
Unified Diff: scheduler/appengine/messages/cron.proto

Issue 2986033003: [scheduler]: ACLs phase 1 - per Job ACL specification and enforcement. (Closed)
Patch Set: Created 3 years, 5 months ago
Index: scheduler/appengine/messages/cron.proto
diff --git a/scheduler/appengine/messages/cron.proto b/scheduler/appengine/messages/cron.proto
index 549f4709471a5227f8669e21760c428e4389eb0c..cf6618e967bc91d5dfb4a8096c546ca91e48f61b 100644
--- a/scheduler/appengine/messages/cron.proto
+++ b/scheduler/appengine/messages/cron.proto
@@ -6,6 +6,32 @@ syntax = "proto3";
package messages;
+// A single access control rule.
+message Acl {
+ enum Role {
+ // Can do read-only operations, such as listing invocations of a Job.
+ READER = 0;
+ // Same as READER + can modify state of a Job or Invocation such as aborting
+ // them.
+ WRITER = 1;
+ }
+ // Role denotes a list of actions that an identity can perform.
+ Role role = 1;
+ // A full identity string "kind:name", such as "group:xyz" or
+ // "email:mail@example.com".
nodir 2017/07/28 13:59:44 Consider supporting prefix-less user emails, e.g.
tandrii(chromium) 2017/07/28 15:15:12 Done.
+ // For more details, see auth service on kinds of identities.
+ string identity = 2;
nodir 2017/07/28 13:59:44 I think the term "identity" is reserved for one id
tandrii(chromium) 2017/07/28 15:15:12 You are right https://cs.chromium.org/chromium/inf
+}
+
+// A set of Acl messages. Can be referenced in a Job or Trigger by name.
+message AclSet {
+ // A name of the ACL set, unique for a project.
+ // Required. Must match regex '^[a-z0-9_]+$'.
+ string name = 1;
+ // List of access control rules.
+ // The order does not matter.
+ repeated Acl acls = 2;
+}
// Job specifies a single regular job belonging to a project.
//
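Review bot: `READER = 0` in `Acl.Role` gives the proto3 zero value a real meaning, so an `Acl` entry whose `role` was left out of the config is indistinguishable from an explicit READER grant. For an access-control message it is safer to reserve zero, e.g. `ROLE_UNSPECIFIED = 0;` followed by `READER = 1;` and `WRITER = 2;`, and have config validation reject entries with an unspecified role. The comment on `role` could then state that the field is required, the way `AclSet.name` already does.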
@@ -45,6 +71,14 @@ message Job {
// use it.
TaskDefWrapper task = 4;
+ // List of access control rules for the Job.
+ // The order does not matter.
+ repeated Acl acls = 5;
+ // A list of ACL set names. Each ACL in each referenced ACL set will be
+ // included in this Job.
+ // The order does not matter.
+ repeated string acl_sets = 6;
+
// One and only one field below must be set. It defines what this job does.
// Noop is used for testing. It is "do nothing" task.
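Review bot: The comments on `acls` and `acl_sets` in `Job` do not say what applies when both are empty, which is the default a reader of an ACL field most needs to know. I would add a line of the form `// If both acls and acl_sets are empty, <who may read and who may write>.` with the actual default filled in. A second line should say whether an `acl_sets` entry that names no `AclSet` in the project is a validation error or is ignored; the hunk does not show which is intended. The same two gaps apply to the `Trigger` hunk that follows, and the `Job` message starts and ends outside this hunk.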
@@ -76,6 +110,14 @@ message Trigger {
// Disabled is true to disable this job.
bool disabled = 3;
+ // List of access control rules for the Job.
+ // The order does not matter.
+ repeated Acl acls = 4;
+ // A list of ACL set names. Each ACL in each referenced ACL set will be
+ // included in this Job.
+ // The order does not matter.
+ repeated string acl_sets = 5;
+
// One and only one field below must be set. It defines what this job does.
// Noop is used for testing. It is "do nothing" trigger.
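Review bot: The two added comments in `Trigger` still say "for the Job" and "included in this Job", apparently carried over from the `Job` hunk above. Since these fields decide who may act on a trigger, the text should name it: `// List of access control rules for the Trigger.` and `// included in this Trigger.`. The `Trigger` message continues outside the hunk.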
@@ -171,6 +213,9 @@ message ProjectConfig {
// Trigger is a set of triggering jobs defined in the project.
repeated Trigger trigger = 2;
+
+ // A list of ACL sets. Names must be unique.
+ repeated AclSet acl_sets = 3;
}
////////////////////////////////////////////////////////////////////////////////