ir: Support verified NNS domains of the storage nodes

From now, the Inner Ring checks any incoming node for permission to
associate itself with optional private node group (kind of subnet).
Access lists are stored in the NeoFS NNS.

Closes #2280.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>

CHANGELOG.md

@@ -3,6 +3,9 @@ Changelog for NeoFS Node
 
 ## [Unreleased]
 
+### Added
+- Support of verified domains for the storage nodes (#2280)
+
 ### Fixed
 - `neofs-cli netmap netinfo` documentation (#2555)
 - `GETRANGEHASH` to a node without an object produced `GETRANGE` or `GET` requests (#2541)

config/example/node.yaml

@@ -22,8 +22,12 @@ node:
     - /dns4/s02.neofs.devenv/tcp/8081
     - grpc://127.0.0.1:8082
     - grpcs://localhost:8083
+  # List of colon-separated key-value attributes.
   attribute_0: "Price:11"
   attribute_1: UN-LOCODE:RU MSK
+  # Next attribute specifies optional NeoFS NNS domain in order to enter the storage node into a private node group
+  # (kind of subnet). The node must have public key from the corresponding access list. See docs for more detailed information.
+  attribute_2: VerifiedNodesDomain:nodes.some-org.neofs
   relay: true  # start Storage node in relay mode without bootstrapping into the Network map
   persistent_sessions:
     path: /sessions  # path to persistent session tokens file of Storage node (default: in-memory sessions)

docs/storage-node-configuration.md

@@ -311,7 +311,7 @@ node:
 | `key`                 | `string`                                                      |               | Path to the binary-encoded private key.                                 |
 | `wallet`              | [Wallet config](#wallet-subsection)                           |               | Wallet configuration. Has no effect if `key` is provided.               |
 | `addresses`           | `[]string`                                                    |               | Addresses advertised in the netmap.                                     |
-| `attribute`           | `[]string`                                                    |               | Node attributes as a list of key-value pairs in `<key>:<value>` format. |
+| `attribute`           | `[]string`                                                    |               | Node attributes as a list of key-value pairs in `<key>:<value>` format. See also docs about verified nodes' domains.|
 | `relay`               | `bool`                                                        |               | Enable relay mode.                                                      |
 | `persistent_sessions` | [Persistent sessions config](#persistent_sessions-subsection) |               | Persistent session token store configuration.                           |
 | `persistent_state`    | [Persistent state config](#persistent_state-subsection)       |               | Persistent state configuration.                                         |

docs/verified-node-domains.md

@@ -0,0 +1,40 @@
+# Verified domains of the NeoFS storage nodes
+
+Storage nodes declare information flexibly via key-value string attributes when
+applying to enter the NeoFS network map. In general, any attributes can be
+declared, however, some of them may be subject to restrictions. In particular,
+some parties may need to limit the relationship to them of any nodes of their
+public network. For example, an organization may need to deploy its storage
+nodes as a subnet of a public network to implement specific data storage
+strategies. In this example, the organization’s nodes will be “normal” for 3rd
+parties, while other nodes will not be able to enter the subnet without special
+permission at the system level.
+
+NeoFS implements solution of the described task through access lists managed
+within NeoFS NNS.
+
+## Access lists
+
+These lists are stored in the NeoFS NNS. Each party may register any available
+NNS domain and set records of `TXT` type with Neo addresses of the storage
+nodes. After the domain is registered, it becomes an alias to the subnet composed
+only from specified storage nodes. Any storage node trying to associate itself
+with this subnet while trying to enter the network must have public key
+presented in the access list. The Inner Ring will deny everyone else access to
+the network map.
+
+### Domain record format
+
+For each public key, a record is created - a structure with at least 3 fields:
+1. `ByteString` with name of the corresponding domain
+2. `Integer` that should be `16` (TXT records)
+3. `ByteString` with Neo address of the storage node's public key
+
+## Private subnet entrance
+
+By default, storage nodes do not belong to private groups. Any node wishing to
+enter the private subnet of storage nodes must first find out the corresponding
+domain name. To request a binding to a given subnet, a node needs to set
+related domain name in its information about when registering in the network
+map. The domain is set via `VerifiedNodesDomain` attribute. To be admitted to
+the network, a node must be present in the access list.

go.mod

@@ -17,8 +17,8 @@ require (
 	github.com/nspcc-dev/hrw v1.0.9
 	github.com/nspcc-dev/neo-go v0.101.1
 	github.com/nspcc-dev/neofs-api-go/v2 v2.14.0
-	github.com/nspcc-dev/neofs-contract v0.16.0
-	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11
+	github.com/nspcc-dev/neofs-contract v0.17.1-0.20230922122459-8170ce150d61
+	github.com/nspcc-dev/neofs-sdk-go v1.0.0-rc.11.0.20230926161529-a5cb78a74aed
 	github.com/nspcc-dev/tzhash v1.7.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/panjf2000/ants/v2 v2.4.0
@@ -72,7 +72,7 @@ require (
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/nspcc-dev/dbft v0.0.0-20230315155759-60347b1563e7 // indirect
 	github.com/nspcc-dev/go-ordered-json v0.0.0-20220111165707-25110be27d22 // indirect
-	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20221202075445-cb5c18dc73eb // indirect
+	github.com/nspcc-dev/neo-go/pkg/interop v0.0.0-20230208100456-1d6e48ee78e5 // indirect
 	github.com/nspcc-dev/neofs-crypto v0.4.0 // indirect
 	github.com/nspcc-dev/rfc6979 v0.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect