[scheduler]: ACLs phase 1 - per Job ACL specification and enforcement.

scheduler/appengine/messages/cron.proto

 // Copyright 2015 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 syntax = "proto3";
 
 package messages;
 
+// A single access control rule.
+//
+// WARNING: until ACLs are fully deployed, DO NOT rely on READER Role
+// limiting access to your project. Follow crbug/736770 if in doubt.
+// TODO(tandrii): REMOVE THIS WARNING once deployment is complete.
+message Acl {
+  enum Role {
+    // Can do read-only operations, such as listing invocations of a Job.
+    READER = 0;
+                // Same as READER + can modify state of a Job or Invocation such as
+                // triggering or aborting them.
+    // LUCI scheduler (this service) is an OWNER of each `Job` and `Trigger`, thus
+                // `Trigger`s are allowed to trigger all `Job`s defined in the same
+                // project, regardless of their respective ACLs.
+    OWNER = 1;
+  }
+  // Role denotes a list of actions that an identity can perform.
+  Role role = 1;
+  // Either email or "group:xyz" or auth service identity string "kind:name".
+  string granted_to = 2;
+}
+
+// A set of Acl messages. Can be referenced in a Job or Trigger by name.
+message AclSet {
+  // A name of the ACL set, unique for a project.
+  // Required. Must match regex '^[0-9A-Za-z_\-\.]{1,100}$'.
+  string name = 1;
+  // List of access control rules.
+  // The order does not matter.
+  repeated Acl acls = 2;
+}
 
 // Job specifies a single regular job belonging to a project.
 //
 // Such jobs runs on a schedule or can be triggered by some trigger.
 message Job {
   // Id is a name of the job (unique for the project).
   //
   // Must match '^[0-9A-Za-z_\-\.]{1,100}$'.
   string id = 1;
 
   // Schedule describes when to run the job.
   //
   // Supported kinds of schedules (illustrated by examples):
   //   - "* 0 * * * *": standard cron-like expression. Cron engine will attempt
   //     to start a job at specified moments in time (based on UTC clock). If
   //     when triggering a job, previous invocation is still running, an overrun
   //     will be recorded (and next attempt to start a job happens based on the
   //     schedule, not when the previous invocation finishes). This is absolute
   //     schedule (i.e. doesn't depend on job state).
   //   - "with 10s interval": runs invocations in a loop, waiting 10s after
   //     finishing invocation before starting a new one. This is relative
   //     schedule. Overruns are not possible.
   //   - "continuously" is alias for "with 0s interval", meaning the job will
   //     run in a loop without any pauses.
-  //   - "triggered" schedule indicates that job is always started via "Run now"
+  //   - "triggered" schedule indicates that job is only started via "Run now"
   //     button or via a trigger.
   //
   // Default is "triggered".
   string schedule = 2;
 
   // Disabled is true to disable this job.
   bool disabled = 3;
 
   // Task defines what exactly to execute.
   //
   // TODO(vadimsh): Remove this field once all configs are updated not to
   // use it.
   TaskDefWrapper task = 4;
 
+  // List of access control rules for the Job.
+  // The order does not matter.
+        // There can be at most 32 different acls for a Job, including those from
+        // acl_sets.
+  repeated Acl acls = 5;
+  // A list of ACL set names. Each ACL in each referenced ACL set will be
+  // included in this Job.
+  // The order does not matter.
+  repeated string acl_sets = 6;
+
   // One and only one field below must be set. It defines what this job does.
 
   // Noop is used for testing. It is "do nothing" task.
   NoopTask noop = 100;
   // UrlFetch can be used to make a simple HTTP call.
   UrlFetchTask url_fetch = 101;
   // SwarmingTask can be used to schedule swarming job.
   SwarmingTask swarming = 102;
   // BuildbucketTask can be used to schedule buildbucket job.
   BuildbucketTask buildbucket = 103;
@@ skipping 11 matching lines @@
   string id = 1;
 
   // Schedule describes when to run this triggering job.
   //
   // See Job.schedule fro more info. Default is "with 30s interval".
   string schedule = 2;
 
   // Disabled is true to disable this job.
   bool disabled = 3;
 
+  // List of access control rules for the Job.
+  // The order does not matter.
+        // There can be at most 32 different acls for a Job, including those from
+        // acl_sets.
+  repeated Acl acls = 4;
+  // A list of ACL set names. Each ACL in each referenced ACL set will be
+  // included in this Job.
+  // The order does not matter.
+  repeated string acl_sets = 5;
+
   // One and only one field below must be set. It defines what this job does.
 
   // Noop is used for testing. It is "do nothing" trigger.
   NoopTask noop = 100;
   // Gitiles is used to trigger jobs for new commits on Gitiles.
   GitilesTask gitiles = 101;
 }
 
 
 // NoopTask is used for testing. It is "do nothing" task.
@@ skipping 75 matching lines @@
 
 
 // ProjectConfig defines a schema for config file that describe jobs belonging
 // to some project.
 message ProjectConfig {
   // Job is a set of jobs defined in the project.
   repeated Job job = 1;
 
   // Trigger is a set of triggering jobs defined in the project.
   repeated Trigger trigger = 2;
+
+  // A list of ACL sets. Names must be unique.
+  repeated AclSet acl_sets = 3;
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // Internal stuff.
 
 // TaskDefWrapper is a union type of all possible tasks known to the scheduler.
 //
 // It is used internally when storing jobs in the datastore.
 //
 // TODO(vadimsh): Remove '_task' suffixes once TaskDefWrapper is no longer
 // a part of 'Job' proto.
 message TaskDefWrapper {
   NoopTask noop = 1;
   UrlFetchTask url_fetch = 2;
   SwarmingTask swarming_task = 3;
   BuildbucketTask buildbucket_task = 4;
   GitilesTask gitiles_task = 5;
 }