acl: do not check EACL for system role (#3015)

CHANGELOG.md

@@ -42,6 +42,7 @@ attribute, which is used for container domain name in NNS contracts (#2954)
 - Pprof and metrics services stop at the end of SN's application lifecycle (#2976)
 - Reject configuration with unknown fields (#2981)
 - Log sampling is disabled by default now (#3011)
+- EACL is no longer considered for system role (#2972)
 
 ### Removed
 - Support for node.key configuration (#2959)

pkg/services/object/acl/acl.go

@@ -129,6 +129,22 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		return nil
 	}
 
+	var eaclRole eaclSDK.Role
+	switch op := reqInfo.RequestRole(); op {
+	default:
+		eaclRole = eaclSDK.Role(op)
+	case acl.RoleOwner:
+		eaclRole = eaclSDK.RoleUser
+	case acl.RoleInnerRing, acl.RoleContainer:
+		eaclRole = eaclSDK.RoleSystem
+	case acl.RoleOthers:
+		eaclRole = eaclSDK.RoleOthers
+	}
+
+	if eaclRole == eaclSDK.RoleSystem {
+		return nil // Controlled by BasicACL, EACL can not contain any rules for system role since 0.38.0.
+	}
+
 	// if bearer token is not allowed, then ignore it
 	if !basicACL.AllowedBearerRules(reqInfo.Operation()) {
 		reqInfo.CleanBearer()
@@ -182,18 +198,6 @@ func (c *Checker) CheckEACL(msg any, reqInfo v2.RequestInfo) error {
 		return fmt.Errorf("can't parse headers: %w", err)
 	}
 
-	var eaclRole eaclSDK.Role
-	switch op := reqInfo.RequestRole(); op {
-	default:
-		eaclRole = eaclSDK.Role(op)
-	case acl.RoleOwner:
-		eaclRole = eaclSDK.RoleUser
-	case acl.RoleInnerRing, acl.RoleContainer:
-		eaclRole = eaclSDK.RoleSystem
-	case acl.RoleOthers:
-		eaclRole = eaclSDK.RoleOthers
-	}
-
 	vu := new(eaclSDK.ValidationUnit).
 		WithRole(eaclRole).
 		WithOperation(eaclSDK.Operation(reqInfo.Operation())).