[scheduler]: ACLs phase 1 - per Job ACL specification and enforcement.

scheduler/appengine/messages/cron.proto

 // Copyright 2015 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 syntax = "proto3";
 
 package messages;
 
+// A single access control rule.
+message Acl {
+  enum Role {
+    // Can do read-only operations, such as listing invocations of a Job.
+    READER = 0;
+    // Same as READER + can modify state of a Job or Invocation such as aborting
+    // them.
+    WRITER = 1;
+  }
+  // Role denotes a list of actions that an identity can perform.
+  Role role = 1;
+  // A full identity string "kind:name", such as "group:xyz" or
+  // "email:mail@example.com".

[nodir, 2017/07/28 13:59:44]

Consider supporting prefix-less user emails, e.g. just "mail@example.com".
That's what others do.
https://cs.chromium.org/chromium/infra/luci/appengine/components/components/c...

[tandrii(chromium), 2017/07/28 15:15:12]

Done.

+  // For more details, see auth service on kinds of identities.
+  string identity = 2;

[nodir, 2017/07/28 13:59:44]

I think the term "identity" is reserved for one identity, not a group. The
defined kinds of identities do not include "group"

I recommend using another term

[tandrii(chromium), 2017/07/28 15:15:12]

You are right
https://cs.chromium.org/chromium/infra/go/src/github.com/luci/luci-go/server/...


Changed.

+}
+
+// A set of Acl messages. Can be referenced in a Job or Trigger by name.
+message AclSet {
+  // A name of the ACL set, unique for a project.
+  // Required. Must match regex '^[a-z0-9_]+$'.
+  string name = 1;
+  // List of access control rules.
+  // The order does not matter.
+  repeated Acl acls = 2;
+}
 
 // Job specifies a single regular job belonging to a project.
 //
 // Such jobs runs on a schedule or can be triggered by some trigger.
 message Job {
   // Id is a name of the job (unique for the project).
   //
   // Must match '^[0-9A-Za-z_\-\.]{1,100}$'.
   string id = 1;
 
@@ skipping 19 matching lines @@
 
   // Disabled is true to disable this job.
   bool disabled = 3;
 
   // Task defines what exactly to execute.
   //
   // TODO(vadimsh): Remove this field once all configs are updated not to
   // use it.
   TaskDefWrapper task = 4;
 
+  // List of access control rules for the Job.
+  // The order does not matter.
+  repeated Acl acls = 5;
+  // A list of ACL set names. Each ACL in each referenced ACL set will be
+  // included in this Job.
+  // The order does not matter.
+  repeated string acl_sets = 6;
+
   // One and only one field below must be set. It defines what this job does.
 
   // Noop is used for testing. It is "do nothing" task.
   NoopTask noop = 100;
   // UrlFetch can be used to make a simple HTTP call.
   UrlFetchTask url_fetch = 101;
   // SwarmingTask can be used to schedule swarming job.
   SwarmingTask swarming = 102;
   // BuildbucketTask can be used to schedule buildbucket job.
   BuildbucketTask buildbucket = 103;
@@ skipping 11 matching lines @@
   string id = 1;
 
   // Schedule describes when to run this triggering job.
   //
   // See Job.schedule fro more info. Default is "with 30s interval".
   string schedule = 2;
 
   // Disabled is true to disable this job.
   bool disabled = 3;
 
+  // List of access control rules for the Job.
+  // The order does not matter.
+  repeated Acl acls = 4;
+  // A list of ACL set names. Each ACL in each referenced ACL set will be
+  // included in this Job.
+  // The order does not matter.
+  repeated string acl_sets = 5;
+
   // One and only one field below must be set. It defines what this job does.
 
   // Noop is used for testing. It is "do nothing" trigger.
   NoopTask noop = 100;
   // Gitiles is used to trigger jobs for new commits on Gitiles.
   GitilesTask gitiles = 101;
 }
 
 
 // NoopTask is used for testing. It is "do nothing" task.
@@ skipping 75 matching lines @@
 
 
 // ProjectConfig defines a schema for config file that describe jobs belonging
 // to some project.
 message ProjectConfig {
   // Job is a set of jobs defined in the project.
   repeated Job job = 1;
 
   // Trigger is a set of triggering jobs defined in the project.
   repeated Trigger trigger = 2;
+
+  // A list of ACL sets. Names must be unique.
+  repeated AclSet acl_sets = 3;
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // Internal stuff.
 
 // TaskDefWrapper is a union type of all possible tasks known to the scheduler.
 //
 // It is used internally when storing jobs in the datastore.
 //
 // TODO(vadimsh): Remove '_task' suffixes once TaskDefWrapper is no longer
 // a part of 'Job' proto.
 message TaskDefWrapper {
   NoopTask noop = 1;
   UrlFetchTask url_fetch = 2;
   SwarmingTask swarming_task = 3;
   BuildbucketTask buildbucket_task = 4;
   GitilesTask gitiles_task = 5;
 }