CNs should keep all replica MNs up to date with SystemMetadata changes
SystemMetadata changes frequently by both d1_synchronization and d1_replication once an object's metadata documents are synchronized. Since MNs can only set access policies through the CN, the CN needs to synchronize the system metadata back to each MN replica node so they can 1) have the latest version (serialVersion) and 2) enforce the correct access policies.
Update ACL only via CN, only possible if Auth MN is Tier2+):
0. User edits ACL on an object using ITK tool;
1. Update ACL on CN-1;
a. lock PID
b. check serial number on sysmeta - change request serial # must match sys meta serial
c. put systemMetadata on CN-1 via hazelcast
e. changes propogated to other CNs via hazelcast
d. unlock PID
2. CN-1 pushes ACL to all object copies;
3. CN-1 verifies ACL change;
If a Tier 1 MN is authoritative, then there is no support for changing ACLs.
If a Tier 1 MN attempts to create an object that has an ACL other than public read, that synchronize to the CN should fail. This is similar to the problem that the synchronize should fail if the identifier for the object is not unique.