Incident: ACL issue in case of replication #881

Closed
anatoly-bogatyrev opened this issue Oct 6, 2021 · 1 comment · Fixed by #897
Labels: bug (Something isn't working)

anatoly-bogatyrev commented Oct 6, 2021

If we have 4 nodes and a container with storage policy like:

```
REP 2 IN X
CBF 2
SELECT 2 FROM F AS X
FILTER Deployed EQ NSPCC AS F
```

We expected that all 4 nodes would be in the container and that replication would pass without issues.

But in fact, during replication we have an ACL error for each other node:

```
окт 06 14:31:14 neofs-storage[5135]: 2021-10-06T14:31:14.770Z error replicator/process.go:90 could not replicate object {"component": "Object Replicator", "node": "03aeff8a19f0202090afb0916b1c00b432321be7e8623a06c9b9b5db8ee5c053a4", "error": "(*putsvc.RemoteSender) could not send object: (*putsvc.remoteTarget) could not put object to [/dns4/st1.storage.fs.neo.org/tcp/8080]: closing the stream failed: rpc error: code = Unknown desc = access to operation PUT is denied by extended ACL check"}
```

alexvanin (Contributor) commented

Here is the problem:

```go
sTok := part.GetHeader().GetSessionToken()
```

The node uses the session token from the object header instead of the request meta header. This way the request is classified as a user's request, which is denied by eACL.

We should check if it is okay to use the request meta header in the object.Put operations. I think it should be okay, because nodes that split objects must include the session token both in the object and in the request meta header. But it will be better to double check.
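The classification problem described in the comment above, as an added example that is not NeoFS code and not part of the original thread: a simplified model in which the sender role is derived from a session token when one is present. All names (`Role`, `PutRequest`, `classify`, `PutAllowed`, `alice`, `node-A`) and the eACL rule that denies PUT to the user role are assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical, simplified model of sender classification; not NeoFS code.
type Role int

const (
	RoleUser   Role = iota // container owner, or a holder of the owner's session token
	RoleSystem             // storage node that belongs to the container
	RoleOthers
)

type SessionToken struct{ Owner string }
type PutRequest struct {
	Signer      string        // key that signed the request
	MetaToken   *SessionToken // token in the request meta header
	ObjectToken *SessionToken // token stored in the object header
}

// classify derives the role from the token issuer if a token is given, else from the signer.
func classify(signer string, tok *SessionToken, owner string, nodes map[string]bool) Role {
	if tok != nil {
		signer = tok.Owner
	}
	if signer == owner {
		return RoleUser
	}
	if nodes[signer] {
		return RoleSystem
	}
	return RoleOthers
}

// PutAllowed applies a constructed eACL rule (deny PUT to RoleUser); fromObjectHeader picks the token source.
func PutAllowed(req PutRequest, owner string, nodes map[string]bool, fromObjectHeader bool) bool {
	tok := req.MetaToken
	if fromObjectHeader {
		tok = req.ObjectToken
	}
	return classify(req.Signer, tok, owner, nodes) != RoleUser
}

func main() {
	nodes := map[string]bool{"node-A": true, "node-B": true} // constructed container nodes
	// Replication: the object still carries the owner's token, the request meta header has none.
	repl := PutRequest{Signer: "node-A", ObjectToken: &SessionToken{Owner: "alice"}}
	fmt.Println(PutAllowed(repl, "alice", nodes, true), PutAllowed(repl, "alice", nodes, false))
}
```

With the token taken from the object header, the node-to-node PUT is treated as the owner's request and denied; with the request meta header as the source it is classified as a container node, while a genuine user request that carries the token in both places is classified the same way under either choice.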
