token-server: Delegation config import, validation and evaluation.

tokenserver/api/minter/v1/token_minter.pb.go

Index: tokenserver/api/minter/v1/token_minter.pb.go
diff --git a/tokenserver/api/minter/v1/token_minter.pb.go b/tokenserver/api/minter/v1/token_minter.pb.go
index 520cd866661013d8bb109c2731da45d28856d652..8d5d9823b5b628c67c38d05564eaffba54657629 100644
--- a/tokenserver/api/minter/v1/token_minter.pb.go
+++ b/tokenserver/api/minter/v1/token_minter.pb.go
@@ -328,8 +328,9 @@ func (m *LuciMachineToken) GetExpiry() *google_protobuf.Timestamp {
 type MintDelegationTokenRequest struct {
 	// Identity whose authority is delegated.
 	//
-	// A string of the form "user:<email>". The token server will check its ACLs
-	// to make sure the caller is authorized to impersonate this identity.
+	// A string of the form "user:<email>" or a special token "REQUESTOR" that
+	// means to delegate caller's own identity. The token server will check its
+	// ACLs to make sure the caller is authorized to impersonate this identity.
 	//
 	// Required.
 	DelegatedIdentity string `protobuf:"bytes,1,opt,name=delegated_identity,json=delegatedIdentity" json:"delegated_identity,omitempty"`
@@ -340,7 +341,9 @@ type MintDelegationTokenRequest struct {
 	// Who will be able to use the new token.
 	//
 	// Each item can be an identity string (e.g. "user:<email>"), a "group:<name>"
-	// string, or special "*" string which means "Any bearer can use the token".
+	// string, special "*" string which means "Any bearer can use the token", or
+	// "REQUESTOR" string which means "Whoever is making this call can use the
+	// token".
 	//
 	// This is semantically is a set, the order of elements doesn't matter.
 	//