Side by Side Diff: tokenserver/api/admin/v1/config.proto

Issue 2413683004: token-server: Delegation config import, validation and evaluation. (Closed)
Patch Set: also check validity_duration Created 4 years, 1 month ago
1 // Copyright 2016 The LUCI Authors. All rights reserved. 1 // Copyright 2016 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 syntax = "proto3"; 5 syntax = "proto3";
6 6
7 package tokenserver.admin; 7 package tokenserver.admin;
8 8
9 9
10 // TokenServerConfig is read from tokenserver.cfg in luci-config. 10 // TokenServerConfig is read from tokenserver.cfg in luci-config.
(...skipping 48 matching lines...)
59 // request to allow the operation. If none rules or more than one rule match, 59 // request to allow the operation. If none rules or more than one rule match,
60 // the request will be denied. 60 // the request will be denied.
61 // 61 //
62 // See DelegationRule comments for more details. 62 // See DelegationRule comments for more details.
63 repeated DelegationRule rules = 1; 63 repeated DelegationRule rules = 1;
64 } 64 }
65 65
66 66
67 // DelegationRule describes a single allowed case of using delegation tokens. 67 // DelegationRule describes a single allowed case of using delegation tokens.
68 // 68 //
69 // An incoming MintDelegationToken request is basically a tuple of: 69 // An incoming MintDelegationTokenRequest is basically a tuple of:
70 // * 'requestor_id' - an identity of whoever makes the request. 70 // * 'requestor_id' - an identity of whoever makes the request.
71 // * 'delegated_identity' - an identity to delegate. 71 // * 'delegated_identity' - an identity to delegate.
72 // * 'audience' - a set of identities that will be able to use the token. 72 // * 'audience' - a set of identities that will be able to use the token.
73 // * 'services' - a set of services that should accept the token. 73 // * 'services' - a set of services that should accept the token.
74 // 74 //
75 // A request matches a rule iff: 75 // A request matches a rule iff:
76 // * 'requestor_id' is in 'requestor' set. 76 // * 'requestor_id' is in 'requestor' set.
77 // * 'delegated_identity' is in 'allowed_to_impersonate' set. 77 // * 'delegated_identity' is in 'allowed_to_impersonate' set.
78 // * 'audience' is a subset of 'allowed_audience' set. 78 // * 'audience' is a subset of 'allowed_audience' set.
79 // * 'services' is a subset of 'target_service' set. 79 // * 'services' is a subset of 'target_service' set.
80 // 80 //
81 // The presence of a matching rule permits to mint the token. The rule also 81 // The presence of a matching rule permits to mint the token. The rule also
82 // provides an upper bound on allowed validity_duration, and the rule's name 82 // provides an upper bound on allowed validity_duration, and the rule's name
83 // is logged in the audit trail. 83 // is logged in the audit trail.
84 message DelegationRule { 84 message DelegationRule {
85 // A descriptive name of this rule, for the audit log. 85 // A descriptive name of this rule, for the audit log.
86 string name = 1; 86 string name = 1;
87 87
88 // Email of developers that added this rule, to know who to contact. 88 // Email of developers that added this rule, to know who to contact.
89 repeated string owner = 2; 89 repeated string owner = 2;
90 90
91 // A set of callers to which this rule applies. 91 // A set of callers to which this rule applies.
92 // 92 //
93 // Matched against verified credentials of a caller of MintDelegationToken.
94 //
93 // Each element is either: 95 // Each element is either:
94 // * An identity string ("user:<email>"). 96 // * An identity string ("user:<email>").
95 // * A group reference ("group:<name>"). 97 // * A group reference ("group:<name>").
98 //
99 // The groups specified here are expanded when MintDelegationTokenRequest is
100 // evaluated.
96 repeated string requestor = 3; 101 repeated string requestor = 3;
97 102
98 // Identities that are allowed to be delegated/impersonated by the requestor. 103 // Identities that are allowed to be delegated/impersonated by the requestor.
99 // 104 //
105 // Matched against 'delegated_identity' field of MintDelegationTokenRequest.
106 //
100 // Each element is either: 107 // Each element is either:
101 // * An identity string ("user:<email>"). 108 // * An identity string ("user:<email>").
102 // * A group reference ("group:<name>"). 109 // * A group reference ("group:<name>").
103 // * A special identifier "REQUESTOR" that is substituted by the requestor 110 // * A special identifier "REQUESTOR" that is substituted by the requestor
104 // identity when evaluating the rule. 111 // identity when evaluating the rule.
105 // 112 //
106 // "REQUESTOR" allows one to generate tokens that delegate their own identity 113 // "REQUESTOR" allows one to generate tokens that delegate their own identity
107 // to some target audience. 114 // to some target audience.
115 //
116 // The groups specified here are expanded when MintDelegationTokenRequest is
117 // evaluated.
108 repeated string allowed_to_impersonate = 4; 118 repeated string allowed_to_impersonate = 4;
109 119
110 // A set of identities that should be able to use the new token. 120 // A set of identities that should be able to use the new token.
111 // 121 //
122 // Matched against 'audience' field of MintDelegationTokenRequest.
123 //
112 // Each element is either: 124 // Each element is either:
113 // * An identity string ("user:<email>"). 125 // * An identity string ("user:<email>").
114 // * A group reference ("group:<name>"). 126 // * A group reference ("group:<name>").
115 // * A special identifier "REQUESTOR" that is substituted by the requestor 127 // * A special identifier "REQUESTOR" that is substituted by the requestor
116 // identity when evaluating the rule. 128 // identity when evaluating the rule.
129 // * A special token "*" that means "any bearer can use the new token,
130 // including anonymous".
117 // 131 //
118 // "REQUESTOR" is typically used here for rules that allow requestors to 132 // "REQUESTOR" is typically used here for rules that allow requestors to
119 // impersonate someone else. The corresponding tokens have the requestor as 133 // impersonate someone else. The corresponding tokens have the requestor as
120 // the only allowed audience. 134 // the only allowed audience.
135 //
136 // The groups specified here are NOT expanded when MintDelegationTokenRequest
137 // is evaluated. To match the rule, MintDelegationTokenRequest must specify
138 // subset of 'allowed_audience' groups explicitly in 'audience' field.
121 repeated string allowed_audience = 5; 139 repeated string allowed_audience = 5;
122 140
123 // A set of services that should be able to accept the new token. 141 // A set of services that should be able to accept the new token.
124 // 142 //
125 // Each element is a service identity string ("service:<id>"). 143 // Matched against 'services' field of MintDelegationTokenRequest.
144 //
145 // Each element is either:
146 // * A service identity string ("service:<id>").
147 // * A special token "*" that mean "any LUCI service should accept the
148 // token".
126 repeated string target_service = 6; 149 repeated string target_service = 6;
127 150
128 // Maximum allowed validity duration (sec) of minted delegation tokens. 151 // Maximum allowed validity duration (sec) of minted delegation tokens.
129 // 152 //
130 // Default is 12 hours. 153 // Default is 12 hours.
131 int64 max_validity_duration = 7; 154 int64 max_validity_duration = 7;
132 } 155 }
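Review bot: the new "*" wildcard in allowed_audience and target_service is not defined against the subset rule stated at the top of the message ("'audience' is a subset of 'allowed_audience' set", "'services' is a subset of 'target_service' set"). As written it is unclear whether a rule with allowed_audience "*" matches a request that asks for an explicit audience such as "user:<email>", or only a request that literally asks for "*"; the paragraph right below ("The groups specified here are NOT expanded ... must specify subset of 'allowed_audience' groups explicitly") suggests the literal reading, so please state it, and say the same for target_service. Since "*" on the audience side means "any bearer ... including anonymous", I would also have config validation reject a rule that mixes "*" with concrete entries in the same field, as the concrete entries are then meaningless and only obscure how broad the rule is. For max_validity_duration, "Default is 12 hours" should spell out that an unset or 0 value (proto3 int64 has no presence, so they are indistinguishable) means the default, and that validation rejects negative values and values above the server-wide maximum; the patch set is titled "also check validity_duration" but nothing in this file records what bound is enforced. Two nits in the comments: 'A special token "*" that mean "any LUCI service' should read "means", and "If none rules or more than one rule match" should read "If no rules or more than one rule match".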