include/mesos/authorizer/authorizer.proto - mesos - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 import "mesos/mesos.proto";

 package mesos;

 option java_package = "org.apache.mesos";
 option java_outer_classname = "Protos";


 /**
  * ACLs used for local authorization (See authorization.md file in the
  * docs).
  */
 message ACL {

   // Entity is used to describe a subject(s) or an object(s) of an ACL.
   // NOTE:
   // To allow everyone access to an Entity set its type to 'ANY'.
   // To deny access to an Entity set its type to 'NONE'.
   message Entity {
     enum Type {
       SOME = 0;
       ANY = 1;
       NONE = 2;
     }
     optional Type type = 1 [default = SOME];
     repeated string values = 2; // Ignored for ANY/NONE.
   }

   // ACLs.
   message RegisterFramework {
     // Subjects.
     required Entity principals = 1; // Framework principals.

     // Objects.
     required Entity roles = 2; // Roles for resource offers.
   }

   message RunTask {
     // Subjects.
     required Entity principals = 1; // Framework principals.

     // Objects.
     required Entity users = 2; // Users to run the tasks/executors as.
   }

   // Which principals are authorized to shutdown frameworks of other
   // principals.
   message ShutdownFramework {
     // Subjects.
     required Entity principals = 1;

     // Objects.
     required Entity framework_principals = 2;
   }
 }


 /**
  * Collection of ACL.
  *
  * Each authorization request is evaluated against the ACLs in the order
  * they are defined.
  *
  * For simplicity, the ACLs for a given action are not aggregated even
  * when they have the same subjects or objects. The first ACL that
  * matches the request determines whether that request should be
  * permitted or not. An ACL matches iff both the subjects
  * (e.g., clients, principals) and the objects (e.g., urls, users,
  * roles) of the ACL match the request.
  *
  * If none of the ACLs match the request, the 'permissive' field
  * determines whether the request should be permitted or not.
  *
  * TODO(vinod): Do aggregation of ACLs when possible.
  *
  */
 message ACLs {
   optional bool permissive = 1 [default = true];
   repeated ACL.RegisterFramework register_frameworks = 2;
   repeated ACL.RunTask run_tasks = 3;
   repeated ACL.ShutdownFramework shutdown_frameworks = 4;
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	import "mesos/mesos.proto";

	package mesos;

	option java_package = "org.apache.mesos";
	option java_outer_classname = "Protos";


	/**
	* ACLs used for local authorization (See authorization.md file in the
	* docs).
	*/
	message ACL {

	// Entity is used to describe a subject(s) or an object(s) of an ACL.
	// NOTE:
	// To allow everyone access to an Entity set its type to 'ANY'.
	// To deny access to an Entity set its type to 'NONE'.
	message Entity {
	enum Type {
	SOME = 0;
	ANY = 1;
	NONE = 2;
	}
	optional Type type = 1 [default = SOME];
	repeated string values = 2; // Ignored for ANY/NONE.
	}

	// ACLs.
	message RegisterFramework {
	// Subjects.
	required Entity principals = 1; // Framework principals.

	// Objects.
	required Entity roles = 2; // Roles for resource offers.
	}

	message RunTask {
	// Subjects.
	required Entity principals = 1; // Framework principals.

	// Objects.
	required Entity users = 2; // Users to run the tasks/executors as.
	}

	// Which principals are authorized to shutdown frameworks of other
	// principals.
	message ShutdownFramework {
	// Subjects.
	required Entity principals = 1;

	// Objects.
	required Entity framework_principals = 2;
	}
	}


	/**
	* Collection of ACL.
	*
	* Each authorization request is evaluated against the ACLs in the order
	* they are defined.
	*
	* For simplicity, the ACLs for a given action are not aggregated even
	* when they have the same subjects or objects. The first ACL that
	* matches the request determines whether that request should be
	* permitted or not. An ACL matches iff both the subjects
	* (e.g., clients, principals) and the objects (e.g., urls, users,
	* roles) of the ACL match the request.
	*
	* If none of the ACLs match the request, the 'permissive' field
	* determines whether the request should be permitted or not.
	*
	* TODO(vinod): Do aggregation of ACLs when possible.
	*
	*/
	message ACLs {
	optional bool permissive = 1 [default = true];
	repeated ACL.RegisterFramework register_frameworks = 2;
	repeated ACL.RunTask run_tasks = 3;
	repeated ACL.ShutdownFramework shutdown_frameworks = 4;
	}