| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
package mesos;

import "mesos/mesos.proto";

// Java code generation: classes are emitted into org.apache.mesos, inside
// the outer class "Protos".
option java_package = "org.apache.mesos";
option java_outer_classname = "Protos";
| |
| |
// Access control list entries evaluated by the local authorizer. See
// authorization.md in the docs for how they are applied.
message ACL {
  // The subject(s) or object(s) an ACL applies to. How a request matches
  // an entity is selected by 'type':
  //   SOME: matches the identifiers explicitly listed in 'values'.
  //   ANY:  matches everyone/everything, i.e. grants access to all.
  //   NONE: matches nothing, i.e. denies access to all.
  message Entity {
    enum Type {
      // Match the identifiers given in 'values'.
      SOME = 0;
      // Allow everyone; 'values' is ignored.
      ANY = 1;
      // Deny everyone; 'values' is ignored.
      NONE = 2;
    }

    // Matching mode for this entity. An unset type behaves as SOME.
    optional Type type = 1 [default = SOME];

    // Identifiers (e.g. principals, roles, users) making up the entity.
    // Consulted only when 'type' is SOME.
    repeated string values = 2;
  }

  // ACL for framework registration.
  message RegisterFramework {
    // Subjects: framework principals.
    required Entity principals = 1;

    // Objects: roles for resource offers.
    required Entity roles = 2;
  }

  // ACL for launching tasks.
  message RunTask {
    // Subjects: framework principals.
    required Entity principals = 1;

    // Objects: the users the tasks/executors are run as.
    required Entity users = 2;
  }

  // ACL stating which principals are authorized to shut down frameworks
  // belonging to other principals.
  message ShutdownFramework {
    // Subjects: principals requesting the shutdown.
    required Entity principals = 1;

    // Objects: principals of the frameworks being shut down.
    required Entity framework_principals = 2;
  }
}
| |
| |
// A collection of ACLs.
//
// Every authorization request is checked against the ACLs for its action
// in the order they are listed. ACLs for one action are not aggregated,
// even when they share subjects or objects: the first ACL whose subjects
// (e.g. clients, principals) and objects (e.g. urls, users, roles) both
// match the request decides whether it is permitted.
//
// When no ACL matches, 'permissive' decides the outcome.
//
// TODO(vinod): Do aggregation of ACLs when possible.
message ACLs {
  // Outcome for a request that matches none of the ACLs. Defaults to
  // true, so an ACLs message that leaves this unset permits every
  // unmatched request; set it to false for a deny-by-default policy.
  optional bool permissive = 1 [default = true];

  // Framework registration ACLs, evaluated in list order.
  repeated ACL.RegisterFramework register_frameworks = 2;

  // Task launch ACLs, evaluated in list order.
  repeated ACL.RunTask run_tasks = 3;

  // Framework shutdown ACLs, evaluated in list order.
  repeated ACL.ShutdownFramework shutdown_frameworks = 4;
}