[scheduler]: ACLs phase 1 - per Job ACL specification and enforcement.

scheduler/appengine/engine/engine.go

 // Copyright 2015 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 30 matching lines @@
         "github.com/luci/luci-go/common/data/rand/mathrand"
         "github.com/luci/luci-go/common/data/stringset"
         "github.com/luci/luci-go/common/errors"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/common/retry/transient"
         "github.com/luci/luci-go/server/auth"
         "github.com/luci/luci-go/server/auth/identity"
         "github.com/luci/luci-go/server/auth/signing"
         "github.com/luci/luci-go/server/tokens"
 
+        "github.com/luci/luci-go/scheduler/appengine/acl"
         "github.com/luci/luci-go/scheduler/appengine/catalog"
         "github.com/luci/luci-go/scheduler/appengine/schedule"
         "github.com/luci/luci-go/scheduler/appengine/task"
 )
 
 var (
         ErrNoSuchJob        = errors.New("no such job")
         ErrNoSuchInvocation = errors.New("the invocation doesn't exist")
 )
 
@@ skipping 201 matching lines @@
         // an appropriate revision.
         RevisionURL string `gae:",noindex"`
 
         // Schedule is the job's schedule in regular cron expression format.
         Schedule string `gae:",noindex"`
 
         // Task is the job's payload in serialized form. Opaque from the point of view
         // of the engine. See Catalog.UnmarshalTask().
         Task []byte `gae:",noindex"`
 
+        // ACLs are the latest ACLs applied to Job and all its invocations.
+        Acls acl.GrantsByRole `gae:",noindex"`
+
         // State is the job's state machine state, see StateMachine.
         State JobState
 }
 
 // GetJobName returns name of this Job as defined its project's config.
 func (e *Job) GetJobName() string {
         // JobID has form <project>/<id>. Split it into components.
         chunks := strings.Split(e.JobID, "/")
         return chunks[1]
 }
@@ skipping 39 matching lines @@
                 e.State == other.State)
 }
 
 // matches returns true if job definition in the entity matches the one
 // specified by catalog.Definition struct. UpdateProjectJobs skips updates for
 // such jobs (assuming they are up-to-date).
 func (e *Job) matches(def catalog.Definition) bool {
         return e.JobID == def.JobID &&
                 e.Flavor == def.Flavor &&
                 e.Schedule == def.Schedule &&
+                def.Acls.Equal(&e.Acls) &&

[Vadim Sh., 2017/08/01 01:56:19]

nit: swap

e.Acls.Equal(&def.Acls)

[tandrii(chromium), 2017/08/01 22:50:01]

Done.

                 bytes.Equal(e.Task, def.Task)
 }
 
 // Invocation entity stores single attempt to run a job. Its parent entity
 // is corresponding Job, its ID is generated based on time.
 type Invocation struct {
         _kind  string         `gae:"$kind,Invocation"`
         _extra ds.PropertyMap `gae:"-,extra"`
 
         // ID is identifier of this particular attempt to run a job. Multiple attempts
@@ skipping 1611 matching lines @@
                 }
                 if hasFinished {
                         return ctl.eng.rollSM(c, job, func(sm *StateMachine) error {
                                 sm.OnInvocationDone(saving.ID)
                                 return nil
                         })
                 }
                 return nil
         })
 }