Must contain a comma-separated list of multi-addresses. // * Version // Node implementation's version in a free string form. + // * VerifiedNodesDomain + // Confirmation of admission to a group of storage nodes. + // The value is the domain name registered in the NeoFS NNS. If attribute + // is specified, the storage node requesting entry into the NeoFS network + // map with this attribute must be included in the access list located on + // the specified domain. The access list is represented by a set of TXT + // records: Neo script hashes from public keys. To be admitted to the + // network, script hash of the node's public key declared in 'public_key' + // field must be present in domain records. Otherwise, registration will be + // denied. + // Value must be a valid NeoFS NNS domain name. Note that if this attribute + // is absent, this check is not carried out. // // For detailed description of each well-known attribute please see the // corresponding section in NeoFS Technical Specification. diff --git a/proto-docs/netmap.md b/proto-docs/netmap.md index 85d04c1..be72e4b 100644 --- a/proto-docs/netmap.md +++ b/proto-docs/netmap.md 
@@ -450,6 +450,18 @@ explicitly set: Must contain a comma-separated list of multi-addresses. * Version Node implementation's version in a free string form. +* VerifiedNodesDomain + Confirmation of admission to a group of storage nodes. + The value is the domain name registered in the NeoFS NNS. If attribute + is specified, the storage node requesting entry into the NeoFS network + map with this attribute must be included in the access list located on + the specified domain. The access list is represented by a set of TXT + records: Neo script hashes from public keys. To be admitted to the + network, script hash of the node's public key declared in 'public_key' + field must be present in domain records. Otherwise, registration will be + denied. + Value must be a valid NeoFS NNS domain name. Note that if this attribute + is absent, this check is not carried out. For detailed description of each well-known attribute please see the corresponding section in NeoFS Technical Specification.
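Review bot: In the netmap/types.proto hunk, the sentence "The access list is represented by a set of TXT records: Neo script hashes from public keys" does not say how a script hash is written inside a TXT record, so the party publishing the list and the party checking it can encode the same key differently and a legitimate node would be denied. Suggest stating the exact textual form and byte order of each record value. The comment also covers only the case where the hash is missing from the domain records; it should say what happens when the domain named in the attribute does not resolve or has no TXT records at all, and denying registration in those cases keeps the check fail-closed.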
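Review bot: In the proto-docs/netmap.md hunk, "Otherwise, registration will be denied" describes the check only at the moment a node requests entry into the network map, and nothing says what happens to an already admitted node once its script hash is removed from the domain's TXT records. Suggest adding a sentence on when the access list is re-evaluated, so a domain owner knows whether deleting a record revokes membership or only blocks future registrations. Because this text repeats the comment added to netmap/types.proto, the same sentence belongs in both places. It would also help to state next to "if this attribute is absent, this check is not carried out" that a node without the attribute carries no verified group membership, so readers do not infer one from other attributes.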