| 1 // Copyright 2016 The LUCI Authors. All rights reserved. | 1 // Copyright 2016 The LUCI Authors. All rights reserved. |
| 2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
| 3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
| 4 | 4 |
| 5 syntax = "proto3"; | 5 syntax = "proto3"; |
| 6 | 6 |
| 7 package tokenserver.admin; | 7 package tokenserver.admin; |
| 8 | 8 |
| 9 | 9 |
| 10 // TokenServerConfig is read from tokenserver.cfg in luci-config. | 10 // TokenServerConfig is read from tokenserver.cfg in luci-config. |
| 11 message TokenServerConfig { | 11 message TokenServerConfig { |
| 12 // List of CAs we trust. | 12 // List of CAs we trust. |
| 13 repeated CertificateAuthorityConfig certificate_authority = 1; | 13 repeated CertificateAuthorityConfig certificate_authority = 1; |
| 14 } | 14 } |
| 15 | 15 |
| 16 | 16 |
| 17 // CertificateAuthorityConfig defines a single CA we trust. | 17 // CertificateAuthorityConfig defines a single CA we trust. |
| 18 // | 18 // |
| 19 // Such CA issues certificates for nodes that use The Token Service. Each node | 19 // Such CA issues certificates for nodes that use The Token Service. Each node |
| 20 // has a private key and certificate with Common Name set to the FQDN of this | 20 // has a private key and certificate with Common Name set to the FQDN of this |
| 21 // node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal". | 21 // node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal". |
| 22 // | 22 // |
| 23 // The Token Server uses this CN to derive an identity string for a machine. It | 23 // The Token Server uses this CN to derive an identity string for a machine. It |
| 24 // splits FQDN into a hostname ("slave43-c1") and a domain name | 24 // splits FQDN into a hostname ("slave43-c1") and a domain name |
| 25 // ("c.chromecompute.google.com.internal"), searches for a domain name in | 25 // ("c.chromecompute.google.com.internal"), searches for a domain name in |
| 26 // "known_domains" set, and, if it is present, uses parameters described there | 26 // "known_domains" set, and, if it is present, uses parameters described there |
| 27 // for generating a token with machine_id <hostname>@<token-server-url>. | 27 // for generating a token that contains machine's FQDN and certificate serial |
|
Vadim Sh.
2017/06/21 00:09:02
<hostname>@<token-server-url> format was actually
| |
| 28 // number (among other things, see MachineTokenBody in machine_token.proto). | |
| 28 message CertificateAuthorityConfig { | 29 message CertificateAuthorityConfig { |
| 29 int64 unique_id = 6; // ID of this CA, will be embedded into tokens. | 30 int64 unique_id = 6; // ID of this CA, will be embedded into tokens. |
| 30 string cn = 1; // CA Common Name, must match Subject CN in the cert | 31 string cn = 1; // CA Common Name, must match Subject CN in the cert |
| 31 string cert_path = 2; // path to the root certificate file in luci-config | 32 string cert_path = 2; // path to the root certificate file in luci-config |
| 32 string crl_url = 3; // where to fetch CRL from | 33 string crl_url = 3; // where to fetch CRL from |
| 33 bool use_oauth = 4; // true to send Authorization header when fetching CRL | 34 bool use_oauth = 4; // true to send Authorization header when fetching CRL |
| 34 | 35 |
| 35 // KnownDomains describes parameters to use for each particular domain. | 36 // KnownDomains describes parameters to use for each particular domain. |
| 36 repeated DomainConfig known_domains = 5; | 37 repeated DomainConfig known_domains = 5; |
| 37 } | 38 } |
| 38 | 39 |
| 39 | 40 |
| 40 // DomainConfig is used inside CertificateAuthorityConfig. | 41 // DomainConfig is used inside CertificateAuthorityConfig. |
| 41 message DomainConfig { | 42 message DomainConfig { |
| 42 reserved 2, 3, 4, 6; // deleted fields, do not reuse. | 43 reserved 2, 3, 4, 6; // deleted fields, do not reuse. |
| 43 | 44 |
| 44 // Domain is domain names of hosts this config applies to. | 45 // Domain is domain names of hosts this config applies to. |
| 46 // | |
| 47 // Machines that reside in a subdomain of given domain are also considered | |
| 48 // part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com" | |
| 49 // match domain "example.com". | |
| 45 repeated string domain = 1; | 50 repeated string domain = 1; |
| 46 | 51 |
| 47 // MachineTokenLifetime is how long generated machine tokens live, in seconds. | 52 // MachineTokenLifetime is how long generated machine tokens live, in seconds. |
| 48 // | 53 // |
| 49 // If 0, machine tokens are not allowed. | 54 // If 0, machine tokens are not allowed. |
| 50 int64 machine_token_lifetime = 5; | 55 int64 machine_token_lifetime = 5; |
| 51 } | 56 } |
| 52 | 57 |
| 53 | 58 |
| 54 // DelegationPermissions is read from delegation.cfg in luci-config. | 59 // DelegationPermissions is read from delegation.cfg in luci-config. |
| 146 // * A service identity string ("service:<id>"). | 151 // * A service identity string ("service:<id>"). |
| 147 // * A special token "*" that mean "any LUCI service should accept the | 152 // * A special token "*" that mean "any LUCI service should accept the |
| 148 // token". | 153 // token". |
| 149 repeated string target_service = 6; | 154 repeated string target_service = 6; |
| 150 | 155 |
| 151 // Maximum allowed validity duration (sec) of minted delegation tokens. | 156 // Maximum allowed validity duration (sec) of minted delegation tokens. |
| 152 // | 157 // |
| 153 // Default is 12 hours. | 158 // Default is 12 hours. |
| 154 int64 max_validity_duration = 7; | 159 int64 max_validity_duration = 7; |
| 155 } | 160 } |
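Review bot: The comment added at new lines 46-49 of `DomainConfig.domain` explains subdomain matching by example only and leaves the actual rule unstated: it should say that a match is on whole DNS labels (the configured domain must be preceded by a dot in the FQDN, so a name whose text merely ends in "example.com" without that boundary does not match) and whether the comparison is case-insensitive. Because `known_domains` decides which machines may obtain tokens and for how long (`machine_token_lifetime`), this matching rule is an authorization decision, and the schema comment is where operators writing tokenserver.cfg will look it up. The matching code is not visible on this page, so the wording should be confirmed against the implementation before it is added; a suggested form is `// Matching is on whole DNS labels: the FQDN must equal the domain or end with "." followed by the domain; comparison is case-insensitive (confirm).` The same precision would help the new lines 27-28, which could name the exact fields of MachineTokenBody the FQDN and serial number are placed in.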