From d542954c55ce6d2f0c8250cc4bf143889fed089e Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Tue, 26 Sep 2023 19:26:09 +0400 Subject: [PATCH] netmap: Add reserved node attribute for verified nodes' domain Sometimes there is a need to control the entry of some storage nodes into a certain group at the stage of registration in the NeoFS network. For example, a specific organization may wish to be part of a public network, but limit the ability of a third party to indicate its affiliation. Previously, any candidate node could specify any valid attribute making private node group (aka subnet) not implementable. This commit reserves node attribute with key `VerifiedNodesDomain`. From now, any storage attempting to enter the NeoFS network and declaring this attribute will have to confirm its right to do so. This feature will allow parties to organize subgroups of nodes (i.e. subnets) and control access to them. While new changes impose requirements and are technically not backwards compatible, the use of the new attribute has never been observed in practice. It's worth noting that omitting is backwards compatible. Signed-off-by: Leonard Lyubich --- netmap/types.proto | 12 ++++++++++++ proto-docs/netmap.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/netmap/types.proto b/netmap/types.proto index 9f9b1e9..9410d01 100644 --- a/netmap/types.proto +++ b/netmap/types.proto 
@@ -208,6 +208,18 @@ message NodeInfo { // Must contain a comma-separated list of multi-addresses. // * Version // Node implementation's version in a free string form. + // * VerifiedNodesDomain + // Confirmation of admission to a group of storage nodes. + // The value is the domain name registered in the NeoFS NNS. If attribute + // is specified, the storage node requesting entry into the NeoFS network + // map with this attribute must be included in the access list located on + // the specified domain. The access list is represented by a set of TXT + // records: Neo addresses resolved from public keys. To be admitted to the + // network, Neo address of the node's public key declared in 'public_key' + // field must be present in domain records. Otherwise, registration will be + // denied. + // Value must be a valid NeoFS NNS domain name. Note that if this attribute + // is absent, this check is not carried out. // // For detailed description of each well-known attribute please see the // corresponding section in NeoFS Technical Specification. diff --git a/proto-docs/netmap.md b/proto-docs/netmap.md index 85d04c1..a99ad42 100644 --- a/proto-docs/netmap.md +++ b/proto-docs/netmap.md 
@@ -450,6 +450,18 @@ explicitly set: Must contain a comma-separated list of multi-addresses. * Version Node implementation's version in a free string form. +* VerifiedNodesDomain + Confirmation of admission to a group of storage nodes. + The value is the domain name registered in the NeoFS NNS. If attribute + is specified, the storage node requesting entry into the NeoFS network + map with this attribute must be included in the access list located on + the specified domain. The access list is represented by a set of TXT + records: Neo addresses resolved from public keys. To be admitted to the + network, Neo address of the node's public key declared in 'public_key' + field must be present in domain records. Otherwise, registration will be + denied. + Value must be a valid NeoFS NNS domain name. Note that if this attribute + is absent, this check is not carried out. For detailed description of each well-known attribute please see the corresponding section in NeoFS Technical Specification.
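Review bot: In the netmap/types.proto hunk, the VerifiedNodesDomain comment covers only two outcomes: the node's address is present in the domain records, or it is not ("Otherwise, registration will be denied"). It does not say what happens when the value is not a valid NeoFS NNS domain name, when the domain is not registered, or when the domain has no TXT records. Because this attribute is an admission control, the comment should state explicitly that each of those cases also results in denial, so that no implementation treats a failed lookup as "check not carried out". The record format is also underspecified: "Neo addresses resolved from public keys" should name the exact textual form expected in a TXT record, so that independent implementations compare the same string against the address derived from 'public_key'.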
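Review bot: In the proto-docs/netmap.md hunk, the VerifiedNodesDomain entry describes the check only for "the storage node requesting entry into the NeoFS network map", so it leaves revocation undefined. The text does not say whether a node that was admitted stays in the network map after its address is removed from the domain's TXT records. Suggest adding a sentence on when the access list is re-evaluated, or stating that it is checked at registration only. The closing note that the check is skipped when the attribute is absent could also say that all other attributes remain self-declared, so a group that must be access-controlled has to be selected by VerifiedNodesDomain and not by any other attribute.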