Impossible to put big object via non-container node without HEAD allowed

[carpawell]

After split V2 scheme adoption, every big object PUT requires to HEAD the first part. If it is denied by container policy, the whole PUT fails. However, this operation does not look like smth strange and the system should allow this behaviour.

Expected Behavior

PUT big object through a non-container node to a container with HEAD denied to others should work OK.

Current Behavior

Returns 2048 error (access denied).

Possible Solution

Do not check ACL objects if a node is not expected to store an object (does not belong to a container). Even for session cases it splits and signs an object and tries to PUT it to a container node. If it does not pass ACL checks, then it is what it is, return error it gets.
Also, re-checks, that if an object is signed (completed, PUT-without-session case), it is just forwarded to a container node; this code does not work usually (or maybe not used at all since it was written).

Steps to Reproduce (for bugs)

Run nspcc-dev/neofs-s3-gw#969 test case, see errors.

Context

nspcc-dev/neofs-s3-gw#969 PUTs objects via SDK's Pool. It uses every node it has, however only 3/4 nodes belong to the test container, so every time part it PUT to a non-container node, the test fails.

Regression

Yes, split V2.

[carpawell]

@roman-khimov, @cthulhu-rider, validate the whole description, and this essentially:

Do not check ACL objects if a node is not expected to store an object (does not belong to a container).

Not sure if this is true for big objects or for all objects in general.

[roman-khimov]

Only when you can't check it (pieces of a big object). In all other cases it can easily be checked and things should fail fast.

[carpawell]

Only when you can't check it (pieces of a big object)

OK, can be done, just did not want to treat some objects differently (it complicates code for not that often cases) compared to others (however, I do agree that it something can be done faster it should).