netmap: Add reserved node attribute for verified nodes' domain

Sometimes there is a need to control the entry of some storage nodes into a certain group at the stage of registration in the NeoFS network. For example, a specific organization may wish to be part of a public network, but limit the ability of a third party to indicate its affiliation. Previously, any candidate node could specify any valid attribute making private node group (aka subnet) not implementable. This commit reserves node attribute with key `VerifiedNodesDomain`. From now, any storage attempting to enter the NeoFS network and declaring this attribute will have to confirm its right to do so. This feature will allow parties to organize subgroups of nodes (i.e. subnets) and control access to them. While new changes impose requirements and are technically not backwards compatible, the use of the new attribute has never been observed in practice. It's worth noting that omitting is backwards compatible. Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
nspcc-dev · Sep 26, 2023 · cd73abd · cd73abd
1 parent c1a97ad
commit cd73abd
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/netmap/types.proto b/netmap/types.proto
@@ -208,6 +208,18 @@ message NodeInfo {
   //   Must contain a comma-separated list of multi-addresses.
   // * Version
   //   Node implementation's version in a free string form.
+  // * VerifiedNodesDomain
+  //   Confirmation of admission to a group of storage nodes.
+  //   The value is the domain name registered in the NeoFS NNS. If attribute
+  //   is specified, the storage node requesting entry into the NeoFS network
+  //   map with this attribute must be included in the access list located on
+  //   the specified domain. The access list is represented by a set of TXT
+  //   records: Neo script hashes from public keys. To be admitted to the
+  //   network, script hash of the node's public key declared in 'public_key'
+  //   field must be present in domain records. Otherwise, registration will be
+  //   denied.
+  //   Value must be a valid NeoFS NNS domain name. Note that if this attribute
+  //   is absent, this check is not carried out.
   //
   // For detailed description of each well-known attribute please see the
   // corresponding section in NeoFS Technical Specification.

diff --git a/proto-docs/netmap.md b/proto-docs/netmap.md
@@ -450,6 +450,18 @@ explicitly set:
   Must contain a comma-separated list of multi-addresses.
 * Version
   Node implementation's version in a free string form.
+* VerifiedNodesDomain
+  Confirmation of admission to a group of storage nodes.
+  The value is the domain name registered in the NeoFS NNS. If attribute
+  is specified, the storage node requesting entry into the NeoFS network
+  map with this attribute must be included in the access list located on
+  the specified domain. The access list is represented by a set of TXT
+  records: Neo script hashes from public keys. To be admitted to the
+  network, script hash of the node's public key declared in 'public_key'
+  field must be present in domain records. Otherwise, registration will be
+  denied.
+  Value must be a valid NeoFS NNS domain name. Note that if this attribute
+  is absent, this check is not carried out.
 
 For detailed description of each well-known attribute please see the
 corresponding section in NeoFS Technical Specification.