// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
syntax = "proto2";
package kudu.security;
option java_package = "org.apache.kudu.security";
import "kudu/util/pb_util.proto";
// Privileges held on a single column. Used as the value type of
// TablePrivilegePB.column_privileges.
message ColumnPrivilegePB {
  // If set, the user has privileges to select the column and to apply
  // predicates on it during scans.
  //
  // NOTE(review): "set" presumably means "set to true". In proto2 an explicit
  // `false` is also present on the wire, so confirm that enforcement code
  // reads the value and not only the has-bit.
  optional bool scan_privilege = 1;
}
// The privileges granted on one table, both table-wide and per column.
message TablePrivilegePB {
  // The ID of the table to which the privileges apply.
  optional string table_id = 1;

  // Table-wide scan privilege. If set, the user is authorized to select and
  // apply predicates to all columns when scanning the table, and
  // `column_privileges` is ignored. If unset, the user may only scan and apply
  // predicates to columns with the privileges specified in
  // `column_privileges`.
  //
  // Because this flag overrides the per-column map, treat it as a grant of
  // read access to every column of the table.
  optional bool scan_privilege = 2;

  // If set, the user is authorized to insert rows into the table.
  optional bool insert_privilege = 3;

  // If set, the user is authorized to update rows in the table.
  optional bool update_privilege = 4;

  // If set, the user is authorized to delete rows in the table.
  optional bool delete_privilege = 5;

  // Per-column privileges, indexed by column ID.
  //
  // NOTE(review): a column with no entry here presumably carries no
  // privilege; confirm that enforcement treats a missing key as a denial.
  map<int32, ColumnPrivilegePB> column_privileges = 6;
}
// Authentication ("authn") token payload; carried as the `authn` member of
// the TokenPB.token oneof.
message AuthnTokenPB {
  // The user name carried by the token.
  //
  // NOTE(review): presumably the authenticated principal. TokenPB bytes are
  // transported inside SignedTokenPB.token_data, so rely on this value only
  // after that message's signature has been verified.
  optional string username = 1;
}
// Authorization ("authz") token payload; carried as the `authz` member of
// the TokenPB.token oneof. Pairs a user name with the privileges on one table.
message AuthzTokenPB {
  // The user name carried by the token.
  //
  // NOTE(review): presumably the user to whom `table_privilege` is granted;
  // confirm that servers compare it with the authenticated caller.
  optional string username = 1;

  // The table and the privileges on it that this token conveys.
  optional TablePrivilegePB table_privilege = 2;
}
// The unsigned body of a token: an expiry time, a list of feature flags the
// verifier must understand, and either an authn or an authz payload. Its
// serialized form is what SignedTokenPB.token_data holds.
message TokenPB {
  // The time at which this token expires, in seconds since the
  // unix epoch.
  //
  // NOTE(review): the field is optional; confirm that verifiers reject a
  // token that carries no expiry instead of treating it as never expiring.
  optional int64 expire_unix_epoch_seconds = 1;

  enum Feature {
    // Protobuf doesn't let us define an enum with no values,
    // so we've got this placeholder in here for now. When we add
    // the first real feature flag, we can remove this.
    UNUSED_PLACEHOLDER = 999;
  }

  // List of incompatible features used by this token. A server that is
  // verifying or authorizing the token and finds a value in this list that it
  // does not recognize should reject the token.
  //
  // This allows us to safely add "restrictive" content to tokens
  // and have a "default deny" policy on servers that may not understand
  // them.
  //
  // We use an int32 here but the values correspond to the 'Feature' enum
  // above. This is to deal with protobuf's odd handling of unknown enum
  // values (see KUDU-1850).
  repeated int32 incompatible_features = 2;

  // The token payload. A oneof holds at most one member, so a token is
  // either an authn token or an authz token, never both.
  oneof token {
    AuthnTokenPB authn = 3;
    AuthzTokenPB authz = 4;
  }
}
// A serialized TokenPB together with the signature over it and the sequence
// number of the signing key.
message SignedTokenPB {
  // The actual token data. This is a serialized TokenPB protobuf. However, we
  // use a 'bytes' field, since protobuf doesn't guarantee that if two
  // implementations serialize a protobuf, they'll necessarily get bytewise
  // identical results, particularly in the presence of unknown fields.
  //
  // For the same reason, check the signature against these exact bytes as
  // received, before parsing them; re-serializing a parsed TokenPB may not
  // reproduce them.
  optional bytes token_data = 1;

  // The cryptographic signature of 'token_data'.
  // NOTE(review): (kudu.REDACT) is declared in kudu/util/pb_util.proto and
  // presumably keeps the value out of logs and debug strings; confirm there.
  optional bytes signature = 2 [(kudu.REDACT) = true];

  // The sequence number of the key which produced 'signature'.
  // NOTE(review): presumably matches `key_seq_num` in the TokenSigning*KeyPB
  // messages and is how a verifier selects the public key.
  optional int64 signing_key_seq_num = 3;
}
// A private key used to sign tokens. The matching public half is described by
// TokenSigningPublicKeyPB.
message TokenSigningPrivateKeyPB {
  // Sequence number of this key.
  // NOTE(review): presumably the value a signer records in
  // SignedTokenPB.signing_key_seq_num; confirm against the signing code.
  optional int64 key_seq_num = 1;

  // The private key material, in DER format. Tagged (kudu.REDACT); anyone who
  // holds these bytes can produce signatures under this key, so the message
  // needs the same protection in storage and transport as the key itself.
  optional bytes rsa_key_der = 2 [(kudu.REDACT) = true];

  // The time at which signatures made by this key should no longer be valid,
  // in seconds since the unix epoch.
  optional int64 expire_unix_epoch_seconds = 3;
}
// A public key corresponding to the private key used to sign tokens. Only
// this part is necessary for token verification.
message TokenSigningPublicKeyPB {
  // Sequence number of this key.
  // NOTE(review): presumably what a verifier compares with
  // SignedTokenPB.signing_key_seq_num to pick the key; confirm.
  optional int64 key_seq_num = 1;

  // The public key material, in DER format. Unlike the private key it carries
  // no (kudu.REDACT) tag. It still decides which signatures a verifier
  // accepts, so it should be taken only from a trusted source.
  optional bytes rsa_key_der = 2;

  // The time at which signatures made by this key should no longer be valid,
  // in seconds since the unix epoch.
  optional int64 expire_unix_epoch_seconds = 3;
}