From bd50db11514ab543255c48cc5d3dfe7da7e3163c Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Tue, 21 Feb 2023 11:18:35 +0300
Subject: [PATCH] [#18] acl: Add impersonate field to bearer token

Signed-off-by: Denis Kirillov
---
 CHANGELOG.md | 1 +
 acl/types.proto | 4 ++++
 proto-docs/acl.md | 1 +
 3 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db99bc4..9b67e88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ### Changed
 - Add `__SYSTEM__` attribute prefix (#12, #14)
+- Add `allow_impersonate` flag to bearer token (#18)
 ## [2.14.0] - 2022-09-23 - Anmado (안마도, 鞍馬島)
diff --git a/acl/types.proto b/acl/types.proto
index 1ca947a..31a43d4 100644
--- a/acl/types.proto
+++ b/acl/types.proto
@@ -213,6 +213,10 @@ message BearerToken {
 }
 // Token expiration and valid time period parameters
 TokenLifetime lifetime = 3 [json_name="lifetime"];
+
+ // AllowImpersonate flag to consider token signer as request owner.
+ // If this field is true extended ACL table in token body isn't processed.
+ bool allow_impersonate = 4 [json_name="allowImpersonate"];
 }
 // Bearer Token body
 Body body = 1 [json_name="body"];
diff --git a/proto-docs/acl.md b/proto-docs/acl.md
index 09762a1..c32f958 100644
--- a/proto-docs/acl.md
+++ b/proto-docs/acl.md
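Review bot: The comment on the new `allow_impersonate` field (types.proto hunk) says the token signer becomes the request owner and the eACL table is skipped, but it does not say what happens to the `owner_id` check, which the existing proto-docs row describes as "must match the request originator's `OwnerID`"; a reader cannot tell whether impersonation bypasses that match, replaces it with the signer's identity, or leaves it in force. Since this flag widens what a bearer token grants, the contract should be spelled out on the field itself, e.g. `// AllowImpersonate: when true, the token signer is treated as the request owner and eacl_table in this body is not evaluated.` followed by `// owner_id handling with this flag set: <AUTHOR TO STATE — unchanged / replaced by signer / ignored>.` The same wording gap is duplicated in the proto-docs/acl.md table row, so the regenerated docs should pick up the clarified comment. The enclosing `Body` message starts outside the hunk, so I could not confirm whether a message-level comment already covers this.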
@@ -60,6 +60,7 @@ owner with additional information preventing token abuse.
 | eacl_table | [EACLTable](#neo.fs.v2.acl.EACLTable) | | Table of Extended ACL rules to use instead of the ones attached to the container. If it contains `container_id` field, bearer token is only valid for this specific container. Otherwise, any container of the same owner is allowed. |
 | owner_id | [neo.fs.v2.refs.OwnerID](#neo.fs.v2.refs.OwnerID) | | `OwnerID` defines to whom the token was issued. It must match the request originator's `OwnerID`. If empty, any token bearer will be accepted. |
 | lifetime | [BearerToken.Body.TokenLifetime](#neo.fs.v2.acl.BearerToken.Body.TokenLifetime) | | Token expiration and valid time period parameters |
+| allow_impersonate | [bool](#bool) | | AllowImpersonate flag to consider token signer as request owner. If this field is true extended ACL table in token body isn't processed. |