LogDog: Add project namespace to Butler/Collector.

common/proto/logdog/logpb/butler.proto

Index: common/proto/logdog/logpb/butler.proto
diff --git a/common/proto/logdog/logpb/butler.proto b/common/proto/logdog/logpb/butler.proto
index 565cb7f70c4540a6019a47689c1994a85a1bbf5d..9daee95e84025f9bfbd1e1e0f1fc22a41763a907 100644
--- a/common/proto/logdog/logpb/butler.proto
+++ b/common/proto/logdog/logpb/butler.proto
@@ -77,21 +77,8 @@ message ButlerLogBundle {
      */
     logpb.LogStreamDescriptor desc = 1;
 
-    /*
-     * The log prefix's secret value (required).
-     *
-     * The secret is generated by the Butler and unique to this specific log
-     * stream. The Coordinator will record the secret associated with a given
-     * log Prefix/Stream, but will not share the secret with a client.
-     *
-     * The Collector will check the secret prior to ingesting logs. If the
-     * secret doesn't match the value recorded by the Coordinator, the log
-     * will be discarded.
-     *
-     * This ensures that only the Butler instance that generated the log stream
-     * can emit log data for that stream.
-     */
-    bytes secret = 2;
+    /* (DEPRECATED) Per-entry secret replaced with Butler-wide secret. */
+    bytes deprecated_entry_secret = 2;
 
     /*
      * Whether this log entry terminates its stream.
@@ -125,4 +112,31 @@ message ButlerLogBundle {
    * Each Entry is an individual set of log records for a given log stream.
    */
   repeated Entry entries = 3;
+
+  /** Project specifies which luci-config project this stream belongs to. */
+  string project = 4;
+
+  /**
+   * The log stream prefix that is shared by all bundled streams.
+   *
+   * This prefix is valid within the supplied project scope.
+   */
+  string prefix = 5;
+
+  /*
+   * The log prefix's secret value (required).
+   *
+   * The secret is bound to all log streams that share the supplied Prefix, and
+   * The Coordinator will record the secret associated with a given log Prefix,
+   but will not share the secret with a client.

[Vadim Sh., 2016/04/25 18:51:52]

also, who exactly is meant by "a client" here? Log consumers?

[Vadim Sh., 2016/04/25 18:51:52]

nit: add "* " :)

+   *
+   * The Collector will check the secret prior to ingesting logs. If the
+   * secret doesn't match the value recorded by the Coordinator, the log
+   * will be discarded.
+   *
+   * This ensures that only the Butler instance that generated the log stream

[Vadim Sh., 2016/04/25 18:51:52]

Is knowing secret alone sufficient to push messages to the stream?

Does it have an expiration time? Any bearer tokens should have short lifetime.

[dnj, 2016/04/25 19:30:26]

The secret is:
- At the moment, generated by this Butler instance and used when registering
streams. The Coordinator will accept the secret of the first stream for a given
name and enforce that all messages associated with that stream match the secret.
- In the future, be generated by the Coordinator after a negotiation with the
Butler, and be valid until the stream prefix is closed, which will happen after
a fixed amount of time since its creation.

This is less a token and more a stream property. If you know the stream secret,
you are either a privileged internal service or the Butler instance that owns
the stream.

+   * can emit log data for that stream. It also ensures that only authenticated
+   * users can write to a Prefix.
+   */
+  bytes secret = 6;
 }