nspcc-dev / neofs-contract

NeoFS smart-contract
GNU General Public License v3.0

Consider legal holds on NeoFS objects #247

Open alexvanin opened 2 years ago

alexvanin commented 2 years ago

Is your feature request related to a problem? Please describe.

S3 protocol defines the Object Lock legal hold operation. This operation locks an object for an indefinite period of time. This lock can be removed.

As we decided here, NeoFS locks cannot be removed and must have expiration, see https://github.com/nspcc-dev/neofs-api/pull/221. This is suitable for retention locks in compliance mode, but it does not work with legal holds.

Describe the solution you'd like

As we discussed this with @realloc some time ago, there was a proposal to implement legal holds as a smart contract. This way we avoid API changes.

```mermaid
sequenceDiagram
    actor User
    User->> Alphabet Nodes: Lock cid/oid
    note right of User: Notary invocation of Legal Hold contract
    Alphabet Nodes-->>Alphabet Nodes: Collect multisignature
    Alphabet Nodes->>Legal Hold Contract: Lock cid/oid
    Legal Hold Contract ->> Storage Nodes: Notification
    User ->> Storage Nodes: Delete cid/oid
    activate Storage Nodes
    Storage Nodes --x User: Deny
    deactivate Storage Nodes

    User->> Alphabet Nodes: Unlock cid/oid
    Alphabet Nodes-->>Alphabet Nodes: Collect multisignature
    Alphabet Nodes->>Legal Hold Contract: Unlock cid/oid
    Legal Hold Contract ->> Storage Nodes: Notification
    User ->> Storage Nodes: Delete cid/oid
    activate Storage Nodes
    Storage Nodes ->> User: Ok
    deactivate Storage Nodes
```

Q: Who has the right to trigger legal hold? A: In public network -- nobody. In private network -- some set of keys defined in legal hold contract.

Q: How does a storage node store legal hold information? A: In the metabase. Maybe we can ask the contract on every DELETE request.

Q: What if the metabase is lost on an SN? A: Resync the list of legal hold objects from the contract at startup.
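The lock/unlock, notification and resync flow sketched above, as an added Go model (not code from the neofs-contract repository): the contract accepts a hold change only from a signer in its allowed key set (empty in a public network, so nobody can hold), storage nodes keep hold marks in a local metabase that is rebuilt from contract state at startup, and a DELETE is denied while a mark exists. The names LegalHoldContract, SetHold, StorageNode and CanDelete are illustrative assumptions, and the Alphabet multisignature is assumed to have been verified before SetHold is reached.

```go
package main

import "errors"

// ObjectAddress is a NeoFS object address: container ID plus object ID (cid/oid).
type ObjectAddress struct{ CID, OID string }

var ErrNotAuthorized = errors.New("legal hold: signer not in allowed key set")

// setMark adds or removes one address in a hold set (contract state or a node's metabase).
func setMark(m map[ObjectAddress]bool, a ObjectAddress, locked bool) {
	if locked {
		m[a] = true
	} else {
		delete(m, a)
	}
}

// LegalHoldContract models the proposed contract (illustrative name): the keys allowed to lock/unlock (none in a public network) and the held set.
type LegalHoldContract struct {
	Allowed map[string]bool
	Held    map[ObjectAddress]bool
}

// SetHold locks (locked=true) or unlocks cid/oid after checking the signer; the Alphabet multisig is
// assumed verified before this call. Unlike retention locks, a legal hold can be removed.
func (c *LegalHoldContract) SetHold(signer string, a ObjectAddress, locked bool) error {
	if !c.Allowed[signer] {
		return ErrNotAuthorized
	}
	setMark(c.Held, a, locked)
	return nil
}

// StorageNode keeps local hold marks (its metabase): filled by Resync at startup, kept current by Apply, consulted on DELETE.
type StorageNode struct{ marks map[ObjectAddress]bool }

// Apply records one contract notification (the "Notification" arrow in the diagram).
func (n *StorageNode) Apply(a ObjectAddress, locked bool) { setMark(n.marks, a, locked) }

// Resync rebuilds the marks from contract state, e.g. at startup after the metabase is lost.
func (n *StorageNode) Resync(c *LegalHoldContract) {
	n.marks = make(map[ObjectAddress]bool, len(c.Held))
	for a := range c.Held {
		n.marks[a] = true
	}
}

// CanDelete reports whether a DELETE of cid/oid may proceed: held objects are denied.
func (n *StorageNode) CanDelete(a ObjectAddress) bool { return !n.marks[a] }
```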

fyrchik commented 2 years ago
  1. Add methods to the container contract.
  2. Node makes some local marks.
  3. Synchronize during restart and on epoch tick.
  4. TODO determine who can create legal holds
  5. TODO try hold containers, check if it plays nicely with S3 spec
  6. Container with active holds should not be removed.

KirillovDenis commented 2 years ago

> Determine who can create legal holds

AWS allows users that have the s3:PutObjectLegalHold permission to create legal holds (it's related to revising ACL in s3-gw): https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html. So we can either:

> Try hold containers, check if it plays nicely with S3 spec

I don't see any appropriate S3 API method that can be used to hold the bucket/container. There is only one method to change a legal hold, PutObjectLegalHold, and it's per object version. Besides, the bucket cannot be deleted if it isn't empty. So it's strange to introduce a method to hold a bucket in the AWS mindset.

There is one option, though: using https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLockConfiguration.html. We can extend the body to accept a param to hold the bucket. But this will be incompatible with the S3 protocol, so I don't like it.