| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The LUCI Authors. All rights reserved. | 1 // Copyright 2016 The LUCI Authors. All rights reserved. |
| 2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
| 3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
| 4 | 4 |
| 5 syntax = "proto3"; | 5 syntax = "proto3"; |
| 6 | 6 |
| 7 package tokenserver.admin; | 7 package tokenserver.admin; |
| 8 | 8 |
| 9 | 9 |
| 10 // TokenServerConfig is read from tokenserver.cfg in luci-config. | 10 // TokenServerConfig is read from tokenserver.cfg in luci-config. |
| (...skipping 96 matching lines...) | |
| 107 // to some target audience. | 107 // to some target audience. |
| 108 repeated string allowed_to_impersonate = 4; | 108 repeated string allowed_to_impersonate = 4; |
| 109 | 109 |
| 110 // A set of identities that should be able to use the new token. | 110 // A set of identities that should be able to use the new token. |
| 111 // | 111 // |
| 112 // Each element is either: | 112 // Each element is either: |
| 113 // * An identity string ("user:<email>"). | 113 // * An identity string ("user:<email>"). |
| 114 // * A group reference ("group:<name>"). | 114 // * A group reference ("group:<name>"). |
| 115 // * A special identifier "REQUESTOR" that is substituted by the requestor | 115 // * A special identifier "REQUESTOR" that is substituted by the requestor |
| 116 // identity when evaluating the rule. | 116 // identity when evaluating the rule. |
| 117 // * A special token "*" that means "any bearer can use the new token, | |
| 118 // including anonymous". | |
| 117 // | 119 // |
| 118 // "REQUESTOR" is typically used here for rules that allow requestors to | 120 // "REQUESTOR" is typically used here for rules that allow requestors to |
| 119 // impersonate someone else. The corresponding tokens have the requestor as | 121 // impersonate someone else. The corresponding tokens have the requestor as |
| 120 // the only allowed audience. | 122 // the only allowed audience. |
| 121 repeated string allowed_audience = 5; | 123 repeated string allowed_audience = 5; |
| 122 | 124 |
| 123 // A set of services that should be able to accept the new token. | 125 // A set of services that should be able to accept the new token. |
| 124 // | 126 // |
| 125 // Each element is a service identity string ("service:<id>"). | 127 // Each element is either: |
| 128 // * A service identity string ("service:<id>"). | |
| 129 // * A special token "*" that mean "any LUCI service should accept the | |
|
nodir
2016/10/13 22:03:52
means
| |
| 130 // token". | |
| 126 repeated string target_service = 6; | 131 repeated string target_service = 6; |
| 127 | 132 |
| 128 // Maximum allowed validity duration (sec) of minted delegation tokens. | 133 // Maximum allowed validity duration (sec) of minted delegation tokens. |
| 129 // | 134 // |
| 130 // Default is 12 hours. | 135 // Default is 12 hours. |
| 131 int64 max_validity_duration = 7; | 136 int64 max_validity_duration = 7; |
| 132 } | 137 } |
| OLD | NEW |
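Review bot: The new `"*"` entries for `allowed_audience` (new lines 117-118) and `target_service` (new lines 129-130) are documented without saying how they combine with other elements of the same list or with each other. As written, a rule that sets both yields a token that any bearer, including anonymous, can present to any LUCI service for up to `max_validity_duration` (12 hours by default). The comments should state whether `"*"` must be the only element of its list, and the `allowed_audience` comment should carry a caution such as `// "*" turns the token into a bearer credential; pair it with a specific target_service and a short max_validity_duration.` Whether config validation rejects a rule with `"*"` in both fields is not visible on this page, so that is worth confirming in the code that loads this config. The enclosing message starts in the 96 skipped lines, so its other fields are not reviewed here.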